On the Decidability of Model-Checking Information Flow Properties
Raghavendra K. R.
Joint work with Deepak D'Souza, Janardhan Kulkarni, Barbara Sprick, Raveendra Holla
Indian Institute of Science, Bangalore

Outline: Introduction, Noninterference, BSPs, Results, Conclusion
Introduction to Software Security

"Protecting the confidentiality of information manipulated by computing systems is a long standing yet increasingly important problem. There is little assurance that current computing systems protect data confidentiality and integrity." - Myers (FM for Security)

Access control:
[Figure: a subject requests an access type on an object; the access-control reference monitor (AC Ref Monitor) either allows or denies the access.]

Limitation: Does NOT address end-to-end security.
Noninterference [GM82]

Addresses end-to-end security.

[Figure: the machine is driven by subject-command pairs $(s, c)$.]

Machine model: $M = (Q, S, I, O, \delta, o, s_0)$ with $\delta : Q \times (S \times I) \to Q$ and $o : Q \times S \to O$.

$S_1$ noninterferes with $S_2$ iff for all $s \in S_2$ and all $w \in (S \times I)^*$,
$o(\hat\delta(s_0, w), s) = o(\hat\delta(s_0, \mathit{purge}_{S_1}(w)), s)$.
Verifying Noninterference = Reachability Check

Product machine $M_{S_1 S_2} = (Q \times Q, S, I, O, \delta', o', (s_0, s_0))$ where

$\delta'((t_1, t_2), (s, a)) = (\delta(t_1, (s, a)),\ t_2)$ if $s \in S_1$, and $(\delta(t_1, (s, a)),\ \delta(t_2, (s, a)))$ otherwise;

$o'((t_1, t_2), s) = (o(t_1, s), o(t_2, s))$.

$M \models \mathit{NI}$ w.r.t. $S_1, S_2$ [MZ07] iff for all reachable states $(t_1, t_2)$ of $M_{S_1 S_2}$ and all $s \in S_2$,
$o'((t_1, t_2), s) = (o_1, o_2) \Rightarrow o_1 = o_2$.

Decidable for finite state systems.
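The reachability check above, written out as a runnable example. This is added illustration code, not code from the talk or the authors: it explores the reachable part of $M_{S_1 S_2}$ breadth-first, pairing the state reached on $w$ with the state reached on $\mathit{purge}_{S_1}(w)$, and reports a witness command sequence when some subject in $S_2$ can observe different outputs. The machine at the bottom (a single bit that subject H sets or clears, with a leaky and a safe output function) is a constructed toy, as are the names `delta`, `out_leaky`, `out_safe` and `COMMANDS`.

```python
from collections import deque


def run(delta, s0, w):
    """Extended transition function: state reached from s0 after command sequence w."""
    q = s0
    for cmd in w:
        q = delta(q, cmd)
    return q


def purge(w, S1):
    """purge_{S1}(w): drop every command issued by a subject in S1."""
    return tuple(cmd for cmd in w if cmd[0] not in S1)


def check_noninterference(delta, out, s0, commands, S1, S2):
    """Breadth-first search over the reachable states of the product M_{S1 S2}.

    A pair (t1, t2) records the state reached on w (t1) and on purge_{S1}(w) (t2).
    Returns (True, None) if S1 noninterferes with S2, otherwise (False, w) where w
    is a command sequence on which some subject in S2 observes different outputs.
    """
    start = (s0, s0)
    parent = {start: None}          # pair -> (predecessor pair, command) for witness rebuild
    queue = deque([start])
    while queue:
        pair = queue.popleft()
        t1, t2 = pair
        for s in S2:
            if out(t1, s) != out(t2, s):
                w, node = [], pair
                while parent[node] is not None:
                    prev, cmd = parent[node]
                    w.append(cmd)
                    node = prev
                return False, tuple(reversed(w))
        for cmd in commands:
            s, _ = cmd
            # S1 commands advance only the first component, as in delta' above.
            nxt = (delta(t1, cmd), t2 if s in S1 else delta(t2, cmd))
            if nxt not in parent:
                parent[nxt] = (pair, cmd)
                queue.append(nxt)
    return True, None


# Constructed example machine: one bit of state that the high subject H sets or clears.
S1, S2 = frozenset({"H"}), frozenset({"L"})
COMMANDS = [("H", "set"), ("H", "clear"), ("L", "poll")]


def delta(q, cmd):
    s, a = cmd
    if s == "H":
        return 1 if a == "set" else 0
    return q                        # L's commands never change the state


def out_leaky(q, s):
    return q                        # L observes the bit H wrote: interference


def out_safe(q, s):
    return q if s == "H" else 0     # L always observes 0


if __name__ == "__main__":
    print("leaky:", check_noninterference(delta, out_leaky, 0, COMMANDS, S1, S2))
    print("safe :", check_noninterference(delta, out_safe, 0, COMMANDS, S1, S2))
```

The witness returned for the leaky machine is the single command `("H", "set")`: running it and its purge through `run` and comparing `out_leaky` at subject L reproduces the violation of the definition directly, which is a useful cross-check that the product construction and the trace-based definition agree.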
Generalized Noninterference - GNI

Limitation of noninterference: it does not handle non-determinism, as introduced by interrupts and concurrency. McCullough'87.

$S_1$ GNI $S_2$ iff $\forall s \in S_2\ \forall w \in (S \times I)^*\ \forall c \in (S_1 \times I)$,
$o(\hat\delta(s_0, w), s) = o(\hat\delta(s_0, w \cdot c), s)$.

Event systems: $(E, I, O, \mathcal{L})$ with $I, O \subseteq E$, $I \cap O = \emptyset$, and $\mathcal{L} \subseteq E^*$ the set of traces. Assume security levels $L \le H$.

GNI for event systems: $\forall t_1, t_2, t_3 \in E^*$,
$\big( t_1.t_2 \in \mathcal{L} \wedge t_3 \upharpoonright_{E \setminus (H \cap I)} = t_2 \upharpoonright_{E \setminus (H \cap I)} \big) \Rightarrow \exists t_4 \in E^*.\ \big( t_1.t_4 \in \mathcal{L} \wedge t_4 \upharpoonright_{L \cup (H \cap I)} = t_3 \upharpoonright_{L \cup (H \cap I)} \big)$.
Variants of Noninterference

Noninference (NF) [ZL97]: $\forall t \in \mathcal{L},\ t \upharpoonright_L \in \mathcal{L}$.

Separability (SEP) [McL94]: $\forall \tau, \tau' \in \mathcal{L},\ \mathit{interleaving}(\tau \upharpoonright_H, \tau' \upharpoonright_L) \subseteq \mathcal{L}$.

Non-deducibility for $UI \subseteq I$ (NDO) [GN88]: $\forall t_1, t_2 \in \mathcal{L},\ \forall t \in E^*$,
$\big( t \upharpoonright_L = t_1 \upharpoonright_L \wedge t \upharpoonright_{H \cup (L \cap UI)} = t_2 \upharpoonright_{H \cup (L \cap UI)} \big) \Rightarrow t \in \mathcal{L}$.

...
An example

Alice wants to change her PIN.

[Figure: two systems over the events GenPIN, EncRepl and SendEncPIN; noninference holds for one of them and is violated for the other.]
Basic Security Predicates (BSPs) [Mantel'00]

A BSP is defined w.r.t. a view $\mathcal{V} = (V, N, C)$ (visible, neutral and confidential events); $\alpha =_N \alpha'$ means that $\alpha$ and $\alpha'$ agree on $V \cup C$, i.e. differ only in $N$ events.

BSP $R$: $\forall \tau \in \mathcal{L}\ \Rightarrow\ \exists \tau' \in \mathcal{L},\ \tau' \upharpoonright_C = \epsilon \wedge \tau \upharpoonright_V = \tau' \upharpoonright_V$.

BSP $D$: $\forall c \in C,\ \forall \alpha c \beta \in \mathcal{L} \wedge \beta \upharpoonright_C = \epsilon\ \Rightarrow\ \exists \alpha' \beta',\ \alpha' \beta' \in \mathcal{L} \wedge \alpha =_N \alpha' \wedge \beta =_N \beta'$.

BSP $I$: $\forall c \in C,\ \forall \alpha \beta \in \mathcal{L}\ \Rightarrow\ \exists \alpha' \beta',\ \alpha' c \beta' \in \mathcal{L} \wedge \alpha =_N \alpha' \wedge \beta =_N \beta'$.

... (13 BSPs in all)
Information Flow Properties and BSPs

Let the views $\mathcal{H} = (L, \emptyset, H)$ and $\mathcal{HI} = (L, H \setminus I, H \cap I)$.

$\mathit{GNI}(E) \Leftrightarrow \mathit{BSD}_{\mathcal{HI}}(E) \wedge \mathit{BSI}_{\mathcal{HI}}(E)$.

$\mathit{NDO}(E) \Leftrightarrow \mathit{BSD}_{\mathcal{H}}(E) \wedge \mathit{BSIA}^{UI}_{\mathcal{H}}(E)$.

$\mathit{NF}(E) \Leftrightarrow R_{\mathcal{H}}(E)$.

$\mathit{SEP}(E) \Leftrightarrow \mathit{BSD}_{\mathcal{H}}(E) \wedge \mathit{BSIA}^{C}_{\mathcal{H}}(E)$.

...
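The three BSPs $R$, $D$ and $I$ from the previous slide, the noninference property from the variants slide, and the equivalence $\mathit{NF} \Leftrightarrow R_{\mathcal{H}}$ stated here, all evaluated on two small event systems modelled on the PIN-change example. This is an added example, not code from the talk or its authors: it treats an event system as a finite, prefix-closed set of traces (the talk's systems are in general infinite; the check is only exhaustive for finite sets), and the two trace sets `SYS_A` and `SYS_B` are constructed here around the events GenPIN, EncRepl and SendEncPIN, with GenPIN assumed to be a high-level input so that $H \cap I = \{\mathrm{GenPIN}\}$ and the views $\mathcal{H}$ and $\mathcal{HI}$ coincide. The function names (`bsp_r`, `bsp_bsd`, `bsp_bsi`, `noninference`, `summary`) are this example's own.

```python
def restrict(trace, events):
    """Restriction t|_events: keep only the events that belong to `events`."""
    return tuple(e for e in trace if e in events)


def prefix_closure(*traces):
    """Trace set of an event system as a finite, prefix-closed set of tuples."""
    return frozenset(t[:i] for t in traces for i in range(len(t) + 1))


def equal_mod_n(a, b, view):
    """alpha =_N alpha': the two traces agree on V ∪ C, i.e. differ only in N events."""
    V, N, C = view
    return restrict(a, V | C) == restrict(b, V | C)


def bsp_r(L, view):
    """R: every trace has a C-free partner trace with the same V projection."""
    V, N, C = view
    return all(any(not restrict(t2, C) and restrict(t2, V) == restrict(t, V) for t2 in L)
               for t in L)


def bsp_bsd(L, view):
    """BSD: a confidential c followed by no further C events can be deleted (modulo N)."""
    V, N, C = view
    for tau in L:
        for i, c in enumerate(tau):
            alpha, beta = tau[:i], tau[i + 1:]
            if c not in C or restrict(beta, C):
                continue
            if not any(equal_mod_n(alpha, t2[:j], view) and equal_mod_n(beta, t2[j:], view)
                       for t2 in L for j in range(len(t2) + 1)):
                return False
    return True


def bsp_bsi(L, view):
    """BSI: a confidential c can be inserted at any position of any trace (modulo N)."""
    V, N, C = view
    for tau in L:
        for i in range(len(tau) + 1):
            alpha, beta = tau[:i], tau[i:]
            for c in C:
                if not any(t2[k] == c
                           and equal_mod_n(alpha, t2[:k], view)
                           and equal_mod_n(beta, t2[k + 1:], view)
                           for t2 in L for k in range(len(t2))):
                    return False
    return True


def noninference(L, low):
    """NF: the low projection of every trace is itself a trace."""
    return all(restrict(t, low) in L for t in L)


# Constructed example: two event systems built from the PIN-change events.
LOW = frozenset({"EncRepl", "SendEncPIN"})
HIGH = frozenset({"GenPIN"})            # assumed to be a high-level input: H ∩ I = {GenPIN}
VIEW_H = (LOW, frozenset(), HIGH)       # the view H = (L, ∅, H)
VIEW_HI = VIEW_H                        # HI = (L, H \ I, H ∩ I) coincides with H here

# System A can run the low protocol with or without a preceding GenPIN.
SYS_A = prefix_closure(("EncRepl", "SendEncPIN"), ("GenPIN", "EncRepl", "SendEncPIN"))
# System B only ever runs it after GenPIN, so the low-visible trace reveals that GenPIN occurred.
SYS_B = prefix_closure(("GenPIN", "EncRepl", "SendEncPIN"))


def summary(L):
    """Evaluate NF, R_H, BSD_HI, BSI_HI and the GNI characterisation BSD_HI ∧ BSI_HI."""
    bsd, bsi = bsp_bsd(L, VIEW_HI), bsp_bsi(L, VIEW_HI)
    return {"NF": noninference(L, LOW), "R_H": bsp_r(L, VIEW_H),
            "BSD_HI": bsd, "BSI_HI": bsi, "GNI": bsd and bsi}


if __name__ == "__main__":
    print("A:", summary(SYS_A))
    print("B:", summary(SYS_B))
```

System A satisfies noninference (and, as the equivalence predicts, $R_{\mathcal{H}}$) but not BSI: there is no trace in which GenPIN occurs after EncRepl, so a high input cannot be inserted everywhere and GNI fails even though NF holds. System B fails both, since the trace GenPIN.EncRepl has no GenPIN-free counterpart.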
Model Checking BSPs

For finite state systems: decidable [DKS'05].
For pushdown systems (PDS): undecidable.
Information flow properties for PDS: undecidable [to be submitted].