A New Enforcement on Declassification with Reachability Analysis

A Ne w Enforcement on Decla ssification with Reachabili ty A nalysis Cong Sun Liyong T ang Zhong Chen Institute of Software, School of E lectronics Engineering a nd Computer Scienc e, Pek ing Uni versity , China Ke y Lab oratory o f High Confid ence Software T echnolog ies, Ministry of E ducation , China Ke y Lab oratory o f Network and Software Secu rity Assurance, Ministry of Educatio n, China Email: { suncon g,tly ,ch en } @info sec.pku.edu.cn Abstract —Language-based informa tion flow security aims to decide whether an action-observ able progra m can unintentionally leak confidential info rmation if it has the authority to access confidential data. Recent concer ns about declassification polices hav e p ro vided many choices for practical int ended information release, but more precise enfor cement mechanism fo r these policies is insufficientl y stud ied. In t his paper , w e propose a security property on the where-dimension of declassification and present an enf orcem ent based on automated verification. The approach automatically transfor ms the abstract model with a variant of self-composition, and checks th e reachability of illegal- flow state of the model after transforma tion. The self- composition is equi pped with a store-match pattern to reduce the state space and to model th e equivalence of declassified expressions in the premise of property . The ev aluation shows th at our approach is more precise than t ype-based enfor cement. Index T erms —inf ormation flo w security; declassification; push- down system; p rogra m analysis I . I N T R O D U C T I O N Inform ation flow security is concer ned with finding n ew technique s to en sure that the co nfidential data will no t be illegally leaked to the pub lic o bservation. T he topic is popular at both lang uage level and op erating system level. La nguag e- based techn iques have been pervasiv ely adopted in the stud y on infor mation flow security . This is comp rehensively sur- veyed in [ 1]. Noninter ference [2] is commonly known as the baseline property of inform ation flow security . The sema ntic- based definition of n oninterf erence [3] on batch-job model characterizes a secu rity co ndition specifying that the system behavior is indistinguishable from a perspective of attacker regardless of th e con fidential inpu ts. Non interferen ce is crit- icized for the restriction th at forbids any flow fro m high to low . It will influ ence the usability o f system because the de- liberate relea se is pervasi ve in many situ ations, e.g . password authenticatio n, onlin e shoppin g an d encry ption. T herefor e, it is important to specify more relaxed and practical po licies for r eal application scen arios and d evelop precise enf orcemen t mechanisms for these policies. The confidentiality asp ect o f in formatio n downgrading, i.e. declassification [4], allows infor mation re lease with different intentions along fo ur dimensions [5]: what is released, wher e does the release h appen , when the inform ation can be released and who releases it. Th e security policy we propo se is on the where-dim ension. On this dimension , there have been several polices, e. g. intransitive no ninterfer ence [6], non- disclosur e [7], WHERE [8], fl ow lo cks [9], and gradua l r elease [1 0]. Each of them leverages a certain cate gory of type system to enforce the secur ity p olicy . In this work, we first use an app roach based on automate d verification to enfor ce declassification policy on the where- dimension. As a flow-sensiti ve and context-sen siti ve tech- nique, a utomated verification h as bee n u sed as an enforceme nt to nonin terferenc e on both imp erative lan guages [11,12] and object-or iented lang uages [13,14]. In these works declassifi- cation is only discussed in [1 2], wher e the specific pro perty r e laxed n oninterference [15] is m ostly o n th e what-dimension . The approaches based on automated verificatio n usually rely on som e form of self- compo sition [11] that comp oses the progr am model with a variable-rename d copy to r educe the security pr operty on original model to a safety property on the m odel after transfor mation. In our p revious work [14], we have d eveloped a fr amework th at uses reachability analysis to ease the specification of temporal logic form ula o r the man ual assertion encod ing partial correctn ess judgement. The self- composition doubles the size of m emory stor e and largely increases the state space of model. When the I/O ch annels are considered , this effect becomes more serio us since each store of channel is mo deled explicitly . On the other hand , th e security pr operty o ften req uires the equiv alence of declassified expressions to be satisfied. Theref ore in our enforcem ent we propo se a store-match pattern to 1. av o id duplicating th e output channels, and 2. facilitate the self-com position by modeling the equ iv a lence of decla ssified expressions in th e pr emise of security property . W e also e valuated the similarity of th e proper ties and the p reciseness of our enforce ment mech anism compare d with type sy stem. The m ain co ntributions of th e pa per inclu de: ( i) W e p ropo se a mo re relaxed security pro perty enforceab le with autom ated verification on the wh ere-dimen sion; (ii) W e g iv e a flow- sensiti ve an d c ontext-sensitive en forcem ent based on rea cha- bility analysis of pushdown system. W e show the mechanism is mor e precise than type-based app roaches; (iii) W e pr opose a store-match pattern that can b e in commo n u se for automated verifications to r educe the state spac e of mod el and the cost of security an alysis. The rest of the paper is organized as fo llows. In Section II, we introduce the language model an d the baseline p roperty . e ::= v | x | e ⊕ e ′ C ::= skip | x := e | x := declass ( e ) | if e then C else C ′ | while e do C | C ; C ′ | input ( x, I i ) | output ( e, O i ) Fig. 1. Program Syntax ( µ, I , O , p, q , skip ; C ) → ( µ, I , O , p, q , C ) µ ( e ) = v ( µ, I , O , p, q , x := e ; C ) → ( µ [ x 7→ v ] , I , O , p , q , C ) µ ( e ) = b ( µ, I , O , p, q , if e then C true else C false ) → ( µ, I , O , p, q , C b ) µ ( e ) = true ( µ, I , O , p , q, while e do C ) → ( µ, I , O , p, q , C ; while e do C ) µ ( e ) = false ( µ, I , O , p , q, while e do C ) → ( µ, I , O , p, q , skip ) ( µ, I , O , p, q , C 1 ) → ( µ ′ , I ′ , O ′ , p ′ , q ′ , C ′ 1 ) ( µ, I , O , p , q, C 1 ; C 2 ) → ( µ ′ , I ′ , O ′ , p ′ , q ′ , C ′ 1 ; C 2 ) I i [ p i ] = v p ′ i = p i + 1 ( µ, I , O , p, q , input ( x, I i ); C ) → ( µ [ x 7→ v ] , I , O , p ′ , q , C ) µ ( e ) = O ′ i [ q i ] q ′ i = q i + 1 ( µ, I , O , p, q , output ( e, O i ); C ) → ( µ, I , O ′ , p, q ′ , C ) µ ( e ) = v σ ( e )  σ ( x ) ( µ, I , O , p , q, x := dec lass ( e ); C ) → ( µ [ x 7→ v ] , I , O , p, q , C ) µ ( e ) = v σ ( x ) ≺ σ ( e ) σ ( e ) σ ( x ) ( µ, I , O , p, q , x := dec lass ( e ); C ) → d ( µ [ x 7→ v ] , I , O , p , q , C ) Fig. 2. Opera tional Semantics In Sectio n II I, we define the where-security an d prove the complianc e of property with the pru dent principles. Section IV describes the enforcemen t me chanism. W e show th e e valuation in Section V and conclu de in Section V I. I I . P R O G R A M M O D E L A N D B A S E L I N E P R O P E RT Y W e u se a sequential imper ativ e lang uage with I/O channels as the presentation language to illustrate our a pproach . The syntax is listed in Fig.1. The language is determ inistic. The primitive declass stands for declassification that do wngrad es the confidential data of expression e to be assigned to variable x with a lower security do main. Here x can be considered as a low-lev el sink of data o bservable to the attac ker . I and O are respectively the set of inpu t an d output chan nels. They ar e formally defined as a ma pping from each channel iden tifier i to a linear list, e.g. I i resp. O i . The co mmand input ( x, I i ) indicates that the inpu t from I i is assigned to x , an d the command o utput ( e, O i ) stor es the value o f expr ession e into the correct p osition of O i . The c omputatio n is modeled by the sma ll-step operatio nal semantics in Fig.2. The inductive rules are defined over configur ations of th e form ( µ, I , O , p, q , C ) . µ : V ar 7→ N is a memor y store map ping variables to values and C is the command to b e executed. p and q are set of ind ices. p i denotes the index of n ext ele ment to be inpu t f rom I i , and q i is th e index o f locatio n o f O i where the next outp ut value will be stored. The elements in p an d q are explicitly increased by the computatio n of inputs an d outputs. The security po licy is a tup le ( D ,  , , σ ) wh ere ( D ,  ) is a finite security lattice on security domain s and is an excep- tional downgrad ing relation of security dom ains ( ∩  = ∅ ) statically g athered f rom the pr ogram. Let σ : V ar ∪ I ∪ O 7→ D be the map ping from I/O chan nels and variables to security domains, and let σ ( e ) ≡ F x ∈ e σ ( x ) be th e least upp er bo und of the security domain s of variables containe d in e . When com- mand x := declass ( e ) in program ha s σ ( x ) ≺ σ ( e ) , the declass operation perform s a r eal downgrading from some variable in e and only th en an element ( σ ( e ) , σ ( x )) is c ontained in the relation , oth erwise the operation is iden tical to an o rdinary assignment. W e label th e tran sition of declassification with → d in Fig.2. The secur ity po licy is dif ferent fro m the MLS policy with exceptio ns prop osed in [6 ,8,16], where the set o f exceptional relation s is independen t to the declassification operation s. I n our p olicy the exceptions are gath ered from the declass commands. Our tre atment is reasonable since developer should h av e rig ht to d ecide the exception wh en th ey use the primitive declass explicitly . This is also suppo rted in other work, e.g. [17]. W e specify non interfer ence with the semantic-based PER- model [3 ]. Intuitiv ely speakin g, it specifies a relation b etween states of a ny two corr elativ e r uns of program , which is variation in the confidential initial state cannot cause variation in the pub lic final state. In anoth er word , the runs starting from indistinguish able initial states derive indistinguish able final states a s well. For the la nguag e with I /Os, the indistin- guishability relatio n on memory stores an d I/O channels with respect to ce rtain security doma in ℓ is defined as below . Definition 1 ( ℓ -indisting uishability) . Memory sto r e µ i and µ j ar e indistingu ishable on ℓ ( ℓ ∈ D ) , denoted by µ i ∼ ℓ µ j , iff ∀ x ∈ V ar .σ ( x )  ℓ ⇒ µ i ( x ) = µ j ( x ) . F or input channel I i and I j , I i ∼ ℓ I j iff ( σ ( I i ) = σ ( I j )  ℓ ) ∧ ( p i = p j ∧ ∀ 0 ≤ k < p i . I i [ k ] = I j [ k ]) . S imilarly , for output channel O i and O j , O i ∼ ℓ O j iff ( σ ( O i ) = σ ( O j )  ℓ ) ∧ ( q i = q j ∧ ∀ 0 ≤ k < q i . O i [ k ] = O j [ k ]) . For the two observable channels with same security domain , the indistingu ishable linear lists should have the same leng th and identical conten t. Let I ℓ be the set of input channe ls with security do main ℓ ′ ( ℓ ′  ℓ ) . If th e set I an d I ′ have the sam e d omain, e.g. as the inputs o f th e sam e p rogram , we can u se I ∼ ℓ I ′ to expr ess ∀ i. I i ∈ I ℓ ⇒ I i ∼ ℓ I ′ i . The noninter ference formalized here takes into co nsideration the I/O chan nels an d is therefore different from what for batch- job model [ 1]. I t is given as follows. Definition 2 (Noninter ference) . Pr ogram P satisfies n oninter- fer ence w .r .t. secu rity domain ℓ 0 , iff ∀ ℓ  ℓ 0 , we h ave ∀I , µ, I ′ , µ ′ , O f , µ f . ( µ, I , O , p, q , P ) → ∗ ( µ f , I , O f , p f , q f , skip ) ∧ I ∼ ℓ I ′ ∧ µ ∼ ℓ µ ′ ! ⇒ ∃O ′ f , µ ′ f . ( µ ′ , I ′ , O ′ , p ′ , q ′ , P ) → ∗ ( µ ′ f , I ′ , O ′ f , p ′ f , q ′ f , skip ) ∧ O f ∼ ℓ O ′ f ∧ µ f ∼ ℓ µ ′ f ! . In this de finition, th e n oninterf erence proper ty is related to a secu rity d omain ℓ 0 . The content of chan nels with security domain ℓ ′ ( ℓ ′ ≻ ℓ 0 ) is u nobservable and irr elev ant to the proper ty . A mor e spec ific way to define noninter ference is to require ℓ 0 = F D . That means the pro position in Definition 2 has to be satisfied f or e ach secu rity domain in D . W e u se this definition in the following. Our d efinition ado pts a manner to consider th e ind istinguishability of the in itial and final states but not to characterize the relation in each co mputation step as d id b y th e bisimu lation-ba sed approach [1 8]. Ano ther use of th e security domain of variables is to specify where a valid declassification occurs. This will be discussed b elow . I I I . W H E R E - S E C U R I T Y A N D P R U D E N T P R I N C I P L E S In this section, we give a security c ondition to contro l the legitimate release o f co nfidential in formatio n on the where- dimension of secu rity go als. It co nsiders bo th the co de locality where the release o ccurs a nd the level locality to wh ich secu- rity doma in the release is legal. Let ։ r epresent a (possible empty) seq uence o f d eclassification-free transitions. A trace of com putations is separated to the declassifications labeled with → d and dec lassification-free computatio n sequences. The wher e-security is for mally spec ified as below . Definition 3 (Where-Security) . P r ogram P satisfies where- security iff ∀ ℓ ∈ D , we have ∀I , µ, I ′ , µ ′ . ∃ n ≥ 0 :      ∀O n +1 , µ n +1 : ( µ, I , O , p, q , P )[ ։ ( µ k s , I , O k , p k , q k , x k := declass ( e k ); P k ) → d ( µ k t , I , O k , p k , q k , P k )] k =1 ..n ։ ( µ n +1 , I , O n +1 , p n +1 , q n +1 , skip ) ∧I ∼ ℓ I ′ ∧ µ ∼ ℓ µ ′      ⇒           ∃O ′ n +1 , µ ′ n +1 : ( µ ′ , I ′ , O ′ , p ′ , q ′ , P )[ ։ ( µ ′ k s , I ′ , O ′ k , p ′ k , q ′ k , x ′ k := declass ( e ′ k ); P ′ k ) → d ( µ ′ k t , I ′ , O ′ k , p ′ k , q ′ k , P ′ k )] k =1 ..n ։ ( µ ′ n +1 , I ′ , O ′ n +1 , p n +1 , q ′ n +1 , skip ) ∧ V k =1 ..n ( µ k s ∼ ℓ µ ′ k s ∧ µ k s ( e k ) = µ ′ k s ( e ′ k ) ⇒ µ k t ∼ ℓ µ ′ k t ) ∧  V k =1 ..n ( µ k s ( e k ) = µ ′ k s ( e ′ k )) ⇒ µ n +1 ∼ ℓ µ ′ n +1 ∧ O n +1 ∼ ℓ O ′ n +1            Intuitively speaking, wh en the ind istinguishable relation on the final states is violated , the contrap ositiv e im plies th at it is cau sed by the v ariation of d eclassified expressions. This variation is indicated valid by the prem ise our pro perty . If the leakage of confid ential information is caused by a comp utation other than the prim iti ve declass , it will be captur ed becau se without constrain ing the equality of released expression, the fi- nal indistinguisha bility cannot hold. Ou r where-secur ity prop- erty is more relaxed than WHERE [8,16] which u ses strong- bisimulation and req uires each declassification- free compu- tation step meets th e baseline noninterf erence. W e can use explicit fina l o utput of public variables to adapt th e judgem ent of µ n +1 ∼ ℓ µ ′ n +1 to the judgement of O n +1 ∼ ℓ O ′ n +1 . Sabelfeld and San ds [5] clar ify four basic p ruden t principles for declassification policies as sanity check s for the new definition: semantic consistency , con servativity , mono tonicity of r e lease , and non-o cclusion . Ou r where-secu rity pr operty can be proved to comply with the first thre e principles. L et P [ C ] rep resent a program contains command C . P [ C ′ /C ] substitutes each o ccurren ce of C in P with C ′ . Th e p rinciples with r espect to the wher e-security are defin ed as follows. Lemma 1 (Semantic Consistency) . Supp ose C an d C ′ ar e declassification -fr ee co mmands an d seman tically equ ivalent on the same domain of co nfiguration. If pr ogram P [ C ] is wher e-secur e, the P [ C ′ /C ] is wher e -secur e. Lemma 2 (Con servati vity) . If pr ogram P is wher e-secur e and P contains no declassificatio n, then P satisfies noninterfer- ence pr operty . Lemma 3 (Mon otonicity of Release) . If pr ogram P [ x := e ] is wher e-secur e, then P [ x := declass ( e ) / x := e ] is where-secur e. Corollary 1 . The wher e- security satisfies semantic consis- tency , conservativity , and monotonicity of r elease. This corollary indic ates that the where-security comp lies with th e th ree pru dent prin ciples given by the above lemm as. The pro ofs of the lemmas are pr esented in [19]. The n on- occlusion principle can not be for mally proved since a proof would requ ire a characterization o f secu re in formatio n flo w which is wh at we want to check again st the prud ent principle s. I V . E N F O R C E M E N T In this section, we provide a new enforcem ent for the where-secur ity based o n reachab ility a nalysis of symbolic pushdown system [2 0]. A pu shdown system is a stack-based state tr ansition system who se stack contained in each state can be unbo unded . It is a natu ral model of sequential pro gram with proced ures. Symbo lic pushdown system is a co mpact representatio n of p ushdown system enc oding the variables and computatio ns symbolically . Definition 4 (Symb olic Pushdown System, SPDS) . Symbolic Pushdown System is a triple P = ( G , Γ × L , ∆) . G and L ar e r espective ly the domain of glob al varia bles and local variables. Γ is the stack alphabet. ∆ is the set of symbolic pushdo wn rules {h γ i ֒ → h γ 1 · · · γ n i ( R ) | γ , γ 1 , · · · , γ n ∈ Γ ∧ R ⊆ ( G × L ) × ( G × L n ) ∧ n ≤ 2 } . The stack symb ols de note th e flo w g raph n odes o f program . The relation R specifies the variation of abstract variables before and after a single step of symbolic execution directed by the pu shdown r ules. T he o peration s o n R are comp actedly implemented with binary decision diagr ams (BDDs) [21] in Moped [22] which we u se as the back-en d verification engine. The mod el constru ction of co mmands other than I/O o p- erations is similar to the one in our pr evious work [23]. In the p ushdown system, the public channels are repr esented b y global linear lists. In another word, for a security d omain ℓ ∈ D , we o nly mo del the ch annels in I ℓ and O ℓ . T ake a input com mand f or example, if the so urce channel is I i , the pushdown rule has a fo rm of IR H for σ ( I i ) ≻ ℓ an d I R L for σ ( I i )  ℓ in T able I, where ⊥ d enotes an indefin ite v alue. T ABLE I P D S R U L E S F O R M O D E L C O N S T R U C T I O N IR H h γ j i ֒ → h γ k i ( x ′ = ⊥ ) ∧ r t ( µ \ { x } , I ℓ , O ℓ , p ℓ , q ℓ , · · · ) IR L h γ j i ֒ → h γ k i ( x ′ = I i [ p i ]) ∧ ( p ′ i = p i + 1) ∧ r t ( µ \ { x } , I ℓ , O ℓ , p ℓ \ { p i } , q ℓ , · · · ) OR H h γ j i ֒ → h γ k i r t ( µ, I ℓ , O ℓ , p ℓ , q ℓ , · · · ) OR L h γ j i ֒ → h output entry γ k i ( tmp ′ = e ) ∧ r t ( µ, I ℓ , O ℓ , p ℓ , q ℓ , · · · ) ∧ r t 2 ( · · · ) h output exit i ֒ → h ǫ i r t ( µ, I ℓ , O ℓ , p ℓ , q ℓ , · · · ) DR h γ j i ֒ → h decl ass γ j entry i ( tmp ′ = e ) ∧ r t ( µ, I ℓ , O ℓ , p ℓ , q ℓ , · · · ) h declass γ j exit i ֒ → h γ k i rt ( µ, I ℓ , O ℓ , p ℓ , q ℓ , · · · ) T ABLE II S T U FF E R P D S R U L E S F O R M O D E L T R A N S F O R M AT I O N RST h γ j i ֒ → h ξ ( γ 0 ) i ( ∀ p i ∈ p ℓ .p ′ i = 0) ∧ ( ∀ q i ∈ q ℓ .q ′ i = 0) ∧ r t ( µ, ξ ( µ ) , I ℓ , O ℓ , · · · ) OS i h output entry i ֒ → h output exit i ( O ′ i [ q i ] = tmp ) ∧ ( q ′ i = q i + 1) ∧ r t ( µ, ξ ( µ ) , I ℓ , O ℓ \ {O i [ q i ] } , p ℓ , q ℓ \ { q i } , · · · ) OM i h ξ ( output entry ) i ֒ → h err or i ( O i [ q i ] 6 = tmp ) ∧ r t ( · · · ) h ξ ( output entry ) i ֒ → h ξ ( output exit ) i ( O i [ q i ] = tmp ) ∧ ( q ′ i = q i + 1) ∧ rt ( µ, ξ ( µ ) , I ℓ , O ℓ , p ℓ , q ℓ \ { q i } , · · · ) DS γ j h declass γ j entry i ֒ → h declass γ j exit i ( D ′ [ ρ ( γ j )] = tmp ) ∧ ( x ′ = tmp ) ∧ rt ( D \ {D [ ρ ( γ j )] } , µ \ { x } , ξ ( µ ) , · · · ) DM γ j h ξ ( declass γ j entry ) i ֒ → h idle i ( D [ ρ ( γ j )] 6 = tmp ) ∧ r t ( D , · · · ) h ξ ( declass γ j entry ) i ֒ → h ξ ( declass γ j exit ) i ( D [ ρ ( γ j )] = tmp ) ∧ ( ξ ( x ) ′ = tmp ) ∧ rt ( D , µ, ξ ( µ ) \ { ξ ( x ) } , · · · ) On the other hand, if the target chann el of ou tput is O i , the pushdown rule h as a form of OR H for σ ( O i ) ≻ ℓ and OR L for σ ( O i )  ℓ in T able I. OR H is ju st like a tra nsition of skip since the con fidential ou tputs do not influence the pu blic part o f su bsequent states. The variable tmp sto res the value o f expression to be outputted or declassified. rt m eans retainment on v alue o f global variables and on value of local variables in h γ j i ֒ → h γ k i . r t 2 for a rule h γ j i ֒ → h f entry γ k i denotes retainment on value of local v ariables of the caller of procedur e f . The declassifications are mod eled with D R in T able I. The bodies of outpu ts to different public chann el and th e b odies of declassifications are vacuous. These absen t parts o f mode l will be filled by the self-composition . This treatment is decided by the store-match pattern wh ich we de velop to av oid the duplication of public chan nels and to guide the instrumente d computatio n to fulfil th e premise o f where-security pro perty . W e fo llow the principle of rea chability analysis for nonin - terference which we p roposed in [ 14]. The self- compo sition is ev olved into thr ee phases: b asic self-comp osition, auxiliary initial interleaving assignments, and illegal-flow state con - struction. For simplicity , we use the co mpact self-co mposition [23] as basic self-co mposition. T o a void duplicating the inp ut channels, we reuse the content of public input ch annels by resetting the indices of p ℓ to 0 at the beginn ing of the p airing part of model, see RST in T able II. Th is treatment is safe because from the semantics we know that no computation actually mo difies the content o f inpu t chan nels. In order to av o id d uplicating the output ch annels, we propo se a store- match patter n of o utput actions. Th is is to stuff the model af ter basic self-com position with the pushdown ru les OS and OM in T able II param eterized with the channel identifier i . The OM rules show that when the o utput to c hannel O i is comp uted in the second run, it is compar ed with the correspo nding outp ut stored durin g th e first run . If they are not equ al, the symbo lic Algorithm 1 Model T r ansforma tion 1. ∆ ′ ← {h γ init i ֒ → h startConf ( P ) i ( ∀ x ∈ dom ( µ ℓ ) .ξ ( x ) ′ = x ) ∧ r t ( µ, I ℓ , O ℓ , p ℓ , q ℓ ) } 2. for all r ∈ ∆ ∧ r 6 = LastT rans ( P ) do 3. ∆ ′ ← ∆ ′ ∪ { r.expr r. R ∧ r t ( ξ ( µ )) } 4. end for 5. for all r ∈ ∆ do 6. if r.expr = h γ j i ֒ → h γ s γ k i then 7. ∆ ′ ← ∆ ′ ∪ {h ξ ( γ j ) i ֒ → h ξ ( γ s ) ξ ( γ k ) i r. R ξ ( x ) x ∈ V ar ∧ r t ( µ ) } 8. else if r.expr = h γ j i ֒ → h d eclass γ j entry i then 9. ∆ ′ ← ∆ ′ ∪ {h ξ ( γ j ) i ֒ → h ξ ( d eclass γ j entry ) i r. R ξ ( x ) x ∈ V ar ∧ r t ( µ ) } ∪ DS γ j ∪ DM γ j 10. else if r.expr = h γ j i ֒ → h γ k i then 11. ∆ ′ ← ∆ ′ ∪ {h ξ ( γ j ) i ֒ → h ξ ( γ k ) i r. R ξ ( x ) x ∈ V ar ∧ r t ( µ ) } 12. else if r 6 = LastT rans ( P ) then 13. ∆ ′ ← ∆ ′ ∪ {h ξ ( γ j ) i ֒ → h ǫ i r. R ξ ( x ) x ∈ V ar ∧ r t ( µ ) } 14. else 15. ∆ ′ ← ∆ ′ ∪ {h ξ ( γ j ) i ֒ → h ξ ( γ j ) i r. R ξ ( x ) x ∈ V ar ∧ r t ( µ ) } ∪ {h γ j i ֒ → h ξ ( s tartConf ( P )) i RST } 16. end if 17. end for 18. ∆ ′ ← ∆ ′ ∪ S O i ∈O ℓ ( OS i ∪ OM i ) execution is directed to the illegal-flo w state err or . Compared with the no ninterfer ence property , the pr emise o f where-secur ity contain s equ ality relations on the declassified expressions, th erefore we need som e structure to in strument the sema ntics of abstract mo del to make sure the computation can proceed only when the equality re lations are satisfied. W e defin e an other global linear list D . Su ppose there are m declassifications r espectively at code location γ d i (0 ≤ i < m ) and a fun ction ρ map ping γ d i to i . W e give an other p attern of store-match that stores the value of expression decla ssified at γ d i to the site D [ ρ ( γ d i )] , see DS in T able II. T he correspond ing match o peration has a form of DM in T able II. No te th at ξ is the rename function on the stack symb ols to generate new flow graph nodes as well as on the variables to gene rate the compan ion v ariables f or the pairing part of mod el. The state idle h as o nly itself as the next state. From the reachability o f err or we can ensure the v iolation o f where-security withou t T ABLE III D I F F E R E N C E B E T W E E N P R O P E RT I E S WHERE gradual release whe re noninte rference up-to X X × persisten ce X × × considerin g the equality relation s on the subsequent o utputs. The self-co mposition algorithm is given in Alg orithm 1. The LastT rans return s the pushdown rule with re spect to the la st return command o f progr am. The first rule added to ∆ ′ denotes the in itial interlea ving assign ments fro m p ublic variables to their compan ion v a riables. r . R ξ ( x ) x ∈ V ar means a relation substitut- ing each variable in V ar with the renamed compan ion v ariable. Theorem 1 (Co rrectness) . Let S C ( P ℓ ) be the pushdo wn sys- tem w .r .t. security domain ℓ generated b y our self-compo sition on the model of pr ogram P . If ∀ ℓ ∈ D , the state error of S C ( P ℓ ) is unr eachable fr o m any initial state, we have P satisfies the where-security . (The proof is sketched in the techn ical re port [ 19]) V . E V A L U A T I O N W e imp lement Algorith m 1 as p art of th e parser of Rem opla [24] an d use Mo ped as th e black-bo x back-en d engine for the reachability analysis. Here we use experiments to ev aluate: 1. whether the property defined by where-secur ity is similar to the existing proper ties on the wh ere-dim ension, e. g. [8,10], and what is the real difference between these pro perties. 2. the preciseness of the mechanism comp ared with the type systems on en forcing th e respectiv e security proper ties. 3. whether the store-match pattern ca n really red uce the state space a s well as the cost of verificatio n. The experiments ar e perform ed on a laptop with 1.66GHz Intel Core 2 CPU, 1 GB RAM and Linu x kernel 2.6 .27-1 4-gen eric. The test cases are chosen from re lated w orks, see T able IV. Firstly , we illustrate that wher e-security is more relaxed than WHERE [8,16] and g radual re lease [ 10]. Lux an d Man tel [16] have proposed another two prude nt principles: no ninterfer ence up-to and p ersistence . Comp ared with the four basic princi- ples, the two p rinciples are n ot gener ally used for p olicies on different dime nsions. The conf ormanc es of th e prop erties with these principles are given in T able III. Similar to the gradua l release, th e pr ogram P1 in T able IV is secure (deno ted by X ) w .r .t. wher e-security . This indicates the two proper ties do no t comply with p ersistence since the reachable comman d l := h is obviously not secure. On the co ntrary , WHERE rejects this program . Our where-secur ity does not comp ly with noninter ference up- to b ecause the definition deduces relations on final states but no t o n the states befor e declas s primitives. A typical example is P0. It is where -secure but judged insecure by WHERE and gr adual release. Althoug h dif ferent on these special cases, the where-security can characterize a similar proper ty to WHERE and grad ual release fo r the mo st cases in T able IV, see th e c olumn WHERE , GR and wher e . F 1 F 2 F 3 F 4 F 5 F 6 F 7 F 8 1 E - 4 1 E - 3 0 . 0 1 T i m e ( s) T r R A Fig. 3. Cost Reduction with Store-Mat ch Pattern Then we evaluate the preciseness o f our e nforcem ent mech- anism. In T ab le IV τ 1 is the well-typ eness o f pro gram jud ged by the ty pe system in Fig .4, [8] . τ 2 is the ju dgemen t of the type system gi ven in Fig.3, [10]. RA is the reachability analysis result using ou r mechanism. X mean s the state err or is not reachab le. Th e analysis time T is re lated to the n umber of bits of each variable, which we set to 3 and that means each variable in the model h as a r ange of 0 ∼ 2 3 -1. Larger number of bits correspo nds to the increase on state space of model an d th e ana lysis time. On the oth er han d, the numb er of bits of variable is mean ingful also be cause if it is to o small for the model of insecure progr am, the illegal path cannot be caugh t. This causes a false-positiv e which can be av o ided by setting the n umber of bits of variable sufficiently large. W e reco rd th e min imum n umber of b its to av oid false- positive as N min . The analysis might be time consuming when N min is large. For secure prog ram, the illegal-flo w state will be unreac hable for any num ber of bits therefore N min is not r ecorded . The progr am filter in T able IV ha s a more comp lex policy . From the escap e h atch in formatio n we have r eader  n etwork . Th e mod el is co nstructed an d transform ed o n respective security domains. On each secu rity domain d ifferent public variables are modeled o utputted in the end and state err or o f transform ed mod el is unreach able. Our enforce ment is more p recise compare d with the type system s that reject some secure program s (P2, P6,P7 for WHERE an d P1,P2,P6 f or gradual re lease). Finally , we ev aluate the redu ction on the co st of verifica- tion provided by the store-match pattern. W e compar e our mechanism with a model transfor mation, i.e. T r in Fig.3, which d uplicates the public output ch annels and constru cts the illegal-flow state following the pairing p art o f m odel. Th e test cases c ontaining I/Os a re fr om Fig.4, [ 26], a nd named F 1 ∼ F 8 in Fig.3. The se exp eriments show that the store-match pattern can give an overall 41.4% redu ction on the c ost of verification . The number o f bits of variable is set to 3 as well. V I . C O N C L U S I O N W e pro pose a secu rity property on the where-dime nsion of declassification. The property is proved com plying with the th ree classical pr udent p rinciples. W e also give a precise enforce ment based on the reachability analy sis of p ushdown system deri ved by a variant of self-com position. T o immi- grate o ur approach to the properties on oth er d imensions of declassification, e.g. the delimited r elease [17] o n the what- T ABLE IV P R O P E RT Y A N D E N F O R C E M E N T C O M PA R I S O N W I T H W H E R E A N D G R A D UA L R E L E A S E Case From WHERE τ 1 GR τ 2 wher e RA T(ms) N min Ex2 Example 2, [6] × × × × × × 39.2 2 RSA Example 5, [6] × × × × × × 1.09 1 C1 Example 1, [8] × × × × × × 0.55 1 C2 Example 1, [8] X X X X X X 0.59 – C3 Example 1, [8] X X X X X X 0.49 – filter Fig.6, [8 ] X X X X X X 5.47 – P0 Sec .1, [25] × × × × X X 0.44 – P1 Sec .2, [10] × × X × X X 0.53 – P2 Sec .3, [25] X × X × X X 0.64 – P3 Sec .2, [10] × × × × × × 3.53 1 P4 Sec .4, [25] × × × × × × 2.03 1 P5 Sec .4, [25] × × × × × × 0.61 1 P6 Sec .5, [25] X × X × X X 0.37 – P7 Sec .2, [10] X × X X X X 1.91 – P0 l := h ; l := declass ( h ); P1 l := declass ( h ); l : = h ; P2 h 1 := h 2 ; l := declass ( h 1 ); P3 h 1 := h 2 ; h 2 := 0; l 1 := declass ( h 2 ); h 2 := h 1 ; l 2 := h 2 ; P4 h 2 := 0; if h 1 then l := declass ( h 1 ) else l := declass ( h 2 ); P5 l := 0; if l then l := dec lass ( h ) else skip ; l := h ; P6 h 2 := 0; if h 1 then l := declass ( h 2 ) else l := 0; P7 l := declass ( h ! = 0); if l then l 1 := declass ( h 1 ) else skip ; dimension, the key p oint is to focu s on the indistinguish ability of declassified expressions on the pair of in itial states. The study on the en forceme nt of proper ties on the other dimensions is left to ou r f uture work . A C K N O W L E D G M E N T W e thank Alexand er Lux f or pr oviding the valuable pro ofs and explanations of the theorems in their work. W e also thank En nan Zhai f or helpf ul commen ts and the anonym ous revie wers for useful feedback . This research is partially sup- ported b y the National Natural Science Foundatio n of China under Grant No.6077 3163, No.609 11140 102, The National Ke y T ech nology R&D Progr am in the 11th fi ve-y ear Period under Gran t No .2008 B AH33B01, as well as the PKU Project PKU-PY2010 -005. R E F E R E N C E S [1] A. Sabelfeld and A. C. Myers, “Language- based information-flo w se- curity , ” IEEE Journal on Selected Areas in Communications , vol. 21, no. 1, pp. 5–19, 2003. [2] J. A. Goguen and J. Mese guer , “Security policies and security models, ” in IEEE Symposium on Security and Privacy , 1982, pp. 11–20. [3] A. S abelfe ld and D. Sands, “ A per m odel of secure information flow in sequenti al programs, ” Higher-Or der and Symbolic Computation , vol. 14, no. 1, pp. 59–91, 2001. [4] A. C. Myers and B. Liskov , “ A decentrali zed model for information flow control , ” in SOSP , 1997, pp. 129–142. [5] A. Sabelfeld and D. Sands, “Declassificat ion: Dimensions and princ i- ples, ” Journa l of Computer Security , vol. 17, no. 5, pp. 517–548, 2009. [6] H. Mantel and D. Sands, “Controlle d declassificati on based on in- transiti ve nonint erferen ce, ” in AP LAS , ser . Lecture Notes in Computer Science , W .-N. Chin, Ed., vol. 3302. Spri nger , 2004, pp. 129–145. [7] A. A. Matos and G. Boudol, “On declassificati on and the non-disclosure polic y , ” Journal of Computer Securi ty , vol. 17, no. 5, pp. 549–597, 2009. [8] H. Mantel and A. Rei nhard, “Contro lling the what and where of decla ssification in language-based security , ” in ESOP , ser . L ecture Notes in Computer Scie nce, R. D. N icola , Ed., vol. 4421. Springer , 2007, pp. 141–156. [9] N. Brober g and D. Sands, “Flow locks: T o ward s a core calculu s for dynamic flow policies, ” in ESOP , ser . Lect ure Notes in Computer Science , P . Sestoft, Ed., vol. 3924. Springer , 2006, pp. 180–196. [10] A. Askarov and A. Sabelfe ld, “Gradual release: Unifyi ng decla ssifi- catio n, enc ryption and key release poli cies, ” in IEEE Symposium on Securit y and Privacy . IE EE Computer Society , 2007, pp. 207–221. [11] G. Barthe, P . R. D’Argen io, and T . Rezk, “Secure informati on flow by self-composi tion, ” in CSFW . IEEE Computer S ociety , 2004, pp. 100– 114. [12] T . T erauchi and A. Aiken, “Sec ure information flo w as a safety prob lem, ” in SAS , ser . L ecture Notes in Compute r Science, C. Hankin and I. S i vero ni, Eds., vol. 3672. Springer , 2005, pp. 352–367. [13] D. A. Naumann, “From coupling relations to mated in v aria nts for check- ing informati on flo w , ” in ESORICS , ser . Lecture Notes in Computer Science , D. Gollmann, J. Meier , and A. Sabelfe ld, Eds., vol . 418 9. Springer , 2006, pp. 279–296. [14] C. Sun, L . T ang, and Z. Chen, “Secure information flow in ja v a via reacha bility analysis of pushdo wn s ystem, ” in QSIC ’10 . IEEE Computer Socie ty , 2010, pp. 142–150. [15] P . Li and S. Zdance wic, “Down grading polic ies and relax ed noni nter - ference , ” in POPL , J. Pal sberg and M. Abadi, Eds. A CM, 2005, pp. 158–170. [16] A. L ux and H. Mantel, “Who can decla ssify?” in F AST , ser . L ecture Notes in Computer Science, P . Degano, J. D. Guttman, and F . Martinell i, Eds., vol. 5491. Springer , 2008, pp. 35–49. [17] A. Sabelfel d and A. C. Myers, “ A model for delimit ed informat ion release , ” in ISSS , ser . Lecture Notes in Computer Science , K. Futatsugi, F . Mizoguchi, and N. Y onezaki , Eds., vol. 3233. Sprin ger , 2003, pp. 174–191. [18] A. Sabelfel d and D. Sand s, “Proba bilisti c noninterferen ce for multi- threade d programs, ” in CSFW , 2000, pp. 200–214. [19] C. Sun, L. T ang, and Z. Chen, “ A ne w enforcement on decla ssification with reachabili ty analy sis, ” Institute of Software, School of EECS, Peking Uni ve rsity , T ech. Rep., 2010, http:/ /infosec .pku.edu.cn/ ∼ suncong/sun 2010d- tr . pdf . [20] S. Schwoon, “Model checki ng pushdown systems, ” Ph.D. dissertat ion, T echnica l Unive rsity of Munich, Munich, German y , 2002. [21] R. E . Bryant, “Graph-base d algorith ms for boolean function manipula- tion, ” IEEE T rans. Computers , vol. 35, no. 8, pp. 677–691, 1986. [22] S. Kiefer , S. Schwoon, and D. Suwimontee rabut h, “Moped: A model-check er for pushdown systems, ” 2002, http:/ /www .fmi.uni- stuttgart .de/szs/tools/moped/ . [23] C. Sun, L . T ang, and Z. Chen, “Secure informati on flo w by model checki ng pushdown system, ” in UIC-ATC ’09 . IEEE Computer Society , 2009, pp. 586–591. [24] J. Hole ˇ cek, D. Suwimontee rabut h, S. Schwo on, and J. Esparza , “Introductio n to remopla , ” 2006, http:/ /www .fmi.uni- stuttgart .de/szs/tools/moped/remopla- intro.pdf . [25] A. Askaro v and A. Sabelfeld, “Locali zed delimited release: combining the what and w here dimensions of information release , ” in PLAS , M. W . Hicks, Ed. A CM, 2007, pp. 53–60. [26] N. De Francesco and L . Martini, “Instruction-le vel security typing by abstrac t interpretat ion, ” Int. J . Inf. Sec. , vol. 6, no. 2-3, pp. 85–106, 2007. A P P E N D I X Pr oo f o f Lemma 1 : Suppose any trace of the p rogra m P [ C ′ /C ] is in a f orm of ( µ, I , O , p, q , P [ C ′ /C ]) → ∗ ( µ j , I , O j , p j , q j , C ′ ; P j ) ։ ( µ k , I , O k , p k , q k , P j ) → ∗ ( µ f , I , O f , p f , q f , skip ) . Because C an d C ′ are semantically equ iv a lent, we also hav e ( µ j , I , O j , p j , q j , C ; P j ) ։ ( µ k , I , O k , p k , q k , P j ) . Moreover, since C and C ′ are declassification-free , the sub stitution will not influen ce the conju nction of equiv alence on declassified expressions in P [ C ′ /C ] . Th erefore the indistingu ishability on the final c onfigur ations, that is µ n +1 ∼ ℓ µ ′ n +1 ∧ O n +1 ∼ ℓ O ′ n +1 , holds b efore and afte r th e substitution. Pr oo f of Lemma 2: Fro m the operationa l semantics we can see → d can only o ccurs when a declass com mand is executed and the d eclassified expression contain s so me in- formation with a security d omain hig her than the security domain of x . P h as no declassification implies that in any trace of comp utation of P there is no → d . The whe re-security of P degenerates to have n = 0 . Theref ore th e where- security b ecomes noninterferen ce accord ing to the definition and µ f ≡ µ 1 , O f ≡ O 1 . Pr oo f of Lemma 3: Ther e are actually two cases on whether th e substitution introduces a real declassification. 1. If σ ( e )  σ ( x ) , the comp utation of x := declass ( e ) is iden- tical to t he ordinar y assignme nt x := e an d → is not labeled as → d . The where-security of P [ x := d eclass ( e ) /x := e ] does not change co mpared with the whe re-security o f P [ x := e ] . 2. Suppose we have σ ( x ) ≺ σ ( e ) . Th e computa tion of x := e in the two correlative r uns of P [ x := e ] ar e lik e ( µ, I , O , p, q , P [ x := e ]) → ∗ ( µ j , I , O j , p j , q j , x := e ; P j ) → ( µ j [ x 7→ µ j ( e )] , I , O j , p j , q j , P j ) → ∗ ( µ n +1 , I , O n +1 , p n +1 , q n +1 , skip ) and ( µ ′ , I ′ , O ′ , p ′ , q ′ , P [ x := e ]) → ∗ ( µ ′ j , I ′ , O ′ j , p ′ j , q ′ j , x := e ; P j ) → ( µ ′ j [ x 7→ µ ′ j ( e )] , I ′ , O ′ j , p ′ j , q ′ j , P ′ j ) → ∗ ( µ ′ n +1 , I ′ , O ′ n +1 , p ′ n +1 , q ′ n +1 , skip ) . Fro m the p remise of wh ere-security o f P [ x := declass ( e ) /x := e ] we have V k =1 ..n ( µ k s ∼ ℓ µ ′ k s ∧ µ k s ( e k ) = µ ′ k s ( e k )) . That implies V k =1 ..n,k 6 = j ( µ k s ∼ ℓ µ ′ k s ∧ µ k s ( e k ) = µ ′ k s ( e k )) and because P [ x := e ] is where-secu re, we hav e V k =1 ..n,k 6 = j ( µ k t ∼ ℓ µ ′ k t ) . Because µ j ∼ ℓ µ ′ j ∧ µ j ( e ) = µ ′ j ( e ) , according to the semantics, we hav e µ j [ x 7→ µ j ( e )] ∼ ℓ µ ′ j [ x 7→ µ ′ j ( e )] , that is µ j t ∼ ℓ µ ′ j t for P [ x := declass ( e ) / x := e ] an d th erefore V k =1 ..n ( µ k t ∼ ℓ µ ′ k t ) . On th e other han d, since th e substitution doe s not c hange the semantics o f pr ogram, restricting the premise V k =1 ..n,k 6 = j ( µ k s ( e k ) = µ ′ k s ( e ′ k )) with a co njunction to µ j ( e ) = µ ′ j ( e ) will n ot influen ce the consequen ce that µ n +1 ∼ ℓ µ ′ n +1 ∧ O n +1 ∼ ℓ O ′ n +1 . The where-secur ity of P [ x := declass ( e ) /x := e ] is p roved. Pr oo f of Theorem 1 : Suppose pro gram P violates the where-secur ity proper ty , that means ∃ k 0 .µ k 0 ,s ∼ ℓ µ ′ k 0 ,s ∧ µ k 0 ,s ( e k ) = µ ′ k 0 ,s ( e ′ k ) ∧¬ ( µ k 0 ,t ∼ ℓ µ ′ k 0 ,t ) or ^ k =1 ..n ( µ k s ( e k ) = µ ′ k s ( e ′ k )) ∧ ¬ ( O n +1 ∼ ℓ O ′ n +1 ) Here the µ n +1 ∼ ℓ µ ′ n +1 has been adapted to O n +1 ∼ ℓ O ′ n +1 by m odeling final outputs of public variables. If the first relation is satisfied, we h av e in x k := declass ( e k ) and x ′ k := declass ( e ′ k ) the variable x k and x ′ k are different variables. Therefo re the respec ti ve p ushdown rules mu st h av e different γ j as the lab el for th e stack symb ol declass γ j entry , which we suppose to be γ k , γ k ′ and γ k 6 = γ k ′ . From the DS γ k and DM γ k ′ we have D [ ρ ( γ k ′ )] = e ′ k . The value in D [ ρ ( γ k ′ )] is irrelev ant to e k and x k in the secon d run is not r estricted by DM γ k ′ . Wh en th e final x k and x ′ k are o utputted , the ineq uality of final x k of correlative executions makes the state err or reachable according to the rule OM σ ( x k ) . If the second relation is satisfied, ∃ i .q i 6 = q ′ i ∨ ( ∃ 0 ≤ k 0 < q i . O i [ k 0 ] 6 = O ′ i [ k 0 ]) . If q i 6 = q ′ i , we can sup pose q i < q ′ i because the corr elativ e r uns are symm etrical. The n there must be some e o f output ( e, O ′ i ) in P th at sh ould be compared with the indefinite value in O i,n +1 [ q i ] during th e execution of the second run . Oth erwise we have O i,n +1 [ k 0 ] 6 = O ′ i,n +1 [ k 0 ] . Then if O ′ i,n +1 [ k 0 ] is generated by o utput ( e, O i ) , the second run is directed by O i [ k 0 ] 6 = e according to th e rule OM i and err or is reach able. From the con trapositive the theore m is proved.