Hyperproperties
Michael Clarkson and Fred B. Schneider
Cornell University
Air Force Office of Scientific Research
December 4, 2008
Security Policies Today
- Confidentiality
- Integrity
- Availability

Formalize and verify any security policy?
Clarkson and Schneider: Hyperproperties
Program Correctness ca. 1970s
- Partial correctness (if the program terminates, it produces correct output)
- Termination
- Total correctness (the program terminates and produces correct output)
- Mutual exclusion
- Deadlock freedom
- Starvation freedom
- ???
Safety and Liveness Properties
Intuition [Lamport 1977]:

Safety: “Nothing bad happens”
- Partial correctness. Bad thing: program terminates with incorrect output
- Access control. Bad thing: subject completes operation without required rights

Liveness: “Something good happens”
- Termination. Good thing: termination
- Guaranteed service. Good thing: service rendered
Properties
Trace: sequence of execution states, t = s₀s₁…
Property: set of infinite traces
Trace t satisfies property P iff t ∈ P
- Satisfaction depends on the trace alone
System: also a set of traces
System S satisfies property P iff all traces of S satisfy P
Properties
[Figure: system S and property P drawn as sets of traces]
[Figure: S satisfies P]
[Figure: S does not satisfy P]
Safety and Liveness Properties
Formalized:
- Safety property [Lamport 1985]: bad thing = trace prefix
- Liveness property [Alpern and Schneider 1985]: good thing = trace suffix
Success!
Alpern and Schneider (1985, 1987):
- Theorem. ∀P : P = Safe(P) ∩ Live(P)
- Theorem. Safety proved by invariance.
- Theorem. Liveness proved by well-foundedness.
- Theorem. Topological characterization: safety = closed sets, liveness = dense sets.
Formalize and verify any property?
Back to Security Policies
Formalize and verify any property?
Formalize and verify any security policy?
Security policy = Property?
Information Flow is not a Property
Secure information flow: secret inputs are not leaked to public outputs
  L := 0;
  L := H;
Not safety!
Noninterference [Goguen and Meseguer 1982]: commands of high users have no effect on observations of low users
- Satisfaction depends on pairs of traces ⇒ not a property
Information flow occurs when traces are correlated
- Satisfaction does not depend on each trace alone
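As an added illustration (not part of the original slides), the following Python models Goguen-Meseguer noninterference as a predicate on a set of traces for one-line programs like the two above, and shows why no per-trace property can express it: two systems that each satisfy noninterference have a union that does not. The trace encoding and the two-valued high-input domain are assumptions made here.

```python
"""Noninterference is decided on a set of traces, never on one trace.

Added illustration, not from the slides.  Encoding assumed here: a trace is a
tuple of events, ("hi", v) for a command of the high user and ("lo", v) for an
observation of the low user.  The high-input domain {0, 1} is constructed.
"""

def low_obs(trace):
    """What the low user sees: the low events of the trace, in order."""
    return tuple(e for e in trace if e[0] == "lo")

def has_high_cmds(trace):
    return any(e[0] == "hi" for e in trace)

def noninterference(system):
    """Goguen-Meseguer noninterference on a trace set.

    Every trace t must look, to the low user, exactly like the traces u in
    which the high user issued no commands (a deterministic system has one
    such run).  The bad thing is a *pair* (t, u) that disagrees, so a single
    trace can never witness a violation on its own.
    """
    quiet = [u for u in system if not has_high_cmds(u)]
    return all(low_obs(t) == low_obs(u) for t in system for u in quiet)

def traces_of(program, high_inputs=(0, 1)):
    """Trace set of the deterministic program L := program(H): one run per
    high input, plus the run in which the high user stays silent (H = 0)."""
    runs = {(("lo", program(0)),)}
    for h in high_inputs:
        runs.add((("hi", h), ("lo", program(h))))
    return frozenset(runs)

leak = traces_of(lambda h: h)   # L := H  -- low output copies the secret
zero = traces_of(lambda h: 0)   # L := 0  -- low output ignores the secret
one  = traces_of(lambda h: 1)   # L := 1  -- also ignores the secret

# A property P is satisfied by S iff S is a subset of P, so two systems that
# satisfy P have a union that satisfies P.  Noninterference has no such
# closure: `zero` and `one` satisfy it, their union (a system free to behave
# like either) does not.  Hence noninterference is not a property.
either = zero | one
```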
Service Level Agreements are not Properties
Service level agreement: acceptable performance of system
Not liveness!
Average response time: average time, over all executions, to respond to a request has a given bound
- Satisfaction depends on all traces of the system ⇒ not a property
Any security policy that stipulates relations among traces is not a property
- Need satisfaction to depend on sets of traces
Hyperproperties
A hyperproperty is a set of properties
A system S satisfies a hyperproperty H iff S ∈ H
…a hyperproperty specifies exactly the allowed sets of traces
Hyperproperties
[Figure: S does not satisfy hyperproperty H]
[Figure: S satisfies hyperproperty H]
Hyperproperties
Security policies are hyperproperties!
- Information flow: noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage
- Service-level agreements: average response time, time service factor, percentage uptime
- …
Hyperproperties
- Safety and liveness?
- Verification?
Safety
Safety proscribes “bad things”
A bad thing is finitely observable and irremediable
- S is a safety property [L85] iff
  b is a finite trace
- S is a safety hyperproperty (“hypersafety”) iff
  B is a finite set of finite traces
Prefix Ordering
An observation is a finite set of finite traces
Intuition: observer sees a set of partial executions
M ≤ T (M is a prefix of T) iff:
- M is an observation, and
- ∀m ∈ M : (∃t ∈ T : (m ≤ t))
If the observer watched longer, M could become T
Safety Hyperproperties
- Noninterference [Goguen and Meseguer 1982]
  Bad thing is a pair of traces where removing high commands does change low observations
- Observational determinism [Roscoe 1995]
  Bad thing is a pair of traces that cause the system to look nondeterministic to a low observer
Liveness
Liveness prescribes “good things”
A good thing is always possible and possibly infinite
- L is a liveness property [AS85] iff
  t is a finite trace
- L is a liveness hyperproperty (“hyperliveness”) iff
  T is a finite set of finite traces
Liveness Hyperproperties
- Average response time
  Good thing is that the average time is low enough
- Possibilistic information flow
  Class of policies requiring “alternate possible explanations” to exist, e.g., generalized noninterference [McCullough 1987]
  Long known that these are harder to verify
  Theorem. All PIF policies are hyperliveness.
Relating Properties and Hyperproperties
Can lift property T to hyperproperty [T]
- Satisfaction is equivalent iff [T] = P(T) (the power set of T)
Theorem. S is safety ⇒ [S] is hypersafety.
Theorem. L is liveness ⇒ [L] is hyperliveness.
…Verification techniques for safety and liveness now carry forward to hyperproperties
Safety and Liveness is a Basis (still)
Theorem. (∀H : H = Safe(H) ∩ Live(H))
A fundamental basis…
Topology
Topology: branch of mathematics that studies the structure of spaces
- Open set: can always “wiggle” from a point and stay in the set
- Closed set: a “wiggle” might move outside the set
- Dense set: can always “wiggle” to get into the set
[Figure: open, closed, and dense sets]
Topology of Hyperproperties
For the Plotkin topology on properties [AS85]:
- Safety = closed sets
- Liveness = dense sets
Theorem. Hypersafety = closed sets.
Theorem. Hyperliveness = dense sets.
Theorem. Our topology on hyperproperties is equivalent to the lower Vietoris construction applied to the Plotkin topology.
Stepping Back…
- Safety and liveness?
- Verification?
Verification of 2-Safety
2-safety [Terauchi and Aiken 2005]: “Property that can be refuted by observing two finite traces”
Methodology:
- Transform the system with the self-composition construction [Barthe, D’Argenio, and Rezk 2004]
- Verify a safety property of the transformed system
  Implies the 2-safety property of the original system
…Reduction from hyperproperty to property
k-Safety Hyperproperties
A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces
Examples:
- 1-hypersafety: the lifted safety properties
- 2-hypersafety: Terauchi and Aiken’s 2-safety properties
- k-hypersafety: SEC(k) = “System can’t, across all runs, output all shares of a k-secret sharing”
- Not k-hypersafety for any k: SEC = k SEC(k)
Verifying k-Hypersafety
Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of Sᵏ.
- Yields verification methodology for k-hypersafety
- Incomplete for hypersafety
- Hyperliveness? In general?
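As an added example (not the authors' code), the following Python carries out the reduction from the 2-safety and k-hypersafety slides above on finite-state systems: it builds the product Sᵏ by enumeration and searches it for the bad thing, first with k = 2 for noninterference of low outputs (the self-composition case), then with k = 3 for SEC(3), where the refutation needs three runs. The program encodings, the two-valued input domains and the placeholder share values are assumptions.

```python
"""k-fold self-composition: a k-safety hyperproperty of S is checked as an
ordinary safety property (no bad k-tuple ever appears) of the product S^k.

Added illustration, not the authors' code.  A system is represented by the
finite set of its complete runs over a small, constructed input domain.
"""
from itertools import product

def product_counterexample(runs, k, bad):
    """Enumerate S^k and return the first k-tuple of runs on which `bad`
    holds, or None.  `bad` must be decidable from k finite runs; that is
    what makes the hyperproperty k-safety, and a returned tuple is a finite,
    irremediable refutation of it."""
    for combo in product(list(runs), repeat=k):
        if bad(combo):
            return combo
    return None

# --- k = 2: noninterference of low outputs (self-composition) ------------
def runs_of(prog, lows=(0, 1), highs=(0, 1)):
    """Runs (low input, high input, low output) of a deterministic program."""
    return frozenset((l, h, prog(l, h)) for l in lows for h in highs)

def ni_bad(pair):
    """Bad thing: two runs agree on the low input but not on the low output,
    i.e. the high input interfered with what the low user observes."""
    (l1, _, o1), (l2, _, o2) = pair
    return l1 == l2 and o1 != o2

leaky  = runs_of(lambda l, h: l + h)   # L := L + H
secure = runs_of(lambda l, h: 2 * l)   # L := 2 * L

# --- k = 3: SEC(3), no three runs may jointly reveal all three shares ----
K = 3

def sharing_runs(indices_served):
    """A server that, asked for share index i, outputs (i, share_i).
    Share values are constructed placeholders; only their indices matter."""
    return frozenset((i, ("share", i)) for i in indices_served)

def sec_bad(combo):
    """Bad thing: the K runs together output every one of the K shares."""
    return {i for i, _ in combo} == set(range(K))

hands_out_all = sharing_runs(range(K))      # violates SEC(3)
withholds_one = sharing_runs(range(1, K))   # never releases share 0
```

Searching the 2-fold product of `hands_out_all` finds nothing, which is the point of the slide: SEC(3) is 3-hypersafety, not 2-hypersafety.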
Logic and Verification
Policies are predicates
- …in what logic?
Second-order logic suffices, first-order logic does not.
Verify second-order logic?
- Can’t! (effectively and completely)
- Can for fragments
  …might suffice for security policies
Refinement Revisited
Stepwise refinement:
- Development methodology for properties
- Start with a specification and a high-level (abstract) program
- Repeatedly refine the program to a lower-level (concrete) program
- Techniques for refinement are well developed
Long known that those techniques don’t work for security policies, i.e., hyperproperties
- Develop new techniques?
- Reuse known techniques?
Refinement Revisited
Theorem. Known techniques work with all hyperproperties that are subset-closed.
Theorem. All safety hyperproperties are subset-closed.
- Stepwise refinement applicable with hypersafety
Hyperliveness? In general?
Beyond Hyperproperties?
Add another level of sets?
Theorem. Set of hyperproperties ≡ hyperproperty.
Logical interpretation:
- Policies are predicates on systems
- Hyperproperties are the extensions of those predicates
- Hyperproperties are expressively complete (for systems and trace semantics)
Probabilistic Hyperproperties
To incorporate probability:
- Assume probability on state transitions
- Construct probability measure on traces [Halpern 2003]
- Use measure to express hyperproperties
We’ve expressed:
- Probabilistic noninterference [Gray and Syverson 1998]
- Quantitative leakage
- Channel capacity
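As an added example (not from the slides), the following Python builds the measure on runs of two small probabilistic programs and uses it to check probabilistic noninterference and one quantitative leakage measure; it also shows why the measure is needed, since the leaking program passes a possibilistic check. The run encoding, the uniform prior on H and the two programs are assumptions made here.

```python
"""Probabilistic noninterference from a probability measure on runs.

Added illustration, not from the slides.  A program is modelled (assumption
made here) as a function program(h) -> list of (probability, low output):
each pair is one complete run, carrying its probability.  Exact fractions
avoid floating-point noise when distributions are compared.
"""
from collections import defaultdict
from fractions import Fraction as F

HIGHS = (0, 1)   # constructed high-input domain, assumed uniformly distributed

def low_distribution(program, h):
    """Measure on low observations induced by the measure on runs, given H = h."""
    dist = defaultdict(F)
    for p, out in program(h):
        if p:
            dist[out] += p
    assert sum(dist.values()) == 1, "run probabilities must sum to 1"
    return dict(dist)

def possibilistic_ni(program):
    """Possibilistic reading: the *set* of low outputs does not depend on H."""
    sets = [set(low_distribution(program, h)) for h in HIGHS]
    return all(s == sets[0] for s in sets)

def probabilistic_ni(program):
    """Probabilistic noninterference: the whole *distribution* of low
    outputs does not depend on H."""
    dists = [low_distribution(program, h) for h in HIGHS]
    return all(d == dists[0] for d in dists)

def bayes_vulnerability(program):
    """Quantitative view: probability that a low observer who guesses H from
    the low output is right, under a uniform prior on H (min-entropy
    leakage framework).  Equals the prior 1/|HIGHS| exactly when nothing leaks."""
    dists = {h: low_distribution(program, h) for h in HIGHS}
    outputs = {o for d in dists.values() for o in d}
    return sum(max(dists[h].get(o, F(0)) for h in HIGHS) for o in outputs) / len(HIGHS)

def one_time_pad(h):
    """L := H xor coin, fair coin: the output is uniform whatever H is."""
    return [(F(1, 2), h ^ 0), (F(1, 2), h ^ 1)]

def biased_leak(h):
    """Output H with probability 3/4, otherwise a fair random bit.  Both
    outputs stay possible for each H, so the possibilistic check passes,
    yet the low user guesses H correctly 7/8 of the time."""
    return [(F(3, 4), h), (F(1, 8), 0), (F(1, 8), 1)]
```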
Summary
We developed a theory of hyperproperties
- Parallels theory of properties
  - Safety, liveness (basis, topological characterization)
  - Verification (for k-hypersafety)
  - Stepwise refinement (hypersafety)
- Expressive completeness
Enables classification of security policies…
Charting the landscape…
[Figure: the landscape of hyperproperties, built up over the following slides]
- All hyperproperties (HP)
- Safety hyperproperties (SHP); liveness hyperproperties (LHP)
- Lifted safety properties [SP]; lifted liveness properties [LP]
- Access control (AC) is safety; guaranteed service (GS) is liveness
- Goguen and Meseguer’s noninterference (GMNI) is hypersafety
- 2-safety hyperproperties (2SHP)
- Secret sharing (SEC) is not k-hypersafety for any k
- Observational determinism (OD) is 2-hypersafety; generalized noninterference (GNI) is hyperliveness; probabilistic noninterference (PNI) is neither
- Possibilistic information flow (PIF) is hyperliveness
Revisiting the CIA Landscape
- Confidentiality: information flow is not a property; it is a hyperproperty (HS: OD; HL: GNI)
- Integrity: safety property? Dual to confidentiality, thus hyperproperty?
- Availability: sometimes a property (max. response time); sometimes a hyperproperty (HS: % uptime, HL: avg. resp. time)
CIA seems orthogonal to hyperproperties
Extra Slides
Future Work
- Verification methodology
  - Hyperliveness?
  - Axiomatizable fragments of second-order logic?
- CIA: express with hyperproperties?
- Hyperproperties in other semantic domains
Information-flow Hyperproperties
- Noninterference: the set of all properties T where for each trace t ∈ T, there exists another trace u ∈ T such that u contains no high commands but yields the same low observation as t.
- Generalized noninterference: the set of all properties T where for any traces t and u ∈ T, there exists a trace v ∈ T such that v is an interleaving of the high inputs from t and the low events from u.
- Observational determinism: the set of all properties T where for all traces t and u ∈ T, and for all j ∈ ℕ, if t and u have the same first j−1 low events, then they have equivalent jth low events.
- Self-bisimilarity: the set of all properties T where T represents a labeled transition system S, and for all low-equivalent initial memories m1 and m2, the execution of S starting from m1 is bisimilar to the execution of S starting from m2.
Topological Definitions
Open sets: closed under finite intersections and
infinite unions
Closed sets: complements of open sets
= closed under infinite intersection and finite union
= contains all its limit points
= is its own closure
Dense sets: closure is the universe
Powerdomains
- We use the lower (Hoare) powerdomain
  - Our ≤ is the Hoare order
  - Lower Vietoris = lower powerdomain [Smyth 1983]
- Other powerdomains?
  - Change the notion of “observable”
  - Upper: observations can disappear; impossibility of nondeterministic choices becomes observable
  - Convex: similar problem
  - But might be useful on other semantic domains