Abstract
This paper presents an approach to specify and check discretionary information flow properties of concurrent systems. The approach is inspired by the success of the interaction-oriented paradigm to concurrent systems (cf. choreographies, behavioural types, protocols,...) in providing behavioural guarantees of global properties such as deadlock-absence. We show how some information flow properties are easier to formalise and check on a global interaction-oriented description of a concurrent system rather than on a local process-oriented description of the components of the system. We use a simple choreography description language adapted from the literature of choreographies and session types. We provide a generic method to instrument the semantics with information flow annotations. Policies are used to specify the admissible flows of information. The main contribution of the paper is a sound type system for statically checking if a system specification ensures an information flow policy. The approach is illustrated with two archetypal examples of distributed and parallel computing systems: a protocol for an identity-secured data providing service and a parallel MapReduce computation.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aananthakrishnan, S., Bronevetsky, G., Gopalakrishnan, G.: Hybrid approach for data-flow analysis of MPI programs. In: Malony, A.D., Nemirovsky, M., Midkiff, S.P. (eds.) International Conference on Supercomputing, ICS 2013, pp. 455–456. ACM, Eugene, OR, USA, 10–14 June 2013. http://doi.acm.org/10.1145/2464996.2467286
Bartoletti, M., Castellani, I., Denielou, P.M., Dezani-Ciancaglini, M., Ghilezan, S., Pantovic, J., Pérez, J.A., Thiemann, P., Toninho, B., Vieira, H.T.: Combining behavioural types with security analysis, state of The Art Report of WG2 - European Cost Action IC1201 BETTY (Behavioural Types for Reliable Large-Scale Software Systems). http://www.behavioural-types.eu/publications/WG2-State-of-the-Art.pdf/at_download/file
Bocchi, L., Melgratti, H., Tuosto, E.: Resolving non-determinism in choreographies. In: Shao, Z. (ed.) ESOP 2014. LNCS, vol. 8410, pp. 493–512. Springer, Heidelberg (2014). http://dx.doi.org/10.1007/978-3-642-54833-8_26
Boudol, G.: Secure information flow as a safety property. In: Degano, P., Guttman, J., Martinelli, F. (eds.) FAST 2008. LNCS, vol. 5491, pp. 20–34. Springer, Heidelberg (2009). http://dx.doi.org/10.1007/978-3-642-01465-9_2
Bronevetsky, G.: Communication-sensitive static dataflow for parallel message passing applications. In: Proceedings of the CGO 2009, The Seventh International Symposium on Code Generation and Optimization, pp. 1–12, Seattle, Washington, USA, 22–25 March 2009. IEEE Computer Society (2009). http://dx.doi.org/10.1109/CGO.2009.32
Bruni, R., Gadducci, F., Montanari, U.: Normal forms for algebras of connection. Theor. Comput. Sci. 286(2), 247–292 (2002). http://dx.doi.org/10.1016/S0304-3975(01)00318–8
Capecchi, S., Castellani, I., Dezani-Ciancaglini, M.: Typing access control and secure information flow in sessions. Inf. Comput. 238, 68–105 (2014). http://dx.doi.org/10.1016/j.ic.2014.07.005
Carbone, M., Montesi, F.: Deadlock-freedom-by-design: multiparty asynchronous global programming. In: Giacobazzi, R., Cousot, R. (eds.) The 40th Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2013), pp. 263–274. ACM (2013). http://doi.acm.org/10.1145/2429069.2429101
Castagna, G., Dezani-Ciancaglini, M., Padovani, L.: On global types and multi-party session. Log. Methods Comput. Sci. 8(1), 1–45 (2012). http://dx.doi.org/10.2168/LMCS-8(1:24)2012
Cohen, E.: Information transmission in computational systems. In: Sixth ACM Symposium on Operating Systems Principles, SOSP 1977, pp. 133–139. ACM, New York, NY, USA (1977). http://doi.acm.org/10.1145/800214.806556
Corradini, A., Gadducci, F.: An algebraic presentation of term graphs, via GS-monoidal categories. Appl. Categorical Struct. 7(4), 299–331 (1999). http://dx.doi.org/10.1023/A:1008647417502
Dean, J., Ghemawat, S.: Mapreduce: simplified data processing on large clusters. Commun. ACM 51(1), 107–113 (2008)
Dezani-Ciancaglini, M., Ghilezan, S., Jakśić, S., Pantović, J.: Types for role-based access control of dynamic web data. In: Mariño, J. (ed.) WFLP 2010. LNCS, vol. 6559, pp. 1–29. Springer, Heidelberg (2010)
Dezani-Ciancaglini, M., Horne, R., Sassone, V.: Tracing where and who provenance in linked data: a calculus. Theor. Comput. Sci. 464, 113–129 (2012). http://dx.doi.org/10.1016/j.tcs.2012.06.020
Gadducci, F.: Graph rewriting for the pi-calculus. Math. Struct. Comput. Sci. 17(3), 407–437 (2007). http://dx.doi.org/10.1017/S096012950700610X
Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20 (1982)
Gopalakrishnan, G., Kirby, R.M., Siegel, S.F., Thakur, R., Gropp, W., Lusk, E.L., de Supinski, B.R., Schulz, M., Bronevetsky, G.: Formal analysis of MPI-based parallel programs. Commun. ACM 54(12), 82–91 (2011). http://doi.acm.org/10.1145/2043174.2043194
Honda, K., Marques, E.R.B., Martins, F., Ng, N., Vasconcelos, V.T., Yoshida, N.: Verification of MPI programs using session types. In: Träaff, J.L., Benkner, S., Dongarra, J.J. (eds.) EuroMPI 2012. lncs, vol. 7490, pp. 291–293. Springer, Heidelberg (2012). http://dx.doi.org/10.1007/978-3-642-33518-1_37
Honda, K., Yoshida, N., Carbone, M.: Multiparty asynchronous session types. In: Necula, G.C., Wadler, P. (eds.) 35th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2008), pp. 273–284. ACM (2008). http://doi.acm.org/10.1145/1328438.1328472
Lanese, I., Guidi, C., Montesi, F., Zavattaro, G.: Bridging the gap between interaction- and process-oriented choreographies. In: Cerone, A., Gruner, S. (eds.) Sixth IEEE International Conference on Software Engineering and Formal Methods, SEFM 2008, pp. 323–332, Cape Town, South Africa, 10–14 November 2008. IEEE Computer Society (2008). http://dx.doi.org/10.1109/SEFM.2008.11
Lohmann, N., Wolf, K.: Decidability results for choreography realization. In: Kappel, G., Maamar, Z., Motahari-Nezhad, H.R. (eds.) ICSOC 2011. LNCS, vol. 7084, pp. 92–107. Springer, Heidelberg (2011). http://dx.doi.org/10.1007/978-3-642-25535-9_7
Montesi, F.: Choreographic Programming. Ph.D. thesis, IT University of Copenhagen (2013). http://www.fabriziomontesi.com/files/m13_phdthesis.pdf
Myers, A.C., Liskov, B.: A decentralized model for information flow control. In: SOSP. pp. 129–142 (1997). http://doi.acm.org/10.1145/268998.266669
Nielson, F., Nielson, H.R., Hankin, C.: Principles of Program Analysis. Springer, Heidelberg (1999)
Acknowledgement
We would like to dedicate this work to José Meseguer, for his inspiring and influencing works in the areas of Concurrency Theory, Algebraic Specifications and Security. We hope that José will understand (and forgive!) the absence of a non-interference result in our work. The first author would like to express his gratitude to José for honouring him with his friendship and giving him the unique experience of scientific collaboration. The first author is also grateful to Fabrizio Montesi, Emilio Tuosto and Marco Carbone for fruitful feedback on early versoins of this work, and to the organizers of the BETTY COST Action for their gentle invitation to present an early version of the work in a meeting.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
A Graphs with Interfaces
A Graphs with Interfaces
We recall and adapt a few definitions concerning graphs, and their extension with interfaces, referring to [6, 11, 15] for a more detailed presentation.
Definition 10
(graphs). A is a four-tuple \(\langle V, E, s, t \rangle \) where V is the set of nodes, E is the set of edges and \(s, t : E \rightarrow V\) are the source and target functions. A graph morphism is a pair of functions \(\langle f_V, f_E \rangle \) preserving the source and target functions, i.e. \(f_V \circ s = s \circ f_E\) and \(f_V \circ t = t \circ f_E\).
Definition 11
(graphs with interfaces). A graph with interfaces is a span of graph morphisms \(I \xrightarrow {_{i}} G \xleftarrow {_{o}} O\), where G is a body graph, I and O are the input and output graph interfaces, and \(i: I \rightarrow G\), \(o: O \rightarrow G\) are the input and output graph morphisms. An interface graph morphism \(f:\mathbb {G} \Rightarrow \mathbb {H}\) is a triple of graph morphisms \(\langle f_I, f, f_O \rangle \), preserving the input and output morphisms.
With an abuse of notation, we sometimes refer to the image of the input and output morphisms as inputs and outputs, respectively, and we use the term graph to refer to abbreviate graphs with interfaces. We restrict our attention to graphs with discrete interfaces, i.e., such that their set of edges is empty.
The following definitions define the sequential and parallel composition of graphs with interfaces, whose informal description can be found in Sect. 4.
Definition 12
(sequential composition of graphs). Let \(\mathbb {G}=I \xrightarrow {_{i}} G \xleftarrow {_{j}} J\) and \(\mathbb {G'}=J \xrightarrow {_{j'}} G' \xleftarrow {_{o}} O\) be graphs with interfaces. Then, their sequential composition is the graph  \(\mathbb {G} \circ \mathbb {G'}= I \xrightarrow {_{i'}} G'' \xleftarrow {_{o'}} O\), for \(G''\) the disjoint union \(G \uplus G'\), modulo the equivalence on nodes induced by \(j(x) = j'(x)\) for all \(x \in N_{J}\), and \(i', o'\) the uniquely induced arrows.
Definition 13
(parallel composition of graphs). Let \(\mathbb {G} = I \xrightarrow {_{i}} G \xleftarrow {_{o}} O\) and \(\mathbb {H} = I' \xrightarrow {_{i'}} H \xleftarrow {_{o'}} O'\) be two graphs with interfaces. Then, their parallel composition is the gwdi \(\mathbb {G} \otimes \mathbb {H}= (I \cup I')\xrightarrow {_{i''}} G' \xleftarrow {_{o''}} (O \cup O')\), for \(G'\) the disjoint union \(G \uplus H\), modulo the equivalence on nodes induced by \(o(y) = o'(y)\) for all \(y \in N_{O} \cap N_{O'}\) and \(i(y) = i'(y)\) for all \(y \in N_{I} \cap N_{I'}\), and \(i'', o''\) the uniquely induced arrows.
With an abuse of notation, the set-theoretic operators are defined component-wise. The operations are concretely defined, modulo the choice of canonical representatives for the set-theoretic operations: the result is independent of such a choice, up-to isomorphism of the body graphs.
A graph expression is a term over the syntax containing all graphs with discrete interfaces as constants, and parallel and sequential composition as binary operators. An expression is well-formed if all occurrences of those operators are defined for the interfaces of their arguments, according to Definitions 12 and 13; its interfaces are computed inductively from the interfaces of the graphs occurring in it, and its value is the graph obtained by evaluating all operators in it. For the axiomatic properties of the operations (e.g. associativity, identity of \(\circ \), associativity, commutativity and identity of \(\otimes \)) we refer to [6, 11].
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Lluch Lafuente, A., Nielson, F., Nielson, H.R. (2015). Discretionary Information Flow Control for Interaction-Oriented Specifications. In: MartÃ-Oliet, N., Ölveczky, P., Talcott, C. (eds) Logic, Rewriting, and Concurrency. Lecture Notes in Computer Science(), vol 9200. Springer, Cham. https://doi.org/10.1007/978-3-319-23165-5_20
Download citation
DOI: https://doi.org/10.1007/978-3-319-23165-5_20
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-23164-8
Online ISBN: 978-3-319-23165-5
eBook Packages: Computer ScienceComputer Science (R0)