1 / 57

Hyperproperties

Hyperproperties. Michael Clarkson and Fred B. Schneider Cornell University Air Force Office of Scientific Research December 4, 2008. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A A A. Security Policies Today. Confidentiality Integrity

lara-love
Download Presentation

Hyperproperties

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Hyperproperties Michael Clarkson and Fred B. Schneider Cornell University Air Force Office of Scientific Research December 4, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAAAA

  2. Security Policies Today • Confidentiality • Integrity • Availability Formalize and verify any security policy?  Clarkson and Schneider: Hyperproperties

  3. Program Correctness ca. 1970s • Partial correctness (If program terminates, it produces correct output) • Termination • Total correctness (Program terminates and produces correct output) • Mutual exclusion • Deadlock freedom • Starvation freedom ??? Clarkson and Schneider: Hyperproperties

  4. Intuition [Lamport 1977]: Safety:“Nothing bad happens” Liveness:“Something good happens” Partial correctness Bad thing: program terminates with incorrect output Access control Bad thing: subject completes operation without required rights Termination Good thing: termination Guaranteed service Good thing: service rendered Safety and Liveness Properties Clarkson and Schneider: Hyperproperties

  5. Properties Trace: Sequence of execution states t = s0s1… Property: Set of infinite traces Trace t satisfies property P iff t2P • Satisfaction depends on the trace alone System: Also a set of traces System S satisfies property P iff all traces of S satisfy P Clarkson and Schneider: Hyperproperties

  6. Properties System S Property P = trace Clarkson and Schneider: Hyperproperties

  7. Properties System S S satisfies P Property P = trace Clarkson and Schneider: Hyperproperties

  8. Properties System S S does not satisfy P Property P = trace Clarkson and Schneider: Hyperproperties

  9. Safety and Liveness Properties Formalized: Safety property [Lamport 1985] Bad thing = trace prefix Liveness property [Alpern and Schneider 1985] Good thing = trace suffix Clarkson and Schneider: Hyperproperties

  10. Success! Alpern and Schneider (1985, 1987): • Theorem.8P : P = Safe(P) Å Live(P) • Theorem.Safety proved by invariance. • Theorem.Liveness proved by well-foundedness. • Theorem. Topological characterization: Safety = closed sets Liveness = dense sets Formalize and verify any property?  Clarkson and Schneider: Hyperproperties

  11. Back to Security Policies  Formalize and verify any property? Formalize and verify any security policy?  ? Security policy = Property Clarkson and Schneider: Hyperproperties

  12. Information Flow is not a Property Secure information flow: secret inputs are not leaked to public outputs L := 0; L := H; Not safety! Noninterference [Goguen and Meseguer 1982]: Commands of high users have no effect on observations of low users • Satisfaction depends on pairs of traces ) not a property Information flow occurs when traces are correlated • Satisfaction does not depend on each trace alone   Clarkson and Schneider: Hyperproperties

  13. Service Level Agreements are not Properties Service level agreement: Acceptable performance of system Not liveness! Average response time: Average time, over all executions, to respond to request has given bound • Satisfaction depends on all traces of system ) not a property Any security policy that stipulates relations among traces is not a property • Need satisfaction to depend on sets of traces Clarkson and Schneider: Hyperproperties

  14. Hyperproperties A hyperpropertyis a set of properties A system Ssatisfies a hyperproperty H iff S2H …a hyperproperty specifies exactly the allowed sets of traces Clarkson and Schneider: Hyperproperties

  15. Hyperproperties System S Sdoes not satisfyH Hyperproperty H = trace Clarkson and Schneider: Hyperproperties

  16. Hyperproperties SsatisfiesH System S Hyperproperty H = trace Clarkson and Schneider: Hyperproperties

  17. Hyperproperties Security policies are hyperproperties! • Information flow: Noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage • Service-level agreements: Average response time, time service factor, percentage uptime • … Clarkson and Schneider: Hyperproperties

  18. Hyperproperties • Safety and liveness? • Verification? Clarkson and Schneider: Hyperproperties

  19. Safety Safety proscribes “bad things” • A bad thing is finitely observableand irremediable • S is a safety property [L85] iff bis a finite trace Clarkson and Schneider: Hyperproperties

  20. Safety Safety proscribes “bad things” • A bad thing is finitely observableand irremediable • S is a safety property [L85] iff bis a finite trace Clarkson and Schneider: Hyperproperties

  21. Safety Safety proscribes “bad things” • A bad thing is finitely observableand irremediable • S is a safety property [L85] iff • S is a safety hyperproperty (“hypersafety”) iff bis a finite trace Bis a finite set of finite traces Clarkson and Schneider: Hyperproperties

  22. Prefix Ordering An observation is a finite set of finite traces Intuition: Observer sees a set of partial executions M·T (is a prefix of) iff: • M is an observation, and • If observer watched longer, Mcould become T Clarkson and Schneider: Hyperproperties

  23. Safety Hyperproperties • Noninterference [Goguen and Meseguer 1982] • Bad thing is a pair of traces where removing high commands does change low observations • Observational determinism [Roscoe 1995] • Bad thing is a pair of traces that cause system to look nondeterministic to low observer Clarkson and Schneider: Hyperproperties

  24. Liveness Liveness prescribes “good things” • A good thing is always possibleand possibly infinite • L is a liveness property [AS85] iff tis a finite trace Clarkson and Schneider: Hyperproperties

  25. Liveness Liveness prescribes “good things” • A good thing is always possibleand possibly infinite • L is a liveness property [AS85] iff • L is a liveness hyperproperty (“hyperliveness”) iff tis a finite trace Tis a finite set of finite traces Clarkson and Schneider: Hyperproperties

  26. Liveness Hyperproperties • Average response time • Good thing is that average time is low enough • Possibilistic information flow • Class of policies requiring “alternate possible explanations” to exist • e.g., generalized noninterference [McCullough 1987] • Long known that these are harder to verify • Theorem. All PIF policies are hyperliveness. Clarkson and Schneider: Hyperproperties

  27. Relating Properties and Hyperproperties Can lift property T to hyperproperty [T] • Satisfaction is equivalent iff [T] = P(T) • Theorem. S is safety)[S] is hypersafety. • Theorem. L is liveness )[L] is hyperliveness. …Verification techniques for safety and liveness now carry forward to hyperproperties Clarkson and Schneider: Hyperproperties

  28. Safety and Liveness is a Basis (still) Theorem. (8H : H = Safe(H) Å Live(H)) A fundamental basis… Clarkson and Schneider: Hyperproperties

  29. Topology Topology: Branch of mathematics that studies the structure of spaces Open set: Can always “wiggle” from point and stay in set Closed set: “Wiggle” might move outside set Dense set: Can always “wiggle” to get into set open closed dense Clarkson and Schneider: Hyperproperties

  30. Topology of Hyperproperties For Plotkin topology on properties [AS85]: • Safety = closed sets • Liveness = dense sets Theorem. Hypersafety = closed sets. Theorem. Hyperliveness = dense sets. Theorem. Our topology on hyperproperties is equivalent to the lower Vietoris construction applied to the Plotkin topology. Clarkson and Schneider: Hyperproperties

  31. Stepping Back…  • Safety and liveness? • Verification? Clarkson and Schneider: Hyperproperties

  32. Verification of 2-Safety 2-safety [Terauchi and Aiken 2005]: “Property that can be refuted by observing two finite traces” Methodology: • Transform system with self-composition construction [Barthe, D’Argenio, and Rezk 2004] • Verify safety property of transformed system • Implies 2-safety property of original system …Reduction from hyperproperty to property Clarkson and Schneider: Hyperproperties

  33. k-Safety Hyperproperties A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces Examples: • 1-hypersafety: the lifted safety properties • 2-hypersafety: Terauchi and Aiken’s 2-safety properties • k-hypersafety:SEC(k) = “System can’t, across all runs, output all shares of a k-secret sharing” • Not k-hypersafety for any k: SEC = kSEC(k) Clarkson and Schneider: Hyperproperties

  34. Verifying k-Hypersafety Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of Sk. • Yields methodology for k-hypersafety • Incomplete for hypersafety • Hyperliveness? In general? Clarkson and Schneider: Hyperproperties

  35. Logic and Verification Polices are predicates …in what logic? • Second-order logic suffices, first-order logic does not. Verify second-order logic? • Can’t!(effectively and completely) • Can for fragments …might suffice for security policies Clarkson and Schneider: Hyperproperties

  36. Refinement Revisited Stepwise refinement: • Development methodology for properties • Start with specification and high-level (abstract) program • Repeatedly refine program to lower-level (concrete) program • Techniques for refinement well-developed Long-known those techniques don’t work for security policies—i.e., hyperproperties • Develop new techniques? • Reuse known techniques? Clarkson and Schneider: Hyperproperties

  37. Refinement Revisited Theorem. Known techniques work with all hyperproperties that are subset-closed. Theorem. All safety hyperproperties are subset-closed. • Stepwise refinement applicable with hypersafety Hyperliveness? In general? Clarkson and Schneider: Hyperproperties

  38. Beyond Hyperproperties? Add another level of sets? Theorem. Set of hyperproperties ´ hyperproperty. Logical interpretation: • Policies are predicates on systems • Hyperproperties are the extensions of those predicates • Hyperproperties are expressively complete (for systems and trace semantics) Clarkson and Schneider: Hyperproperties

  39. Probabilistic Hyperproperties To incorporate probability: • Assume probability on state transitions • Construct probability measure on traces [Halpern 2003] • Use measure to express hyperproperties We’ve expressed: • Probabilistic noninterference [Gray and Syverson 1998] • Quantitative leakage • Channel capacity Clarkson and Schneider: Hyperproperties

  40. Summary We developed a theory of hyperproperties • Parallels theory of properties • Safety, liveness (basis, topological characterization) • Verification (for k-hypersafety) • Stepwise refinement (hypersafety) • Expressive completeness Enables classification of security policies… Clarkson and Schneider: Hyperproperties

  41. Charting the landscape… Clarkson and Schneider: Hyperproperties

  42. HP All hyperproperties (HP) Clarkson and Schneider: Hyperproperties

  43. HP SHP LHP Safety hyperproperties (SHP)Liveness hyperproperties (LHP) Clarkson and Schneider: Hyperproperties

  44. HP SHP LHP [SP] [LP] Lifted safety properties [SP]Lifted liveness properties [LP] Clarkson and Schneider: Hyperproperties

  45. HP SHP LHP [SP] [LP] AC GS Access control (AC) is safetyGuaranteed service (GS) is liveness Clarkson and Schneider: Hyperproperties

  46. HP SHP LHP [SP] [LP] GMNI AC GS Goguen and Meseguer’s noninterference (GMNI) is hypersafety Clarkson and Schneider: Hyperproperties

  47. HP SHP LHP 2SHP [SP] [LP] GMNI AC GS 2-safety hyperproperties (2SHP) Clarkson and Schneider: Hyperproperties

  48. HP SHP LHP 2SHP [SP] [LP] GMNI SEC AC GS Secret sharing (SEC) is not k-hypersafety for any k Clarkson and Schneider: Hyperproperties

  49. HP PNI SHP LHP 2SHP [SP] [LP] GMNI GNI SEC OD AC GS Observational determinism (OD) is 2-hypersafetyGeneralized noninterference (GNI) is hyperlivenessProbabilistic noninterference (PNI) is neither Clarkson and Schneider: Hyperproperties

  50. HP PNI SHP LHP 2SHP [SP] [LP] PIF GMNI GNI SEC OD AC GS Possibilistic information flow (PIF) is hyperliveness Clarkson and Schneider: Hyperproperties

More Related