Abstract
This paper presents an information flow analysis of the Hibernate Query Language (HQL). We define a concrete semantics of HQL and lift it to an abstract domain of propositional formulae. In this way, we capture variable dependences at each program point. This allows us to identify illegitimate information flow by checking the satisfiability of the propositional formulae with respect to a truth value assignment based on the variables' security levels.
Notes
1. This work is a revised and extended version of [10].
2. Observe that, for the sake of simplicity, we do not consider here the method REFRESH(), which synchronizes the state of in-memory objects with that of the underlying database.
3. For a detailed abstract transition semantics of imperative statements, see [34].
References
Amtoft, T., Banerjee, A.: A logic for information flow analysis with an application to forward slicing of simple imperative programs. Sci. Comput. Program. 64, 3–28 (2007)
Andrews, G.R., Reitman, R.P.: An axiomatic approach to information flow in programs. ACM Trans. Program. Lang. Syst. 2, 56–76 (1980)
Bao, T., Zheng, Y., Lin, Z., Zhang, X., Xu, D.: Strict control dependence and its effect on dynamic information flow analyses. In: Proceedings of the 19th International Symposium on Software Testing and Analysis, pp. 13–24. ACM Press, Trento (2010)
Barbon, G., Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O.: Privacy analysis of android apps: implicit flows and quantitative analysis. In: Saeed, K., Homenda, W. (eds.) CISIM 2015. LNCS, vol. 9339, pp. 3–23. Springer, New York (2015)
Bauer, C., King, G.: Hibernate in Action. Manning Publications Co., Greenwich (2004)
Bauer, C., King, G.: Java Persistence with Hibernate. Manning Publications Co., Greenwich (2006)
Cavadini, S.: Secure slices of insecure programs. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security, pp. 112–122. ACM Press, Tokyo (2008)
Cortesi, A., Dovier, A., Quintarelli, E., Tanca, L.: Operational and abstract semantics of the query language G-log. Theor. Comput. Sci. 275(1–2), 521–560 (2002)
Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O.: Datacentric semantics for verification of privacy policy compliance by mobile applications. In: D’Souza, D., Lal, A., Larsen, K.G. (eds.) VMCAI 2015. LNCS, vol. 8931, pp. 61–79. Springer, Heidelberg (2015)
Cortesi, A., Halder, R.: Information-flow analysis of hibernate query language. In: Dang, T.K., Wagner, R., Neuhold, E., Takizawa, M., Küng, J., Thoai, N. (eds.) FDSE 2014. LNCS, vol. 8860, pp. 262–274. Springer, Heidelberg (2014)
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the POPL 1977, pp. 238–252. ACM Press, Los Angeles (1977)
Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 269–282. ACM Press, San Antonio (1979)
Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19, 236–243 (1976)
Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012)
Elliott, J., O’Brien, T., Fowler, R.: Harnessing Hibernate, 1st edn. O’Reilly, Sebastopol (2008)
Halder, R.: Language-based security analysis of database applications. In: Proceedings of the 3rd International Conference on Computer, Communication, Control and Information Technology (C3IT 2015), pp. 1–4. IEEE Press (2015)
Halder, R., Cortesi, A.: Abstract interpretation of database query languages. Comput. Lang. Syst. Struct. 38, 123–157 (2012)
Halder, R., Zanioli, M., Cortesi, A.: Information leakage analysis of database query languages. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing (SAC 2014), 24–28 March 2014, pp. 813–820. ACM Press, Gyeongju (2014)
Hammer, C.: Experiences with PDG-based IFC. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 44–60. Springer, Heidelberg (2010)
Hammer, C., Krinke, J., Snelting, G.: Information flow control for java based on path conditions in dependence graphs. In: Proceedings of the IEEE International Symposium on Secure Software Engineering (ISSSE 2006), pp. 87–96. IEEE, Arlington (2006)
Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8, 399–422 (2009)
Joshi, R., Leino, K.R.M.: A semantic approach to secure information flow. Sci. Comput. Program. 37(1–3), 113–138 (2000)
Krinke, J.: Information flow control and taint analysis with dependence graphs. In: Proceedings of the Third International Workshop on Code Based Software Security Assessments (CoBaSSA). Technical report TUD-SERG-2007-023, Vancouver, Canada, Delft University of Technology, pp. 6–9 (2007)
Li, B.: Analyzing information-flow in java program based on slicing technique. SIGSOFT Softw. Eng. Notes 27, 98–103 (2002)
Logozzo, F.: Class invariants as abstract interpretation of trace semantics. Comput. Lang. Syst. Struct. 35, 100–142 (2009)
Mantel, H., Sudbrock, H.: Types vs. PDGs in information flow analysis. In: Albert, E. (ed.) LOPSTR 2012. LNCS, vol. 7844, pp. 106–121. Springer, Heidelberg (2013)
Myers, A.C.: Jflow: practical mostly-static information flow control. In: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 1999), January 20–22 1999, pp. 228–241. ACM Press, San Antonio (1999)
Pottier, F., Simonet, V.: Information flow inference for ML. ACM Trans. Program. Lang. Syst. 25, 117–158 (2003)
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21, 5–19 (2003)
Sabelfeld, A., Sands, D.: Declassification: dimensions and principles. J. Comput. Secur. 17, 517–548 (2009)
Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proceedings of the 20th IEEE Computer Security Foundations Symposium, CSF 2007, pp. 203–217. IEEE Computer Society, Washington DC (2007). http://dx.doi.org/10.1109/CSF.2007.20
Smith, G.: Principles of secure information flow analysis. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Malware Detection. Advances in Information Security, vol. 27, pp. 291–307. Springer, Nov Smokovec (2007)
Volpano, D., Irvine, C., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4, 167–187 (1996)
Zanioli, M., Cortesi, A.: Information leakage analysis by abstract interpretation. In: Černá, I., Gyimóthy, T., Hromkovič, J., Jefferey, K., Králović, R., Vukolić, M., Wolf, S. (eds.) SOFSEM 2011. LNCS, vol. 6543, pp. 545–557. Springer, Heidelberg (2011)
Zanioli, M., Ferrara, P., Cortesi, A.: Sails: static analysis of information leakage with sample. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC 2012), pp. 1308–1313. ACM Press, Trento (2012)
Acknowledgement
This work is partially supported by the PRIN “Security Horizons” project and by the research grant (SB/FTP/ETA-315/2013) from the Science & Engineering Research Board (SERB), Department of Science and Technology, Government of India. We thank the anonymous reviewers for their valuable comments and suggestions.
Copyright information
© 2016 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Halder, R., Jana, A., Cortesi, A. (2016). Data Leakage Analysis of the Hibernate Query Language on a Propositional Formulae Domain. In: Hameurlain, A., Küng, J., Wagner, R., Dang, T., Thoai, N. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XXIII. Lecture Notes in Computer Science, vol 9480. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49175-1_2
DOI: https://doi.org/10.1007/978-3-662-49175-1_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-49174-4
Online ISBN: 978-3-662-49175-1
eBook Packages: Computer Science, Computer Science (R0)