Secure Information Flow Typing in LUSTRE

by   Sanjiva Prasad, et al.

Synchronous reactive data flow is a paradigm that provides a high-level abstract programming model for embedded and cyber-physical systems, including the locally synchronous components of IoT systems. Security in such systems is severely compromised due to low-level programming, ill-defined interfaces and inattention to security classification of data. By incorporating a Denning-style lattice-based secure information flow framework into a synchronous reactive data flow language, we provide a framework in which correct-and-secure-by-construction implementations for such systems may be specified and derived. In particular, we propose an extension of the Lustre programming framework with a security type system. The novelty of our type system lies in a symbolic formulation of constraints over security type variables, in particular the treatment of node calls, which allows us to reason about secure flow with respect to any security class lattice. The main theorem is the soundness of our type system with respect to the co-inductive operational semantics of Lustre, which we prove by showing that well-typed programs exhibit non-interference. Rather than tackle the full language, we first prove the non-interference result for a well-behaved sub-language called "Normalised Lustre" (NLustre), for which our type system is far simpler. We then show that Bourke et al.'s semantics-preserving "normalisation" transformations from Lustre to NLustre are security-preserving as well. This preservation of security types by the normalisation transformations is a property akin to "subject reduction" but at the level of compiler transformations. The main result that well-security-typed Lustre programs are non-interfering follows from a reduction to our earlier result of non-interference for NLustre via the semantics-preservation (of Bourke et al.) and type preservation results.



There are no comments yet.


page 1

page 2

page 3

page 4


Normalising Lustre Preserves Security

The synchronous reactive data flow language LUSTRE is an expressive lang...

P4BID: Information Flow Control in P4

Modern programmable network switches can implement custom applications u...

Sheaf semantics of termination-insensitive noninterference

We propose a new sheaf semantics for secure information flow over a spac...

First-order Gradual Information Flow Types with Gradual Guarantees

Gradual type systems seamlessly integrate statically-typed programs with...

Secure Information Flow Connections

Denning's lattice model provided secure information flow analyses with a...

Oxide: The Essence of Rust

Rust is a major advancement in industrial programming languages due in l...

A Type System for First-Class Layers with Inheritance, Subtyping, and Swapping

Context-Oriented Programming (COP) is a programming paradigm to encourag...
This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.