Team mimosa

Overall Objectives
Scientific Foundations
Application Domains
New Results
Contracts and Grants with Industry
Other Grants and Activities

Section: New Results


Participants : Roberto Amadio, Gérard Boudol, Ilaria Castellani, Frédéric Dabrowski, Silvano Dal Zilio, Ana Matos.

Controlling information flow

Non-interference is a property of programs asserting that a piece of code does not implement a flow of information from classified or secret data to public results. In the past we have followed Volpano and Smith approach, using type systems, to statically check this property for concurrent programs. The motivation is that one should find formal techniques that could be applied to mobile code, in order to ensure that migrating agents do not corrupt protected data, and that the behaviour of such agents does not actually depend on the value of secret information.

The non-interference property is very often questioned, on the basis that it cannot be used in practice because it rules out, by its very definition, programs that intentionally declassify information from a confidential level to a public one, like a password checking procedure for instance. We have addressed this problem, of how to combine declassification with a security analysis of programs, like typing the information flow. Our standpoint is that there are two different issues to be considered, namely what information is released and how information is declassified. To address this second question, we have introduced, in a Core ML-like language with concurrent threads, a declassification mechanism that takes the form of a local flow policy declaration. The computation in the scope of such a declaration is allowed to implement information flow according to the local policy. This dynamic view of information flow policies is supported by a concrete presentation of the security lattice, where the confidentiality levels are sets of principals, similar to access control lists. To take into account declassification, and more generally dynamic flow policies, we introduce a generalization of non-interference, that we call the non-disclosure policy, and we design a type and effect system for our language that enforces this policy. Our workshop paper [16] has been selected for publication in the Journal of Computer Security.

In the paper [19] , we further investigate the issue of typing confidentiality in a language-based information-flow security approach, aiming at improving some previously proposed type systems, especially for higher-order languages with mutable state à la ML. We show that the typing of terminations leaks can be largely improved, by particularizing the case where the alternatives in a conditional branching both terminate. Moreover, we also provide a quite precise way of approximating the confidentiality level of an expression, that ignores the level of values used for side-effects only.

Ana Matos has studied in [15] new forms of security leaks, called migration leaks, that are introduced in a mobile code scenario. The language used in [16] is extended with a notion of domain and a migration primitive. Then the non-interference property is generalized to networks of domains, and a type and effect system for enforcing it is presented and proved correct.

The full version of a paper of last year on non-interference for reactive programs has been submitted for publication in a journal [23] .

Controlling the complexity of code

The objective of this research activity is to design, study and implement static analysis techniques by which one can ensure that the computational complexity of a piece of code is restricted to some known classes. The motivation is primarily in the mobile code, to ensure that migrating agents are not using local resources beyond some fixed limits, but this could also apply to embedded systems, where a program can only use limited resources.

In the paper [17] , we propose a compositional static analysis for a language of cooperative threads which guarantees that the size of the values computed by a program is bounded by the size of the parameters of the system at the beginning of the computation. This improves previous results by Amadio and Dal Zilio (see below) where bounds were functions of the parameters of the system at the beginning of each instant. The existence of bounds for arbitrary many instants relied on the assumption of a dynamic check of the size of the parameters of the system at the beginning of each instant which is now useless. In the same paper, termination of the instants is revisited using a more general criterion. As before, simplification orders (a kind of well-found orders used for proving termination of rewriting systems) are used but bounds provided by the static analysis are used instead of the embedding relation to prove the existence of a reduction order. These two results lead to the termination of the instants in time polynomial in the size of the parameters at the beginning of the computation.

In [20] we define a method to statically bound the size of values computed during the execution of a program as a function of the size of its parameters. More precisely, we consider bytecode programs that are to be executed on a simple stack machine with support for algebraic data types, pattern-matching and tail recursion. Our size verification method is expressed as a static analysis performed at the level of the bytecode, that relies on machine-checkable certificates. We follow here the usual assumption that code and certificates may be forged and should be checked before execution. Our approach extends a system of static analysis based on the notion of quasi-interpretations that has already been used to enforce resources bounds on first-order functional programs. This paper makes two additional contributions. First, we are able to check optimized programs, containing instructions for unconditional jumps and tail recursive calls, and remove restrictions on the structure of the bytecode that were imposed in previous works. Second, we propose a direct algorithm that depends on solving a set of arithmetical constraints.

The work by Roberto Amadio on quasi-interpretations which was presented in a 2003 report has been published [10] . The full version of the paper on Resource control for synchronous cooperative threads by Roberto Amadio and Silvano Dal Zilio has been accepted for publication in the journal Theoretical Computer Science.


Logo Inria