Trace properties:
safety property: a violation can be determined from a finite prefix of the trace (e.g. an out-of-bounds access)
liveness property: a violation may depend on the whole infinite trace (e.g. a lock is eventually released)
Proving a liveness property requires P \to <\alpha>Q, i.e. that \alpha terminates in a state satisfying Q, so it needs a proof of termination (which is not decidable in general).
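Added example (not from the notes): a monitor over finite trace prefixes for the two kinds of property above. It assumes a constructed event format with kinds access, acquire, release and step, and constructed traces. The safety monitor returns a conclusive VIOLATED at the first bad access; the liveness monitor can never return VIOLATED on a finite prefix, only SATISFIED once the release is seen, and PENDING otherwise, no matter how long the prefix grows.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    VIOLATED = "violated"    # conclusive: no continuation of the prefix can repair it
    SATISFIED = "satisfied"  # conclusive: no continuation can break it
    PENDING = "pending"      # the finite prefix decides nothing yet

@dataclass(frozen=True)
class Event:
    kind: str        # "access", "acquire", "release" or "step" (anything else)
    index: int = 0   # for "access": the index used
    length: int = 0  # for "access": the length of the array

def check_bounds_safety(prefix):
    """Safety: every array access is in bounds. One bad access in a finite prefix
    is a conclusive VIOLATED (returned with its position); a clean prefix is only
    PENDING, since a later step could still go out of bounds."""
    for i, ev in enumerate(prefix):
        if ev.kind == "access" and not 0 <= ev.index < ev.length:
            return Verdict.VIOLATED, i
    return Verdict.PENDING, None

def check_release_liveness(prefix):
    """Liveness: an acquired lock is eventually released. Seeing the release is a
    conclusive SATISFIED; not seeing it is only PENDING, however long the prefix,
    because the release may still come. A violation needs the whole infinite trace."""
    held = False
    for i, ev in enumerate(prefix):
        if ev.kind == "acquire":
            held = True
        elif ev.kind == "release" and held:
            return Verdict.SATISFIED, i
    return Verdict.PENDING, None

# Constructed traces (not from the notes).
OOB_TRACE = [Event("access", 0, 4), Event("access", 3, 4), Event("access", 4, 4)]
HELD_TRACE = [Event("acquire")] + [Event("step")] * 1000   # lock not released so far
RELEASED_TRACE = [Event("acquire"), Event("step"), Event("release")]

if __name__ == "__main__":
    print(check_bounds_safety(OOB_TRACE))            # (Verdict.VIOLATED, 2)
    print(check_bounds_safety(OOB_TRACE[:2]))        # (Verdict.PENDING, None)
    print(check_release_liveness(HELD_TRACE))        # (Verdict.PENDING, None)
    print(check_release_liveness(RELEASED_TRACE))    # (Verdict.SATISFIED, 2)
```

Extending HELD_TRACE with any number of further step events never changes its verdict, which is exactly why a liveness violation cannot be judged from a prefix.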
Information flow policies: whether a program satisfies one cannot be determined by analyzing a single program trace; it is a property of how traces relate to each other, not of any one trace.
Reading from a high-security variable and writing the value to a low-security variable would be a violation of our information flow policy.
Let's say we have x being high security while y, z are low security. Then consider the two programs:
def first() {
    x := 1;
    y := x + 5;
    z := y - 1;
}
def second() {
    x := 1;
    y := 6;
    z := 5;
}
Both programs have exactly the same trace (after x := 1 both pass through y = 6 and z = 5), but the first one violates the policy (y is computed from x) while no information flows at all in the second. This shows that information flow can't be determined from the trace.
\Sigma: map from variables to security levels. \Sigma(x) \sqsubseteq l means that variable x is at security level l or lower.
We use the following notation for the partial order of security levels:
l_1 \sqsubseteq l_2: l_1 is a lower (or equal) security level than l_2
l_1 \sqcup l_2: the least upper bound of l_1 and l_2 (max)
l_1 \sqcap l_2: the greatest lower bound of l_1 and l_2 (min)
And we have the following rules:
We can use these rules for taint analysis. If a tainted (high) value reaches a low-security variable, it is a violation; this can be checked statically, or dynamically with taint bits attached to memory locations. But taint analysis follows only explicit flows (data dependence), so it can't discover all information flow: a variable whose value depends on a secret only through the branch that was taken carries no taint.
Branching: we attach a ghost variable pc to track the security level of the control flow, i.e. the level of the guards of the enclosing conditionals. The level of pc only goes up as branches are entered (it is joined with the guard's read level), and it is restored to its previous value when the conditional is left.
Expression Read Level:
Formula Read Level:
Confinement:
We define \text{maydef}(\alpha) as the set of variables that a program \alpha may assign a value to, i.e. all the left-hand sides of assignments in \alpha. This can include more variables than the set \text{def}(\alpha), which includes only those variables that \alpha must write to on every execution path.
We define \text{use}(e) as the set of variables that an expression e may read from. For example, \text{use}(x + y) would be \{x, y\}.
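Added example (not from the notes): a small while-language with the lattice operations, use, maydef/def, the expression read level, a static check that carries the ghost variable pc through branches, a trace function, and a dynamic taint checker with taint bits on locations. The typing rules it applies are the standard ones for this kind of analysis and are assumed here, since the notes' rule table is not reproduced above. It runs the two programs from the notes (named FIRST and SECOND here) and a constructed third program IMPLICIT, which branches on x so that y reveals whether x == 1 although y only ever receives constants.

```python
from dataclasses import dataclass

# Security lattice as a chain (larger = more secret): l1 ⊔ l2 is max, l1 ⊓ l2 is min, as in the notes.
LOW, HIGH = 0, 1
def join(a, b): return max(a, b)   # l1 ⊔ l2
def leq(a, b): return a <= b       # l1 ⊑ l2

# A tiny while-language without loops; expressions and statements as frozen dataclasses.
@dataclass(frozen=True)
class Const: value: int
@dataclass(frozen=True)
class Var: name: str
@dataclass(frozen=True)
class BinOp: op: str; left: object; right: object
@dataclass(frozen=True)
class Assign: target: str; expr: object
@dataclass(frozen=True)
class If: cond: object; then: tuple; orelse: tuple   # each branch is a tuple of statements

def use(e):   # use(e): the variables e may read, e.g. use(x + y) = {x, y}
    if isinstance(e, Const): return set()
    if isinstance(e, Var): return {e.name}
    return use(e.left) | use(e.right)

def assigned(prog, must=False):
    """maydef(prog) = assigned(prog): every left-hand side in any branch.
    def(prog) = assigned(prog, must=True): only variables written on every path."""
    out = set()
    for s in prog:
        if isinstance(s, Assign): out.add(s.target); continue
        a, b = assigned(s.then, must), assigned(s.orelse, must)
        out |= (a & b) if must else (a | b)
    return out

def read_level(e, sigma):   # join of Σ(x) over x in use(e); a constant reads nothing, so LOW
    lvl = LOW
    for x in use(e): lvl = join(lvl, sigma[x])
    return lvl

def check(prog, sigma, pc=LOW):
    """Static check with the ghost variable pc. x := e is accepted only if
    read_level(e) ⊔ pc ⊑ Σ(x). A conditional raises pc by its guard's read level
    for its branches only; pc is back to its old value after the conditional."""
    bad = set()
    for s in prog:
        if isinstance(s, Assign):
            if not leq(join(read_level(s.expr, sigma), pc), sigma[s.target]): bad.add(s.target)
        else:
            inner = join(pc, read_level(s.cond, sigma))
            bad |= check(s.then, sigma, inner) | check(s.orelse, sigma, inner)
    return bad

def eval_expr(e, state):
    if isinstance(e, Const): return e.value
    if isinstance(e, Var): return state[e.name]
    l, r = eval_expr(e.left, state), eval_expr(e.right, state)
    return {"+": l + r, "-": l - r, "==": int(l == r)}[e.op]

def trace(prog, state):   # the observable trace: the sequence of states after each assignment
    state, states = dict(state), []
    for s in prog:
        if isinstance(s, Assign):
            state[s.target] = eval_expr(s.expr, state)
            states.append(dict(state))
        else:
            states += trace(s.then if eval_expr(s.cond, state) else s.orelse, state)
            if states: state = dict(states[-1])
    return states

def dynamic_taint(prog, sigma, state, tainted=None):
    """Taint bits on locations: reading a HIGH location or one whose bit is set gives a
    tainted value; storing it into a LOW location sets the bit and is reported as a leak.
    Only data dependences are followed, so branching on a secret leaves no taint behind."""
    if tainted is None: state, tainted = dict(state), set()
    leaks = []
    for s in prog:
        if isinstance(s, Assign):
            hot = any(sigma[v] == HIGH or v in tainted for v in use(s.expr))
            state[s.target] = eval_expr(s.expr, state)
            if hot: tainted.add(s.target)
            else: tainted.discard(s.target)
            if hot and sigma[s.target] == LOW: leaks.append(s.target)
        else:
            leaks += dynamic_taint(s.then if eval_expr(s.cond, state) else s.orelse, sigma, state, tainted)
    return leaks

SIGMA = {"x": HIGH, "y": LOW, "z": LOW}   # x is high security, y and z low
INIT = {"x": 1, "y": 0, "z": 0}           # constructed initial state
# The two programs from the notes:
FIRST = (Assign("x", Const(1)), Assign("y", BinOp("+", Var("x"), Const(5))), Assign("z", BinOp("-", Var("y"), Const(1))))
SECOND = (Assign("x", Const(1)), Assign("y", Const(6)), Assign("z", Const(5)))
# A constructed implicit flow: y only ever receives constants, yet its final value reveals whether x == 1.
IMPLICIT = (If(BinOp("==", Var("x"), Const(1)), (Assign("y", Const(1)),), (Assign("y", Const(0)),)),)

if __name__ == "__main__":
    print(trace(FIRST, INIT) == trace(SECOND, INIT))                      # True: identical traces
    print(check(FIRST, SIGMA), check(SECOND, SIGMA))                      # {'y'} set()
    print(dynamic_taint(IMPLICIT, SIGMA, INIT), check(IMPLICIT, SIGMA))   # [] {'y'}
```

Running it shows that FIRST and SECOND produce the same trace, that the static check rejects FIRST at y and accepts SECOND, and that the taint checker reports y and z for FIRST but nothing for IMPLICIT, which only the pc-tracking check rejects. A conditional with an assignment in just one branch is where maydef and def differ: the variable is in maydef but not in def, and the pc check still flags it when the guard is high.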