Team Lande


Section: New Results

Keywords : Information flow, dependency, security levels, dynamic analysis.

Dynamic and static information flow analysis

Participants : Gurvan Le Guernic, Thomas Jensen, David Pichardie.

A standard way of formalising confidentiality is via the notions of information flow and non-interference. In collaboration with A. Banerjee and D. Schmidt at Kansas State University we have developed an information flow monitoring mechanism for sequential programs. The monitor executes a program on standard data that are tagged with labels indicating their security level. The originality of the approach is that we formalize the monitoring mechanism as a big-step operational semantics that integrates a static information flow analysis to gather information flow properties of the non-executed branches of the program. This essentially shows how to mix static and dynamic non-interference analysis. Using the information flow monitoring mechanism, it is then possible to partition the set of all executions into two sets: the first contains executions which are safe, and the other contains executions which may be unsafe. Based on this information, we show that, by resetting the value of some output variables, it is possible to alter the behavior of executions belonging to the second set in order to ensure the confidentiality of secret data [21].
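The following toy monitor is an added illustration of the hybrid mechanism described above; it is not the team's own implementation and uses a small imperative language of our own devising (the assumed constructs Assign, If and Output, labels L and H). It shows the two ingredients in one place: variables carry a security label at run time, and when a conditional is executed the branch that was not taken is analysed statically so that every variable it could have written is raised to the label of the branch condition. The classic implicit flow "if secret == 1 then low := 1" is flagged in both of its executions, including the one where the assignment never runs, and resetting the tagged output makes both executions observably identical.

```python
"""Toy hybrid (dynamic + static) information-flow monitor.
Added example, not the Lande team's monitor; language and names are assumed."""

from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

# Two-point security lattice: L (public) below H (secret).
L, H = "L", "H"


def join(a: str, b: str) -> str:
    return H if H in (a, b) else L


# Expressions: int literal, variable name, or ("op", left, right).
Expr = Union[int, str, tuple]


@dataclass
class Assign:
    var: str
    expr: Expr


@dataclass
class If:
    cond: Expr
    then: list
    else_: list


@dataclass
class Output:
    var: str  # value sent to a public observer


Store = Dict[str, Tuple[int, str]]  # variable -> (value, label)


def eval_expr(e: Expr, store: Store) -> Tuple[int, str]:
    """Evaluate e, returning its value and the join of the labels it read."""
    if isinstance(e, int):
        return e, L
    if isinstance(e, str):
        return store[e]
    op, a, b = e
    va, la = eval_expr(a, store)
    vb, lb = eval_expr(b, store)
    ops = {"+": lambda x, y: x + y, "-": lambda x, y: x - y,
           "==": lambda x, y: int(x == y), "<": lambda x, y: int(x < y)}
    return ops[op](va, vb), join(la, lb)


def assigned_vars(stmts: list) -> set:
    """Static analysis of a branch that was NOT executed: variables it may write."""
    out = set()
    for s in stmts:
        if isinstance(s, Assign):
            out.add(s.var)
        elif isinstance(s, If):
            out |= assigned_vars(s.then) | assigned_vars(s.else_)
    return out


def run(stmts: list, store: Store, pc: str = L, outputs=None) -> Tuple[Store, list]:
    """Monitored execution under context label pc.
    Returns the final store and a list of (var, value, label) outputs."""
    if outputs is None:
        outputs = []
    for s in stmts:
        if isinstance(s, Assign):
            v, lab = eval_expr(s.expr, store)
            store[s.var] = (v, join(lab, pc))  # explicit flow + context
        elif isinstance(s, If):
            v, lab = eval_expr(s.cond, store)
            pc2 = join(pc, lab)
            taken, skipped = (s.then, s.else_) if v else (s.else_, s.then)
            run(taken, store, pc2, outputs)
            # Hybrid step: the skipped branch is analysed statically so that
            # variables it could have written also carry the condition's label.
            for x in assigned_vars(skipped):
                val, old = store.get(x, (0, L))
                store[x] = (val, join(old, pc2))
        elif isinstance(s, Output):
            v, lab = store[s.var]
            outputs.append((s.var, v, lab))
    return store, outputs


def is_safe(outputs: list) -> bool:
    """An execution is safe when every public output carries label L."""
    return all(lab == L for _, _, lab in outputs)


def sanitize(outputs: list, default: int = 0) -> List[Tuple[str, int]]:
    """Reset outputs tagged H to a constant: the observer then sees the same
    thing whatever the secret was, restoring non-interference."""
    return [(x, default if lab == H else v) for x, v, lab in outputs]


def demo() -> dict:
    # Constructed program with an implicit flow from 'secret' to 'low'.
    leaky = [Assign("low", 0),
             If(("==", "secret", 1), [Assign("low", 1)], []),
             Output("low")]
    results = {}
    for secret in (0, 1):
        store: Store = {"secret": (secret, H), "pub": (5, L)}
        _, outs = run(leaky, store)
        results[secret] = (outs, is_safe(outs), sanitize(outs))
    return results


if __name__ == "__main__":
    for secret, (outs, safe, fixed) in demo().items():
        print(f"secret={secret}: outputs={outs} safe={safe} after reset={fixed}")
```

Without the static step, the run with secret = 0 would leave `low` labelled L even though the observed value 0 reveals that the secret was not 1; raising the label of every variable the skipped branch could have written is exactly what closes that gap, and the reset then makes both runs emit the same public output.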

On the purely static side, much previous work on type systems for non-interference has focused on calculi or high-level programming languages, and existing type systems for low-level languages typically omit objects, exceptions, and method calls, and/or do not formally prove the soundness of the type system. In collaboration with G. Barthe and T. Rezk at INRIA Sophia Antipolis we have developed [11] an information flow type system for a sequential JVM-like language that includes classes, objects, arrays, exceptions and method calls, and proved that it guarantees non-interference. For increased confidence, we have formalized the proof in the proof assistant Coq; an additional benefit of the formalization is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to the best of our knowledge, the first sound and implemented information flow type system for such an expressive fragment of the JVM.
