Mechanized logical relations for termination-insensitive noninterference

Published: 04 January 2021

Abstract

We present an expressive information-flow control type system with recursive types, existential types, label polymorphism, and impredicative type polymorphism for a higher-order programming language with higher-order state. We give a novel semantic model of this type system and show that well-typed programs satisfy termination-insensitive noninterference. Our semantic approach supports compositional integration of syntactically well-typed and syntactically ill-typed---but semantically sound---components, which we demonstrate through several interesting examples. We define our model using logical relations on top of the Iris program logic framework; to capture termination-insensitivity, we develop a novel language-agnostic theory of Modal Weakest Preconditions. We formalize all of our theory and examples in the Coq proof assistant.
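As an added illustration (not the paper's Coq development, and far smaller than its higher-order language with state), the following Python sketch shows what termination-insensitive noninterference (TINI) means for a first-order while-language: a Volpano-Smith-style type checker with labels L/H and a pc label rejects explicit and implicit flows, while a bounded-execution check only compares runs that both terminate, so a well-typed program that diverges on a secret is not a counterexample. The language, labels and sample programs are constructed for this example.

```python
import operator

LEQ = {('L', 'L'), ('L', 'H'), ('H', 'H')}   # permitted flows; never H -> L
def join(a, b): return 'H' if 'H' in (a, b) else 'L'

# Expressions: ('num', n) | ('var', x) | ('op', f, e1, e2)
def expr_label(e, env):
    if e[0] == 'num': return 'L'
    if e[0] == 'var': return env[e[1]]
    return join(expr_label(e[2], env), expr_label(e[3], env))

# Commands: ('skip',) | ('assign', x, e) | ('seq', c1, c2) | ('if', e, c1, c2) | ('while', e, c)
def well_typed(c, env, pc='L'):
    """pc is the label of the control context: branching on a secret forbids
    later public writes (implicit flows); assignment checks explicit flows."""
    if c[0] == 'skip': return True
    if c[0] == 'assign': return (join(pc, expr_label(c[2], env)), env[c[1]]) in LEQ
    if c[0] == 'seq': return well_typed(c[1], env, pc) and well_typed(c[2], env, pc)
    pc = join(pc, expr_label(c[1], env))         # 'if'/'while' guards raise pc
    return all(well_typed(b, env, pc) for b in c[2:])

def eval_expr(e, mem):
    if e[0] == 'num': return e[1]
    if e[0] == 'var': return mem[e[1]]
    return e[1](eval_expr(e[2], mem), eval_expr(e[3], mem))

def run(c, mem, fuel):
    """Execute c on a copy of mem with a step budget; returns (mem, terminated)."""
    mem, stack = dict(mem), [c]
    while stack:
        if fuel == 0: return mem, False
        fuel, c = fuel - 1, stack.pop()
        if c[0] == 'assign': mem[c[1]] = eval_expr(c[2], mem)
        elif c[0] == 'seq': stack += [c[2], c[1]]
        elif c[0] == 'if': stack.append(c[2] if eval_expr(c[1], mem) else c[3])
        elif c[0] == 'while' and eval_expr(c[1], mem): stack += [c, c[2]]
    return mem, True

def tini(c, env, mem1, mem2, fuel=100):
    """TINI: two runs from low-equivalent memories that BOTH terminate agree on
    low variables. None = a run exhausted its budget, which TINI does not judge."""
    low = [x for x in env if env[x] == 'L']
    assert all(mem1[x] == mem2[x] for x in low), "inputs must be low-equivalent"
    (m1, t1), (m2, t2) = run(c, mem1, fuel), run(c, mem2, fuel)
    return all(m1[x] == m2[x] for x in low) if t1 and t2 else None

# Constructed sample programs over a secret h and a public l.
ENV, H, ZERO = {'h': 'H', 'l': 'L'}, ('var', 'h'), ('num', 0)
EXPLICIT = ('assign', 'l', H)                                        # l := h
IMPLICIT = ('if', ('op', operator.ne, H, ZERO), ('assign', 'l', ('num', 1)), ('skip',))
SPIN = ('seq', ('while', ('op', operator.ne, H, ZERO), ('skip',)), ('assign', 'l', ('num', 1)))
```

`EXPLICIT` and `IMPLICIT` are rejected by the checker and `IMPLICIT` visibly violates TINI, whereas `SPIN` is well-typed even though it terminates only when `h` is zero: that residual termination channel is exactly what "termination-insensitive" leaves unconstrained.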
