
operations, respectively. In contrast, DSD is a rather modest extension to a standard object-oriented language, with security domains as first-class values. This also enables a straightforward translation to a standard bytecode language. Most important, however, is that the notion of “dynamic” security environments in Paralocks and RTI differs from this thesis: there, the focus lies on security environments that can be updated dynamically at runtime, possibly causing a declassification of data. (Indeed, the major purpose of roles is to provide a controlled way of declassification simply by adding a principal to a specific role.) The type system is defined with respect to a given initial policy and a set of principals, and then statically tracks and approximates the runtime changes to the security environment. In contrast, a DSD program is executed with respect to a security environment that is fixed for each particular execution; the type system analyses the program abstractly and gives a proof that the program is secure for any environment (domain values and policies) that may occur.

Finally, our own previous works [Gra08; GB09] have laid the foundations for a type-based analysis of privacy-aware programs. While most of the high-level DSD language has already been present in these papers, there has not been a proper parametrization of the security policy in the definition of noninterference, and the verification of DSD bytecode programs has only been outlined.

In summary, all the presented approaches tackle aspects of dynamic information flow security in expressive and sophisticated ways. However, they are in my opinion not directly applicable to the mobile code scenario, as they are all defined on the source code level only, and there is no translation given for an analysis on a lower level. Indeed, many of these works require a domain-specific language or larger extensions to the syntax, which makes it harder to build on existing techniques for the compilation to JVM-like bytecode and the subsequent information flow analysis for bytecode.

7.3 Bytecode Information Flow Analysis

A first information flow type system for an unstructured bytecode language has been presented by Kobayashi and Shirane [KS02]. They applied ideas from the field of Typed Assembly Languages [Mor+99] to information flow security. Bytecode languages are usually defined using a small-step semantics, hence the type system assigns typing information to each instruction address. Semantically, noninterference is defined in terms of a bisimulation: two bytecode executions continually need to reach low-equivalent program states at corresponding instruction addresses. (This is in contrast to the Volpano-Smith system, where the typing judgements and their interpretations refer to entire program statements.)

Following Kobayashi and Shirane, a number of similar approaches have been developed which handle more advanced language features. In particular, the MOBIUS project [Bar+06] has examined the type-based certification of bytecode for information flows, as presented in the works by Gilles Barthe et al. [BPR07; BR05]. Additionally, the authors have presented a compilation from a fragment of Java that preserves security types [BRN06]. This research had a large influence on the bytecode language and the type-preserving compilation presented in this thesis.

To handle indirect information flows with the pc level correctly, these type systems rely on a computation of control dependence regions [Bal93] to determine the parts of the code that are governed by a conditional branching instruction. The soundness result for the type system relies on the correctness of the computed control dependence regions, expressed in the form of safe over-approximation properties. In contrast, the typed assembly language SIF by Medel, Compagnoni, and Bonelli [MCB05] includes pseudo-instructions that are used as control dependence markers. Here, the correctness of these region markers can be directly checked by the type system. My low-level type system uses this latter approach with small modifications.
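To make the role of control dependence regions concrete, the following added example (not code from this thesis or from the cited works) checks a toy unstructured bytecode in the style of Barthe et al.: the region of a branch is computed from the immediate post-dominator (its junction point), and a public assignment inside the region of a secret-guarded branch is reported as an indirect flow. The instruction set, the two-level lattice and the sample programs are constructed for illustration.

```python
# Toy bytecode: ("asg", dst, src) copies src into dst; ("ifz", var, tgt) jumps
# to tgt if var == 0 and falls through otherwise; ("goto", tgt); ("ret",).
def succ(code, i):
    op = code[i]
    if op[0] == "ret":  return []
    if op[0] == "goto": return [op[1]]
    if op[0] == "ifz":  return [i + 1, op[2]]
    return [i + 1]

def post_dominators(code):
    """Fixpoint over pdom(n) = {n} ∪ ∩ pdom(s) for all successors s of n."""
    n, every = len(code), set(range(len(code)))
    pdom = {i: ({i} if code[i][0] == "ret" else every) for i in range(n)}
    changed = True
    while changed:
        changed = False
        for i in range(n):
            if code[i][0] == "ret":
                continue
            new = {i} | set.intersection(*(pdom[s] for s in succ(code, i)))
            if new != pdom[i]:
                pdom[i], changed = new, True
    return pdom

def region(code, i, pdom):
    """Addresses control dependent on branch i: everything reachable from i's
    successors before the junction point (the immediate post-dominator of i)."""
    junction = max(pdom[i] - {i}, key=lambda p: len(pdom[p]), default=None)
    seen, work = set(), list(succ(code, i))
    while work:
        j = work.pop()
        if j == junction or j in seen:
            continue
        seen.add(j)
        work.extend(succ(code, j))
    return seen

def check(code, level):
    """level maps variables to 'L' (public) or 'H' (secret). Returns
    ('explicit', addr) for a direct secret-to-public copy and
    ('implicit', branch, addr) for a public assignment in a secret region."""
    pdom, bad = post_dominators(code), []
    for i, op in enumerate(code):
        if op[0] == "asg" and level[op[2]] == "H" and level[op[1]] == "L":
            bad.append(("explicit", i))
        if op[0] == "ifz" and level[op[1]] == "H":
            for j in sorted(region(code, i, pdom)):
                if code[j][0] == "asg" and level[code[j][1]] == "L":
                    bad.append(("implicit", i, j))
    return bad

LEVEL = {"h": "H", "l": "L", "zero": "L", "one": "L"}
LEAKY = [("ifz", "h", 3), ("asg", "l", "one"), ("goto", 4), ("asg", "l", "zero"), ("ret",)]
SAFE  = [("ifz", "l", 3), ("asg", "l", "one"), ("goto", 4), ("asg", "l", "zero"), ("ret",)]
```

LEAKY encodes `if (h == 0) l := zero else l := one`, so both assignments lie in the region of the secret branch at address 0 and are rejected even though no secret is copied directly.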

Beyond type systems, relational program logics for bytecode programs have been used to analyse information flow security in a more precise manner. An example is Lennart Beringer’s Relational Shape Descriptions [Ber10], which provide an expressive way to describe correspondences between two related program states, such that fine-grained noninterference properties can be expressed. Additionally, the proof rules place no restrictions on the control flow structure of the program.

In the MOBIUS project, information flow type systems and logics have been expressed in a generic bytecode logic, such that one can build on a general framework for proof-carrying code (PCC) [Nec97]. In this thesis, I have followed the PCC paradigm, although the proof certificates are much simpler and require a larger trusted computing base: the certificates are just the type derivations, and the code consumer must trust the correctness of the soundness proof and the type checker.

In the presence of symbolic expressions in the analysis, such as those used for the constraint sets here, it becomes rather cumbersome to define a type system on the bytecode level. For this reason, I have chosen a simplified version of the approach by Demange, Jensen, and Pichardie [DJP10] where a bytecode language is “disassembled” into an intermediate representation, which, among other things, eases the symbolic reasoning required for DSD.

To my knowledge, this thesis presents the first definition of a privacy-aware bytecode language that contains constructs for inspecting the security environment. Furthermore, it is the first application of the stackless intermediate representation by Demange et al. to verify information flow security properties of bytecode programs.