Transcript PPT
Hyperproperties
Michael Clarkson and Fred B. Schneider
Cornell University
Air Force Office of Scientific Research
December 4, 2008
Security Policies Today
Confidentiality
Integrity
Availability
Formalize and verify any security policy?
Clarkson and Schneider: Hyperproperties
2
Program Correctness ca. 1970s
Partial correctness (If program terminates, it produces correct output)
Termination
Total correctness (Program terminates and produces correct output)
Mutual exclusion
Deadlock freedom
Starvation freedom
???
Safety and Liveness Properties
Intuition [Lamport 1977]:
Safety: “Nothing bad happens”
Partial correctness. Bad thing: program terminates with incorrect output
Access control. Bad thing: subject completes operation without required rights
Liveness: “Something good happens”
Termination. Good thing: termination
Guaranteed service. Good thing: service rendered
Properties
Trace: Sequence of execution states
t = s0 s1 …
Property: Set of infinite traces
Trace t satisfies property P iff t ∈ P
Satisfaction depends on the trace alone
System: Also a set of traces
System S satisfies property P iff all traces of S satisfy P
Properties
[Figure, built up over three slides: system S and property P drawn as sets of traces (each dot a trace); S satisfies P when every trace of S lies inside P, and S does not satisfy P when some trace of S lies outside P]
Safety and Liveness Properties
Formalized:
Safety property [Lamport 1985]
Bad thing = trace prefix
Liveness property [Alpern and Schneider 1985]
Good thing = trace suffix
Success!
Alpern and Schneider (1985, 1987):
Theorem. ∀ P : P = Safe(P) ∩ Live(P)
Safety proved by invariance.
Liveness proved by well-foundedness.
Topological characterization:
Safety = closed sets
Liveness = dense sets
Formalize and verify any property?
Back to Security Policies
Formalize and verify any property?
Formalize and verify any security policy?
?
Security policy = Property
Information Flow is not a Property
Secure information flow: secret inputs are not leaked to public outputs
L := 0;   (no flow from H to L)
L := H;   (H flows to L)
Not safety!
Noninterference [Goguen and Meseguer 1982]: Commands of high users have no effect on observations of low users
Satisfaction depends on pairs of traces
⇒ not a property
Information flow occurs when traces are correlated
Satisfaction does not depend on each trace alone
Service Level Agreements are not Properties
Service level agreement: Acceptable performance of system
Not liveness!
Average response time: Average time, over all executions, to respond to request has given bound
Satisfaction depends on all traces of system
⇒ not a property
Any security policy that stipulates relations among traces is not a property
Need satisfaction to depend on sets of traces
Hyperproperties
A hyperproperty is a set of properties
A system S satisfies a hyperproperty H iff S ∈ H
…a hyperproperty specifies exactly the allowed sets of traces
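As an added illustration (not part of the slides), the contrast between property satisfaction and hyperproperty satisfaction worked in Python over finite trace sets: the trace encoding, the purge of high commands and the trace sets of the two programs from the information-flow slide are my modelling choices, as described in the comments.

```python
from itertools import product

def purge(commands):
    """Delete high commands: the command sequence as a low user alone issued it."""
    return tuple(c for c in commands if c[0] != 'H')

def satisfies_property(system, pred):
    """Property satisfaction: every trace, judged on its own, is in P."""
    return all(pred(t) for t in system)

def gmni_bad_pairs(system):
    """GMNI bad thing: a pair (t, u) where u ran the purged commands of t but
    the low observation differs. It needs two traces, so it is not a property."""
    return [(t, u) for t, u in product(system, repeat=2)
            if u[0] == purge(t[0]) and u[1] != t[1]]

def satisfies_gmni(system):
    """Hyperproperty satisfaction: judged on the whole set of traces."""
    return not gmni_bad_pairs(system)

def run(program):
    """Constructed trace set of a deterministic program (h, l) -> low output:
    a trace is (commands, low output); commands are an optional ('H', h)
    followed by ('L', l), and H is 0 when no high command was issued."""
    traces = set()
    for l in (0, 1):
        traces.add(((('L', l),), program(0, l)))
        for h in (0, 1):
            traces.add(((('H', h), ('L', l)), program(h, l)))
    return traces

S_ZERO = run(lambda h, l: 0)   # L := 0  (slide): no flow from H to L
S_LEAK = run(lambda h, l: h)   # L := H  (slide): H flows to L

def union_counterexample():
    """Why no property P has [P] == GMNI: the singleton systems below each
    satisfy GMNI, their union does not. For a property, S1 ⊆ P and S2 ⊆ P
    give S1 ∪ S2 ⊆ P, so a property can never reject the union."""
    t_high = ((('H', 1), ('L', 0)), 1)   # after a high command, low sees 1
    t_low = ((('L', 0),), 0)             # same low command alone, low sees 0
    s1, s2 = {t_high}, {t_low}
    return satisfies_gmni(s1), satisfies_gmni(s2), satisfies_gmni(s1 | s2)

if __name__ == "__main__":
    # Every trace of the leaky program looks fine on its own ...
    print(satisfies_property(S_LEAK, lambda t: t[1] in (0, 1)))   # True
    print(satisfies_gmni(S_ZERO), satisfies_gmni(S_LEAK))         # True False
    print(union_counterexample())                                 # (True, True, False)
```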
Hyperproperties
[Figure, built up over two slides: system S drawn as one set of traces and hyperproperty H as a collection of such sets; S does not satisfy H when S is not one of the sets in H, and S satisfies H when S itself is an element of H]
Hyperproperties
Security policies are hyperproperties!
Information flow: Noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage
Service-level agreements: Average response time, time service factor, percentage uptime
…
Hyperproperties
Safety and liveness?
Verification?
Safety
Safety proscribes “bad things”
A bad thing is finitely observable and irremediable
S is a safety property [L85] iff
b is a finite trace
S is a safety hyperproperty (“hypersafety”) iff
B is a finite set of finite traces
Prefix Ordering
An observation is a finite set of finite traces
Intuition: Observer sees a set of partial executions
M ≤ T (M is a prefix of T) iff:
M is an observation, and
∀m ∈ M : (∃t ∈ T : (m ≤ t))
If observer watched longer, M could become T
Safety Hyperproperties
Noninterference [Goguen and Meseguer 1982]
Bad thing is a pair of traces where removing high commands does change low observations
Observational determinism [Roscoe 1995]
Bad thing is a pair of traces that cause system to look nondeterministic to low observer
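An added worked example, not from the slides, covering the prefix ordering on observations and the observational-determinism bad thing as a finite set of at most two finite traces; the trace encoding (high inputs and low outputs as tagged events) and the sample systems are constructed for the example.

```python
from itertools import combinations

def is_prefix(m, t):
    return t[:len(m)] == m

def obs_leq(M, T):
    """M ≤ T: M is an observation (finite set of finite traces) and every
    m in M is a prefix of some t in T. Watching longer, M could become T."""
    return all(any(is_prefix(m, t) for t in T) for m in M)

def od_witness(t, u):
    """OD bad thing for one pair: if some j-th low events differ although the
    first j-1 agree, return the two shortest prefixes that already show it."""
    pos_t = [i for i, e in enumerate(t) if e[0] == 'L']
    pos_u = [i for i, e in enumerate(u) if e[0] == 'L']
    for i, k in zip(pos_t, pos_u):
        if t[i] != u[k]:
            return frozenset({t[:i + 1], u[:k + 1]})
    return None

def od_bad_observation(T):
    """Search T for a violating pair; the result B is a finite set of at most
    two finite traces with B ≤ T (2-hypersafety), or None if T satisfies OD."""
    for t, u in combinations(T, 2):
        b = od_witness(t, u)
        if b is not None:
            return b
    return None

# Constructed systems: events are ('H', v) high inputs and ('L', v) low outputs.
S_DET = {(('H', 0), ('L', 1), ('L', 2)), (('H', 1), ('L', 1), ('L', 2))}  # OD holds
S_LEAK = {(('H', 0), ('L', 0)), (('H', 1), ('L', 1), ('L', 5))}          # low sees H
# Whatever system the observer was really watching when it saw B still
# violates OD, because B ≤ T pins the differing low events in place.
S_EXTENDED = {(('H', 0), ('L', 0), ('L', 9)), (('H', 1), ('L', 1), ('L', 9))}

def demo():
    """(OD verdict on S_DET, bad observation of S_LEAK, B ≤ S_LEAK, B ≤ S_DET,
    irremediability of B on an extension)."""
    b = od_bad_observation(S_LEAK)
    return (od_bad_observation(S_DET), b, obs_leq(b, S_LEAK), obs_leq(b, S_DET),
            obs_leq(b, S_EXTENDED) and od_bad_observation(S_EXTENDED) is not None)
```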
Liveness
Liveness prescribes “good things”
A good thing is always possible and possibly infinite
L is a liveness property [AS85] iff
t is a finite trace
L is a liveness hyperproperty (“hyperliveness”) iff
T is a finite set of finite traces
Liveness Hyperproperties
Average response time
Good thing is that average time is low enough
Possibilistic information flow
Class of policies requiring “alternate possible explanations” to exist, e.g., generalized noninterference [McCullough 1987]
Long known that these are harder to verify
Theorem. All PIF policies are hyperliveness.
Relating Properties and Hyperproperties
Can lift property T to hyperproperty [T]
Satisfaction is equivalent iff [T] = P(T), the powerset of T
Theorem. S is safety ⇒ [S] is hypersafety.
Theorem. L is liveness ⇒ [L] is hyperliveness.
…Verification techniques for safety and liveness now carry forward to hyperproperties
Safety and Liveness is a Basis
(still)
Theorem. ∀ H : H = Safe(H) ∩ Live(H)
A fundamental basis…
Topology
Topology: Branch of mathematics that studies the structure of spaces
Open set: Can always “wiggle” from point and stay in set
Closed set: “Wiggle” might move outside set
Dense set: Can always “wiggle” to get into set
[Figure: an open set, a closed set and a dense set]
Topology of Hyperproperties
For Plotkin topology on properties [AS85]:
Safety = closed sets
Liveness = dense sets
Theorem. Hypersafety = closed sets.
Theorem. Hyperliveness = dense sets.
Theorem. Our topology on hyperproperties is equivalent to
the lower Vietoris construction applied to the Plotkin
topology.
Stepping Back…
Safety and liveness?
Verification?
Verification of 2-Safety
2-safety [Terauchi and Aiken 2005]: “Property that can be refuted by observing two finite traces”
Methodology:
Transform system with self-composition construction [Barthe, D’Argenio, and Rezk 2004]
Verify safety property of transformed system
Implies 2-safety property of original system
…Reduction from hyperproperty to property
k-Safety Hyperproperties
A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces
Examples:
1-hypersafety: the lifted safety properties
2-hypersafety: Terauchi and Aiken’s 2-safety properties
k-hypersafety: SEC(k) = “System can’t, across all runs, output all shares of a k-secret sharing”
Not k-hypersafety for any k: SEC = k SEC(k)
Verifying k-Hypersafety
Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of S^k.
Yields methodology for k-hypersafety
Incomplete for hypersafety
Hyperliveness? In general?
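Added example (not the authors' code) of the reduction just stated: the product system S^k is built explicitly by self-composition and the hyperproperty "low output does not depend on high input" becomes a per-trace safety check on it. The finite input domains and the sample programs are constructed here; a trace is the triple (high input, low input, low output) of one deterministic run.

```python
from itertools import product

HIGH, LOW = (0, 1, 2, 3), (0, 1)   # constructed finite input domains

def traces(program):
    """S: one trace (h, l, low output) per input pair of a deterministic program."""
    return {(h, l, program(h, l)) for h in HIGH for l in LOW}

def self_compose(program, k=2):
    """S^k: every k-tuple of runs that share the low input; one composed trace
    records the k runs side by side (the self-composition construction)."""
    S = traces(program)
    return {runs for runs in product(S, repeat=k)
            if len({r[1] for r in runs}) == 1}

def low_outputs_agree(composed):
    """Trace predicate on S^k, hence an ordinary safety property: one finite
    composed trace with two different low outputs is the irremediable bad thing."""
    return len({r[2] for r in composed}) == 1

def verify(program, k=2):
    """Safety of S^k  <=>  the k-hypersafety 'low output independent of H' of S."""
    return all(low_outputs_agree(c) for c in self_compose(program, k))

def counterexample(program, k=2):
    """A violating composed trace, i.e. the bad thing of the hyperproperty:
    k runs with the same low input but differing low outputs."""
    return next((c for c in self_compose(program, k)
                 if not low_outputs_agree(c)), None)

# Constructed programs, (h, l) -> low output.
def p_const(h, l):    # L := 0
    return 0

def p_echo_low(h, l): # L := L, no dependence on H
    return l

def p_copy(h, l):     # L := H
    return h

def p_parity(h, l):   # leaks one bit of H
    return h % 2

if __name__ == "__main__":
    for p in (p_const, p_echo_low, p_copy, p_parity):
        print(p.__name__, verify(p), counterexample(p))
```

The 2-safety is also k-safety for every larger k, so `verify(p, k=3)` reaches the same verdict at the cost of a larger product system.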
Logic and Verification
Policies are predicates
…in what logic?
Second-order logic suffices, first-order logic does not.
Verify second-order logic?
Can’t! (effectively and completely)
Can for fragments
…might suffice for security policies
Refinement Revisited
Stepwise refinement:
Development methodology for properties
Start with specification and high-level (abstract) program
Repeatedly refine program to lower-level (concrete) program
Techniques for refinement well-developed
Long-known those techniques don’t work for security policies—i.e., hyperproperties
Develop new techniques?
Reuse known techniques?
Refinement Revisited
Theorem. Known techniques work with all hyperproperties that are subset-closed.
Theorem. All safety hyperproperties are subset-closed.
Stepwise refinement applicable with hypersafety
Hyperliveness? In general?
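Added example, not from the slides, of why refinement is unsafe for hyperliveness: generalized noninterference is checked on a finite trace set using the definition from the Information-flow Hyperproperties extra slide, and every refinement (subset of traces) of a nondeterministic system that satisfies it is tested. The nondeterministic system and its refinements are constructed.

```python
from itertools import combinations

def high(t):
    return tuple(e for e in t if e[0] == 'H')

def low(t):
    return tuple(e for e in t if e[0] == 'L')

def satisfies_gni(T):
    """GNI: for all t, u in T there is v in T interleaving the high inputs of t
    with the low events of u. A third trace must exist, so dropping traces can
    break satisfaction: the hyperproperty is not subset-closed."""
    return all(any(high(v) == high(t) and low(v) == low(u) for v in T)
               for t in T for u in T)

def refinements(T):
    """All non-empty subsets of T: every way of resolving its nondeterminism."""
    T = tuple(T)
    return [frozenset(c) for r in range(1, len(T) + 1)
            for c in combinations(T, r)]

def violating_refinements(T):
    """Refinements of T that no longer satisfy GNI (the refinement paradox)."""
    return [R for R in refinements(T) if not satisfies_gni(R)]

# Constructed system: the low output is chosen nondeterministically and does
# not depend on the high input, so every 'alternate explanation' exists.
S_NONDET = {(('H', h), ('L', o)) for h in (0, 1) for o in (0, 1)}
R_LEAK = {(('H', h), ('L', h)) for h in (0, 1)}    # resolves the choice as L := H
R_CONST = {(('H', h), ('L', 0)) for h in (0, 1)}   # resolves the choice as L := 0

if __name__ == "__main__":
    print(satisfies_gni(S_NONDET), satisfies_gni(R_LEAK), satisfies_gni(R_CONST))
    print(len(violating_refinements(S_NONDET)), "of",
          len(refinements(S_NONDET)), "refinements break GNI")
```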
Beyond Hyperproperties?
Add another level of sets?
Theorem. Set of hyperproperties ≡ hyperproperty.
Logical interpretation:
Policies are predicates on systems
Hyperproperties are the extensions of those predicates
Hyperproperties are expressively complete
(for systems and trace semantics)
Probabilistic Hyperproperties
To incorporate probability:
Assume probability on state transitions
Construct probability measure on traces [Halpern 2003]
Use measure to express hyperproperties
We’ve expressed:
Probabilistic noninterference [Gray and Syverson 1998]
Quantitative leakage
Channel capacity
Summary
We developed a theory of hyperproperties
Parallels theory of properties
Safety, liveness (basis, topological characterization)
Verification (for k-hypersafety)
Stepwise refinement (hypersafety)
Expressive completeness
Enables classification of security policies…
Charting the landscape…
[Figure, built up over ten slides: nested regions of the space of hyperproperties, with the labels and captions listed below]
All hyperproperties (HP)
Safety hyperproperties (SHP); Liveness hyperproperties (LHP)
Lifted safety properties [SP]; Lifted liveness properties [LP]
Access control (AC) is safety; Guaranteed service (GS) is liveness
Goguen and Meseguer’s noninterference (GMNI) is hypersafety
2-safety hyperproperties (2SHP)
Secret sharing (SEC) is not k-hypersafety for any k
Observational determinism (OD) is 2-hypersafety
Generalized noninterference (GNI) is hyperliveness
Probabilistic noninterference (PNI) is neither
Possibilistic information flow (PIF) is hyperliveness
Revisiting the CIA Landscape
Confidentiality: Information flow is not a property; is a hyperproperty (HS: OD; HL: GNI)
Integrity: Safety property? Dual to confidentiality, thus hyperproperty?
Availability: Sometimes a property (max. response time); sometimes a hyperproperty (HS: % uptime, HL: avg. resp. time)
CIA seems orthogonal to hyperproperties
Extra Slides
Future Work
Verification methodology
Hyperliveness?
Axiomatizable fragments of second order logic?
CIA: express with hyperproperties?
Hyperproperties in other semantic domains
Information-flow Hyperproperties
Noninterference: The set of all properties T where for each trace t ∈ T, there exists another trace u ∈ T, such that u contains no high commands, but yields the same low observation as t.
Generalized noninterference: The set of all properties T where for any traces t and u ∈ T, there exists a trace v ∈ T, such that v is an interleaving of the high inputs from t and the low events from u.
Observational determinism: The set of all properties T where for all traces t and u ∈ T, and for all j ∈ ℕ, if t and u have the same first j-1 low events, then they have equivalent jth low events.
Self-bisimilarity: The set of all properties T where T represents a labeled transition system S, and for all low-equivalent initial memories m1 and m2, the execution of S starting from m1 is bisimilar to the execution of S starting from m2.
Topological Definitions
Open sets: closed under finite intersections and
infinite unions
Closed sets: complements of open sets
= closed under infinite intersection and finite union
= contains all its limit points
= is its own closure
Dense sets: closure is the universe
Powerdomains
We use the lower (Hoare) powerdomain
Our ≤ is the Hoare order
Lower Vietoris = lower powerdomain [Smyth 1983]
Other powerdomains?
Change the notion of “observable”
Upper: observations can disappear; impossibility of nondeterministic choices becomes observable
Convex: similar problem
But might be useful on other semantic domains