
CoSMed: A Confidentiality-Verified Social Media Platform


Abstract and Figures

This paper describes progress with our agenda of formal verification of information flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD Security has to give way to a dynamic integration of the triggers as part of the bounds. We also show that, from a theoretical viewpoint, the removal of triggers from the notion of BD Security does not restrict its expressiveness.
J Autom Reasoning (2018) 61:113–139
https://doi.org/10.1007/s10817-017-9443-3
CoSMed: A Confidentiality-Verified Social Media Platform
Thomas Bauereiß (1) · Armando Pesenti Gritti (3) · Andrei Popescu (2,4) · Franco Raimondi (2)
Received: 19 March 2017 / Accepted: 24 November 2017 / Published online: 2 December 2017
© Springer Science+Business Media B.V., part of Springer Nature 2017
Keywords: Information flow security · Secure social media platform · Formal verification · Interactive theorem proving · Isabelle/HOL
Andrei Popescu (corresponding author)
a.popescu@mdx.ac.uk
Thomas Bauereiß
thomas@bauereiss.name
Armando Pesenti Gritti
arpesenti@gmail.com
Franco Raimondi
f.raimondi@mdx.ac.uk
(1) German Research Center for Artificial Intelligence (DFKI), Bremen, Germany
(2) Department of Computer Science, Middlesex University, London, UK
(3) Global NoticeBoard, London, UK
(4) Institute of Mathematics Simion Stoilow of the Romanian Academy, Bucharest, Romania
... As described in the proof of Theorem 2.1, universal quantification over a sort is translated into a conjunction over all Skolem constants of that sort. Thus, the resulting encoding of the universally quantified conjunct is exponential in the number of existentially quantified variables of each sort. For every causal agent considered, s n s additional existential quantifiers are added to the formula. ...
... There have recently been many efforts to verify concrete workflow systems, such as conference management systems [2,21] or an eHealth system [7], or a social media platform [5]. For instance, the CoCon conference management system [21] is implemented and checked in the interactive theorem prover Isabelle. ...
Preprint
We consider the automatic verification of information flow security policies of web-based workflows, such as conference submission systems like EasyChair. Our workflow description language allows for loops, non-deterministic choice, and an unbounded number of participating agents. The information flow policies are specified in a temporal logic for hyperproperties. We show that the verification problem can be reduced to the satisfiability of a formula of first-order linear-time temporal logic, and provide decidability results for relevant classes of workflows and specifications. We report on experimental results obtained with an implementation of our approach on a series of benchmarks.
... Prior work on practical secure declassification includes the verification of the kernel of a conference management system [66], a social media platform [12] and its distributed successor [11]. These works proved variants of the generic security property of Bounded Deducibility [65], which is similar to declassification policies D. The proofs use manual unwinding in Isabelle/HOL, over an abstract program representation of I/O automata. ...
Preprint
We consider the problem of specifying and proving the security of non-trivial, concurrent programs that intentionally leak information. We present a method that decomposes the problem into (a) proving that the program only leaks information it has declassified via assume annotations already widely used in deductive program verification; and (b) auditing the declassifications against a declarative security policy. We show how condition (a) can be enforced by an extension of the existing program logic SecCSL, and how (b) can be checked by proving a set of simple entailments. Part of the challenge is to define respective semantic soundness criteria and to formally connect these to the logic rules and policy audit. We support our methodology in an auto-active program verifier, which we apply to verify the implementations of various case study programs against a range of declassification policies.
... A substantial contribution to web client security is the Quark verified browser [37]. Our own line of work is concerned with proof assistant verification of web-based system confidentiality grounded in BD Security: It started in 2014 with CoCon and continued with the CoSMed social media platform [7] and its extension to a distributed model, CoSMeDis [6]. For most of the CoSMed/CoSMeDis properties of interest, the bounds B had to be significantly more complex, to account for the repeated opening and closing of access windows, i.e., the repeated firing and canceling of various triggers. ...
Article
We present a case study in formally verified security for realistic systems: the information flow security verification of the functional kernel of a web application, the CoCon conference management system. We use the Isabelle theorem prover to specify and verify fine-grained confidentiality properties, as well as complementary safety and “traceback” properties. The challenges posed by this development in terms of expressiveness have led to bounded-deducibility (BD) security, a novel security model and verification method generally applicable to systems describable as input/output automata.
... For highlighting the issue of privacy leakage, an inference attack for leakage of data privacy is introduced. A new approach known as PbD (Privacy by Design) principles is introduced for OSNs in distributed computing environments [32], instead of any framework or technique, it pointed out the lack of proper PIA (Privacy Impact Assessment) [33]. Authentication and access control always remained the core area of research in every computing system development [34], [35]. ...
Article
Social networking has elevated the human life to the heights of interaction, response and content sharing. It has been offering state of the art facilities to its users for a long time. Though, over the period of time, the systems have become quite matured yet alongside the benefits, multiple concerns of the user with regard to the privacy and information security also exist. Multidimensional threat spectrum to the Internet has also been posed to social networking tools. A lot of work is being done to understand privacy concerns in social networks. In this scenario, a survey of privacy concerns in online social networks is conducted. Risks, privacy issues, and threats have been highlighted that occurred in recent years, analyzing the targets of attackers, their methods of attack and measures taken to counter/manage these threats are the focus. A social network depends on the user, social network site/application and communication medium provider i.e. the Internet facility. Existing research contains domain specific research work regarding privacy issues in social networks; however, a comprehensive research work related to overall infrastructure of online social networks is missing. Development of a taxonomy of threats and categorization of frauds relevant to social networks is an important contribution of this survey. After completing a comprehensive research survey on privacy concerns in online social networks, a set of privacy guidelines is provided and open research challenges are highlighted.
Preprint
The technology of formal software verification has made spectacular advances, but how much does it actually benefit the development of practical software? Considerable disagreement remains about the practicality of building systems with mechanically-checked proofs of correctness. Is this prospect confined to a few expensive, life-critical projects, or can the idea be applied to a wide segment of the software industry? To help answer this question, the present survey examines a range of projects, in various application areas, that have produced formally verified systems and deployed them for actual use. It considers the technologies used, the form of verification applied, the results obtained, and the lessons that can be drawn for the software industry at large and its ability to benefit from formal verification techniques and tools.
Article
Non-Interference is an information flow security property which aims to protect confidential data by ensuring the complete absence of any information flow from high level entities to low level ones. However, this requirement is too demanding when dealing with real applications: indeed, no real policy ever guarantees a total absence of information flow. In order to deal with real applications, it is often necessary to allow mechanisms for downgrading or declassifying information such as information filters and channel control. In this paper we introduce the notion of Delimited Persistent Stochastic Non-Interference (D_PSNI) that allows information to flow from a higher to a lower security level through a downgrader. We provide two algebraic characterizations of D_PSNI and prove some compositionality properties. Finally, we present a decision algorithm and discuss its time complexity.
Article
Many automatic theorem provers are restricted to untyped logics, and existing translations from typed logics are bulky or unsound. Recent research proposes monotonicity as a means to remove some clutter when translating monomorphic to untyped first-order logic. Here we pursue this approach systematically, analysing formally a variety of encodings that further improve on efficiency while retaining soundness and completeness. We extend the approach to rank-1 polymorphism and present alternative schemes that lighten the translation of polymorphic symbols based on the novel notion of "cover". The new encodings are implemented in Isabelle/HOL as part of the Sledgehammer tool. We include informal proofs of soundness and correctness, and have formalised the monomorphic part of this work in Isabelle/HOL. Our evaluation finds the new encodings vastly superior to previous schemes.
Conference Paper
We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate access control over the posts. The system's kernel has been verified in the proof assistant Isabelle/HOL and automatically extracted as Scala code. We formalized a framework for composing a class of information flow security guarantees in a distributed system, applicable to input/output automata. We instantiated this framework to confidentiality properties for CoSMeDis's sources of information: posts, friendship requests, and friendship status.
Article
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.
Conference Paper
This paper describes progress with our agenda of formal verification of information-flow security for realistic systems. We present CoSMed, a social media platform with verified document confidentiality. The system’s kernel is implemented and verified in the proof assistant Isabelle/HOL. For verification, we employ the framework of Bounded-Deducibility (BD) Security, previously introduced for the conference system CoCon. CoSMed is a second major case study in this framework. For CoSMed, the static topology of declassification bounds and triggers that characterized previous instances of BD security has to give way to a dynamic integration of the triggers as part of the bounds.
Article
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.
Book
This book constitutes the refereed proceedings of the 24th International Conference on Automated Reasoning with Analytic Tableaux and Related Methods, TABLEAUX 2015, held in Wroclaw, Poland, in September 2015. The 19 full papers and 2 papers presented in this volume were carefully reviewed and selected from 34 submissions. They are organized in topical sections named: tableaux calculi; sequent calculus; resolution; other calculi; and applications.
Book
This book constitutes the refereed proceedings of the 7th International Conference on Interactive Theorem Proving, ITP 2016, held in Nancy, France, in August 2016. The 27 full papers and 5 short papers presented were carefully reviewed and selected from 55 submissions. The topics range from theoretical foundations to implementation aspects and applications in program verification, security and formalization of mathematical theories.
Article
Conventional security policies for software applications are adequate for managing concerns on the level of access control. But standard abstraction mechanisms of mainstream programming languages are not sufficient to express how information is allowed to flow between resources once access to them has been obtained. In practice we believe that such control - information flow control - is needed to manage the end-to-end security properties of applications. In this paper we present Paragon, a Java-based language with first-class support for static checking of information flow control policies. Paragon policies are specified in a logic-based policy language. By virtue of their explicitly stateful nature, these policies appear to be more expressive and flexible than those used in previous languages with information-flow support. Our contribution is to present the design and implementation of Paragon, which smoothly integrates the policy language with Java's object-oriented setting, and reaps the benefits of the marriage with a fully fledged programming language.
Article
The World Wide Web has evolved gradually from a document delivery platform to an architecture for distributed programming. This largely unplanned evolution is apparent in the set of interconnected languages and protocols that any Web application must manage. This paper presents Ur/Web, a domain-specific, statically typed functional programming language with a much simpler model for programming modern Web applications. Ur/Web's model is unified, where programs in a single programming language are compiled to other "Web standards" languages as needed; supports novel kinds of encapsulation of Web-specific state; and exposes simple concurrency, where programmers can reason about distributed, multithreaded applications via a mix of transactions and cooperative preemption. We give a tutorial introduction to the main features of Ur/Web.