Secure information flow for synchronous reactive programs Ilaria Castellani INRIA Sophia Antipolis OPCT Workshop Bertinoro, 18-21 June, 2014 [Based on TGC’13 talk, joint work with Pejman Attar]
1 Synopsis
‣ Motivation
‣ Synchronous reactive model
‣ Syntax of CRL (Core Reactive Language)
‣ Semantics of CRL and properties
‣ Fine-grained and coarse-grained bisimilarity
‣ Secure information flow: fine-grained and coarse-grained reactive noninterference (RNI)
‣ Security type system
‣ Related work and open questions
2 Problem and motivation
Current systems (e.g., web browsers) are often reactive: they listen and react to the environment by means of events.
Mutually distrusting parties need confidentiality guarantees for their data.
-> Goal: ensure secure information flow (end-to-end protection of data confidentiality) in reactive systems.
3 Synchronous Reactive Model
Synchronous areas within a GALS architecture (GALS = Globally Asynchronous, Locally Synchronous).
[Figure: GALS model. Several synchronous areas, each with its own clock (clock1 ... clock4); events are broadcast within a synchronous area; interaction and migration between areas are asynchronous.]
4 Synchronous Languages
Cooperative parallelism + broadcast events.
Instant = period of time during which all threads compute up to termination or suspension (suspension = control yield or waiting for an event).
Reactive variant of ESTEREL [Berry et al., mid 80's]: -> SL (Synchronous Language) [Boussinot, 1996].
Delayed reaction to absence of events => no causality cycles, monotonic computations.
5 Synchronous parallelism
Asymmetric parallel operator s ∤ s′: priority to the left. Programs are executed in an event environment E.
Example: (s1 ∤ s2) ∤ s3, starting from E = ∅.
1. s1 executes first, generating ev1: E = {ev1}.
2. s1 suspends; s2 gets the control and generates ev2: E = {ev1, ev2}.
3. s1 unblocks and gets back the control.
4. s1 suspends again; s2 gets the control.
5. Both s1 and s2 are suspended; s3 gets the control.
6. s3 executes till termination, generating ev4: E = {ev1, ev2, ev4}.
7. The control goes back to s2.
8. ev3 is generated (E = {ev1, ev2, ev3, ev4}) and the control goes back to s1.
9. Termination.
End of instant: synchronisation barrier.
6 Syntax of CRL
Expressions: $exp ::= v \mid x \mid f(\vec{exp})$
Programs: $s ::= \mathtt{nothing} \mid (\mathtt{if}\ exp\ \mathtt{then}\ s\ \mathtt{else}\ s) \mid s ; s \mid (s \nmid s) \mid \mathtt{cooperate} \mid \mathtt{generate}\ ev \mid \mathtt{await}\ ev \mid \mathtt{do}\ s\ \mathtt{watching}\ ev \mid (\mathtt{loop}\ s) \mid (\mathtt{repeat}\ exp\ \mathtt{do}\ s)$
8 Reactive constructs
s1 = generate ev1; await ev2; cooperate; generate ev3
s2 = await ev1; generate ev2; await ev3
Run s1 ∤ s2 from E = ∅:
- s1 generates ev1: E = {ev1}. s1 then waits for ev2, which is absent, and suspends.
- s2's await ev1 is satisfied; s2 generates ev2: E = {ev1, ev2}.
- s1 unblocks (ev2 is now present) and executes cooperate, yielding until the end of the instant. s2 waits for ev3, which is absent, and suspends.
End of instant: synchronisation barrier, E = {ev1, ev2}.
Reconditioning: the guarding cooperate is erased, leaving s1 = generate ev3 and s2 = await ev3; the event environment is reset to E = ∅ for the next instant.
9 Next instant
- s1 generates ev3: E = {ev3}.
- s2's await ev3 is satisfied; both threads terminate.
Termination: synchronisation barrier.
10 Time out
s′1 = do s1 watching ev4 (with s1 as on the previous slide)
s2 = await ev1; generate ev2; await ev3
s3 = await ev2; generate ev4
Run (s′1 ∤ s2) ∤ s3 from E = ∅. Events are generated in the order ev1, ev2, ev4. At the end of the instant E = {ev1, ev2, ev4} and the residual programs are:
s′′1 = do (cooperate; generate ev3) watching ev4
s′2 = await ev3
s′3 = nothing
11 Reconditioning
Since ev4 ∈ E, the watching is killed: s′′′1 = nothing, s′2 = await ev3, s′3 = nothing. Next instant: E = ∅. The generate ev3 guarded by cooperate never runs, so s2 stays blocked on ev3.
13 Semantics of CRL
Event environment $E \subseteq \mathit{Events}$.
Small-step transition relation: $\langle s, E\rangle \to \langle s', E'\rangle$
Tick transition relation: $\langle s, E\rangle \hookrightarrow \langle [s]_E, \emptyset\rangle$
14 Semantics: suspension
Suspension predicate $\langle s, E\rangle\ddagger$: s is suspended in E.
$$(\mathit{coop})\ \frac{}{\langle \mathtt{cooperate}, E\rangle\ddagger} \qquad (\mathit{wait}_s)\ \frac{ev \notin E}{\langle \mathtt{await}\ ev, E\rangle\ddagger}$$
$$(\mathit{seq}_s)\ \frac{\langle s_1, E\rangle\ddagger}{\langle s_1 ; s_2, E\rangle\ddagger} \qquad (\mathit{par}_s)\ \frac{\langle s_1, E\rangle\ddagger \quad \langle s_2, E\rangle\ddagger}{\langle s_1 \nmid s_2, E\rangle\ddagger} \qquad (\mathit{watch}_s)\ \frac{\langle s, E\rangle\ddagger}{\langle \mathtt{do}\ s\ \mathtt{watching}\ ev, E\rangle\ddagger}$$
15 Program reconditioning
Function $[s]_E$: erases the guarding cooperate, kills "timed-out" watching.
$$[\mathtt{cooperate}]_E = \mathtt{nothing} \qquad [\mathtt{await}\ ev]_E = \mathtt{await}\ ev$$
$$[s_1 ; s_2]_E = [s_1]_E ; s_2 \qquad [s_1 \nmid s_2]_E = [s_1]_E \nmid [s_2]_E$$
$$[\mathtt{do}\ s\ \mathtt{watching}\ ev]_E = \begin{cases} \mathtt{nothing} & \text{if } ev \in E \\ \mathtt{do}\ [s]_E\ \mathtt{watching}\ ev & \text{otherwise} \end{cases}$$
Tick transition relation:
$$(\mathit{tick})\ \frac{\langle s, E\rangle\ddagger}{\langle s, E\rangle \hookrightarrow \langle [s]_E, \emptyset\rangle}$$
16 Semantics: reactive operators
$$(\mathit{gen})\ \frac{}{\langle \mathtt{generate}\ ev, E\rangle \to \langle \mathtt{nothing}, E \cup \{ev\}\rangle} \qquad (\mathit{wait})\ \frac{ev \in E}{\langle \mathtt{await}\ ev, E\rangle \to \langle \mathtt{nothing}, E\rangle}$$
$$(\mathit{watch}_1)\ \frac{\langle s, E\rangle \to \langle s', E'\rangle}{\langle \mathtt{do}\ s\ \mathtt{watching}\ ev, E\rangle \to \langle \mathtt{do}\ s'\ \mathtt{watching}\ ev, E'\rangle} \qquad (\mathit{watch}_2)\ \frac{}{\langle \mathtt{do}\ \mathtt{nothing}\ \mathtt{watching}\ ev, E\rangle \to \langle \mathtt{nothing}, E\rangle}$$
17 Semantics: sequence & parallel
$$(\mathit{seq}_1)\ \frac{\langle s_1, E\rangle \to \langle s_1', E'\rangle}{\langle s_1 ; s_2, E\rangle \to \langle s_1' ; s_2, E'\rangle} \qquad (\mathit{seq}_2)\ \frac{}{\langle \mathtt{nothing} ; s, E\rangle \to \langle s, E\rangle}$$
$$(\mathit{par}_1)\ \frac{\langle s_1, E\rangle \to \langle s_1', E'\rangle}{\langle s_1 \nmid s_2, E\rangle \to \langle s_1' \nmid s_2, E'\rangle} \qquad (\mathit{par}_2)\ \frac{}{\langle \mathtt{nothing} \nmid s, E\rangle \to \langle s, E\rangle}$$
$$(\mathit{par}_3)\ \frac{\langle s_1, E\rangle\ddagger \quad \langle s_2, E\rangle \to \langle s_2', E'\rangle}{\langle s_1 \nmid s_2, E\rangle \to \langle s_1 \nmid s_2', E'\rangle} \qquad (\mathit{par}_4)\ \frac{\langle s, E\rangle\ddagger}{\langle s \nmid \mathtt{nothing}, E\rangle \to \langle s, E\rangle}$$
18 Semantics: loop/repeat
$$(\mathit{loop})\ \frac{}{\langle \mathtt{loop}\ s, E\rangle \to \langle (s \nmid \mathtt{cooperate}) ; \mathtt{loop}\ s, E\rangle} \qquad (\mathit{repeat})\ \frac{exp \Downarrow n}{\langle \mathtt{repeat}\ exp\ \mathtt{do}\ s, E\rangle \to \langle \underbrace{s ; \ldots ; s}_{n \text{ times}}, E\rangle}$$
19 Semantics: conditional
$$(\mathit{if}_1)\ \frac{exp \Downarrow \mathit{tt}}{\langle \mathtt{if}\ exp\ \mathtt{then}\ s_1\ \mathtt{else}\ s_2, E\rangle \to \langle s_1, E\rangle} \qquad (\mathit{if}_2)\ \frac{exp \Downarrow \mathit{ff}}{\langle \mathtt{if}\ exp\ \mathtt{then}\ s_1\ \mathtt{else}\ s_2, E\rangle \to \langle s_2, E\rangle}$$
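The small-step rules on slides 13-19 are deterministic enough to execute directly, which makes the traces of the "Reactive constructs" (slides 8-9) and "Time out" (slides 10-11) examples checkable by machine. The following is an added example, not code from the talk or the authors: a Python interpreter for the CRL fragment shown, with programs encoded as nested tuples and events as strings. Assumptions not on the slides: expressions are not modelled, so `if` and `repeat` carry an already-evaluated value; `[nothing]_E = nothing`; and the three-thread examples are read as left-associated `(s1 ∤ s2) ∤ s3`. The programs `S1`, `S2`, `S3` and the event names are the slides' own.

```python
NOTHING = ("nothing",)            # programs are nested tuples tagged by their first element

def seq(*ss):                     # s1; s2; ...; sn (right-associated)
    s = ss[-1]
    for t in reversed(ss[:-1]):
        s = ("seq", t, s)
    return s

def par(*ss):                     # s1 ∤ s2 ∤ ... ∤ sn (left-associated; leftmost has priority)
    s = ss[0]
    for t in ss[1:]:
        s = ("par", s, t)
    return s

def suspended(s, E):
    """The suspension predicate <s, E>‡ (rules coop, wait_s, seq_s, par_s, watch_s)."""
    tag = s[0]
    if tag == "cooperate":
        return True
    if tag == "await":
        return s[1] not in E
    if tag in ("seq", "watching"):
        return suspended(s[1], E)
    if tag == "par":
        return suspended(s[1], E) and suspended(s[2], E)
    return False

def step(s, E):
    """One small step <s, E> -> <s', E'>; None when no rule applies."""
    tag = s[0]
    if tag == "generate":                                     # (gen)
        return NOTHING, E | {s[1]}
    if tag == "await":                                        # (wait)
        return (NOTHING, E) if s[1] in E else None
    if tag == "watching":                                     # (watch1)/(watch2)
        if s[1] == NOTHING:
            return NOTHING, E
        r = step(s[1], E)
        return None if r is None else (("watching", r[0], s[2]), r[1])
    if tag == "seq":                                          # (seq1)/(seq2)
        if s[1] == NOTHING:
            return s[2], E
        r = step(s[1], E)
        return None if r is None else (("seq", r[0], s[2]), r[1])
    if tag == "par":
        s1, s2 = s[1], s[2]
        if s1 == NOTHING:                                     # (par2)
            return s2, E
        r = step(s1, E)                                       # (par1): the left thread has priority
        if r is not None:
            return ("par", r[0], s2), r[1]
        if suspended(s1, E):                                  # only a suspended left thread yields
            if s2 == NOTHING:                                 # (par4)
                return s1, E
            r = step(s2, E)                                   # (par3)
            if r is not None:
                return ("par", s1, r[0]), r[1]
        return None
    if tag == "loop":                                         # (loop): one iteration per instant
        return ("seq", ("par", s[1], ("cooperate",)), s), E
    if tag == "repeat":                                       # (repeat); s[1] is the value n of exp (assumption)
        return (seq(*([s[2]] * s[1])) if s[1] > 0 else NOTHING), E
    if tag == "if":                                           # (if1)/(if2); s[1] is the truth value of exp (assumption)
        return (s[2] if s[1] else s[3]), E
    return None                                               # nothing, cooperate, blocked await

def recondition(s, E):
    """[s]_E: erase the guarding cooperate, kill timed-out watching."""
    tag = s[0]
    if tag == "cooperate":
        return NOTHING
    if tag == "seq":
        return ("seq", recondition(s[1], E), s[2])
    if tag == "par":
        return ("par", recondition(s[1], E), recondition(s[2], E))
    if tag == "watching":
        return NOTHING if s[2] in E else ("watching", recondition(s[1], E), s[2])
    return s                                                  # await ev unchanged ([nothing]_E = nothing assumed)

def run(s, max_instants):
    """Run from E = ∅ for at most max_instants instants.
    Returns (residual program, event set at the end of each instant, terminated?)."""
    instants = []
    for _ in range(max_instants):
        E = set()
        while (r := step(s, E)) is not None:                  # run until termination or suspension
            s, E = r
        instants.append(frozenset(E))
        if s == NOTHING:
            return s, instants, True
        if not suspended(s, E):
            raise RuntimeError("stuck but not suspended: %r" % (s,))
        s = recondition(s, E)                                 # (tick): next instant starts with E = ∅
    return s, instants, False

# Programs of the "Reactive constructs" slide (slides 8-9).
S1 = seq(("generate", "ev1"), ("await", "ev2"), ("cooperate",), ("generate", "ev3"))
S2 = seq(("await", "ev1"), ("generate", "ev2"), ("await", "ev3"))
# The "Time out" slide (slides 10-11) guards s1 with a watchdog and adds a third thread.
S1_TIMED = ("watching", S1, "ev4")
S3 = seq(("await", "ev2"), ("generate", "ev4"))

TRACE_BASIC = run(par(S1, S2), 3)              # (nothing, [{ev1, ev2}, {ev3}], True)
TRACE_TIMEOUT = run(par(S1_TIMED, S2, S3), 2)  # (await ev3, [{ev1, ev2, ev4}, {}], False)
```

`TRACE_BASIC` reproduces slides 8-9: the first instant ends with E = {ev1, ev2}, the second generates ev3 and terminates. `TRACE_TIMEOUT` reproduces slides 10-11: ev4 is present at the end of the first instant, so reconditioning kills the `watching` around s1 before its `generate ev3` can run, and s2 is left blocked on `await ev3` in an empty environment. The interpreter raises if a program is neither terminated nor suspended when no rule applies; with the rules above that never happens, which is a useful sanity check when extending the language.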