A weakest precondition approach to active attacks analysis

Authors:
Musard Balliu;Isabella Mastroeni
Affiliations:
Royal Institute of Technology (KTH), Stockholm, Sweden;Università di Verona, Verona, Italy
Venue:
Proceedings of the ACM SIGPLAN Fourth Workshop on Programming Languages and Analysis for Security
Year:
2009

Citing 10
Cited 2

The formal semantics of programming languages: an introduction

The formal semantics of programming languages: an introduction
Guarded commands, nondeterminacy and formal derivation of programs

Communications of the ACM
Protecting privacy using the decentralized label model

ACM Transactions on Software Engineering and Methodology (TOSEM)
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
A Discipline of Programming

A Discipline of Programming
Systematic design of program analysis frameworks

POPL '79 Proceedings of the 6th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Robust Declassification

CSFW '01 Proceedings of the 14th IEEE workshop on Computer Security Foundations
Decentralized Robustness

CSFW '06 Proceedings of the 19th IEEE workshop on Computer Security Foundations
What You Lose is What You Leak: Information Leakage in Declassification Policies

Electronic Notes in Theoretical Computer Science (ENTCS)
Language-based information-flow security

IEEE Journal on Selected Areas in Communications

A weakest precondition approach to robustness

Transactions on computational science X
A semantic framework for declassification and endorsement

ESOP'10 Proceedings of the 19th European conference on Programming Languages and Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

Information flow controls can be used to protect both data confidentiality and data integrity. The certification of the security degree of a program that runs in untrusted environments still remains an open problem in language-based security. The notion of robustness asserts that an active attacker, who can modify program code in some fixed points (holes), is not able to disclose more private information than a passive attacker, who merely observes public data. In this paper, we extend a method recently proposed for checking declassified non-interference in presence of passive attackers only, in order to check robustness by means of the weakest precondition semantics. In particular, this semantics simulates the kind of analysis that can be performed by an attacker, i.e., from the public output towards the private input. The choice of the semantics lets us distinguish between different attacks models. In this paper, we also introduce relative robustness that is a relaxed notion of robustness for restricted classes of attacks.