Dependent Type Theory for Verification of Information Flow and Access Control Policies

Aleksandar Nanevski, Anindya Banerjee, Deepak Garg
2013 ACM Transactions on Programming Languages and Systems  
We present Relational Hoare Type Theory (RHTT), a novel language and verification system capable of expressing and verifying rich information flow and access control policies via dependent types. We show that a number of security policies which have been formalized separately in the literature can all be expressed in RHTT using only standard type-theoretic constructions such as monads, higher-order functions, abstract types, abstract predicates, and modules. Example security policies include
more » ... ditional declassification, information erasure, and state-dependent information flow and access control. RHTT can reason about such policies in the presence of dynamic memory allocation, deallocation, pointer aliasing and arithmetic. A. Nanevski et al. considered (e.g., [Askarov and Myers 2010; Banerjee et al. 2008; Broberg and Sands 2010] ), policy conformance is typically formalized for simple languages without important programming features such as dynamic allocation, mutable state and pointer aliasing, or without modern modularity mechanisms that aid programming in the large. There has been little work on confidentiality policies pertaining to linked data structures (lists, trees, graphs, etc.), and even less work exists for structures that are heterogeneous; that is, data structures that contain mixed secret and public data as well as mixed secret and public links. Third, despite their efficiency, enforcement mechanisms are often imprecise in their handling of implicit information flow (that arises due to program control structures such as conditionals or procedure calls) and reject perfectly secure programs. In this article we revisit the foundations of information flow-its specification as well as its static enforcement-and address the given challenges of policy specificity, language expressiveness and precision, simultaneously. The key insight of our work is that all the three problems can be addressed using standard linguistic features from dependent type theory [Martin-Löf 1984] : (a) higher-order functions, abstract data types and modules, that provide for software engineering concepts such as abstraction and information hiding, and (b) a logic for higher-order assertions, including quantification over predicates, that serves as the foundation for a rich policy specification language. We additionally consider an extension of dependent types with (c) general recursion, mutable state, dynamic allocation, and pointer aliasing. We use the dependent types as a policy specification language, and typechecking (i.e., program verification) to enforce conformance of programs to policy. As is standard in type theory, we assume that programs are typechecked before they are executed. As our first contribution, we show that a number of security policies which have been previously considered in isolation, such as declassification [Chong and Myers 2004; Sabelfeld and Sands 2009], information erasure [Chong and Myers 2005, 2008], statedependent access control [Borgström et al. 2011b; Broberg and Sands 2010] and statedependent information flow policies [Banerjee et al. 2008], can be combined in the same system using the mentioned type-theoretic abstractions. We explain this point further on, and illustrate it through several verified examples in the article. As our second contribution, we show that these policies can be enforced in the presence of dynamic allocation, deallocation, and pointer aliasing, and in particular, over programs involving linked, heterogeneous data structures. To achieve this, we employ a semantic definition of what constitutes confidential (high) vs. public (low) data, in contrast to most related work where variables are syntactically labeled with a desired security level [Myers 1999; Volpano et al. 1996 ]. The semantic characterization allows the same variable or pointer to contain data of different security levels at different points in program execution, which gives us the needed flexibility of enforcement. The semantic characterization also facilitates precise specification of programs with implicit information flow such as procedure calls or (possibly nested) conditionals. Our third and technically central contribution is a novel verification system, Relational Hoare Type Theory (RHTT), that integrates a programming language and a logic into a common substrate underlying all of (a)-(c) as presented. In more detail, RHTT provides (a) and (b) by including the type theory of the Calculus of Inductive Constructions (CiC) [Coq development team 2009, Chapter 4], as implemented in the Coq proof assistant. To provide for (c), RHTT introduces a novel type constructor STsec, which classifies side-effectful computations similar to Haskell monads [Peyton Jones and Wadler 1993] , except that the STsec monad is indexed with a precondition and a postcondition, as in a Hoare triple. STsec types separate the imperative from the purely functional fragment of the type theory, ensuring soundness of their combination. 1 The semantic model (Section 3.3) and the logic for discharging verification conditions (Section 4) are additional material not present in the conference version of the article [Nanevski et al. 2011] . A worked-out example (Section 4.4) shows how the logic is used.
doi:10.1145/2491522.2491523 fatcat:jbtjngt3e5fdtkvyntam2bx33u