Hyperproperties
description
Transcript of Hyperproperties
Hyperproperties
Michael Clarkson George Washington University
Summer School on Formal Methods for the Science of SecurityUniversity of Illinois at Urbana-ChampaignJuly 25, 2013
2
Security Policies Today
Confidentiality“Protection of assets from unauthorized disclosure”
Integrity“Protection of assets from unauthorized modification”
Availability“Protection of assets from loss of use”
Formalize and verify any security policy?
3
Program Correctness ca. 1970s
Partial correctness (If program terminates, it produces correct output)
Termination Total correctness (Program terminates and
produces correct output)
Mutual exclusion Deadlock freedom Starvation freedom
???
4
Safety and Liveness Properties
Intuition [Lamport 1977]:
Safety: “Nothing bad happens”
Liveness: “Something good happens”
Partial correctnessBad thing: program
terminates with incorrect output
Access controlBad thing: subject
completes operation without required rights
TerminationGood thing: termination
Guaranteed serviceGood thing: service
rendered
5
Properties
Trace: Sequence of execution statest = s0s1…
Property: Set of infinite tracesTrace t satisfies property P iff t is an
element of PSatisfaction depends on the trace alone
System: Also a set of tracesSystem S satisfies property P iff all traces
of S satisfy P
6
Properties
Property P
System S
= trace
7
Properties
Property P
System S S satisfies P
= trace
8
Properties
Property P
System S S does not satisfy P
= trace
9
Safety and Liveness Properties
Formalized:
Safety property [Lamport 1985]Bad thing = trace prefix
Liveness property [Alpern and Schneider 1985]Good thing = trace suffix
10
Success!
Alpern and Schneider (1985, 1987):Theorem. Every property is the
intersection of a safety property and a liveness property.
Theorem. Safety proved by invariance.Theorem. Liveness proved by well-
foundedness.Theorem. Topological characterization:
Safety = closed sets Liveness = dense sets
Formalize and verify any property?
11
Back to Security Policies
Formalize and verify any property?Formalize and verify any security policy?
Security policy = Property?
12
Information Flow is not a Property
Secure information flow: Secret inputs are not leaked to public outputs
p := 1;
p := s;
if (s) then p := 1 else p := 0;
if (s) then {consume power} else {don’t};
13
Information Flow is not a Property
Secure information flow: Secret inputs are not leaked to public outputs
secret secret
public public
14
Information Flow is not a Property
Noninterference [Goguen and Meseguer 1982]: Commands of high security users have no effect on observations of low security users
Not safety!
Satisfaction depends on pairs of traces …so not a property
4 23
8 15
42
16
10
8t1:
4 8 15
16
t2:
15
Service Level Agreements are not Properties
Service level agreement: Acceptable performance of system
Not liveness!
Average response time: Average time, over all executions, to respond to request has given bound Satisfaction depends on all traces of system …not a
property
Any security policy that stipulates relations among traces is not a property
Need satisfaction to depend on sets of traces
16
Hyperproperties
A hyperproperty is a set of properties[Clarkson and Schneider 2008, 2010]
A system S satisfies a hyperproperty H iff S is an element of H…a hyperproperty specifies exactly the allowed
sets of traces
17
Hyperproperties
Hyperproperty H
System S S does not satisfy H
= trace
18
Hyperproperties
Hyperproperty H
System S
S satisfies H
= trace
19
Hyperproperties
Security policies are hyperproperties!
Information flow: Noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage
Service-level agreements: Average response time, time service factor, percentage uptime
…
20
Beyond Hyperproperties?
Security policies are predicates on systems
Hyperproperties are the extensions of those predicates
Hyperproperties are expressively complete
(for predicates, systems, and trace semantics)
21
Other System Models
Relational semantics Labeled transition systems State machines Probabilistic systems
…can define hyperproperties for all these
22
Probabilistic Hyperproperties
To incorporate probability: Assume probability on state transitions Construct probability measure on traces
[Halpern 2003] Use measure to express hyperproperties
We’ve expressed: Probabilistic noninterference [Gray and
Syverson 1998] Quantitative leakage Channel capacity
23
Hyperproperties
Safety and liveness? Verification?
Questions??
24
Safety
Safety proscribes “bad things”A bad thing is finitely observable and
irremediableS is a safety property [Lamport 85] iff
b is a finite trace
25
Safety
Safety proscribes “bad things”A bad thing is finitely observable and
irremediableS is a safety property [Lamport 85] iff
b is a finite trace
26
Safety
Safety proscribes “bad things”A bad thing is finitely observable and
irremediableS is a safety property [Lamport 85] iff
S is a safety hyperproperty (“hypersafety”) iff
B is a finite set of finite traces
b is a finite trace
27
Prefix Ordering
An observation is a finite set of finite tracesIntuition: Observer sees a set of partial
executions
M ≤ T (M is a prefix of T) iff: M is an observation, and If observer watched longer, M could become T
28
Safety Hyperproperties
Noninterference [Goguen and Meseguer 1982]
Bad thing is a pair of traces where removing high commands does change low observations
Observational determinism [Roscoe 1995, Zdancewic and Myers 2003]
Bad thing is a pair of traces that cause system to look nondeterministic to low observer
…
29
Liveness
Liveness prescribes “good things”A good thing is always possible and
possibly infiniteL is a liveness property [AS85] iff
t is a finite trace
30
Liveness
Liveness prescribes “good things”A good thing is always possible and
possibly infiniteL is a liveness property [AS85] iff
L is a liveness hyperproperty (“hyperliveness”) iff
t is a finite trace
T is a finite set of finite traces
31
Liveness Hyperproperties
Average response timeGood thing is that average time is low enough
Possibilistic information flowClass of policies requiring “alternate possible explanations” to exist
e.g. generalized noninterference [McCullough 1987]
Theorem. All PIF policies are hyperliveness.
32
Can lift property T to hyperproperty [T] Satisfaction is equivalent iff [T] = powerset(T)
Theorem. S is safety implies [S] is hypersafety.
Theorem. L is liveness implies [L] is hyperliveness.
…Verification techniques for safety and liveness carry forward to hyperproperties
Relating Properties and Hyperproperties
8t =2 S : 9m · t : 8u ¸ m : u =2 S8t =2 S : 9m · t : 8u ¸ m : u =2 S
33
Safety and Liveness is a Basis (still)
Theorem. Every hyperproperty is the intersection of a safety hyperproperty and a liveness hyperproperty.
A fundamental basis…
34
Topology
Open set: Can always “wiggle” from point and stay in set
Closed set: “Wiggle” might move outside setDense set: Can always “wiggle” to get into set
open
closed
dense
35
Topology of Hyperproperties
For Plotkin topology on properties [AS85]: Safety = closed sets Liveness = dense sets
Theorem. Hypersafety = closed sets.Theorem. Hyperliveness = dense sets.
Theorem. Our topology on hyperproperties is equivalent to the lower Vietoris construction applied to the Plotkin topology.
36
Stepping Back…
Safety and liveness? Verification?
37
Logic and Verification
Polices are predicates …but in what logic? Second-order logic suffices, first-order logic
does not. Last summer: Meseguer says “find a concrete
logical syntax”
Verify second-order logic? Can’t! (effectively and completely)
Temporal logic: LTL, CTL*? Highly successful for trace properties But not for security policies [McLean 1994, Alur
et al. 2006] Let’s hyper-ize… with quantification over
multiple traces
Syntax
LTL: [Pnueli 1977]f ::= p | ¬f | f1 v f2 | … | X f | f1 U f2 | … | G f | …
State propositions: x-equals-42
HyperLTL: [Koleini, Clarkson, Micinski 2013]y ::= At: y | Et: y | f
State propositions annotated with trace variable: x-equals-42t
…LTL is a fragment of HyperLTL
Examples
Observational determinism [Zdancewic and Myers 2003]:
At: Au: t[0]=Lu[0] ⇒ t=Lu
t[0] =L u[0] is sugar for ∧p ∊ L pt ⇔ pu
(first state in both traces agrees on all propositions in L)
t =L u is sugar for G (t[0] =L u[0])(both traces agrees on all propositions in L)
Note: multiple paths in scope; syntax that reads like the “normal” math written in noninteference papers.
Examples
Noninference [McLean 1994]:
At: Eu: t=Lu ∧ G no-highu
state-based variant of GM noninterference
Can also express noninteference itself. And GNI, restrictiveness, separability, forward correctability…
Semantics
LTL: formula modeled by single trace: t ⊨ f system modeled by set T of traces
HyperLTL: formula modeled by set of traces (actually,
set of named traces i.e. valuation or environment)
system still modeled by set T of traces, which is what quantifiers range over:P ⊨ At : y iff for all t in T, have P, t=t ⊨ y
Semantics
P ⊨ At : y iff for all t in T, have P, t=t ⊨ yP ⊨ Et : y iff exists t in T, s.t. P, t=t ⊨ yP ⊨ pt iff p ∊ (P t)[0]
P ⊨ ¬f iff P ⊨ ¬ f doesn’t holdP ⊨ f1 v f2 iff P ⊨ f1 or P ⊨ f2
P ⊨ X f iff [P 1..] ⊨ fP ⊨ f1 U f2 iff there exists i ≥0 s.t. [P i..] ⊨ f2 and
for all j where 0 ≤ j < i, have [P j..] ⊨ f1
Model Checking
Adapts LTL algorithm based on Büchi automata[Wolper et al. 1983, Lichtenstein and Pnueli 1985, Vardi and Wolper 1994, …]
Prototype…• builds automata using self-composition [Barthe et al. 2004], • then outsources to GOAL [Tsay et al. 2007] for automata
constructions
Supports fragment of HyperLTL• Up to one quantifier alternation, e.g. AE, AAE, EA• Suffices for all our information-flow examples
Yields verification methodology for any linear-time hyperproperty
44
Model Checking: Complexity
Fragment with 1 alternation:Exponential in size of system andDoubly exponential in size of formula
Full HyperLTL:PSPACE-hard Reduction from quantified propositional
temporal logic (QPTL)
…price of security? Or do we need to be more clever?
45
Other Hyper Temporal Logics
HyperCTL* [Finkbeiner et al. 2013]Like HyperLTL, but quantifiers can be
nestedModel checking is
NSPACE(f(size of system))-completewhere f involves a tower of exponentials…
“Hyper modal m-calculus”Polyadic modal m-calculus [Andersen
1994]Used by Milushev and Clarke [2012] for
incremental hyperproperties
46
Stepping Back…
Safety and liveness? Verification?
Model-checking (expensive)Reduce to trace propertiesRefinement
47
Verification of 2-Safety
2-safety: “Property that can be refuted by observing two finite traces” [Terauchi and Aiken 2005]
Methodology: Transform system with self-composition
construction [Barthe, D’Argenio, and Rezk 2004]
Verify safety property of transformed system Implies 2-safety property of original system
…Reduction from hyperproperty to property
48
A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces
Examples: 1-hypersafety: the lifted safety properties 2-hypersafety: Terauchi and Aiken’s 2-safety
properties k-hypersafety: SEC(k) = “System can’t,
across all runs, output all shares of a k-secret sharing”
Not k-hypersafety for any k: SEC = k
SEC (k)
k-Safety Hyperproperties
49
Verifying k-Hypersafety
Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of Sk.
Yields methodology for k-hypersafety Incomplete for hypersafetyHyperliveness? In general?
50
Refinement Revisited
Stepwise refinement: Development methodology for properties
Start with specification and high-level (abstract) program
Repeatedly refine program to lower-level (concrete) program
Techniques for refinement well-developed
Long-known those techniques don’t work for security policies—i.e., hyperproperties Develop new techniques? Reuse known techniques?
51
Refinement Revisited
Theorem. Known techniques work with all hyperproperties that are subset-closed.
Theorem. All safety hyperproperties are subset-closed.
Stepwise refinement applicable with hypersafety
Hyperliveness? In general?
52
Stepping Back…
Safety and liveness? Verification?
Model-checking (expensive)Reduce to trace properties (k-safety)Refinement (hypersafety)Proof system?
…verify by decomposing to safety+liveness?
53
Summary
Theory of hyperproperties : Parallels theory of properties
Safety, liveness (basis, topological characterization)
Verification (HyperLTL, k-hypersafety, stepwise refinement)
Expressive completeness Enables classification of security
policies…
54
Charting the landscape…
55
All hyperproperties (HP)
HP
56
HP
SHP LHP
Safety hyperproperties (SHP)Liveness hyperproperties (LHP)
57
HP
SHP LHP
[SP] [LP]
Lifted safety properties [SP]
Lifted liveness properties [LP]
58
HP
SHP LHP
[SP] [LP]
AC GS
Access control (AC) is safetyGuaranteed service (GS) is liveness
59
HP
SHP LHP
[SP] [LP]
AC GS
GMNI
Goguen and Meseguer’s noninterference (GMNI)
is hypersafety
60
HP
SHP LHP
[LP]
GS
2-safety hyperproperties (2SHP)
[SP]
AC
2SHP
GMNI
61
HP
SHP LHP
[SP] [LP]
AC GS
GMNISEC
Secret sharing (SEC) is not k-hypersafety for any k
2SHP
62
HP
SHP LHP
[SP] [LP]
AC GS
GMNIOD
PNI
GNI
Observational determinism (OD) is 2-hypersafety
Generalized noninterference (GNI) is hyperliveness
Probabilistic noninterference (PNI) is neither
2SHP
SEC
63
HP
SHP LHP
[SP] [LP]
AC GS
GMNIOD
PNI
GNI
PIF
2SHP
Possibilistic information flow (PIF) is hyperliveness
SEC
64
Revisiting the CIA Landscape
Confidentiality Information flow is not a property Is a hyperproperty (HS: OD; HL: GNI)
Integrity Safety property? Dual to confidentiality, thus hyperproperty?
Availability Sometimes a property (max. response time) Sometimes a hyperproperty (HS: % uptime, HL:
avg. resp. time)
CIA seems unrelated to hyperproperties
Reading
Hyperproperties. In Proc. CSF 2008, p. 51–65. With Fred B. Schneider.
Hyperproperties. Journal of Computer Security 18(6):1157–1210, 2010. With Fred B. Schneider.
A Temporal Logic of Security. Technical report http://arxiv.org/abs/1306.5678. June 2013. With Masoud Koleini and Kristopher Micinski.
Temporal Logics for Hyperproperties. In submission. July 2013. With Bernd Finkbeiner, Masoud Koleini, Kristopher Micinski, Markus Rabe, and Cesar Sanchez.
Hyperproperties
Michael Clarkson George Washington University
Summer School on Formal Methods for the Science of SecurityUniversity of Illinois at Urbana-ChampaignJuly 25, 2013
67
Extra Slides
68
Information-flow Hyperproperties
Noninterference: The set of all properties T where for each trace t in T, there exists another trace u in T, such that u contains no high commands, but yields the same low observation as t.
Generalized noninterference: The set of all properties T where for any traces t and u in T, there exists a trace v in T, such that v is an interleaving of the high inputs from t and the low events from u.
Observational determinism: The set of all properties T where for all traces t and u in T, and for all integer j, if t and u have the same first j-1 low events, then they have equivalent jth low events.
Self-bisimilarity: The set of all properties T where T represents a labeled transition system S, and for all low-equivalent initial memories m1 and m2, the execution of S starting from m1 is bisimilar to the execution of S starting from m2.
69
Representing LTS’s
Rich state is the key
70
Representing LTS’s
a a
b c
a
b c
{ab, ac} {ab, ac}
Different LTS’s, same trace sets
71
Representing LTS’s
a a
b c
a
b c
72
Representing LTS’s
x
zy
ut
m
n
po
a a
b c
a
b c
{(xa)(yb)(t$), (xa)(zc)(u$)}{(ma)(nb)(o$), (ma)(nc)(p$)}
Different LTS’s, different trace sets
73
Topological Definitions
Open sets: closed under finite intersections and infinite unions
Closed sets: complements of open sets= closed under infinite intersection and finite union= contains all its limit points= is its own closure
Dense sets: closure is the universe
74
Powerdomains
We use the lower (Hoare) powerdomain Our ≤ is the Hoare order Lower Vietoris = lower powerdomain [Smyth
1983]
Other powerdomains? Change the notion of “observable”
Upper: observations can disappear; impossibility of nondeterministic choices becomes observable
Convex: similar problem But might be useful on other semantic domains
75
Why not CTL*?
s ⊨ AA f= for all p ∊ M, if t[0] = s then p ⊨ A f= for all ,p r ∊ M, if t[0] = u[0] = s then r ⊨ f
…only the last trace is “remembered” by semantics
Work related to HyperLTL
SecLTL [Dimitrova et al. 12] LTL plus hide modality (high hidden from observation) Designed for output-deterministic systems
Can’t seem to express, e.g., generalized noninteference
LKU [Balliu et al. 11] Linear-time logic of knowledge Handles declassification policies Designed for observational determinism
Can’t seem to express, e.g., noninference
Incremental hyperproperties [Milushev and Clarke 12] Polyadic modal mu-calculus [Andersen 94]
Models are tuples of transition systems Verifiable by game-based model checking HyperLTL is simpler and seems to suffice for any state-based information-
flow policy