Slide 1
Hyperproperties
Michael Clarkson and Fred B. Schneider, Cornell University
Ph.D. Seminar, Northeastern University, October 14, 2010
Slide 2
Security Policies Today
Confidentiality: “Protection of assets from unauthorized disclosure”
Integrity: “Protection of assets from unauthorized modification”
Availability: “Protection of assets from loss of use”
Formalize and verify any security policy?
Slide 3
Program Correctness ca. 1970s
Partial correctness (if the program terminates, it produces correct output)
Termination
Total correctness (the program terminates and produces correct output)
Mutual exclusion
Deadlock freedom
Starvation freedom
???
Slide 4
Safety and Liveness Properties
Intuition [Lamport 1977]:
Safety: “Nothing bad happens”
Liveness: “Something good happens”
Partial correctness. Bad thing: program terminates with incorrect output
Access control. Bad thing: subject completes operation without required rights
Termination. Good thing: termination
Guaranteed service. Good thing: service rendered
Slide 5
Properties
Trace: sequence of execution states, t = s0 s1 …
Property: set of infinite traces. Trace t satisfies property P iff t is an element of P. Satisfaction depends on the trace alone.
System: also a set of traces. System S satisfies property P iff all traces of S satisfy P.
Slides 6–8
Properties
[Figure: property P and system S drawn as sets of traces (dot = trace). Slide 7: S satisfies P. Slide 8: S does not satisfy P.]
Slide 9
Safety and Liveness Properties
Formalized:
Safety property [Lamport 1985]: bad thing = trace prefix
Liveness property [Alpern and Schneider 1985]: good thing = trace suffix
Slide 10
Success!
Alpern and Schneider (1985, 1987):
Theorem. Every property is the intersection of a safety property and a liveness property.
Theorem. Safety proved by invariance.
Theorem. Liveness proved by well-foundedness.
Theorem. Topological characterization: safety = closed sets, liveness = dense sets.
Formalize and verify any property?
Slide 11
Back to Security Policies
Formalize and verify any property? Formalize and verify any security policy?
Security policy = property?
Slide 12
Information Flow is not a Property
Secure information flow: secret inputs are not leaked to public outputs
p := 1;
p := s;
if (s) then p := 1 else p := 0;
if (s) then {consume power} else {don’t};
Slide 13
Information Flow is not a Property
Secure information flow: secret inputs are not leaked to public outputs
[Figure: a system with secret and public inputs and secret and public outputs]
Slide 14
Information Flow is not a Property
Noninterference [Goguen and Meseguer 1982]: commands of high security users have no effect on observations of low security users
Not safety!
Satisfaction depends on pairs of traces … so not a property
[Figure: two example traces t1 and t2 compared by a low observer]
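The programs of slide 12, as an added example that is not from the slides: each is modelled over a secret bit s and a public bit p, noninterference is checked as a relation between pairs of traces, and the last function shows why no set of traces can express it. The "power" counter and the program p := 0 are constructed for the illustration.

```python
"""Added example, not from the slides: noninterference as a relation on pairs
of traces. The four programs of slide 12 run over a secret bit s (high) and a
public bit p (low); 'power' is a constructed low-observable counter that stands
for the power side channel of the last program."""
from itertools import product

# A state is (s, p, power); a trace is a tuple of states.
def run(step, s, p):
    """Constructed one-step programs: trace = (initial state, final state)."""
    start = (s, p, 0)
    return (start, step(start))

def p_const(st):   # p := 1
    s, p, w = st
    return (s, 1, w)

def p_copy(st):    # p := s
    s, p, w = st
    return (s, s, w)

def p_branch(st):  # if (s) then p := 1 else p := 0
    s, p, w = st
    return (s, 1 if s else 0, w)

def p_power(st):   # if (s) then {consume power} else {don't}
    s, p, w = st
    return (s, p, w + 1 if s else w)

def p_zero(st):    # p := 0 (constructed, used only in union_is_insecure)
    s, p, w = st
    return (s, 0, w)

def system(step):
    """The system as a set of traces: one run per secret/public input pair."""
    return frozenset(run(step, s, p) for s, p in product((0, 1), repeat=2))

def low(trace):
    """What a low observer sees at each step: p and power, never s."""
    return tuple((p, w) for (_s, p, w) in trace)

def interference_witness(traces):
    """Noninterference [Goguen and Meseguer 1982] on a set of traces: two
    traces with the same low-observable start must look the same to the low
    observer throughout. Returns a violating pair (the 'bad thing'), or None."""
    for t1, t2 in product(traces, repeat=2):
        if low(t1[:1]) == low(t2[:1]) and low(t1) != low(t2):
            return (t1, t2)
    return None

def noninterferent(step):
    return interference_witness(system(step)) is None

def union_is_insecure():
    """Why noninterference is not a property: if every trace of system A and
    of system B satisfies property P, so does every trace of A | B and of any
    subset of it. The secure programs p := 1 and p := 0 have a union that
    contains all traces of the insecure p := s, so no P can reject p := s."""
    secure_union = system(p_const) | system(p_zero)
    return (noninterferent(p_const) and noninterferent(p_zero)
            and system(p_copy) <= secure_union
            and interference_witness(secure_union) is not None)

if __name__ == "__main__":
    for name, step in [("p := 1", p_const), ("p := s", p_copy),
                       ("if (s) then p := 1 else p := 0", p_branch),
                       ("if (s) then {consume power} else {don't}", p_power)]:
        print(f"{name:42} noninterferent: {noninterferent(step)}")
    print("union of two secure systems contains p := s:", union_is_insecure())
```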
Slide 15
Service Level Agreements are not Properties
Service level agreement: acceptable performance of a system
Not liveness!
Average response time: the average time, over all executions, to respond to a request has a given bound. Satisfaction depends on all traces of the system … not a property
Any security policy that stipulates relations among traces is not a property
Need satisfaction to depend on sets of traces
Slide 16
Hyperproperties
A hyperproperty is a set of properties
A system S satisfies a hyperproperty H iff S is an element of H
… a hyperproperty specifies exactly the allowed sets of traces
Slides 17–18
Hyperproperties
[Figure: hyperproperty H and system S drawn as sets of traces (dot = trace). Slide 17: S does not satisfy H. Slide 18: S satisfies H.]
Slide 19
Hyperproperties
Security policies are hyperproperties!
Information flow: noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage
Service-level agreements: average response time, time service factor, percentage uptime
…
Slide 20
Hyperproperties
Safety and liveness? Verification?
Slides 21–23
Safety
Safety proscribes “bad things”
A bad thing is finitely observable and irremediable
S is a safety property [L85] iff … (b is a finite trace)
S is a safety hyperproperty (“hypersafety”) iff … (B is a finite set of finite traces)
Slide 24
Prefix Ordering
An observation is a finite set of finite traces
Intuition: the observer sees a set of partial executions
M ≤ T (M is a prefix of T) iff: M is an observation, and if the observer watched longer, M could become T
Slide 25
Safety Hyperproperties
Noninterference [Goguen and Meseguer 1982]: the bad thing is a pair of traces where removing high commands does change low observations
Observational determinism [Roscoe 1995]: the bad thing is a pair of traces that cause the system to look nondeterministic to a low observer
…
Slides 26–27
Liveness
Liveness prescribes “good things”
A good thing is always possible and possibly infinite
L is a liveness property [AS85] iff … (t is a finite trace)
L is a liveness hyperproperty (“hyperliveness”) iff … (T is a finite set of finite traces)
Slide 28
Liveness Hyperproperties
Average response time: the good thing is that the average time is low enough
Possibilistic information flow: class of policies requiring “alternate possible explanations” to exist, e.g. generalized noninterference [McCullough 1987]
Theorem. All PIF policies are hyperliveness.
Slide 29
Relating Properties and Hyperproperties
Can lift property T to hyperproperty [T]. Satisfaction is equivalent iff [T] = powerset(T)
Theorem. S is safety implies [S] is hypersafety.
Theorem. L is liveness implies [L] is hyperliveness.
… Verification techniques for safety and liveness now carry forward to hyperproperties
Safety property [L85], formally (m a finite trace): $\forall t \notin S : \exists m \le t : \forall u \ge m : u \notin S$
Slide 30
Safety and Liveness is a Basis (still)
Theorem. Every hyperproperty is the intersection of a safety hyperproperty and a liveness hyperproperty.
A fundamental basis…
Slide 31
Topology
Open set: can always “wiggle” from a point and stay in the set
Closed set: a “wiggle” might move outside the set
Dense set: can always “wiggle” to get into the set
[Figure: an open set, a closed set and a dense set]
Slide 32
Topology of Hyperproperties
For the Plotkin topology on properties [AS85]: safety = closed sets, liveness = dense sets
Theorem. Hypersafety = closed sets.
Theorem. Hyperliveness = dense sets.
Theorem. Our topology on hyperproperties is equivalent to the lower Vietoris construction applied to the Plotkin topology.
Slide 33
Stepping Back…
Safety and liveness? Verification?
Slide 34
Verification of 2-Safety
2-safety [Terauchi and Aiken 2005]: “Property that can be refuted by observing two finite traces”
Methodology: transform the system with the self-composition construction [Barthe, D’Argenio, and Rezk 2004]; verify a safety property of the transformed system; this implies the 2-safety property of the original system
… Reduction from hyperproperty to property
Slide 35
k-Safety Hyperproperties
A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces
Examples:
1-hypersafety: the lifted safety properties
2-hypersafety: Terauchi and Aiken’s 2-safety properties
k-hypersafety: SEC(k) = “System can’t, across all runs, output all shares of a k-secret sharing”
Not k-hypersafety for any k: SEC = k SEC(k)
Slide 36
Verifying k-Hypersafety
Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of S^k.
Yields a methodology for k-hypersafety. Incomplete for hypersafety.
Hyperliveness? In general?
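Self-composition for k-hypersafety, as an added example that is not from the slides or the paper: SEC(k) from slide 35 is checked as a safety property of the product system S^k, and running the same check with k-1 copies shows why the bad thing needs k traces. The systems, share names and traces are constructed.

```python
"""Added example, not from the slides: verifying a k-safety hyperproperty by
self-composition. SEC(k) ('the system can't, across all runs, output all
shares of a k-secret sharing') becomes a safety property of the k-fold product
system S^k, as in the theorem of slide 36. Everything below is constructed."""
from itertools import product

K = 3
SHARES = frozenset(f"share{i}" for i in range(K))   # the k shares of one secret

# A finite trace is a tuple of events: the share output at that step, or None.
# Constructed system: each run reveals one share, so across K runs all leak.
LEAKY = frozenset({
    ("share0", None, None),
    (None, "share1", None),
    (None, None, "share2"),
})
# Constructed system: only share0 and share1 ever leave the system.
GUARDED = frozenset({
    ("share0", None, None),
    (None, "share1", None),
    ("share0", "share1", None),
})

def self_compose(traces, copies):
    """S^copies: run `copies` traces of S in lockstep; each product state is
    the tuple of the component states at that step."""
    return {tuple(zip(*combo)) for combo in product(traces, repeat=copies)}

def bad_prefix(product_trace, shares=SHARES):
    """Safety property of the product system: a finite prefix is the bad
    thing once the shares output by its components together cover all of
    them. Returns the length of the offending prefix, or None."""
    seen = set()
    for step, joint_state in enumerate(product_trace, start=1):
        seen.update(e for e in joint_state if e is not None)
        if shares <= seen:
            return step
    return None

def sec_violation(traces, copies):
    """Check SEC(K) on S by checking the safety property on S^copies.
    Returns the set of component traces forming the bad thing, or None;
    with fewer than K copies the K-trace bad thing cannot be observed."""
    for pt in self_compose(traces, copies):
        if bad_prefix(pt) is not None:
            return frozenset(zip(*pt))   # unzip back into component traces
    return None

if __name__ == "__main__":
    print("LEAKY,   K copies  :", sec_violation(LEAKY, K))
    print("LEAKY,   K-1 copies:", sec_violation(LEAKY, K - 1))
    print("GUARDED, K copies  :", sec_violation(GUARDED, K))
```

With K copies the leak in LEAKY is found as a set of K traces; with K-1 copies the same check reports nothing, which is the sense in which SEC(K) is K-hypersafety and not (K-1)-hypersafety.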
Slide 37
Logic and Verification
Policies are predicates … but in what logic? Second-order logic suffices, first-order logic does not.
Verify second-order logic? Can’t! (effectively and completely). Can for fragments … which might suffice for security policies
Slide 38
Refinement Revisited
Stepwise refinement: development methodology for properties
Start with a specification and a high-level (abstract) program
Repeatedly refine the program to a lower-level (concrete) program
Techniques for refinement are well-developed
Long known that those techniques don’t work for security policies, i.e., hyperproperties
Develop new techniques? Reuse known techniques?
Slide 39
Refinement Revisited
Theorem. Known techniques work with all hyperproperties that are subset-closed.
Theorem. All safety hyperproperties are subset-closed.
Stepwise refinement applicable with hypersafety
Hyperliveness? In general?
Slide 40
Beyond Hyperproperties?
Security policies are predicates on systems
Hyperproperties are the extensions of those predicates
Hyperproperties are expressively complete (for predicates, systems, and trace semantics)
Slide 41
Other System Models
Relational semantics, labeled transition systems, state machines, probabilistic systems
… can define hyperproperties for all these
Slide 42
Probabilistic Hyperproperties
To incorporate probability: assume probability on state transitions; construct a probability measure on traces [Halpern 2003]; use the measure to express hyperproperties
We’ve expressed: probabilistic noninterference [Gray and Syverson 1998], quantitative leakage, channel capacity
Slide 43
Summary
We developed a theory of hyperproperties that parallels the theory of properties:
Safety, liveness (basis, topological characterization)
Verification (for k-hypersafety)
Stepwise refinement (hypersafety)
Expressive completeness
Enables classification of security policies…
Slide 44
Charting the landscape…
Slides 45–53
[Figure: nested landscape of hyperproperties, built up one slide at a time]
All hyperproperties (HP)
Safety hyperproperties (SHP), liveness hyperproperties (LHP)
Lifted safety properties [SP], lifted liveness properties [LP]
Access control (AC) is safety; guaranteed service (GS) is liveness
Goguen and Meseguer’s noninterference (GMNI) is hypersafety
2-safety hyperproperties (2SHP)
Secret sharing (SEC) is not k-hypersafety for any k
Observational determinism (OD) is 2-hypersafety
Generalized noninterference (GNI) is hyperliveness
Probabilistic noninterference (PNI) is neither
Possibilistic information flow (PIF) is hyperliveness
Slide 54
Revisiting the CIA Landscape
Confidentiality: information flow is not a property; it is a hyperproperty (HS: OD; HL: GNI)
Integrity: safety property? Dual to confidentiality, thus a hyperproperty?
Availability: sometimes a property (max. response time); sometimes a hyperproperty (HS: % uptime, HL: avg. resp. time)
CIA seems orthogonal to hyperproperties
Slide 55
Hyperproperties
Michael Clarkson and Fred B. Schneider, Cornell University
Ph.D. Seminar, Northeastern University, October 14, 2010