research-article

Dependent types for enforcement of information flow and erasure policies in heterogeneous data structures

Authors:

Gordon Stewart,

Anindya Banerjee,

Aleksandar NanevskiAuthors Info & Claims

PPDP '13: Proceedings of the 15th Symposium on Principles and Practice of Declarative Programming

Pages 145 - 156

https://doi.org/10.1145/2505879.2505895

Published: 16 September 2013 Publication History

Abstract

We consider verification of information flow and erasure properties in programs with heterogeneous heap-based data structures, in the presence of procedures with local state. A heterogeneous data structure, such as a hash table implementing a medical record database, may store both secret and public data simultaneously. In contrast, extant work primarily focuses on homogeneous data structures which store data of a uniform security level. Heterogeneity, however, does not come for free. For example, standard implementations of hash tables do not support heterogeneity, and may leak sensitive information easily owing to hash collisions. In this paper we identify unique representation as a sufficient condition for a heterogeneous data structure to be leak-free, while simultaneously supporting abstraction and modularity in verification. As a case study, we implement and verify a novel uniquely-represented variant of heterogeneous hash tables. Furthermore, we demonstrate modular reasoning by showing how specifications of the hash table methods can be used in a client application; we thereby obtain abstract and concise formal proofs of erasure. We formalize our work in Relational Hoare Type Theory (RHTT), an expressive, higher-order imperative language and program logic embedded in the Coq proof assistant.

References

[1]

O. Amble and D. E. Knuth. Ordered hash tables. Comput. J., 17(2):135--142, 1974.

[2]

T. Amtoft, S. Bandhakavi, and A. Banerjee. A logic for information flow in object-oriented programs. In POPL, 2006.

Digital Library

[3]

D. Bell and L. LaPadula. Secure computer systems: Mathematical foundations. Technical Report MTR-2547, MITRE Corp., 1973.

[4]

N. Benton. Simple relational correctness proofs for static analyses and program transformations. In POPL, 2004.

Digital Library

[5]

J.-P. Bernardy, P. Jansson, and R. Paterson. Proofs for free --- parametricity for dependent types. JFP, 22(2), 2012.

Digital Library

[6]

J.-P. Bernardy and G. Moulin. A computational interpretation of parametricity. In LICS, 2012.

Digital Library

[7]

A. Birgisson, D. Hedin, and A. Sabelfeld. Boosting the permissiveness of dynamic information-flow tracking by testing. In ESORICS, 2012.

[8]

G. E. Blelloch and D. Golovin. Strongly history-independent hashing with applications. In FOCS, 2007.

Digital Library

[9]

J. Borgström, A. D. Gordon, and R. Pucella. Roles, stacks, histories: A triple for Hoare. JFP, 21(2):159--207, 2011.

[10]

S. Chong and A. C. Myers. Language-based information erasure. In CSFW, 2005.

Digital Library

[11]

S. Chong and A. C. Myers. End-to-end enforcement of erasure and declassification. In CSF, 2008.

Digital Library

[12]

E. S. Cohen. Information transmission in sequential programs. In R. A. DeMillo, D. P. Dobkin, A. K. Jones, and R. J. Lipton, editors, Foundations of Secure Computation. 1978.

[13]

D. Denning. A lattice model of secure information flow. CACM, 19(5):236--242, 1976.

Digital Library

[14]

D. Fotakis, R. Pagh, P. Sanders, and P. Spirakis. Space efficient hash tables with worst case constant access time. In STACS, 2003.

Digital Library

[15]

D. Golovin. Uniquely Represented Data Structures with Applications to Privacy. PhD thesis, Carnegie Mellon University, Pittsburgh, PA, August 2008.

Digital Library

[16]

J. D. Hartline, E. S. Hong, A. E. Mohr, W. R. Pentney, and E. Rocke. Characterizing history independent data structures. Algorithmica, 42(1):57--74, 2005.

Digital Library

[17]

D. Hedin and A. Sabelfeld. Information-flow security for a core of Javascript. In CSF, 2012.

Digital Library

[18]

S. Hunt and D. Sands. Just forget it - the semantics and enforcement of information erasure. In ESOP, 2008.

Digital Library

[19]

A. McCreight, T. Chevalier, and A. Tolmach. A certified framework for compiling and executing garbage-collected languages. In ICFP, 2010.

Digital Library

[20]

D. Micciancio. Oblivious data structures: Applications to cryptography. In STOC, 1997.

Digital Library

[21]

J. C. Mitchell and G. D. Plotkin. Abstract types have existential type. TOPLAS, 10(3):470--502, 1988.

Digital Library

[22]

D. Molnar, T. Kohno, N. Sastry, and D. Wagner. Tamper-evident, history-independent, subliminal-free data structures on prom storage-or-how to store ballots on a voting machine (extended abstract). In IEEE Symp. Security and Privacy, 2006.

Digital Library

[23]

A. C. Myers. JFlow: Practical mostly-static information flow control. In POPL, 1999.

Digital Library

[24]

A. Nanevski, A. Banerjee, and D. Garg. Dependent type theory for verification of access control and information flow policies. TOPLAS, 35(2):6, 2013.

Digital Library

[25]

M. Naor and V. Teague. Anti-persistence: history independent data structures. In STOC, 2001.

Digital Library

[26]

J. C. Reynolds. Separation logic: a logic for shared mutable data structures. In LICS, 2002.

Digital Library

[27]

A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In ESORICS, 2009.

Digital Library

[28]

A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE J. Selected Areas in Communications, 21(1):5--19, 2003.

Digital Library

[29]

A. Sabelfeld and D. Sands. Declassification: Dimensions and principles. JCS, 17(5):517--548, 2009.

Digital Library

[30]

R. Sundar and R. E. Tarjan. Unique binary-search-tree representations and equality testing of sets and sequences. SIAM J. Comput., 23(1):24--44, 1994.

Digital Library

[31]

N. Swamy, J. Chen, C. Fournet, P.-Y. Strub, K. Bhargavan, and J. Yang. Secure distributed programming with value-dependent types. In ICFP, 2011.

Digital Library

[32]

D. M. Volpano, C. E. Irvine, and G. Smith. A sound type system for secure flow analysis. JCS, 4(2/3):167--188, 1996.

Digital Library

Cited By

Zagieboylo DSherk CMyers ASuh GMeng WJensen CCremers CKirda E(2023)SpecVerilog: Adapting Information Flow Control for Secure SpeculationProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623074(2068-2082)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623074
AGUIRRE ABARTHE GGABOARDI MGARG DSTRUB P(2019)A relational logic for higher-order programsJournal of Functional Programming10.1017/S095679681900014529Online publication date: 21-Oct-2019
https://doi.org/10.1017/S0956796819000145
Aguirre ABarthe GGaboardi MGarg DStrub P(2017)A relational logic for higher-order programsProceedings of the ACM on Programming Languages10.1145/31102651:ICFP(1-29)Online publication date: 29-Aug-2017
https://dl.acm.org/doi/10.1145/3110265
Show More Cited By

Index Terms

Dependent types for enforcement of information flow and erasure policies in heterogeneous data structures

Recommendations

Dependent types and multi-monadic effects in F*
POPL '16: Proceedings of the 43rd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages

We present a new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F* is a dependently ...
Axiomatising an information flow logic based on partial equivalence relations
Abstract
We present a relational program logic for reasoning about information flow properties formalised in an assertion language based on partial equivalence relations. We define and prove the soundness of the logic, a proof technique for precise, logic-...
Dependent types and multi-monadic effects in F*
POPL '16

We present a new, completely redesigned, version of F*, a language that works both as a proof assistant as well as a general-purpose, verification-oriented, effectful programming language. In support of these complementary roles, F* is a dependently ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

PPDP '13: Proceedings of the 15th Symposium on Principles and Practice of Declarative Programming

September 2013

308 pages

ISBN:9781450321549

DOI:10.1145/2505879

General Chair:
Ricardo Peña
Universidad Complutense de Madrid
,
Program Chair:
Tom Schrijvers
Spain Ghent University, Belgium

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Universidad Complutense de Madrid

In-Cooperation

SIGPLAN: ACM Special Interest Group on Programming Languages

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 16 September 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Madrid Regional Government Project
Ministerio de Economía y Competitividad
Seventh Framework Programme
Ramon y Cajal

Conference

PPDP '13

Sponsor:

PPDP '13: 15th International Symposium on Principles and Practice of Declarative Programming

September 16 - 18, 2013

Madrid, Spain

Acceptance Rates

Overall Acceptance Rate 230 of 486 submissions, 47%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

7
Total Citations
View Citations
90
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 24 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Zagieboylo DSherk CMyers ASuh GMeng WJensen CCremers CKirda E(2023)SpecVerilog: Adapting Information Flow Control for Secure SpeculationProceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623074(2068-2082)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623074
AGUIRRE ABARTHE GGABOARDI MGARG DSTRUB P(2019)A relational logic for higher-order programsJournal of Functional Programming10.1017/S095679681900014529Online publication date: 21-Oct-2019
https://doi.org/10.1017/S0956796819000145
Aguirre ABarthe GGaboardi MGarg DStrub P(2017)A relational logic for higher-order programsProceedings of the ACM on Programming Languages10.1145/31102651:ICFP(1-29)Online publication date: 29-Aug-2017
https://dl.acm.org/doi/10.1145/3110265
Murray TSison RPierzchalski ERizkallah C(2016)Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference2016 IEEE 29th Computer Security Foundations Symposium (CSF)10.1109/CSF.2016.36(417-431)Online publication date: Jun-2016
https://doi.org/10.1109/CSF.2016.36
Barthe GFournet CGrégoire BStrub PSwamy NZanella-Béguelin S(2014)Probabilistic relational verification for cryptographic implementationsACM SIGPLAN Notices10.1145/2578855.253584749:1(193-205)Online publication date: 8-Jan-2014
https://dl.acm.org/doi/10.1145/2578855.2535847
Barthe GFournet CGrégoire BStrub PSwamy NZanella-Béguelin SJagannathan SSewell P(2014)Probabilistic relational verification for cryptographic implementationsProceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages10.1145/2535838.2535847(193-205)Online publication date: 11-Jan-2014
https://dl.acm.org/doi/10.1145/2535838.2535847
Seidl HKovács M(2014)Interprocedural Information Flow Analysis of XML ProcessorsProceedings of the 8th International Conference on Language and Automata Theory and Applications - Volume 837010.1007/978-3-319-04921-2_4(34-61)Online publication date: 10-Mar-2014
https://dl.acm.org/doi/10.1007/978-3-319-04921-2_4

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents