Information Flow Control-by-Construction for an Object-Oriented Language

Tobias Runge; Alexander Kittelmann; Marco Servetto; Alex Potanin; Ina Schaefer

doi:10.1007/978-3-031-17108-6_13

Information Flow Control-by-Construction for an Object-Oriented Language

Tobias Runge^*, Alexander Kittelmann, Marco Servetto, Alex Potanin, Ina Schaefer

^*Corresponding author for this work

School of Computing

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › peer-review

5 Citations (Scopus)

Abstract

In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A drawback of these systems is that incomplete programs during construction cannot be checked properly. The user is not guided to a secure program by most systems. We introduce IFbCOO, an approach that guides users incrementally to a secure implementation by using refinement rules. In each refinement step, confidentiality or integrity (or both) is guaranteed alongside the functional correctness of the program, such that insecure programs are declined by construction. In this work, we formalize IFbCOO and prove soundness of the refinement rules. We implement IFbCOO in the tool CorC and conduct a feasibility study by successfully implementing case studies.

Original language	English
Title of host publication	Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings
Editors	Bernd-Holger Schlingloff, Ming Chai
Place of Publication	Cham
Publisher	Springer Science+Business Media B.V.
Pages	209-226
Number of pages	18
ISBN (Electronic)	978-3-031-17108-6
ISBN (Print)	978-3-031-17107-9
DOIs	https://doi.org/10.1007/978-3-031-17108-6_13
Publication status	Published - 1 Oct 2022
Event	20th International Conference on Software Engineering and Formal Methods, SEFM 2022 - Berlin, Germany Duration: 26 Sept 2022 → 30 Sept 2022

Publication series

Name	Lecture Notes in Computer Science
Volume	13550 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	20th International Conference on Software Engineering and Formal Methods, SEFM 2022
Country/Territory	Germany
City	Berlin
Period	26/09/22 → 30/09/22

Access to Document

10.1007/978-3-031-17108-6_13

Cite this

Runge, T., Kittelmann, A., Servetto, M., Potanin, A., & Schaefer, I. (2022). Information Flow Control-by-Construction for an Object-Oriented Language. In B.-H. Schlingloff, & M. Chai (Eds.), Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings (pp. 209-226). (Lecture Notes in Computer Science; Vol. 13550 LNCS). Springer Science+Business Media B.V.. https://doi.org/10.1007/978-3-031-17108-6_13

Runge, Tobias ; Kittelmann, Alexander ; Servetto, Marco et al. / Information Flow Control-by-Construction for an Object-Oriented Language. Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings. editor / Bernd-Holger Schlingloff ; Ming Chai. Cham : Springer Science+Business Media B.V., 2022. pp. 209-226 (Lecture Notes in Computer Science).

@inproceedings{74403f903d1e4a8b87e9f711ed11ff1c,

title = "Information Flow Control-by-Construction for an Object-Oriented Language",

abstract = "In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A drawback of these systems is that incomplete programs during construction cannot be checked properly. The user is not guided to a secure program by most systems. We introduce IFbCOO, an approach that guides users incrementally to a secure implementation by using refinement rules. In each refinement step, confidentiality or integrity (or both) is guaranteed alongside the functional correctness of the program, such that insecure programs are declined by construction. In this work, we formalize IFbCOO and prove soundness of the refinement rules. We implement IFbCOO in the tool CorC and conduct a feasibility study by successfully implementing case studies.",

keywords = "Correctness-by-construction, Information flow control, Security-by-design",

author = "Tobias Runge and Alexander Kittelmann and Marco Servetto and Alex Potanin and Ina Schaefer",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 20th International Conference on Software Engineering and Formal Methods, SEFM 2022 ; Conference date: 26-09-2022 Through 30-09-2022",

year = "2022",

month = oct,

day = "1",

doi = "10.1007/978-3-031-17108-6\_13",

language = "English",

isbn = "978-3-031-17107-9",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science+Business Media B.V.",

pages = "209--226",

editor = "Bernd-Holger Schlingloff and Ming Chai",

booktitle = "Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings",

address = "Netherlands",

}

Runge, T, Kittelmann, A, Servetto, M, Potanin, A & Schaefer, I 2022, Information Flow Control-by-Construction for an Object-Oriented Language. in B-H Schlingloff & M Chai (eds), Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings. Lecture Notes in Computer Science, vol. 13550 LNCS, Springer Science+Business Media B.V., Cham, pp. 209-226, 20th International Conference on Software Engineering and Formal Methods, SEFM 2022, Berlin, Germany, 26/09/22. https://doi.org/10.1007/978-3-031-17108-6_13

Information Flow Control-by-Construction for an Object-Oriented Language. / Runge, Tobias; Kittelmann, Alexander; Servetto, Marco et al.
Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings. ed. / Bernd-Holger Schlingloff; Ming Chai. Cham: Springer Science+Business Media B.V., 2022. p. 209-226 (Lecture Notes in Computer Science; Vol. 13550 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › peer-review

TY - GEN

T1 - Information Flow Control-by-Construction for an Object-Oriented Language

AU - Runge, Tobias

AU - Kittelmann, Alexander

AU - Servetto, Marco

AU - Potanin, Alex

AU - Schaefer, Ina

PY - 2022/10/1

Y1 - 2022/10/1

N2 - In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A drawback of these systems is that incomplete programs during construction cannot be checked properly. The user is not guided to a secure program by most systems. We introduce IFbCOO, an approach that guides users incrementally to a secure implementation by using refinement rules. In each refinement step, confidentiality or integrity (or both) is guaranteed alongside the functional correctness of the program, such that insecure programs are declined by construction. In this work, we formalize IFbCOO and prove soundness of the refinement rules. We implement IFbCOO in the tool CorC and conduct a feasibility study by successfully implementing case studies.

AB - In security-critical software applications, confidential information must be prevented from leaking to unauthorized sinks. Static analysis techniques are widespread to enforce a secure information flow by checking a program after construction. A drawback of these systems is that incomplete programs during construction cannot be checked properly. The user is not guided to a secure program by most systems. We introduce IFbCOO, an approach that guides users incrementally to a secure implementation by using refinement rules. In each refinement step, confidentiality or integrity (or both) is guaranteed alongside the functional correctness of the program, such that insecure programs are declined by construction. In this work, we formalize IFbCOO and prove soundness of the refinement rules. We implement IFbCOO in the tool CorC and conduct a feasibility study by successfully implementing case studies.

KW - Correctness-by-construction

KW - Information flow control

KW - Security-by-design

UR - https://www.scopus.com/pages/publications/85140434158

U2 - 10.1007/978-3-031-17108-6_13

DO - 10.1007/978-3-031-17108-6_13

M3 - Conference Paper

AN - SCOPUS:85140434158

SN - 978-3-031-17107-9

T3 - Lecture Notes in Computer Science

SP - 209

EP - 226

BT - Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings

A2 - Schlingloff, Bernd-Holger

A2 - Chai, Ming

PB - Springer Science+Business Media B.V.

CY - Cham

T2 - 20th International Conference on Software Engineering and Formal Methods, SEFM 2022

Y2 - 26 September 2022 through 30 September 2022

ER -

Runge T, Kittelmann A, Servetto M, Potanin A, Schaefer I. Information Flow Control-by-Construction for an Object-Oriented Language. In Schlingloff BH, Chai M, editors, Software Engineering and Formal Methods - 20th International Conference, SEFM 2022, Proceedings. Cham: Springer Science+Business Media B.V. 2022. p. 209-226. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-17108-6_13