A (Co)inductive System Calculus for Security Properties
[New title suggestions are welcome!]

Eric Rothstein Morris
Supervisor: Joachim Posegga
Chair of IT Security, University of Passau
er@sec.uni-passau.de

ESORICS 2015 - PhD Symposium, October 2, 2015
Introduction Example Motivation Calculus Wrap-Up

Enforcement

Let $\mathrm{Sys}$ be a set of systems. Let $P : \mathrm{Sys} \to \{\mathit{false}, \mathit{true}\}$ be a system property.

Definition. A sound enforcer of $P$ is a mechanism $\mathrm{enf}_P : \mathrm{Sys} \to \mathrm{Sys}$ such that, for all $\sigma \in \mathrm{Sys}$, $\mathrm{enf}_P(\sigma)$ satisfies $P$.

Definition. An enforcer $\mathrm{enf}_P$ is transparent if and only if whenever $\sigma$ satisfies $P$, then $\mathrm{enf}_P(\sigma) = \sigma$.

1 / 13
Enforcement

Relevant questions:
- What is $\mathrm{Sys}$?
- Is there a sound and transparent enforcer for all properties?

Usually:
- Systems: C, JavaScript, automata, hardware, etc.
- Properties: not vulnerable to $\nu$, confidentiality, etc.

Know the power of your enforcer.
Enforcing via Equations: An Artificial Toy Example

Consider the following:
- Let $\mathrm{Sys} = \mathbb{R} \to \mathbb{R}$.
- Let $P : \mathrm{Sys} \to \{\mathit{false}, \mathit{true}\}$ be defined, for $f \in \mathrm{Sys}$, by $P(f) = f(r) \geq 0$ for all $r \in \mathbb{R}$.
- Let $|\cdot| : \mathrm{Sys} \to \mathrm{Sys}$ be defined, for $f \in \mathrm{Sys}$, by

$$|f|(r) = \begin{cases} f(r), & \text{if } f(r) \geq 0; \\ -f(r), & \text{otherwise.} \end{cases}$$

The function $|\cdot|$ is one sound and transparent enforcer for $P$.
Enforcing via Equations: An Artificial Toy Example

Your competition proposes

$$\mathrm{enf}_P(f)(r) = \begin{cases} f(r), & \text{if } f(r) \geq 0; \\ 0, & \text{otherwise.} \end{cases}$$

Enforcement policy: use $\mathrm{enf}_P$ or $|\cdot|$? Both are sound and transparent, but they repair a violating $f$ differently. Enforcement is not only about what, but also about how.

Verifying vs. enforcing:
- Verify: prove $f(r) \geq 0$ for all $r \in \mathbb{R}$ (maybe hard).
- Enforce: use $|f|$ or $\mathrm{enf}_P(f)$ instead of $f$ (easy).
Motivation

It would be nice if we could do the same for complex systems and for practical security properties. Can we actually do this?

Hopefully yes, using coinductive calculus.
Before we continue

I will try to convince you that...
- Coinduction: break systems apart, rebuild them back.
- Enforcement: rebuild systems so they satisfy a property.
- Implementation: equations lazily evaluated in Haskell.
Coinduction: Breaking Streams Apart

Streams (single-threaded, non-interactive systems):
- Let $\mathbb{R}^\omega = \{[r_0, r_1, \ldots] \mid r_i \in \mathbb{R}\}$.
- Let $\mathrm{head} : \mathbb{R}^\omega \to \mathbb{R}$ be defined by $\mathrm{head}([r_0, r_1, \ldots]) = r_0$.
- Let $\mathrm{tail} : \mathbb{R}^\omega \to \mathbb{R}^\omega$ be defined by $\mathrm{tail}([r_0, r_1, \ldots]) = [r_1, \ldots]$.

A stream $\sigma$ is coinductively defined by its head and tail.
Coinduction: Rebuilding Streams from Pieces

Let $\mathrm{pack} : \mathbb{R} \times \mathbb{R}^\omega \to \mathbb{R}^\omega$ be defined by $\mathrm{pack}(r, [r_0, r_1, \ldots]) = [r, r_0, r_1, \ldots]$.

$\mathrm{pack}$ is the "compiler" of the specification $\langle r, [r_0, r_1, \ldots] \rangle$:

$$\mathbb{R} \times \mathbb{R}^\omega \cong \mathbb{R}^\omega$$

Modify the head and/or tail to obtain a different stream:

$$\mathrm{enf}_P(\sigma) = \mathrm{pack}(f \circ \mathrm{head}(\sigma),\ g \circ \mathrm{tail}(\sigma))$$
Another Toy Example

Define enforcers using $\mathrm{head}$, $\mathrm{tail}$ and $\mathrm{pack}$. Let $|\cdot| : \mathbb{R}^\omega \to \mathbb{R}^\omega$ be defined, for $\sigma \in \mathbb{R}^\omega$, by

$$|\sigma| = \begin{cases} \mathrm{pack}(\langle \mathrm{head}(\sigma), |\mathrm{tail}(\sigma)| \rangle), & \text{if } \mathrm{head}(\sigma) \geq 0; \\ |\mathrm{tail}(\sigma)|, & \text{otherwise.} \end{cases} \qquad (1)$$

$|\cdot|$ soundly and transparently enforces "always $\geq 0$". Equation (1) is a behavioural (differential) equation.
From Streams to Arbitrary Types

Let $X$ be a Haskell type implementing:
- $\mathrm{observe} : X \to \mathbb{R}$
- $\mathrm{next} : X \to X$

Enforce "always $\geq 0$" on $X$ using $|\cdot|$ by projecting $X$ into $\mathbb{R}^\omega$. Let $\llbracket \cdot \rrbracket : X \to \mathbb{R}^\omega$ be defined, for $x \in X$, by

$$\llbracket x \rrbracket = \mathrm{pack}(\langle \mathrm{observe}(x), \llbracket \mathrm{next}(x) \rrbracket \rangle)$$

$|\llbracket x \rrbracket|$ satisfies "always $\geq 0$", and $x$ and $\llbracket x \rrbracket$ are behaviourally equivalent.
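The stream enforcer of equation (1) and the projection ⟦·⟧ above, as an added worked example that is not part of the slides or of the author's Haskell tool. It uses Python with explicitly lazy tails (a thunk per tail) in place of Haskell's laziness; the stream constructors `from_function`, the sample type `X` (an integer state with `observe_x`/`next_x`) and the `fuel` bound are assumptions of this example. It also adds the competitor from the first toy example lifted to streams (`enforce_clip`), so the "what vs. how" difference between the two enforcers is visible on the same input, and it shows the one caveat equation (1) has on streams: if no non-negative element ever appears, the "otherwise" branch never produces a head.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Stream:
    """A stream over R given coinductively by its head and a lazy tail.

    `tail_thunk` is a zero-argument function evaluated only on demand,
    standing in for Haskell's lazy evaluation of the behavioural equations.
    """
    head: float
    tail_thunk: Callable[[], "Stream"]

    def tail(self) -> "Stream":
        return self.tail_thunk()

    def take(self, n: int) -> List[float]:
        """Observe the first n elements (finite prefixes are all we can inspect)."""
        out, s = [], self
        for _ in range(n):
            out.append(s.head)
            s = s.tail()
        return out


def pack(r: float, rest: Callable[[], Stream]) -> Stream:
    """pack(r, [r0, r1, ...]) = [r, r0, r1, ...]; the tail stays unevaluated."""
    return Stream(r, rest)


def from_function(f: Callable[[int], float], i: int = 0) -> Stream:
    """Constructed sample stream [f(0), f(1), f(2), ...] (our helper)."""
    return pack(f(i), lambda: from_function(f, i + 1))


def enforce_drop(s: Stream, fuel: int = 10_000) -> Stream:
    """Equation (1): |σ| = pack(head σ, |tail σ|) if head σ >= 0, else |tail σ|.

    The 'otherwise' branch iterates instead of recursing so long negative
    runs do not exhaust the Python stack.  `fuel` is our addition: when no
    non-negative element exists, equation (1) never yields a head (it is not
    productive), so we fail loudly instead of looping forever.
    """
    for _ in range(fuel):
        if s.head >= 0:
            found = s
            return pack(found.head, lambda: enforce_drop(found.tail(), fuel))
        s = s.tail()
    raise ValueError("equation (1) is not productive here: no head >= 0 within fuel")


def enforce_clip(s: Stream) -> Stream:
    """The competitor enforcer lifted to streams: keep a head >= 0, replace a
    negative head by 0.  Always productive, but it substitutes rather than drops."""
    return pack(s.head if s.head >= 0 else 0.0, lambda: enforce_clip(s.tail()))


def project(x, observe: Callable, next_: Callable) -> Stream:
    """⟦x⟧ = pack(observe x, ⟦next x⟧): view any observe/next type as a stream."""
    return pack(observe(x), lambda: project(next_(x), observe, next_))


def sound_prefix(s: Stream, n: int) -> bool:
    """'always >= 0' checked on a finite prefix (a full proof needs coinduction)."""
    return all(v >= 0 for v in s.take(n))


def transparent_prefix(enf: Callable[[Stream], Stream], s: Stream, n: int) -> bool:
    """If the prefix already satisfies the property, enforcement must not change it."""
    return (not sound_prefix(s, n)) or enf(s).take(n) == s.take(n)


def productive(s: Stream, fuel: int = 1_000) -> bool:
    """Does equation (1) produce a head for s within `fuel` unfoldings?"""
    try:
        enforce_drop(s, fuel)
        return True
    except ValueError:
        return False


# Constructed 'arbitrary type' X: an integer state with observe/next,
# standing in for the Haskell type on the slide.
def observe_x(x: int) -> float:
    return (7 * x) % 5 - 2        # cycles through -2, 0, 2, -1, 1


def next_x(x: int) -> int:
    return x + 1


if __name__ == "__main__":
    sigma = from_function(lambda i: i - 3)                       # [-3, -2, -1, 0, 1, ...]
    print(enforce_drop(sigma).take(4))                            # [0, 1, 2, 3]
    print(enforce_clip(sigma).take(4))                            # [0, 0, 0, 0]
    print(enforce_drop(project(0, observe_x, next_x)).take(6))   # [0, 2, 1, 0, 2, 1]
    print(productive(from_function(lambda i: -1.0), fuel=50))     # False
```

Both `enforce_drop` and `enforce_clip` pass the prefix checks for soundness and transparency; what differs is the repaired stream, which is exactly the "not only what, but also how" point. The non-productivity of equation (1) on an all-negative tail is worth knowing before deploying such an enforcer, since the enforced system would simply stall.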
Non-interference

Let $I$ be a set of inputs, $\mathrm{lvl} : I \to \{L, H\}$ be an input classification function, and $X$ be a Haskell type implementing:
- $\mathrm{observe} : X \to I \to \mathbb{R}$ (an $L$-channel)
- $\mathrm{next} : X \to I \to X$

Non-interference: the presence of $H$-actions does not impact $L$-channels.

$$\mathrm{observe}(\mathrm{enf}_P(\sigma), i) = \begin{cases} \mathrm{observe}(\sigma, i), & \text{if } \mathrm{lvl}(i) = L; \\ \varepsilon, & \text{otherwise.} \end{cases}$$

$$\mathrm{next}(\mathrm{enf}_P(\sigma), i) = \begin{cases} \mathrm{enf}_P \circ \mathrm{next}(\sigma, i), & \text{if } \mathrm{lvl}(i) = L; \\ \mathrm{enf}_P(\sigma), & \text{otherwise.} \end{cases}$$
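The two behavioural equations for $\mathrm{enf}_P$ above, run on a small system, as an added example that is not from the slides or the author's implementation. The input alphabet, its classification (inputs starting with `h` are $H$), the sample type `X` (a counter of all inputs seen, whose $L$-channel therefore leaks how many $H$-inputs occurred) and the trace-based check `noninterferent` are assumptions of this example; $\varepsilon$ is represented by `None`. The check compares what an $L$-observer sees on a trace with what it sees on the same trace with every $H$-input purged, which is a test on one trace, not a proof.

```python
from typing import Callable, List, NamedTuple, Optional, Tuple

# Constructed input alphabet and classification (our assumption, not the
# slides'): inputs starting with 'h' are high (H), everything else is low (L).
Input = str


def lvl(i: Input) -> str:
    return "H" if i.startswith("h") else "L"


EPS: Optional[int] = None   # the silent observation ε


class X(NamedTuple):
    """Constructed system state: counts every input processed so far."""
    total: int


def observe(x: X, i: Input) -> int:
    """L-channel of the unenforced system.  It reveals how many inputs,
    H ones included, preceded i, so H-actions influence what L sees."""
    return x.total


def next_(x: X, i: Input) -> X:
    return X(x.total + 1)


# enf_P as the two behavioural equations: observe is silenced and next is
# frozen on H inputs, so the enforced system behaves as if H inputs had
# never happened.
def enf_observe(x: X, i: Input) -> Optional[int]:
    return observe(x, i) if lvl(i) == "L" else EPS


def enf_next(x: X, i: Input) -> X:
    return next_(x, i) if lvl(i) == "L" else x


Obs = Callable[[X, Input], Optional[int]]
Nxt = Callable[[X, Input], X]


def run(obs: Obs, nxt: Nxt, x: X, trace: List[Input]) -> List[Tuple[Input, Optional[int]]]:
    """Feed a trace to a system, collecting (input, observation) pairs."""
    out = []
    for i in trace:
        out.append((i, obs(x, i)))
        x = nxt(x, i)
    return out


def low_view(observations: List[Tuple[Input, Optional[int]]]) -> List[Optional[int]]:
    """What an L-observer sees: only the observations made on L inputs."""
    return [o for i, o in observations if lvl(i) == "L"]


def purge_high(trace: List[Input]) -> List[Input]:
    return [i for i in trace if lvl(i) == "L"]


def noninterferent(obs: Obs, nxt: Nxt, x0: X, trace: List[Input]) -> bool:
    """H-actions do not impact the L-channel on this trace iff the L-view
    equals the L-view of the same trace with all H inputs removed."""
    return low_view(run(obs, nxt, x0, trace)) == low_view(run(obs, nxt, x0, purge_high(trace)))


def transparent_on_low(trace: List[Input]) -> bool:
    """With no H inputs present, the enforced system must equal the original."""
    low_only = purge_high(trace)
    return run(enf_observe, enf_next, X(0), low_only) == run(observe, next_, X(0), low_only)


TRACE = ["l1", "h1", "l2", "h2", "h3", "l3"]   # constructed sample trace

if __name__ == "__main__":
    print(noninterferent(observe, next_, X(0), TRACE))          # False: L sees the H inputs
    print(noninterferent(enf_observe, enf_next, X(0), TRACE))   # True
    print(low_view(run(enf_observe, enf_next, X(0), TRACE)))    # [0, 1, 2]
    print(transparent_on_low(TRACE))                             # True
```

On the unenforced system the $L$-observer sees `[0, 2, 5]` with the $H$-inputs present and `[0, 1, 2]` without them, so the counter leaks. Under $\mathrm{enf}_P$ both runs give `[0, 1, 2]`, and on an $H$-free trace the enforced system is indistinguishable from the original, which is the transparency requirement from the first slides.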
Contribution

Illustrate how systems, properties and enforcement mechanisms can be brought down to the same abstraction level, resulting in a practical framework for the enforcement of security properties.
Objective

Find and solve systems of behavioural equations to obtain systems that satisfy security properties.

Milestones:
- Find equations that define security properties
- Prove expressivity: "benchmark" properties
- Classify properties according to enforceability
- Develop tool support: Haskell
Questions

Questions? Thank you for your attention!