Verification of Information Flow and Access Control Policies with Dependent Types

被引：38

作者：

Nanevski, Aleksandar ^{[1
]}

Banerjee, Anindya ^{[1
]}

Garg, Deepak ^{[2
]}

机构：

[1] IMDEA Software Inst, Madrid, Spain

[2] Carnegie Mellon Univ, Pittsburgh, PA 15213 USA

来源：

2011 IEEE SYMPOSIUM ON SECURITY AND PRIVACY (SP 2011) | 2011年

关键词：

Information Flow; Access Control; Type Theory;

D O I：

10.1109/SP.2011.12

中图分类号：

TP [自动化技术、计算机技术];

学科分类号：

0812 ;

摘要：

We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include conditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. The system, theorems and examples have all been formalized in Coq.

引用

页码：165 / 179

页数：15

共 50 条

[1] Dependent Type Theory for Verification of Information Flow and Access Control Policies
Nanevski, Aleksandar
Banerjee, Anindya
Garg, Deepak
ACM TRANSACTIONS ON PROGRAMMING LANGUAGES AND SYSTEMS, 2013, 35 (02):
[2] Detecting violations of access control and information flow policies in data flow diagrams
Seifermann, Stephan
Heinrich, Robert
Werle, Dominik
Reussner, Ralf
JOURNAL OF SYSTEMS AND SOFTWARE, 2022, 184
[3] Dynamic Access Control Policies: Specification and Verification
Janicke, H.
Cau, A.
Siewe, F.
Zedan, H.
COMPUTER JOURNAL, 2013, 56 (04) : 440 - 463
[4] Dependent Information Flow Types
Lourenco, Luisa
Caires, Luis
ACM SIGPLAN NOTICES, 2015, 50 (01) : 317 - 328
[5] UML specification of access control policies and their formal verification
Koch M.
Parisi-Presicce F.
Software & Systems Modeling, 2006, 5 (4) : 429 - 447
[6] A Formal Approach for the Verification of AWS IAM Access Control Policies
Zahoor, Ehtesham
Asma, Zubaria
Perrin, Olivier
SERVICE-ORIENTED AND CLOUD COMPUTING (ESOCC 2017), 2017, 10465 : 59 - 74
[7] Automated verification of access control policies using a SAT solver
Graham Hughes
Tevfik Bultan
International Journal on Software Tools for Technology Transfer, 2008, 10 (6) : 503 - 520
[8] A comprehensive approach to the automatic refinement and verification of access control policies
Cherninod, Manuel
Durante, Luca
Seno, Lucia
Valenza, Fulvio
Valenzano, Adriano
COMPUTERS & SECURITY, 2019, 80 : 186 - 199
[9] The development of access control policies for information technology systems
Ward, P
Smith, CL
COMPUTERS & SECURITY, 2002, 21 (04) : 356 - 371
[10] Toward Formal Verification of Role-Based Access Control Policies
Jha, Somesh
Li, Ninghui
Tripunitara, Mahesh
Wang, Qihua
Winsborough, William H.
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, 2008, 5 (04) : 242 - 255

← 1 2 3 4 5 →