Using Dynamic Pushdown Networks to Automate a Modular Information-Flow Analysis

  • Heiko Mantel
  • Markus Müller-Olm
  • Matthias PernerEmail author
  • Alexander Wenner
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9527)


In this article, we propose a static information-flow analysis for multi-threaded programs with shared memory communication and synchronization via locks. In contrast to many prior analyses, our analysis does not only prevent information leaks due to synchronization, but can also benefit from synchronization for its precision. Our analysis is a novel combination of type systems and a reachability analysis based on dynamic pushdown networks. The security type system supports flow-sensitive tracking of security levels for shared variables in the analysis of one thread by exploiting assumptions about variable accesses by other threads. The reachability analysis based on dynamic pushdown networks verifies that these assumptions are sound using the result of an automatic guarantee inference. The combined analysis is the first automatic static analysis that supports flow-sensitive tracking of security levels while being sound with respect to termination-sensitive noninterference.


Information-flow security Concurrency Static analysis 



This work was funded by the DFG under the projects RSCP (MA 3326/4-1/2/3) and IFC4MC (MU 1508/2-1/2/3) in the priority program RS\(^3\) (SPP 1496) and under project OpIAT (MU 1508/1-1/2).


  1. 1.
    Andrews, G., Reitman, R.: An axiomatic approach to information flow in programs. ACM Trans. Program. Lang. Syst. 2(1), 56–76 (1980)CrossRefzbMATHGoogle Scholar
  2. 2.
    Arden, O., Chong, S., Liu, J., Myers, A.C., Nystrom, N., Vikram, K., Zdancewic, S., Zhang, D., Zheng, L.: Jif. Software release: (2014)
  3. 3.
    Askarov, A., Chong, S., Mantel, H.: Hybrid monitors for concurrent noninterference. In: 28th IEEE Computer Security Foundations Symposium, pp. 137–151 (2015)Google Scholar
  4. 4.
    Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: 13th European Symposium on Research in Computer Security, pp. 333–348 (2008)Google Scholar
  5. 5.
    Broberg, N., van Delft, B., Sands, D.: Paragon for practical programming with information-flow control. In: Shan, C. (ed.) APLAS 2013. LNCS, vol. 8301, pp. 217–232. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  6. 6.
    Giffhorn, D., Snelting, G.: A new algorithm for low-deterministic security. International Journal of Information Security pp. 1–25 (2014)Google Scholar
  7. 7.
    Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8(6), 399–422 (2009)CrossRefGoogle Scholar
  8. 8.
    Huisman, M., Blondeel, H.-C.: Model-checking secure information flow for multi-threaded programs. In: Mödersheim, S., Palamidessi, C. (eds.) TOSCA 2011. LNCS, vol. 6993, pp. 148–165. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  9. 9.
    Lammich, P., Müller-Olm, M., Wenner, A.: Predecessor sets of dynamic pushdown networks with tree-regular constraints. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 525–539. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  10. 10.
    Mantel, H., Sands, D., Sudbrock, H.: Assumptions and guarantees for compositional noninterference. In: 24th IEEE Computer Security Foundations Symposium, pp. 218–232 (2011)Google Scholar
  11. 11.
    Mantel, H., Sudbrock, H., Kraußer, T.: Combining different proof techniques for verifying information flow security. In: Puebla, G. (ed.) LOPSTR 2006. LNCS, vol. 4407, pp. 94–110. Springer, Heidelberg (2007) CrossRefGoogle Scholar
  12. 12.
    Myers, A.C.: JFlow: practical mostly-static information flow control. In: 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 228–241 (1999)Google Scholar
  13. 13.
    Ngo, T.M., Stoelinga, M., Huisman, M.: Confidentiality for probabilistic multi-threaded programs and its verification. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 107–122. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  14. 14.
    Sabelfeld, A.: The impact of synchronisation on secure information flow in concurrent programs. In: Bjørner, D., Broy, M., Zamulin, A.V. (eds.) PSI 2001. LNCS, vol. 2244, pp. 225–239. Springer, Heidelberg (2001) CrossRefGoogle Scholar
  15. 15.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRefGoogle Scholar
  16. 16.
    Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: 13th IEEE Computer Security Foundations Workshop, pp. 200–214 (2000)Google Scholar
  17. 17.
    Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 355–364 (1998)Google Scholar
  18. 18.
    Sudbrock, H.: Compositional and Scheduler-Independent Information Flow Security. Ph.D. thesis, Technische Universität Darmstadt, Germany (2013)Google Scholar
  19. 19.
    Terauchi, T.: A type system for observational determinism. In: 21st IEEE Computer Security Foundations Symposium, pp. 287–300 (2008)Google Scholar
  20. 20.
    Vaughan, J., Millstein, T.: Secure information flow for concurrent programs under total store order. In: 25th IEEE Computer Security Foundations Symposium, pp. 19–29 (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Heiko Mantel
    • 1
  • Markus Müller-Olm
    • 2
  • Matthias Perner
    • 1
    Email author
  • Alexander Wenner
    • 2
  1. 1.Computer Science DepartmentTU DarmstadtDarmstadtGermany
  2. 2.Institut Für InformatikWestfälische Wilhelms-Universität MünsterMünsterGermany

Personalised recommendations