Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with...
-
Upload
nico-tinsley -
Category
Documents
-
view
215 -
download
1
Transcript of Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with...
Software Model Checking for Confidentiality
Rajeev AlurUniversity of Pennsylvania
Joint work with Pavol Cerny
2
download programs
online banking
store health records
Confidentiality
2
“Data Leaks Abound And No One Is Safe“ (Feb 9th)
“Indian Foreign Ministry hit by spyware” (Feb 15th)
“Cell Phones a Much Bigger Privacy Risk Than Facebook” (Feb 20th)
Confidentiality
How do data leaks happen?
“Unauthorized application use: … the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.” (“Data leakage worldwide, …”,Cisco, 2008)
Focus of our case study: J2ME
midlets for mobile devices can buy spyware (flexispy.com,..) “A malicious signed application could read all the PIM data
and send it to an attacker using the variety of transport mechanisms outlined in this document.” (Symantec, 2007)
3
4
J2ME midlets
void sendEvent(…) {
…
contactList = (ContactList)
PIM.getInstance().openPIMlists(
PIM.Contact_LIST, PIM.READ_ONLY,
listname)
…
conn.send(message)
…
}
Accesses phone’s native data
Sends something
How do we know that information does not leak?
EventSharingMidlet:
5
How can information be leaked?
public void sendEvent() {
doUsefulWork();
…
low = 0;
if (phoneBook.contains(“555-55”)) {
low = 1;
}
conn.send(low);
}
Information leaked due to malicious (or buggy) code.
Confidentiality is not a property of a single trace.
public void sendEvent(…) {
doUsefulWork();
...
conn.send (secret_message);
}
Model:The attacker a) knows the
programb) observes all
external communication
Checking Confidentiality
6
createEvent Midlet//get the phone numbernumber =
phoneBook.elementAt(selected);
//test if the number is valid if ((number==null)||(number==“”)){ //output error} else { String message = inputMessage(); //send a message to the receiver sendMessage(number,message); }
• Taint analysis too strict
• Language-based approaches would require annotations for downgrading
7
Software Model Checking
Software model checker
Yes /
No (counterexample)
Specification φProgram P
(source code)
Abstraction
Successful and widely used, e.g. SLAM → SDV.
• Is every acquired lock eventually released?
• Is the system deadlock free?
Not applicable to specifying and verifying of confidentiality:
1. Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus).
2. Both over- and under- approximation needed.
3. Main strength of software model checking – Finding bugs in control-oriented programs .
8
Goal
programConfidentiality analysis tool
Specification
No
Yes
What we need: Specification framework
Analysis method
Reachability
9
Reachability
Temporal Specifications
LTL, CTL, μ-calculus
Finite-state systems NL-complete
Programs (Java methods)
Undecidable.Over-approximation for sound analysis (of unreachability)
Talk Overview
10
Reachability “Confidentiality” ??
Temporal Specifications
LTL, CTL, μ-calculus ??
Finite-state systems NL-complete ??
Programs (Java methods)
Undecidable.Over-approximation for sound analysis (of unreachability)
??
11
Defining Confidentiality
Secret: Property to be kept confidential; typically a predicate over state variables
Observation h of an execution: What can the attacker observe? Two executions with same observation are equivalent Examples: Outputs; Sequence of messages sent More generally, each state is labeled with observable propositions,
and observation of an execution is a sequence of observable propositions of states
Executions of interest specified by a condition cond Terminating executions Executions where input satisfies some constraint
12
Conditional Confidentiality
Given a notion of observation, a property secret, and a condition cond of interesting executions, a program P satisfies conditional confidentiality iff
For every execution r satisfying cond, there exists an execution r’ such that
1. r and r’ have the same observation2. r and r’ differ on the value of secret
13
Temporal Logics for Confidentiality
Motivation: In multi-agent systems and for protocols, how to specify requirements concerning order in which secrets are revealed
Classical model of systems/programs: Trees
Existing branching-time logics are not adequate Thm: Confidentiality cannot be expressed in m-calculus Cannot capture “equivalence” of executions
Agent a observes proposition p, b observes q
Labeled Trees
p q
p q
p q p q
p qp qp q
Agent a observes proposition p, b observes q
a-labeled edge between nodes: a considers them equivalent
a
Labeled Trees with Equivalence Edges
p q
p q
p q p q
p qp qp qb a
a
The logic CTL≈
CTL≈ f = p | ¬ f | f1 or f2
| EX f | f1 EU f2 | EG f
| EIa f
EIa f: f holds in some world considered plausible by a
• Confidentiality: AG (EIa α and EIa ¬α)
• Agent a does not reveal x before agent b reveals y
A (EIa x and EIa ~x) U ( AIb y or AIb ~y)
Analogous extension of m-calculus: µ≈
f
EX fEIa g
ga
a
17
Model Checking
Nesting-free fragments
CTL≈ :PSPACE complete
μ≈ -calculus: EXPTIME complete In general – nonelementary (resp. undecidable)
Good news: Typical confidentiality properties captured in the nesting-free fragments
Does a finite-state system satisfy a temporal logic formula?
Talk Overview
18
Reachability Conditional Confidentiality
Temporal logics CTL, μ-calculus CTL≈, μ≈-calculus
Finite-state systems NL-complete PSPACE-complete
Programs (Java methods)
Undecidable.Over-approximation for sound analysis (of unreachability)
??
19
Confidentiality for programs
res = -1;i=0;while (i<n) { if (A[i]==key)
{ res=A[i]; } i++;}send res;
For all observations h, if h is valid (consistent with the condition cond), then h leads to a state where secret holds, and h leads to a state where the secret does not hold.
Example: suppose the observer sees 3 (that is, res = 3):
There exists a state: A= [7,3]; key = 3 (observation valid)
There exists a state: A= [7,3]; key = 3 (secret holds)
There exists a state: A= [1,3]; key = 3 (secret does not hold)
• secret: Does A contain 7?
• Observer sees the value of res
• cond: key is not 7
Confidentiality for programs
res = -1;i=0;while (i<n) { if (A[i]==key)
{ res =A[i]; } i++;}send res;
• secret: Does A contain 7?
• Observer sees the value of res.
• cond: key is not 7.
Confidentiality:
For all possible observations h,
if h is valid (consistent with the condition cond),
if there exists s: s in R and cond(s) and s[res]=h
then h leads to a state where secret holds,
then there exists s: s in R and secret(s) and s[res]=h
and h leads to a state where the secret does not hold.
and there exists s: s in R and ¬secret(s) and s[res]=hR - set of reachable states
21
Over- / under- approximationComputing reachable states exactly is impractical. Approximation: R+ (an over-approximation (R R+)),
R- (an under-approximation (R R-))
Lemma: The approximate formula implies confidentiality.
Confidentiality:
For all possible observations h,
if h is valid (consistent with the condition cond),
if there exists s: s in R+ and cond(s) and s[res]=h
then h leads to a state where secret holds,
then there exists s: s in R- and secret(s) and s[res]=h
and h leads to a state where the secret does not hold.
and there exists s: s in R- and ¬secret(s) and s[res]=h
R-
R+
R
22
Over- / under- approximation
Computing the over-approximation R+ :invariants (user-supplied or computed):
Example:res = -1;i=0;while (i<n) { if (A[i]==key) { res =A[i]; } i++;}send res;
Invariant:
(res ==key) or (res ==-1)
23
Over- / under- approximation
Computing the under-approximation R- :(loop unrolling, bounding the data structure size)
res = -1;i=0;while (i<n) { if (A[i]==key) { res =A[i]; } i++;}send res;
res = -1;i=0;if (i<n) { if (A[i]==key) { res =A[i]; } i++;}if (i<n) { if (A[i]==key) { res =A[i]; } i++;}assume(i>=n);send res;
24
Confidentiality as a logical formula
for all h:
if there exist pv: inv(pv) and cond(pv) and res=h implies
there exist pv: WP(P’,(secret and res=h)) and
there exist pv: WP(P’,(¬secret and res=h))
)))secret(,'(:(
)))secret(,'(:(
))cond()(:(:
hhistpvPWPpv
hhistpvPWPpv
hhistpvpvinvpvh
Invariant
Program with unrolled loops
Confidentiality holds only if:
Program vars
Weakest pre-condition
25
Deciding validity of confidentiality formula
Problem: Quantifier alternation. Complexity of decision procedures (QBF, Pressburger) high, tools not well engineered.
Question: Could we use SMT solvers?
Idea: Restrict the expression language to contain only equality (order). Rationale: Many programs do not perform arithmetic on the data, only tasks like searching, inserting, deleting, (sorting).
res = -1;i=0;while (i<n) { if (A[i]=key) { res =A[i]; } i++;}send res;
26
Deciding validity of confidentiality formula
Result: If universal quantifier is over a domain with only equality, we can replace it by checking the formula at a fixed number of specific values
res = -1;i=0;while (i<n) { if (A[i]=key) { res =A[i]; } i++;}send result;
):():(
)))7(
))()1((:,(:
21 pvpv
hreskey
keyresreskeyresh
Values 7, -1, and one other (e.g. 1) need to be checked.
Thus, an SMT solver can be used (checking three formulas per constant).
27
ConAn (CONfidentiality ANalysis)
Java Bytecode
WALA
ConAn
Yices
Valid
Unsat
Secret
Cond
Invariant
Narray
Nunroll
Processes bytecode to produce an intermediate representation of SSA instructions organized in a control-flow graph.
Performs SMT solving.
28
Applications
Case study: J2ME Java methods• third party programs, accessing PIM information
(managing contacts, calendars, to-do lists) and sending messages
Other Java methods: • methods from other PIM managing programs
(chat clients, calendars..). • data structure accessing methods from Java
standard library.
Experimental results
29
Project/Class
Method Name # of lines
unroll running time (s)
result
1 Java.lang/Vector
elementAt 6 1 0.18 valid
2 EventSharing sendEvent 122 2 1.83 valid
3 EventSharing sendEvent(bug)
126 2 1.80 unsat
4 find 9 1 0.31 unsat
5 find 9 2 0.34 valid
6 Funambol/Contact
getContact 13 2 0.32 valid
7 Blackchat/ICQContact
getContact--ByReference
23 2 0.24 valid
8 password check 9 2 0.22 valid
30
Conclusions
Algorithmic, specification-driven analysis is an effective way of establishing that programs do not leak confidential information.