Hyperproperties Michael Clarkson and Fred B. Schneider Cornell University Air Force Office of...
-
Upload
amber-jenkins -
Category
Documents
-
view
228 -
download
0
Transcript of Hyperproperties Michael Clarkson and Fred B. Schneider Cornell University Air Force Office of...
HyperpropertiesHyperproperties
Michael Clarkson and Fred B. SchneiderCornell University
Air Force Office of Scientific ResearchDecember 4, 2008
Clarkson and Schneider: Hyperproperties 2
Security Policies Today
Confidentiality Integrity Availability
Formalize and verify any security policy?
Clarkson and Schneider: Hyperproperties 3
Program Correctness ca. 1970s
Partial correctness (If program terminates, it produces correct output)
Termination Total correctness (Program terminates and
produces correct output)
Mutual exclusion Deadlock freedom Starvation freedom
???
Clarkson and Schneider: Hyperproperties 4
Safety and Liveness Properties
Intuition [Lamport 1977]:
Safety: “Nothing bad happens”
Liveness: “Something good happens”
Partial correctnessBad thing: program
terminates with incorrect output
Access controlBad thing: subject completes
operation without required rights
TerminationGood thing: termination
Guaranteed serviceGood thing: service rendered
Clarkson and Schneider: Hyperproperties 5
Properties
Trace: Sequence of execution statest = s0s1…
Property: Set of infinite tracesTrace t satisfies property P iff t 2 PSatisfaction depends on the trace alone
System: Also a set of tracesSystem S satisfies property P iff all traces of S
satisfy P
Clarkson and Schneider: Hyperproperties 8
Properties
Property P
System S S does not satisfy P
= trace
Clarkson and Schneider: Hyperproperties 9
Safety and Liveness Properties
Formalized:
Safety property [Lamport 1985]Bad thing = trace prefix
Liveness property [Alpern and Schneider 1985]Good thing = trace suffix
Clarkson and Schneider: Hyperproperties 10
Success!
Alpern and Schneider (1985, 1987):Theorem. 8 P : P = Safe(P) Å Live(P)Theorem. Safety proved by invariance.Theorem. Liveness proved by well-
foundedness.Theorem. Topological characterization:
Safety = closed sets Liveness = dense sets
Formalize and verify any property?
Clarkson and Schneider: Hyperproperties 11
Back to Security Policies
Formalize and verify any property?Formalize and verify any security policy?
Security policy = Property
?
Clarkson and Schneider: Hyperproperties 12
Information Flow is not a Property
Secure information flow: secret inputs are not leaked to public outputs
L := 0; L := H;
Not safety!
Noninterference [Goguen and Meseguer 1982]: Commands of high users have no effect on observations of low users Satisfaction depends on pairs of traces )
not a property
Information flow occurs when traces are correlated
Satisfaction does not depend on each trace alone
Clarkson and Schneider: Hyperproperties 13
Service Level Agreements are not Properties
Service level agreement: Acceptable performance of system
Not liveness!
Average response time: Average time, over all executions, to respond to request has given bound Satisfaction depends on all traces of system ) not a
property
Any security policy that stipulates relations among traces is not a property
Need satisfaction to depend on sets of traces
Clarkson and Schneider: Hyperproperties 14
Hyperproperties
A hyperproperty is a set of properties
A system S satisfies a hyperproperty H iff S 2 H…a hyperproperty specifies exactly the allowed
sets of traces
Clarkson and Schneider: Hyperproperties 15
Hyperproperties
Hyperproperty H
System S S does not satisfy H
= trace
Clarkson and Schneider: Hyperproperties 16
Hyperproperties
Hyperproperty H
System S
S satisfies H
= trace
Clarkson and Schneider: Hyperproperties 17
Hyperproperties
Security policies are hyperproperties!
Information flow: Noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage
Service-level agreements: Average response time, time service factor, percentage uptime
…
Clarkson and Schneider: Hyperproperties 19
Safety
Safety proscribes “bad things”A bad thing is finitely observable and
irremediableS is a safety property [L85] iff
b is a finite trace
Clarkson and Schneider: Hyperproperties 20
Safety
Safety proscribes “bad things”A bad thing is finitely observable and
irremediableS is a safety property [L85] iff
b is a finite trace
Clarkson and Schneider: Hyperproperties 21
Safety
Safety proscribes “bad things”A bad thing is finitely observable and
irremediableS is a safety property [L85] iff
S is a safety hyperproperty (“hypersafety”) iff
B is a finite set of finite traces
b is a finite trace
Clarkson and Schneider: Hyperproperties 22
Prefix Ordering
An observation is a finite set of finite tracesIntuition: Observer sees a set of partial
executions
M · T (is a prefix of) iff: M is an observation, and If observer watched longer, M could become T
8m 2 M : (9t 2 T : (m · t))
Clarkson and Schneider: Hyperproperties 23
Safety Hyperproperties
Noninterference [Goguen and Meseguer 1982]Bad thing is a pair of traces where
removing high commands does change low observations
Observational determinism [Roscoe 1995]Bad thing is a pair of traces that cause
system to look nondeterministic to low observer
Clarkson and Schneider: Hyperproperties 24
Liveness
Liveness prescribes “good things”A good thing is always possible and
possibly infiniteL is a liveness property [AS85] iff
t is a finite trace
Clarkson and Schneider: Hyperproperties 25
Liveness
Liveness prescribes “good things”A good thing is always possible and
possibly infiniteL is a liveness property [AS85] iff
L is a liveness hyperproperty (“hyperliveness”) iff
t is a finite trace
T is a finite set of finite traces
Clarkson and Schneider: Hyperproperties 26
Liveness Hyperproperties
Average response timeGood thing is that average time is low enough
Possibilistic information flowClass of policies requiring “alternate possible
explanations” to exist e.g., generalized noninterference [McCullough
1987] Long known that these are harder to verify
Theorem. All PIF policies are hyperliveness.
Clarkson and Schneider: Hyperproperties 27
Can lift property T to hyperproperty [T] Satisfaction is equivalent iff [T] = P(T)
Theorem. S is safety ) [S] is hypersafety. Theorem. L is liveness ) [L] is hyperliveness.
…Verification techniques for safety and liveness now carry forward to hyperproperties
Relating Properties and Hyperproperties
8t =2 S : 9m · t : 8u ¸ m : u =2 S8t =2 S : 9m · t : 8u ¸ m : u =2 S
Clarkson and Schneider: Hyperproperties 28
Safety and Liveness is a Basis (still)
Theorem. (8 H : H = Safe(H) Å Live(H))
A fundamental basis…
Clarkson and Schneider: Hyperproperties 29
Topology
Topology: Branch of mathematics that studies the structure of spaces
Open set: Can always “wiggle” from point and stay in set
Closed set: “Wiggle” might move outside setDense set: Can always “wiggle” to get into set
open
closed
dense
Clarkson and Schneider: Hyperproperties 30
Topology of Hyperproperties
For Plotkin topology on properties [AS85]: Safety = closed sets Liveness = dense sets
Theorem. Hypersafety = closed sets.Theorem. Hyperliveness = dense sets.
Theorem. Our topology on hyperproperties is equivalent to the lower Vietoris construction applied to the Plotkin topology.
Clarkson and Schneider: Hyperproperties 32
Verification of 2-Safety
2-safety [Terauchi and Aiken 2005]: “Property that can be refuted by observing two finite traces”
Methodology: Transform system with self-composition
construction [Barthe, D’Argenio, and Rezk 2004]
Verify safety property of transformed system Implies 2-safety property of original system
…Reduction from hyperproperty to property
Clarkson and Schneider: Hyperproperties 33
A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces
Examples: 1-hypersafety: the lifted safety properties 2-hypersafety: Terauchi and Aiken’s 2-safety
properties k-hypersafety: SEC(k) = “System can’t, across all
runs, output all shares of a k-secret sharing” Not k-hypersafety for any k: SEC = k SEC(k)
k-Safety Hyperproperties
Clarkson and Schneider: Hyperproperties 34
Verifying k-Hypersafety
Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of Sk.
Yields methodology for k-hypersafety Incomplete for hypersafetyHyperliveness? In general?
Clarkson and Schneider: Hyperproperties 35
Logic and Verification
Polices are predicates …in what logic?Second-order logic suffices, first-order
logic does not.
Verify second-order logic?Can’t! (effectively and completely)
Can for fragments…might suffice for security policies
Clarkson and Schneider: Hyperproperties 36
Refinement Revisited
Stepwise refinement: Development methodology for properties
Start with specification and high-level (abstract) program Repeatedly refine program to lower-level (concrete)
program Techniques for refinement well-developed
Long-known those techniques don’t work for security policies—i.e., hyperproperties Develop new techniques? Reuse known techniques?
Clarkson and Schneider: Hyperproperties 37
Refinement Revisited
Theorem. Known techniques work with all hyperproperties that are subset-closed.
Theorem. All safety hyperproperties are subset-closed.
Stepwise refinement applicable with hypersafety
Hyperliveness? In general?
Clarkson and Schneider: Hyperproperties 38
Beyond Hyperproperties?
Add another level of sets?Theorem. Set of hyperproperties ´ hyperproperty.
Logical interpretation: Policies are predicates on systems Hyperproperties are the extensions of those
predicates
Hyperproperties are expressively complete(for systems and trace semantics)
Clarkson and Schneider: Hyperproperties 39
Probabilistic Hyperproperties
To incorporate probability: Assume probability on state transitions Construct probability measure on traces
[Halpern 2003] Use measure to express hyperproperties
We’ve expressed: Probabilistic noninterference [Gray and
Syverson 1998] Quantitative leakage Channel capacity
Clarkson and Schneider: Hyperproperties 40
Summary
We developed a theory of hyperproperties Parallels theory of properties
Safety, liveness (basis, topological characterization) Verification (for k-hypersafety) Stepwise refinement (hypersafety)
Expressive completeness
Enables classification of security policies…
Clarkson and Schneider: Hyperproperties 43
HP
SHP LHP
Safety hyperproperties (SHP)Liveness hyperproperties (LHP)
Clarkson and Schneider: Hyperproperties 44
HP
SHP LHP
[SP] [LP]
Lifted safety properties [SP]
Lifted liveness properties [LP]
Clarkson and Schneider: Hyperproperties 45
HP
SHP LHP
[SP] [LP]
AC GS
Access control (AC) is safetyGuaranteed service (GS) is liveness
Clarkson and Schneider: Hyperproperties 46
HP
SHP LHP
[SP] [LP]
AC GS
GMNI
Goguen and Meseguer’s noninterference (GMNI)
is hypersafety
Clarkson and Schneider: Hyperproperties 47
HP
SHP LHP
[LP]
GS
2-safety hyperproperties (2SHP)
[SP]
AC
2SHP
GMNI
Clarkson and Schneider: Hyperproperties 48
HP
SHP LHP
[SP] [LP]
AC GS
GMNISEC
Secret sharing (SEC) is not k-hypersafety for any k
2SHP
Clarkson and Schneider: Hyperproperties 49
HP
SHP LHP
[SP] [LP]
AC GS
GMNIOD
PNI
GNI
Observational determinism (OD) is 2-hypersafety
Generalized noninterference (GNI) is hyperliveness
Probabilistic noninterference (PNI) is neither
2SHP
SEC
Clarkson and Schneider: Hyperproperties 50
HP
SHP LHP
[SP] [LP]
AC GS
GMNIOD
PNI
GNI
PIF
2SHP
Possibilistic information flow (PIF) is hyperliveness
SEC
Clarkson and Schneider: Hyperproperties 51
Revisiting the CIA Landscape
Confidentiality Information flow is not a property Is a hyperproperty (HS: OD; HL: GNI)
Integrity Safety property? Dual to confidentiality, thus hyperproperty?
Availability Sometimes a property (max. response time) Sometimes a hyperproperty (HS: % uptime, HL:
avg. resp. time)
CIA seems orthogonal to hyperproperties
HyperpropertiesHyperproperties
Michael Clarkson and Fred B. SchneiderCornell University
Air Force Office of Scientific ResearchDecember 4, 2008
Clarkson and Schneider: Hyperproperties 54
Future Work
Verification methodologyHyperliveness?Axiomatizable fragments of second
order logic? CIA: express with hyperproperties? Hyperproperties in other semantic
domains
Clarkson and Schneider: Hyperproperties 55
Information-flow Hyperproperties
Noninterference: The set of all properties T where for each trace t 2 T, there exists another trace u 2 T, such that u contains no high commands, but yields the same low observation as t.
Generalized noninterference: The set of all properties T where for any traces t and u 2 T, there exists a trace v 2 T, such that v is an interleaving of the high inputs from t and the low events from u.
Observational determinism: The set of all properties T where for all traces t and u 2 T, and for all j 2 N, if t and u have the same first j-1 low events, then they have equivalent jth low events.
Self-bisimilarity: The set of all properties T where T represents a labeled transition system S, and for all low-equivalent initial memories m1 and m2, the execution of S starting from m1 is bisimilar to the execution of S starting from m2.
Clarkson and Schneider: Hyperproperties 56
Topological Definitions
Open sets: closed under finite intersections and infinite unions
Closed sets: complements of open sets= closed under infinite intersection and finite union= contains all its limit points= is its own closure
Dense sets: closure is the universe
Clarkson and Schneider: Hyperproperties 57
Powerdomains
We use the lower (Hoare) powerdomainOur · is the Hoare orderLower Vietoris = lower powerdomain [Smyth
1983] Other powerdomains?
Change the notion of “observable” Upper: observations can disappear; impossibility of
nondeterministic choices becomes observable Convex: similar problem
But might be useful on other semantic domains