Article

Abstract non-interference: parameterizing non-interference by abstract interpretation

Authors:
Roberto Giacobazzi

Università di Verona, Verona, Italy

Università di Verona, Verona, Italy
View Profile

,
Isabella Mastroeni

Università di Verona, Verona, Italy

Università di Verona, Verona, Italy
View Profile

POPL '04: Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languagesJanuary 2004Pages 186–197https://doi.org/10.1145/964001.964017

Published:01 January 2004Publication History

POPL '04: Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages

Pages 186–197

ABSTRACT

In this paper we generalize the notion of non-interference making it parametric relatively to what an attacker can analyze about the input/output information flow. The idea is to consider attackers as data-flow analyzers, whose task is to reveal properties of confidential resources by analyzing public ones. This means that no unauthorized flow of information is possible from confidential to public data, relatively to the degree of precision of an attacker. We prove that this notion can be fully specified in standard abstract interpretation framework, making the degree of security of a program a property of its semantics. This provides a comprehensive account of non-interference features for language-based security. We introduce systematic methods for extracting attackers from programs, providing domain-theoretic characterizations of the most precise attackers which cannot violate the security of a given program. These methods allow us both to compare attackers and program secrecy by comparing the corresponding abstractions in the lattice of abstract interpretations, and to design automatic program certification tools for language-based security by abstract interpretation.

References

Bell, D. E., and Burke, E. A software validation technique for certification: The methodology. Tech. Rep. MTR-2932, MITRE Corp., Badford, MA, 1974.]]Google Scholar
Bell, D. E., and LaPadula, L. J. Secure computer systems: Mathematical foundations and model. Tech. Rep. M74-244, MITRE Corp., Badford, MA, 1973.]]Google Scholar
Bodei, C., Degano, P., Nielson, F., and Nielson, H. Static analysis for secrecy and non-interference in networks of processes. In Proc. of 6th Internat. Conference on Parallel Computing Technologies : (PaCT'01) (2001), vol. 2127 of Lecture Notes in Computer Science, Springer-Verlag, pp. 27--41.]] Google ScholarDigital Library
Clark, D., Hankin, C., and Hunt, S. Information flow for algol-like languages. Computer Languages 28, 1 (2002), 3--28.]]Google Scholar
Cohen, E. S. Information transmission in computational systems. ACM SIGOPS Operating System Review 11, 5 (1977), 133--139.]] Google ScholarDigital Library
Cousot, P. Constructive design of a hierarchy of semantics of a transition system by abstract interpretation. Theor. Comput. Sci. 277, 1--2 (2002), 47,103.]] Google ScholarDigital Library
Cousot, P., and Cousot, R. Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Conference Record of the 4th ACM Symp. on Principles of Programming Languages (POPL '77) (1977), ACM Press, New York, pp. 238--252.]] Google ScholarDigital Library
Cousot, P., and Cousot, R. Constructive versions of Tarski's fixed point theorems. Pacific J. Math. 82, 1 (1979), 43--57.]]Google ScholarCross Ref
Cousot, P., and Cousot, R. Systematic design of program analysis frameworks. In Conference Record of the 6th ACM Symp. on Principles of Programming Languages ( POPL '79) (1979), ACM Press, New York, pp. 269--282.]] Google ScholarDigital Library
Cousot, P., and Cousot, R. Inductive definitions, semantics and abstract interpretation. In Conference Record of the 19th ACM Symp. on Principles of Programming Languages (POPL '92) (1992), ACM Press, New York, pp. 83--94.]] Google ScholarDigital Library
Davey, B. A., and Priestley, H. A. Introduction to Lattices and Order. Cambridge University Press, Cambridge, U.K., 1990.]]Google Scholar
Denning, D. E. Secure Information Flow in Computer Systems. PhD thesis, Purdue University, 1975.]] Google ScholarDigital Library
Denning, D. E. A lattice model of secure information flow. Communications of the ACM 19, 5 (1976), 236--242.]] Google ScholarDigital Library
Denning, D. E., and Denning, P. Certification of programs for secure information flow. Communications of the ACM 20, 7 (1977), 504--513.]] Google ScholarDigital Library
Di Pierro, A., Hankin, C., and Wiklicky, H. Approximate non-interference. In Proc. of the IEEE Computer Security Foundations Workshop (2002), IEEE Computer Society Press, pp. 1--17.]] Google ScholarDigital Library
Filé, G., Giacobazzi, R., and Ranzato, F. A unifying view of abstract domain design. ACM Comput. Surv. 28, 2 (1996), 333--336.]] Google ScholarDigital Library
Giacobazzi, R., and Quintarelli, E. Incompleteness, counterexamples and refinements in abstract model-checking. In Proc. of The 8th Internat. Static Analysis Symposium, (SAS'01) (2001), P. Cousot, Ed., vol. 2126 of Lecture Notes in Computer Science, Springer-Verlag, pp. 356--373.]] Google ScholarDigital Library
Giacobazzi, R., and Ranzato, F. Refining and compressing abstract domains. In Proc. of the 24th Internat. Colloq. on Automata, Languages and Programming (ICALP '97) (1997), P. Degano, R. Gorrieri, and A. Marchetti-Spaccamela, Eds., vol. 1256 of Lecture Notes in Computer Science, Springer-Verlag, Berlin, pp. 771--781.]] Google ScholarDigital Library
Giacobazzi, R., and Ranzato, F. Optimal domains for disjunctive abstract interpretation. Sci. Comput. Program. 32, 1-3 (1998), 177--210.]] Google ScholarDigital Library
Giacobazzi, R., Ranzato, F., and Scozzari, F. Making abstract interpretations complete. J. of the ACM. 47, 2 (2000), 361--416.]] Google ScholarDigital Library
Goguen, J. A., and Meseguer, J. Security policies and security models. In Proc. IEEE Symp. on Security and Privacy (1982), IEEE Computer Society Press, pp. 11--20.]]Google ScholarCross Ref
Goguen, J. A., and Meseguer, J. Unwinding and inference control. In Proc. IEEE Symp. on Security and Privacy (1984), IEEE Computer Society Press, pp. 75--86.]]Google ScholarCross Ref
Joshi, R., and Leino, K. R. M. A semantic approach to secure information flow. Sci. Comput. Program. 37 (2000), 113--138.]] Google ScholarDigital Library
Landauer, J., and Redmond, T. A lattice of information. In Proc. of the IEEE Computer Security Foundations Workshop (1993), IEEE Computer Society Press, pp. 65--70.]]Google ScholarCross Ref
Laud, P. Semantics and program analysis of computationally secure information flow. In In Programming Languages and Systems, 10th European Symposium On Programming, (ESOP'01) (2001), vol. 2028 of Lecture Notes in Computer Science, Springer-Verlag, pp. 77--91.]] Google ScholarDigital Library
Lowe, G. Quantifying information flow. In Proc. of the IEEE Computer Security Foundations Workshop (2002), IEEE Computer Society Press, pp. 18--31.]] Google ScholarDigital Library
Monniaux, D. An abstract analysis of the probabilistic termination programs. In Proc. of The 8th Internat. Static Analysis Symposium, (SAS'01) (2001), vol. 2126 of Lecture Notes in Computer Science, Springer-Verlag, pp. 111--127.]] Google ScholarDigital Library
Ørbæk, P. Can you trust your data? In Proc. of the 6th Internat. Joint Conf. CAAP/FASE, Theory and Practice of Software Devolpment (TAPSOFT '95) (1995), P. Mosses, M. Nielsen, and M. Schwartzbach, Eds., vol. 915 of Lecture Notes in Computer Science, Springer-Verlag, pp. 575--589.]] Google ScholarDigital Library
Ranzato, F., and Tapparo, F. Making abstract model checking strongly preserving. In Proc. of The 9th Internat. Static Analysis Symposium, (SAS'02) (2002), M. Hermenegildo and G. Puebla, Eds., vol. 2477 of Lecture Notes in Computer Science, Springer-Verlag, pp. 411--427.]] Google ScholarDigital Library
Sabelfeld, A., and Myers, A. Language-based information-flow security. IEEE J. on selected ares in communications 21, 1 (2003), 5--19.]]Google ScholarDigital Library
Sabelfeld, A., and Sands, D. A PER model of secure information flow in sequential programs. Higher-Order and Symbolic Computation 14, 1 (2001), 59--91.]] Google ScholarDigital Library
Schneider, F., Morrisett, G., and Harper, R. A language-based approach to security. In In Informatics: 10 Years Back, 10 Years Ahead (2000), vol. 2000 of Lecture Notes in Computer Science, Springer-Verlag, pp. 86--101.]] Google ScholarDigital Library
Skalka, C., and Smith, S. Static enforcement of security with types. In Proc. Internat. Conference on Functional Programming (ICFP'00) (2000), ACM Press, New York, pp. 254--267.]] Google ScholarDigital Library
Volpano, D. Safety versus secrecy. In Proc. of The 6th Internat. Static Analysis Symposium (SAS'99) (1999), A. Cortesi and G. Filé, Eds., vol. 1694 of Lecture Notes in Computer Science, Springer-Verlag, pp. 303--311.]] Google ScholarDigital Library
Volpano, D., and Smith, G. Verifying secrets and relative secrecy. In Conference Record of the 27th ACM Symp. on Principles of Programming Languages (POPL '00) (2000), ACM Press, New York, pp. 268--276.]] Google ScholarDigital Library
Volpano, D., Smith, G., and Irvine, C. A sound type system for secure flow analysis. J. of Computer Security 4, 2,3 (1996), 167--187.]] Google ScholarDigital Library
Weiser, M. Program slicing. IEEE Transactions on software engineering 10, 4 (1984), 352--357.]]Google ScholarDigital Library
Winskel, G. The formal semantics of programming languages: an introduction. MIT Press, 1993.]] Google ScholarCross Ref
Zanotti, M. Security typings by abstract interpretation. In Proc. of The 9th Internat. Static Analysis Symposium, (SAS'02) (2002), M. Hermenegildo and H. Puebla, Eds., vol. 2477 of Lecture Notes in Computer Science, Springer-Verlag, pp. 360--375.]] Google ScholarDigital Library
Zdancewic, S., and Myers, A. C. Robust declassification. In Proc. of the IEEE Computer Security Foundations Workshop (2001), IEEE Computer Society Press, pp. 15--23.]] Google ScholarDigital Library

Index Terms

Abstract non-interference: parameterizing non-interference by abstract interpretation

Recommendations

Abstract Non-Interference: A Unifying Framework for Weakening Information-flow

Non-interference happens when some elements of a dynamic system do not interfere, i.e., do not affect, other elements in the same system. Originally introduced in language-based security, non-interference means that the manipulation of private ...
Read More
Abstract non-interference: parameterizing non-interference by abstract interpretation
POPL '04

In this paper we generalize the notion of non-interference making it parametric relatively to what an attacker can analyze about the input/output information flow. The idea is to consider attackers as data-flow analyzers, whose task is to reveal ...
Read More
The PER model of abstract non-interference
SAS'05: Proceedings of the 12th international conference on Static Analysis

In this paper, we study the relationship between two models of secure information flow: the PER model (which uses equivalence relations) and the abstract non-interference model (which uses upper closure operators). We embed the lattice of equivalence ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
POPL '04: Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages
January 2004
364 pages
ISBN:158113729X
DOI:10.1145/964001
General Chair:
Neil D. Jones
DIKU, University of Copenhagen
,
Program Chair:
Xavier Leroy
INRIA Rocquencourt
ACM SIGPLAN Notices Volume 39, Issue 1
POPL '04
January 2004
352 pages
ISSN:0362-1340
EISSN:1558-1160
DOI:10.1145/982962
Issue’s Table of Contents
Copyright © 2004 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 1 January 2004
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
abstract domains
abstract interpretation
language-based security
non-interference
Qualifiers
- Article
Conference

Acceptance Rates
POPL '04 Paper Acceptance Rate29of176submissions,16%Overall Acceptance Rate824of4,130submissions,20%
More
Upcoming Conference
POPL '25

Sponsor:

sigplan

The 52nd Annual ACM SIGPLAN Symposium on Principles of Programming Languages

January 19 - 25, 2025

Denver , CO , USA
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 140
  Total Citations
  View Citations
- 1,174
  Total Downloads
- Downloads (Last 12 months)52
- Downloads (Last 6 weeks)7
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Abstract non-interference: parameterizing non-interference by abstract interpretation

POPL '04: Proceedings of the 31st ACM SIGPLAN-SIGACT symposium on Principles of programming languages

ABSTRACT

References

Cited By

Index Terms

Recommendations

Abstract Non-Interference: A Unifying Framework for Weakening Information-flow

Abstract non-interference: parameterizing non-interference by abstract interpretation

The PER model of abstract non-interference