Scenario of Information Flow Analysis Implementation in PL/SQL Program Units with PLIF Platform

Programming and Computer Software

Abstract

Formal proof of security measure effectiveness and computation security is vitally important for trust in critical information systems. It should be realized that formal security verification must be carried out at each infrastructural level (from the hardware level to the application level) in the process of system design. Currently, computation security analysis on the application level remains the major challenge as it requires complex labeling of computing environment elements. Traditionally, to solve this problem, information flow control (IFC) methods are employed. Unlike access control mechanisms widely used in modern operating systems (OSs) and database management systems (DBMSs), IFC has limited application in software design and mostly comes down to trivial taint tracking. This paper describes an approach to full-fledged implementation of IFC in PL/SQL program units with the use of the PLIF platform. In addition, a general scheme of computation security analysis for enterprise applications that work with relational DBMSs is considered. The key advantage of our approach is the explicit separation of functions between software developers and security analysts.

Notes

  1. By the global variables of the computing environment, we mean attributes of relations.

  2. The fulfillment of the CompInv property can be achieved in a finite number of iterations, because the policy alphabet is a finite lattice and the transition functions for calculating policies of global variables are monotonically increasing.

  3. Specifications generated by PLIF describe the state of each user session, including the domain of local variables and parameters (stack), pointers to the current stack frame and to the instruction currently executed in the session, and the domain of return values.
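The termination argument in note 2 (finite policy lattice, monotone transfer functions) as an added worked example; this is constructed illustration code, not the paper's or the PLIF project's implementation. It models a few hypothetical PL/SQL units whose bodies join the labels of their sources into the relation attribute they write, iterates those transfer functions over a powerset-of-tags lattice until every global variable's policy is stable, and then checks the result against policies declared by the analyst. Unit names, attribute names and tags are assumptions.

```python
from typing import Dict, FrozenSet, List, Tuple

Label = FrozenSet[str]        # policy lattice element: a set of tags, join = union
BOTTOM: Label = frozenset()   # untagged / public
Unit = List[Tuple[str, List[str]]]   # unit body: (target attribute, source names)

def join(*labels: Label) -> Label:
    """Lattice join (set union): monotone and finite for a finite tag set."""
    return frozenset().union(*labels)

def flows_to(a: Label, b: Label) -> bool:
    """Partial order: a may flow to b iff every tag of a is permitted by b."""
    return a <= b

def fixpoint(units: Dict[str, Unit], inputs: Dict[str, Label]) -> Tuple[Dict[str, Label], int]:
    """Least fixed point of the transfer functions of all units.
    Global-variable policies start at BOTTOM and only ever rise through join,
    so the loop ends after at most 1 + (#globals * lattice height) rounds."""
    policies: Dict[str, Label] = {}
    for unit in units.values():
        for target, sources in unit:
            for name in [target, *sources]:
                if name not in inputs:          # inputs carry fixed labels
                    policies.setdefault(name, BOTTOM)
    rounds = 0
    while True:
        rounds, changed = rounds + 1, False
        for unit in units.values():
            for target, sources in unit:
                src = join(*(inputs[s] if s in inputs else policies[s] for s in sources))
                new = join(policies[target], src)   # never decreases: monotone step
                changed |= new != policies[target]
                policies[target] = new
        if not changed:                          # stable: every unit is consistent
            return policies, rounds

def violations(policies: Dict[str, Label], declared: Dict[str, Label]) -> List[str]:
    """Attributes whose computed policy exceeds the policy the analyst declared."""
    return sorted(a for a, lab in declared.items() if not flows_to(policies[a], lab))

# Constructed sample: four hypothetical units reading parameters (p_*) and
# relation attributes; audit_loop closes a cycle back into emp.note.
INPUTS = {"p_ssn": frozenset({"pii"}), "p_amount": frozenset({"fin"}), "p_note": BOTTOM}
UNITS: Dict[str, Unit] = {
    "create_employee": [("emp.ssn", ["p_ssn"]), ("emp.note", ["p_note"])],
    "run_payroll": [("pay.amount", ["p_amount", "emp.ssn"])],
    "build_report": [("rep.total", ["pay.amount"]), ("rep.summary", ["rep.total", "emp.note"])],
    "audit_loop": [("emp.note", ["rep.summary"])],
}
DECLARED = {"emp.ssn": frozenset({"pii"}), "pay.amount": frozenset({"pii", "fin"}),
            "rep.summary": frozenset({"fin"}), "emp.note": BOTTOM}

if __name__ == "__main__":
    pol, n = fixpoint(UNITS, INPUTS)
    print(f"stable after {n} rounds; violations: {violations(pol, DECLARED)}")
```

The cycle through audit_loop is what forces a second round: rep.summary picks up the pii tag via pay.amount, feeds it back into emp.note, and both then exceed their declared policies.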

Author information

Corresponding author

Correspondence to A. A. Timakov.

Ethics declarations

The author declares that he has no conflicts of interest.

Additional information

Translated by Yu. Kornienko

Cite this article

Timakov, A.A. Scenario of Information Flow Analysis Implementation in PL/SQL Program Units with PLIF Platform. Program Comput Soft 49, 215–231 (2023). https://doi.org/10.1134/S0361768823040114
