Software Model Checking for Confidentiality

Rajeev AlurUniversity of Pennsylvania

Joint work with Pavol Cerny

2

email

download programs

online banking

store health records

Confidentiality

2

“Data Leaks Abound And No One Is Safe“ (Feb 9th)

“Indian Foreign Ministry hit by spyware” (Feb 15th)

“Cell Phones a Much Bigger Privacy Risk Than Facebook” (Feb 20th)

Confidentiality

How do data leaks happen?

“Unauthorized application use: … the use of unauthorized programs resulted in as many as half of their companies' data loss incidents.” (“Data leakage worldwide, …”,Cisco, 2008)

Focus of our case study: J2ME

midlets for mobile devices can buy spyware (flexispy.com,..) “A malicious signed application could read all the PIM data

and send it to an attacker using the variety of transport mechanisms outlined in this document.” (Symantec, 2007)

3

4

J2ME midlets

void sendEvent(…) {

…

contactList = (ContactList)

PIM.getInstance().openPIMlists(

PIM.Contact_LIST, PIM.READ_ONLY,

listname)

…

conn.send(message)

…

}

Accesses phone’s native data

Sends something

How do we know that information does not leak?

EventSharingMidlet:

5

How can information be leaked?

public void sendEvent() {

doUsefulWork();

…

low = 0;

if (phoneBook.contains(“555-55”)) {

low = 1;

}

conn.send(low);

}

Information leaked due to malicious (or buggy) code.

Confidentiality is not a property of a single trace.

public void sendEvent(…) {

doUsefulWork();

...

conn.send (secret_message);

}

Model:The attacker a) knows the

programb) observes all

external communication

Checking Confidentiality

6

createEvent Midlet//get the phone numbernumber =

phoneBook.elementAt(selected);

//test if the number is valid if ((number==null)||(number==“”)){ //output error} else { String message = inputMessage(); //send a message to the receiver sendMessage(number,message); }

• Taint analysis too strict

• Language-based approaches would require annotations for downgrading

7

Software Model Checking

Software model checker

Yes /

No (counterexample)

Specification φProgram P

(source code)

Abstraction

Successful and widely used, e.g. SLAM → SDV.

• Is every acquired lock eventually released?

• Is the system deadlock free?

Not applicable to specifying and verifying of confidentiality:

1. Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus).

2. Both over- and under- approximation needed.

3. Main strength of software model checking – Finding bugs in control-oriented programs .

8

Goal

programConfidentiality analysis tool

Specification

No

Yes

What we need: Specification framework

Analysis method

Reachability

9

Reachability

Temporal Specifications

LTL, CTL, μ-calculus

Finite-state systems NL-complete

Programs (Java methods)

Undecidable.Over-approximation for sound analysis (of unreachability)

Talk Overview

10

Reachability “Confidentiality” ??

Temporal Specifications

LTL, CTL, μ-calculus ??

Finite-state systems NL-complete ??

Programs (Java methods)

Undecidable.Over-approximation for sound analysis (of unreachability)

??

11

Defining Confidentiality

Secret: Property to be kept confidential; typically a predicate over state variables

Observation h of an execution: What can the attacker observe? Two executions with same observation are equivalent Examples: Outputs; Sequence of messages sent More generally, each state is labeled with observable propositions,

and observation of an execution is a sequence of observable propositions of states

Executions of interest specified by a condition cond Terminating executions Executions where input satisfies some constraint

12

Conditional Confidentiality

Given a notion of observation, a property secret, and a condition cond of interesting executions, a program P satisfies conditional confidentiality iff

For every execution r satisfying cond, there exists an execution r’ such that

1. r and r’ have the same observation2. r and r’ differ on the value of secret

13

Temporal Logics for Confidentiality

Motivation: In multi-agent systems and for protocols, how to specify requirements concerning order in which secrets are revealed

Classical model of systems/programs: Trees

Existing branching-time logics are not adequate Thm: Confidentiality cannot be expressed in m-calculus Cannot capture “equivalence” of executions

Agent a observes proposition p, b observes q

Labeled Trees

p q

p q

p q p q

p qp qp q

Agent a observes proposition p, b observes q

a-labeled edge between nodes: a considers them equivalent

a

Labeled Trees with Equivalence Edges

p q

p q

p q p q

p qp qp qb a

a

The logic CTL≈

CTL≈ f = p | ¬ f | f1 or f2

| EX f | f1 EU f2 | EG f

| EIa f

EIa f: f holds in some world considered plausible by a

• Confidentiality: AG (EIa α and EIa ¬α)

• Agent a does not reveal x before agent b reveals y

A (EIa x and EIa ~x) U ( AIb y or AIb ~y)

Analogous extension of m-calculus: µ≈

f

EX fEIa g

ga

a

17

Model Checking

Nesting-free fragments

CTL≈ :PSPACE complete

μ≈ -calculus: EXPTIME complete In general – nonelementary (resp. undecidable)

Good news: Typical confidentiality properties captured in the nesting-free fragments

Does a finite-state system satisfy a temporal logic formula?

Talk Overview

18

Reachability Conditional Confidentiality

Temporal logics CTL, μ-calculus CTL≈, μ≈-calculus

Finite-state systems NL-complete PSPACE-complete

Programs (Java methods)

Undecidable.Over-approximation for sound analysis (of unreachability)

??

19

Confidentiality for programs

res = -1;i=0;while (i<n) { if (A[i]==key)

{ res=A[i]; } i++;}send res;

For all observations h, if h is valid (consistent with the condition cond), then h leads to a state where secret holds, and h leads to a state where the secret does not hold.

Example: suppose the observer sees 3 (that is, res = 3):

There exists a state: A= [7,3]; key = 3 (observation valid)

There exists a state: A= [7,3]; key = 3 (secret holds)

There exists a state: A= [1,3]; key = 3 (secret does not hold)

• secret: Does A contain 7?

• Observer sees the value of res

• cond: key is not 7

Confidentiality for programs

res = -1;i=0;while (i<n) { if (A[i]==key)

{ res =A[i]; } i++;}send res;

• secret: Does A contain 7?

• Observer sees the value of res.

• cond: key is not 7.

Confidentiality:

For all possible observations h,

if h is valid (consistent with the condition cond),

if there exists s: s in R and cond(s) and s[res]=h

then h leads to a state where secret holds,

then there exists s: s in R and secret(s) and s[res]=h

and h leads to a state where the secret does not hold.

and there exists s: s in R and ¬secret(s) and s[res]=hR - set of reachable states

21

Over- / under- approximationComputing reachable states exactly is impractical. Approximation: R+ (an over-approximation (R R+)),

R- (an under-approximation (R R-))

Lemma: The approximate formula implies confidentiality.

Confidentiality:

For all possible observations h,

if h is valid (consistent with the condition cond),

if there exists s: s in R+ and cond(s) and s[res]=h

then h leads to a state where secret holds,

then there exists s: s in R- and secret(s) and s[res]=h

and h leads to a state where the secret does not hold.

and there exists s: s in R- and ¬secret(s) and s[res]=h

R-

R+

R

22

Over- / under- approximation

Computing the over-approximation R+ :invariants (user-supplied or computed):

Example:res = -1;i=0;while (i<n) { if (A[i]==key) { res =A[i]; } i++;}send res;

Invariant:

(res ==key) or (res ==-1)

23

Over- / under- approximation

Computing the under-approximation R- :(loop unrolling, bounding the data structure size)

res = -1;i=0;while (i<n) { if (A[i]==key) { res =A[i]; } i++;}send res;

res = -1;i=0;if (i<n) { if (A[i]==key) { res =A[i]; } i++;}if (i<n) { if (A[i]==key) { res =A[i]; } i++;}assume(i>=n);send res;

24

Confidentiality as a logical formula

for all h:

if there exist pv: inv(pv) and cond(pv) and res=h implies

there exist pv: WP(P’,(secret and res=h)) and

there exist pv: WP(P’,(¬secret and res=h))

)))secret(,'(:(

)))secret(,'(:(

))cond()(:(:

hhistpvPWPpv

hhistpvPWPpv

hhistpvpvinvpvh

Invariant

Program with unrolled loops

Confidentiality holds only if:

Program vars

Weakest pre-condition

25

Deciding validity of confidentiality formula

Problem: Quantifier alternation. Complexity of decision procedures (QBF, Pressburger) high, tools not well engineered.

Question: Could we use SMT solvers?

Idea: Restrict the expression language to contain only equality (order). Rationale: Many programs do not perform arithmetic on the data, only tasks like searching, inserting, deleting, (sorting).

res = -1;i=0;while (i<n) { if (A[i]=key) { res =A[i]; } i++;}send res;

26

Deciding validity of confidentiality formula

Result: If universal quantifier is over a domain with only equality, we can replace it by checking the formula at a fixed number of specific values

res = -1;i=0;while (i<n) { if (A[i]=key) { res =A[i]; } i++;}send result;

):():(

)))7(

))()1((:,(:

21 pvpv

hreskey

keyresreskeyresh

Values 7, -1, and one other (e.g. 1) need to be checked.

Thus, an SMT solver can be used (checking three formulas per constant).

27

ConAn (CONfidentiality ANalysis)

Java Bytecode

WALA

ConAn

Yices

Valid

Unsat

Secret

Cond

Invariant

Narray

Nunroll

Processes bytecode to produce an intermediate representation of SSA instructions organized in a control-flow graph.

Performs SMT solving.

28

Applications

Case study: J2ME Java methods• third party programs, accessing PIM information

(managing contacts, calendars, to-do lists) and sending messages

Other Java methods: • methods from other PIM managing programs

(chat clients, calendars..). • data structure accessing methods from Java

standard library.

Experimental results

29

Project/Class

Method Name # of lines

unroll running time (s)

result

1 Java.lang/Vector

elementAt 6 1 0.18 valid

2 EventSharing sendEvent 122 2 1.83 valid

3 EventSharing sendEvent(bug)

126 2 1.80 unsat

4 find 9 1 0.31 unsat

5 find 9 2 0.34 valid

6 Funambol/Contact

getContact 13 2 0.32 valid

7 Blackchat/ICQContact

getContact--ByReference

23 2 0.24 valid

8 password check 9 2 0.22 valid

30

Conclusions

Algorithmic, specification-driven analysis is an effective way of establishing that programs do not leak confidential information.