Data Leakage Analysis of the Hibernate Query Language on a Propositional Formulae Domain

Transactions on Large-Scale Data- and Knowledge-Centered Systems XXIII

Part of the book series: Lecture Notes in Computer Science (TLDKS, volume 9480)

Abstract

This paper presents an information flow analysis of the Hibernate Query Language (HQL). We define a concrete semantics of HQL and lift it to an abstract domain of propositional formulae. This way, we capture variable dependences at each program point. This allows us to identify illegitimate information flow by checking the satisfiability of the propositional formulae with respect to a truth value assignment based on the variables' security levels.
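The check described in the abstract, as an added Python example that is not code from the chapter. It assumes a flow-insensitive simplification (the chapter tracks dependences per program point), encodes "y depends on x" as the implication x → y, and assigns true to high (private) and false to low (public) variables; the program, the `Emp` query and the security levels are constructed for illustration.

```python
# Constructed sample program: each statement lists the variables it reads and
# writes. Modelling assumption: attributes in an HQL WHERE clause count as
# reads, because the condition decides which rows reach the result.
PROGRAM = [
    # rs = session.createQuery(
    #     "SELECT e.name FROM Emp e WHERE e.salary > 5000").list()
    {"writes": ["rs"], "reads": ["name", "salary"]},
    # report = rs.size()
    {"writes": ["report"], "reads": ["rs"]},
    # banner = "Staff report"
    {"writes": ["banner"], "reads": []},
]

# Constructed security levels: H = private, L = public.
LEVELS = {"name": "L", "salary": "H", "rs": "L", "report": "L", "banner": "L"}

def dependences(program):
    """Collect implications (src, dst), read as src -> dst: dst depends on src."""
    deps = set()
    for stmt in program:
        for dst in stmt["writes"]:
            for src in stmt["reads"]:
                deps.add((src, dst))
    return deps

def closure(deps):
    """Transitive closure: a -> b and b -> c give a -> c."""
    deps = set(deps)
    changed = True
    while changed:
        new = {(a, d) for (a, b) in deps for (c, d) in deps if b == c}
        changed = not (new <= deps)
        deps |= new
    return deps

def leaks(deps, levels):
    """Assign True to high variables and False to low ones. Every implication
    falsified by that assignment (True -> False) is a high-to-low flow."""
    val = {v: lvl == "H" for v, lvl in levels.items()}
    return sorted((s, d) for (s, d) in closure(deps) if val[s] and not val[d])

if __name__ == "__main__":
    for src, dst in leaks(dependences(PROGRAM), LEVELS):
        print(f"{src} -> {dst} is falsified: high-to-low flow")
```

The `salary -> report` finding only appears after the closure step, which is how an indirect flow through the query result `rs` is caught.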

Notes

  1. This work is a revised and extended version of [10].

  2. Observe that, for the sake of simplicity, we do not consider here the method REFRESH(), which synchronizes the in-memory objects' state with that of the underlying database.

  3. For a detailed abstract transition semantics of imperative statements, see [34].

References

  1. Amtoft, T., Banerjee, A.: A logic for information flow analysis with an application to forward slicing of simple imperative programs. Sci. Comput. Program. 64, 3–28 (2007)

  2. Andrews, G.R., Reitman, R.P.: An axiomatic approach to information flow in programs. ACM Trans. Program. Lang. Syst. 2, 56–76 (1980)

  3. Bao, T., Zheng, Y., Lin, Z., Zhang, X., Xu, D.: Strict control dependence and its effect on dynamic information flow analyses. In: Proceedings of the 19th International Symposium on Software Testing and Analysis, pp. 13–24. ACM Press, Trento (2010)

  4. Barbon, G., Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O.: Privacy analysis of android apps: implicit flows and quantitative analysis. In: Saeed, K., Homenda, W. (eds.) CISIM 2015. LNCS, vol. 9339, pp. 3–23. Springer, New York (2015)

  5. Bauer, C., King, G.: Hibernate in Action. Manning Publications Co., Greenwich (2004)

  6. Bauer, C., King, G.: Java Persistence with Hibernate. Manning Publications Co., Greenwich (2006)

  7. Cavadini, S.: Secure slices of insecure programs. In: Proceedings of the ACM Symposium on Information, Computer and Communications Security, pp. 112–122. ACM Press, Tokyo (2008)

  8. Cortesi, A., Dovier, A., Quintarelli, E., Tanca, L.: Operational and abstract semantics of the query language G-log. Theor. Comput. Sci. 275(1–2), 521–560 (2002)

  9. Cortesi, A., Ferrara, P., Pistoia, M., Tripp, O.: Datacentric semantics for verification of privacy policy compliance by mobile applications. In: D’Souza, D., Lal, A., Larsen, K.G. (eds.) VMCAI 2015. LNCS, vol. 8931, pp. 61–79. Springer, Heidelberg (2015)

  10. Cortesi, A., Halder, R.: Information-flow analysis of hibernate query language. In: Dang, T.K., Wagner, R., Neuhold, E., Takizawa, M., Küng, J., Thoai, N. (eds.) FDSE 2014. LNCS, vol. 8860, pp. 262–274. Springer, Heidelberg (2014)

  11. Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the POPL 1977, pp. 238–252. ACM Press, Los Angeles (1977)

  12. Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pp. 269–282. ACM Press, San Antonio (1979)

  13. Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19, 236–243 (1976)

  14. Dimitrova, R., Finkbeiner, B., Kovács, M., Rabe, M.N., Seidl, H.: Model checking information flow in reactive systems. In: Kuncak, V., Rybalchenko, A. (eds.) VMCAI 2012. LNCS, vol. 7148, pp. 169–185. Springer, Heidelberg (2012)

  15. Elliott, J., O’Brien, T., Fowler, R.: Harnessing Hibernate, 1st edn. O’Reilly, Sebastopol (2008)

  16. Halder, R.: Language-based security analysis of database applications. In: Proceedings of the 3rd International Conference on Computer, Communication, Control and Information Technology (C3IT 2015), pp. 1–4. IEEE Press (2015)

  17. Halder, R., Cortesi, A.: Abstract interpretation of database query languages. Comput. Lang. Syst. Struct. 38, 123–157 (2012)

  18. Halder, R., Zanioli, M., Cortesi, A.: Information leakage analysis of database query languages. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing (SAC 2014), 24–28 March 2014, pp. 813–820. ACM Press, Gyeongju (2014)

  19. Hammer, C.: Experiences with PDG-based IFC. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 44–60. Springer, Heidelberg (2010)

  20. Hammer, C., Krinke, J., Snelting, G.: Information flow control for java based on path conditions in dependence graphs. In: Proceedings of the IEEE International Symposium on Secure Software Engineering (ISSSE 2006), pp. 87–96. IEEE, Arlington (2006)

  21. Hammer, C., Snelting, G.: Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs. Int. J. Inf. Secur. 8, 399–422 (2009)

  22. Joshi, R., Leino, K.R.M.: A semantic approach to secure information flow. Sci. Comput. Program. 37(1–3), 113–138 (2000)

  23. Krinke, J.: Information flow control and taint analysis with dependence graphs. In: Proceedings of the Third International Workshop on Code Based Software Security Assessments (CoBaSSA). Technical report TUD-SERG-2007-023, Vancouver, Canada, Delft University of Technology, pp. 6–9 (2007)

  24. Li, B.: Analyzing information-flow in java program based on slicing technique. SIGSOFT Softw. Eng. Notes 27, 98–103 (2002)

  25. Logozzo, F.: Class invariants as abstract interpretation of trace semantics. Comput. Lang. Syst. Struct. 35, 100–142 (2009)

  26. Mantel, H., Sudbrock, H.: Types vs. PDGs in information flow analysis. In: Albert, E. (ed.) LOPSTR 2012. LNCS, vol. 7844, pp. 106–121. Springer, Heidelberg (2013)

  27. Myers, A.C.: Jflow: practical mostly-static information flow control. In: Proceedings of the 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 1999), January 20–22 1999, pp. 228–241. ACM Press, San Antonio (1999)

  28. Pottier, F., Simonet, V.: Information flow inference for ML. ACM Trans. Program. Lang. Syst. 25, 117–158 (2003)

  29. Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21, 5–19 (2003)

  30. Sabelfeld, A., Sands, D.: Declassification: dimensions and principles. J. Comput. Secur. 17, 517–548 (2009)

  31. Shroff, P., Smith, S., Thober, M.: Dynamic dependency monitoring to secure information flow. In: Proceedings of the 20th IEEE Computer Security Foundations Symposium, CSF 2007, pp. 203–217. IEEE Computer Society, Washington DC (2007). http://dx.doi.org/10.1109/CSF.2007.20

  32. Smith, G.: Principles of secure information flow analysis. In: Christodorescu, M., Jha, S., Maughan, D., Song, D., Wang, C. (eds.) Malware Detection. Advances in Information Security, vol. 27, pp. 291–307. Springer, Nov Smokovec (2007)

  33. Volpano, D., Irvine, C., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4, 167–187 (1996)

  34. Zanioli, M., Cortesi, A.: Information leakage analysis by abstract interpretation. In: Černá, I., Gyimóthy, T., Hromkovič, J., Jefferey, K., Králović, R., Vukolić, M., Wolf, S. (eds.) SOFSEM 2011. LNCS, vol. 6543, pp. 545–557. Springer, Heidelberg (2011)

  35. Zanioli, M., Ferrara, P., Cortesi, A.: Sails: static analysis of information leakage with sample. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing (SAC 2012), pp. 1308–1313. ACM Press, Trento (2012)

Acknowledgement

This work is partially supported by PRIN “Security Horizons” project and by the research grant (SB/FTP/ETA-315/2013) from the Science & Engineering Research Board (SERB), Department of Science and Technology, Government of India. We thank the anonymous reviewers for their valuable comments and suggestions.

Corresponding author

Correspondence to Raju Halder.

Copyright information

© 2016 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Halder, R., Jana, A., Cortesi, A. (2016). Data Leakage Analysis of the Hibernate Query Language on a Propositional Formulae Domain. In: Hameurlain, A., Küng, J., Wagner, R., Dang, T., Thoai, N. (eds) Transactions on Large-Scale Data- and Knowledge-Centered Systems XXIII. Lecture Notes in Computer Science, vol 9480. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-49175-1_2

  • DOI: https://doi.org/10.1007/978-3-662-49175-1_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-49174-4

  • Online ISBN: 978-3-662-49175-1

  • eBook Packages: Computer Science, Computer Science (R0)
