Tracking Dependent Information Flows

Zeineb Zhioua, Yves Roudier, Rabéa Ameur Boulifa, Takoua Kechiche, Stuart Short

Abstract

Ensuring the compliance of developed software with security requirements is a challenging task due to imprecision on the security guidelines definition, and to the lack of automatic and formal means to lead this verification. In this paper, we present our approach that aims at integrating the formal specification and verification of security guidelines in early stages of the development life cycle by combining the model checking together with information flow analysis. We formally specify security guidelines that involve dependent information flows as a basis to lead formal verification through model checking, and provide precise feedback to the developer.

References

  1. Aderhold, M., Cu?llar, J., Mantel, H., and Sudbrock, H. (2010). Exemplary formalization of secure coding guidelines. Technical report, TU Darmstadt and Siemens AG.
  2. Akeel, F., Salehi Fathabadi, A., Paci, F., Gravell, A., and Wills, G. (2016). Formal modelling of data integration systems security policies. Data Science and Engineering, pages 1-10.
  3. Andrew, J., Lucas, W., and Scott, M. (2015). Exploring and enforcing security guarantees via program dependence graphs. PLDI 2015 Proceedings of the 36th ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 291-302.
  4. Arnold, A. (1994). Finite transition systems. Semantics of communicating sytems. Prentice-Hall. ISBN 0-13- 092990-5.
  5. Chen, Z., editor (2011). Specification and Management of Security Requirements for Service-Based Systems. Proquest, Umi Dissertation Publishing.
  6. Denning, D. E. and Denning, P. J. (1977). Certification of programs for secure information flow. Commun. ACM, 20(7):504-513.
  7. Dimitrova, R., Finkbeiner, B., and Rabe, M. N. (2012). Leveraging Applications of Formal Methods, Verification and Validation. Technologies for Mastering Change: 5th International Symposium, ISoLA 2012, Heraklion, Crete, Greece, October 15-18, 2012, Proceedings, Part I, chapter Monitoring Temporal Information Flow, pages 342-357. Springer Berlin Heidelberg, Berlin, Heidelberg.
  8. Graf, J., Hecker, M., and Mohr, M. (2013). Using joana for information flow control in java programs - a practical guide. In Proceedings of the 6th Working Conference on Programming Languages (ATPS'13), Lecture Notes in Informatics (LNI) 215, pages 123-138. Springer Berlin / Heidelberg.
  9. Graf, J., Hecker, M., Mohr, M., and Snelting, G. (2015). Checking applications using security apis with joana. 8th International Workshop on Analysis of Security APIs.
  10. Lang, F., Garavel, H., and Mateescu, R. (2002). An overview of cadp 2001. European Association for Software Science and Technology (EASST) Newsletter, 4.
  11. Mateescu, R. and Thivolle, D. (2008). A model checking language for concurrent value-passing systems. In Proceedings of the 15th International Symposium on Formal Methods, FM 7808, pages 148-164, Berlin, Heidelberg. Springer-Verlag.
  12. Myers, A. C. and Liskov, B. (1997). A decentralized model for information flow control. SIGOPS Oper. Syst. Rev., 31(5):129-142.
  13. Myers, A. C. and Liskov, B. (2000). Protecting privacy using the decentralized label model. ACM Trans. Softw. Eng. Methodol., 9(4):410-442.
  14. Wilander, J. and Fak, P. (2005). Pattern matching security properties of code using dependence graphs.
  15. Zhioua, Z., Roudier, Y., Short, S., and Boulifa Ameur, R. (2016). Security guidelines: Requirements engineering for verifying code quality. In ESPRE 2016, 3rd International Workshop on Evolving Security and Privacy Requirements Engineering, September 12th, 2016, Beijing, China, co-located with the 24th IEEE International Requirements Engineering Conference, Beijing, CHINA.
Download


Paper Citation


in Harvard Style

Zhioua Z., Roudier Y., Ameur Boulifa R., Kechiche T. and Short S. (2017). Tracking Dependent Information Flows . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 179-189. DOI: 10.5220/0006209301790189


in Bibtex Style

@conference{icissp17,
author={Zeineb Zhioua and Yves Roudier and Rabéa Ameur Boulifa and Takoua Kechiche and Stuart Short},
title={Tracking Dependent Information Flows},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2017},
pages={179-189},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006209301790189},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Tracking Dependent Information Flows
SN - 978-989-758-209-7
AU - Zhioua Z.
AU - Roudier Y.
AU - Ameur Boulifa R.
AU - Kechiche T.
AU - Short S.
PY - 2017
SP - 179
EP - 189
DO - 10.5220/0006209301790189