Section: New Results
Participants : Ilaria Castellani, Bernard Serpette [correspondant] , José Santos.
Stateful Declassification Policies for Event-Driven Programs
Report and mechanization can be found in http://people.cs.kuleuven.be/~mathy.vanhoef/declass .
Report can be found in http://www-sop.inria.fr/indes/ifJS . See also software section.
Modular Extensions of Security Monitors for Web APIs: The DOM API Case Study
Report can be found in http://www-sop.inria.fr/indes/ifJS .
A Certified Lightweight Non-Interference Java Bytecode Verifier
We propose a type system to verify the non-interference property in the Java Virtual Machine. We verify the system in the Coq theorem prover.
Noninterference guarantees the absence of illicit information flow throughout program execution. It can be enforced by appropriate information flow type systems. Much of the previous work on type systems for non-interference has focused on calculi or high-level programming languages, and existing type systems for low-level languages typically omit objects, exceptions and method calls. We define an information flow type system for a sequential JVM-like language that includes all these programming features, and we prove, in the Coq proof assistant, that it guarantees non-interference. An additional benefit of the formalisation is that we have extracted from our proof a certified lightweight bytecode verifier for information flow. Our work provides, to the best of our knowledge, the first sound and certified information flow type system for such an expressive fragment of the JVM.
This work appeared in the journal of Mathematical Structures in Computer Science  .
Session types for liveness and security
Within the COST Action BETTY, we have started studying the interplay between liveness properties and secure information flow properties in session calculi, in collaboration with a colleague from Torino University. Recent developments in static analysis techniques have shown that behavioural types, and in particular session types, may be used to enforce liveness properties of communicating systems. Examples of such properties are deadlock freedom, eventual message delivery and session termination. Because secure information flow in communicating systems depends on the observation of messages, there is a clear connection between information flow analysis and the liveness properties of the systems under consideration. We have been examining the joint application of liveness enforcement and secure information flow analysis in session calculi. It appears that, by strengthening the assumptions on the liveness of systems, it is possible to relax the conditions under which a system satisfies secure information flow properties. This is ongoing work, which is expected to continue within the BETTY Action.
Noninterference in reactive synchronous languages
We defined two properties of Reactive Noninterference (RNI) for a core synchronous reactive language called CRL formalising secure information flow. Both properties are time-insensitive and termination-insensitive. Again, coarse-grained RNI is more abstract than fine-grained RNI.
Finally, a type system guaranteeing both security properties was presented. Thanks to a design choice of CRL, which offers two separate constructs for loops and iteration, and to refined typing rules, this type system allows for a precise treatment of termination leaks, which are an issue in parallel languages.
This work has been presented at the International Symposium on Trustworthy Global Computing (TGC 2013)  . It is also described in Attar's PhD thesis pejman:tel-00920152.