Figure - available from: Journal of Automated Reasoning
This content is subject to copyright. Terms and conditions apply.
Source publication
This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibi...
Similar publications
Ensuring the correctness of smart contracts is of paramount importance to achieve trust and continuity in the Blockchain-based business process execution. Due to the immutable nature of distributed ledger technology on the blockchain, a smart contract should work as intended before using it. Any bugs or errors will become permanent once published a...
Our daily life is increasingly becoming more and more dependent on software as they are being extensively used to control safety and mission-critical systems. This has lead to very stringent verification requirements for ensuring that the software performs as intended. However, the testing based techniques cannot provide a rigorous verification due...
Due to the ever-increasing toll of soft errors in memories, Error Correction Codes (ECCs) like Hamming and Reed-Solomon Codes have been used to protect data in memories, in applications ranging from space to terresterial work stations. In past seven decades, most of the research has focused on providing better ECC strategies for data integrity in m...
Citations
... Prior work on practical secure declassification includes the verification of the kernel of a conference management system [66], a social media platform [12] and its distributed successor [11]. These works proved variants of the generic security property of Bounded Deducibility [65], which is similar to declassification policies D. The proofs use manual unwinding in Isabelle/HOL, over an abstract program representation of I/O automata. ...
We consider the problem of specifying and proving the security of non-trivial, concurrent programs that intentionally leak information. We present a method that decomposes the problem into (a) proving that the program only leaks information it has declassified via assume annotations already widely used in deductive program verification; and (b) auditing the declassifications against a declarative security policy. We show how condition (a) can be enforced by an extension of the existing program logic SecCSL, and how (b) can be checked by proving a set of simple entailments. Part of the challenge is to define respective semantic soundness criteria and to formally connect these to the logic rules and policy audit. We support our methodology in an auto-active program verifier, which we apply to verify the implementations of various case study programs against a range of declassification policies.
... A substantial contribution to web client security is the Quark verified browser [37]. Our own line of work is concerned with proof assistant verification of web-based system confidentiality grounded in BD Security: It started in 2014 with CoCon and continued with the CoSMed social media platform [7] and its extension to a distributed model, CoSMeDis [6]. For most of the CoSMed/CoSMeDis properties of interest, the bounds B had to be significantly more complex, to account for the repeated opening and closing of access windows, i.e., the repeated firing and canceling of various triggers. ...
We present a case study in formally verified security for realistic systems: the information flow security verification of the functional kernel of a web application, the CoCon conference management system. We use the Isabelle theorem prover to specify and verify fine-grained confidentiality properties, as well as complementary safety and “traceback” properties. The challenges posed by this development in terms of expressiveness have led to bounded-deducibility (BD) security, a novel security model and verification method generally applicable to systems describable as input/output automata.
... For highlighting the issue of privacy leakage, an inference attack for leakage of data privacy is introduced. A new approach known as PbD (Privacy by Design) principles is introduced for OSNs in distributed computing environments [32], instead of any framework or technique, it pointed out the lack of proper PIA (Privacy Impact Assessment) [33]. Authentication and access control always remained the core area of research in every computing system development [34], [35]. ...
Social networking has elevated the human life to
the heights of interaction, response and content sharing. It has
been offering state of the art facilities to its users for a long time.
Though, over the period of time, the systems have become quite
matured yet alongside the benefits, multiple concerns of the user
with regard to the privacy and information security also exist.
Multidimensional threat spectrum to the Internet has also been
posed to social networking tools. A lot of work is being done to un�derstand privacy concerns in social networks. In this scenario, a
survey of privacy concerns in online social networks is conducted.
Risks, privacy issues, and threats have been highlighted that
occurred in recent years, analyzing the targets of attackers, their
methods of attack and measures taken to counter/manage these
threats are the focus. A social network depends on the user, social
network site/application and communication medium provider i.e.
the Internet facility. Existing research contains domain specific re�search work regarding privacy issues in social networks; however,
a comprehensive research work related to overall infrastructure
of online social networks is missing. Development of a taxonomy
of threats and categorization of frauds relevant to social networks
is an important contribution of this survey. After completing
a comprehensive research survey on privacy concerns in online
social networks, a set of privacy guidelines is provided and open
research challenges are highlighted.
... PLAS '18, October 19, 2018 Motivation. Recent years have seen a proliferation of research on information flow control [16,17,19,39,49,55,67,70,72,73], leading to applications in a wide range of areas including hardware [8], operating system microkernels [59] and virtualization platforms [32], programming languages [36,37], mobile operating systems [44], web browsers [12,43], web applications [13,45], and distributed systems [50]. A recent special issue of Journal of Computer Security on verified information flow [60] reflects an active state of the art. ...
Recent years have seen a proliferation of research on information flow control. While the progress has been tremendous, it has also given birth to a bewildering breed of concepts, policies, conditions, and enforcement mechanisms. Thus, when designing information flow controls for a new application domain, the designer is confronted with two basic questions: (i) What is the right security characterization for a new application domain? and (ii) What is the right enforcement mechanism for a new application domain?
This paper puts forward six informal principles for designing information flow security definitions and enforcement mechanisms: attacker-driven security, trust-aware enforcement, separation of policy annotations and code, language-independence, justified abstraction, and permissiveness. We particularly highlight the core principles of attacker-driven security and trust-aware enforcement, giving us a rationale for deliberating over soundness vs. soundiness. The principles contribute to roadmapping the state of the art in information flow security, weeding out inconsistencies from the folklore, and providing a rationale for designing information flow characterizations and enforcement mechanisms for new application domains.
... Relational properties are useful when reasoning about program refinement, approximation, equivalence, provenance, as well as many notions of security. A great many relational program analyses have been proposed in the recent literature, including works by Antonopoulos et al. (2017); Asada et al. (2016); Banerjee et al. (2016); Barthe et al. (2014Barthe et al. ( , 2015Barthe et al. ( , 2012Barthe et al. ( , 2013b; ; Benton et al. (2009); Ştefan ; Godlin and Strichman (2010); Hedin and Sabelfeld (2012); Kundu et al. (2009); Küsters et al. (2015); Yang (2007); Zaks and Pnueli (2008); Murray et al. (2013); Fehrenbach and Cheney (2016); Bauereiß et al. (2016Bauereiß et al. ( , 2017; and Çiçek et al. (2017). While some systems have been designed for the efficient verification of specialized relational properties of programs (notably information-flow type systems, e.g., Sabelfeld and Myers (2003)), others support larger classes of properties. ...
Relational properties describe multiple runs of one or more programs. They characterize many useful notions of security, program refinement, and equivalence for programs with diverse computational effects, and they have received much attention in the recent literature. Rather than developing separate tools for special classes of effects and relational properties, we advocate using a general purpose proof assistant as a unifying framework for the relational verification of effectful programs. The essence of our approach is to model effectful computations using monads and to prove relational properties on their monadic representations, making the most of existing support for reasoning about pure programs. We apply this method in F* and evaluate it by encoding a variety of relational program analyses, including information flow control, program equivalence and refinement at higher order, correctness of program optimizations and game-based cryptographic security. By relying on SMT-based automation, unary weakest preconditions, user-defined effects, and monadic reification, we show that, compared to unary properties, verifying relational properties requires little additional effort from the F* programmer.
... As described in the proof of eorem 2.1 universal quantification over a sort is translated into a conjunction over all Skolem constants of that sort. 5 us, the resulting encoding of the universally quantified conjunct is exponential in the number of existentially quantified variables of each sort. For every causal agent considered, s n s additional existential quantifiers are added to the formula. ...
... ere have recently been many efforts to verify concrete workflow systems, such as conference management systems [2,21] or an eHealth system [7], or a social media platform [5]. For instance, the C C conference management system [21] is implemented and checked in the interactive theorem prover I . ...
We consider the automatic verification of information flow security policies of web-based workflows, such as conference submission systems like EasyChair. Our workflow description language allows for loops, non-deterministic choice, and an unbounded number of participating agents. The information flow policies are specified in a temporal logic for hyperproperties. We show that the verification problem can be reduced to the satisfiability of a formula of first-order linear-time temporal logic, and provide decidability results for relevant classes of workflows and specifications. We report on experimental results obtained with an implementation of our approach on a series of benchmarks.
The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry? To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that can be drawn for the software industry at large and its ability to benefit from formal verification techniques and tools.
