A weakest precondition approach to active attacks analysis

Musard Balliu, Isabella Mastroeni
School of Computer Science and Communication, Royal Institute of Technology (KTH), Stockholm, Sweden
Dipartimento di Informatica, Università di Verona, Italy

Dublin, June 15th, 2009
Security Background

Goal: Protect data confidentiality from malicious attackers.

System data:
• H stands for private, unmodifiable
• L stands for public, modifiable

Standard Non Interference: aims to protect private inputs.

$(H \not\leadsto L) \quad \forall l \in V_L,\ \forall h_1, h_2 \in V_H .\ [\![P]\!](h_1, l)_L = [\![P]\!](h_2, l)_L$

PROBLEM ⇓ Real systems release private information intentionally.
Security Background

Goal: Protect data confidentiality from malicious attackers.

Solution ⇓

Declassified Non Interference: $\varphi(H)$ is the declassified private property.

$(\varphi(H) \leadsto L) \quad \forall l \in V_L,\ \forall h_1, h_2 \in V_H .\ \varphi(h_1) = \varphi(h_2) \Rightarrow [\![P]\!](h_1, l)_L = [\![P]\!](h_2, l)_L$

No property stronger than $\varphi(H)$ can be disclosed. [Myers and Liskov 1997, Sabelfeld and Myers 2003]
Robustness [Myers et al. 2004]

Goal: Active attacks vs passive attacks power.

• Additional integrity level.
• Active attackers: can modify data in fixed points called holes $[\bullet]$.
• Security types: LL, LH, HL and HH (confidentiality, integrity).

$c[\bullet] ::= \mathrm{skip} \mid x := e \mid c_1; c_2 \mid \mathrm{if}\ e\ \mathrm{then}\ c_1\ \mathrm{else}\ c_2 \mid \mathrm{while}\ e\ \mathrm{do}\ c \mid [\bullet]$

• Fair attacks: programs on LL variables.

Robustness: $P[\bullet]$ is robust if no active fair attack can disclose more private information than a passive attacker.
Abstract Interpretation [Cousot and Cousot '77, '79]

Abstract Interpretation: a general theory of sound approximation of program semantics.

[Figure: two abstract domains for integers. Sign lattice: $\top$ above $0-$ and $0+$, above $0$, above $\emptyset$. Parity lattice: $\top$ above Even and Odd, above $\emptyset$.]

$\mathit{sum}(x, y) \stackrel{\mathrm{def}}{=} x + y$

• $\mathit{sum}^*(+, +) = +$   • $\mathit{sum}^*(\mathit{even}, \mathit{even}) = \mathit{even}$
• $\mathit{sum}^*(-, -) = -$   • $\mathit{sum}^*(\mathit{odd}, \mathit{odd}) = \mathit{even}$
• $\mathit{sum}^*(+, -) = \top$   • $\mathit{sum}^*(\mathit{even}, \mathit{odd}) = \mathit{odd}$
Declassification by Wlp [Banerjee et al. 2007]

Wlp: greatest set of input states leading to a given output observation.

$P \stackrel{\mathrm{def}}{=} \mathrm{if}\ (h_1 = h_2)\ \mathrm{then}\ l := 0\ \mathrm{else}\ l := 1$

$\mathit{Wlp}(P, l = a) = (h_1 = h_2 \wedge a = 0) \vee (h_1 \neq h_2 \wedge a = 1)$

⇓ Maximal information released

[Figure: lattice with $\top$ above the two sets $\{\langle h_1, h_2, l \rangle \mid h_1 \neq h_2\}$ and $\{\langle h_1, h_2, l \rangle \mid h_1 = h_2\}$, above $\emptyset$.]

From the non-interference point of view:
$h_1 = 0, h_2 = 0, l = 0 \mapsto l = 0$
$h_1 = 1, h_2 = 0, l = 0 \mapsto l = 1$
Maximal release by active attackers

Goal: compute the maximal information disclosed by active attackers.

⇒ Unfair attacks: programs on LL and HL variables.

$P ::= l := h;\ [\bullet];$ with variables $h : HH$, $l : LL$ and $k : HL$.

• $\mathit{Wlp}(l := h;\ [\mathrm{skip}],\ \{l = a\}) = \{h = a\}$
• $\mathit{Wlp}(l := h;\ [l := k],\ \{l = a\}) = \{k = a\}$
• $\mathit{Wlp}(l := h;\ [l := l + k],\ \{l = a\}) = \{h + k = a\}$

• Active attackers ⇒ semantic transformation.
• Different attacks ⇒ different information release.

Active attacks can be potentially infinite!
Parametric attacks

Active attack ≡ function on LL and HL variables.

• Extend the Wlp computation parametric on $f(\vec{l})$.
• Analyze the final formula containing $f$ as parameter.

Back to the example: consider the above example. Represent the possible unfair attacks in $[\bullet]$ with $\langle l, k \rangle := \langle f(l, k), g(l, k) \rangle$.

$\{f(h, k) = a\}\ \ l := h;\ \ \{f(l, k) = a\}\ \ [\langle l, k \rangle := \langle f(l, k), g(l, k) \rangle;]\ \ \{l = a\}$

⇒ $\{f(h, k) = a\}$: $f$ "measures" the information of $h$ and $k$.
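Worked example, added here and not part of the slides or the authors' tooling: a small symbolic Wlp calculator over the slides' command language (skip, assignment, sequence, conditional), with the attack hole filled by whatever command the attacker chooses. It reproduces the declassification formula for the `if (h1 = h2)` program and the three unfair attacks on `l := h; [•]`, and cross-checks each symbolic precondition against the concrete semantics on a small finite domain (the check one wants before trusting a hand-derived Wlp). Predicates are written as Python boolean expressions, and the parametric attack is represented as `l := f(l, k)` rather than the slide's simultaneous update of `l` and `k`, which is equivalent here because the postcondition `l = a` does not mention `k`.

```python
import ast
import itertools

def subst(formula, var, expr):
    """Return formula[expr/var], replacing only whole variable names."""
    repl = ast.parse(expr, mode="eval").body
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return repl if node.id == var else node
    return ast.unparse(Sub().visit(ast.parse(formula, mode="eval")))

def wlp(cmd, post):
    """Wlp of cmd w.r.t. post.  Commands: ("skip",) | ("assign", x, e) |
    ("seq", c1, c2) | ("if", b, c1, c2); predicates are Python-syntax strings."""
    if cmd[0] == "skip":
        return post
    if cmd[0] == "assign":            # Wlp(x := e, Q) = Q[e/x]
        return subst(post, cmd[1], cmd[2])
    if cmd[0] == "seq":               # Wlp(c1; c2, Q) = Wlp(c1, Wlp(c2, Q))
        return wlp(cmd[1], wlp(cmd[2], post))
    b, c1, c2 = cmd[1:]               # (b and Wlp(c1, Q)) or (not b and Wlp(c2, Q))
    return f"(({b}) and ({wlp(c1, post)})) or ((not ({b})) and ({wlp(c2, post)}))"

def run(cmd, state):                  # concrete semantics, used to cross-check wlp
    if cmd[0] == "skip":
        return state
    if cmd[0] == "assign":
        return {**state, cmd[1]: eval(cmd[2], {}, state)}
    if cmd[0] == "seq":
        return run(cmd[2], run(cmd[1], state))
    b, c1, c2 = cmd[1:]
    return run(c1 if eval(b, {}, state) else c2, state)

def wlp_sound(cmd, post, variables, domain=range(3)):
    """True iff wlp(cmd, post) holds in exactly the states whose run satisfies post."""
    pre = wlp(cmd, post)
    for vals in itertools.product(domain, repeat=len(variables)):
        s = dict(zip(variables, vals))
        if bool(eval(pre, {}, s)) != bool(eval(post, {}, run(cmd, s))):
            return False
    return True

# DECLASS is the slides' "if (h1 = h2) then l := 0 else l := 1".
DECLASS = ("if", "h1 == h2", ("assign", "l", "0"), ("assign", "l", "1"))
# Attacker commands for the hole in "l := h; [•]"; the last one is the parametric attack.
ATTACKS = {"skip": ("skip",), "l := k": ("assign", "l", "k"),
           "l := l + k": ("assign", "l", "l + k"), "l := f(l, k)": ("assign", "l", "f(l, k)")}

def attacked(hole):                   # P ::= l := h; [•] with the hole filled by `hole`
    return ("seq", ("assign", "l", "h"), hole)
```

Calling `wlp(attacked(ATTACKS["l := l + k"]), "l == a")` yields `h + k == a`, and `wlp(attacked(ATTACKS["l := f(l, k)"]), "l == a")` yields the parametric formula `f(h, k) == a` from the slide.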