SLIDE 1

ABSTRACT NON-INTERFERENCE

AN ABSTRACT INTERPRETATION-BASED VIEW ON CODE SECURITY

Roberto Giacobazzi and Isabella Mastroeni
Dipartimento di Informatica, Università di Verona, Italy

London, April 2012

© Giaco – London 2012 – p.1/31

SLIDE 2

THE DIMENSIONS OF NON-INTERFERENCE

We distinguish two points of view [Sabelfeld & Sands 2005]:

WHO observes the information flows? How can we weaken non-interference by characterizing the observational capability of who observes?

  • By means of equivalence relations: PER MODEL, ROBUST DECLASSIFICATION;
  • By means of abstract domains: ABSTRACT NON-INTERFERENCE.

WHAT information flows? How can we weaken non-interference by characterizing what of the private information flows?

  • Declassifying what can flow: SELECTIVE DEPENDENCY, ENFORCING ROBUST DECLASSIFICATION, ABSTRACT NON-INTERFERENCE, DELIMITED RELEASE, RELAXED NONINTERFERENCE;
  • Classifying what cannot flow: ABSTRACT NON-INTERFERENCE.

SLIDE 3

DEFINING ABSTRACT NON-INTERFERENCE

SLIDE 4

OUR IDEA

[Figure: the software SW takes a Secret H and a Public L input and produces a Secret H and a Public L output. An external observer sees the public output through an abstraction ρ (the observer); the secret input is seen through an abstraction φ(H) (the observable).]

SLIDES 5-6

ABSTRACT INTERPRETATION

Design approximate semantics of programs [Cousot & Cousot '77, '79].

[Figure: a concrete element x is mapped by α into the abstract domain and back by γ, giving γ(α(x)) above x; both the Concrete and the Abstract lattice have a top ⊤.]

Galois connection: $\langle C, \alpha, \gamma, A\rangle$, where A and C are complete lattices.

Closures: $\gamma\circ\alpha \in Abs(C)$; $\langle Abs(C), \sqsubseteq\rangle$ is the set of all possible abstract domains, with $A_1 \sqsubseteq A_2$ if $A_1$ is more concrete than $A_2$.

SLIDE 7

STANDARD NON-INTERFERENCE

[Figure: the program P maps a Private Input and a Public Input to a Public Output.]

$\forall l : L,\ \forall h_1, h_2 : H.\quad \llbracket P \rrbracket(h_1, l)^L = \llbracket P \rrbracket(h_2, l)^L$

SLIDE 8

ABSTRACT NON-INTERFERENCE (NARROW)

[Figure: the Public Input is observed through η and the Public Output through ρ.]

$\rho, \eta \in Abs(\wp(V^L))$:

$[\eta]P(\rho)$: $\eta(l_1) = \eta(l_2) \Rightarrow \rho(\llbracket P \rrbracket(h_1, l_1)^L) = \rho(\llbracket P \rrbracket(h_2, l_2)^L)$

Deceptive flow!!

[Giacobazzi & Mastroeni '04]

SLIDE 9

ABSTRACT NON-INTERFERENCE (ANI)

[Figure: the Public Input is observed through η and the Public Output through ρ.]

$\rho, \eta \in Abs(\wp(V^L))$:

$(\eta)P(\rho)$: $\eta(l_1) = \eta(l_2) \Rightarrow \rho(\llbracket P \rrbracket(h_1, \eta(l_1))^L) = \rho(\llbracket P \rrbracket(h_2, \eta(l_2))^L)$

[Giacobazzi & Mastroeni '04]

SLIDE 10

EXAMPLES

EXAMPLE I: while h do (l := l + 2; h := h − 1).

Standard non-interference ≡ [id]P(id):
h = 0, l = 1 ❀ l = 1;  h = 1, l = 1 ❀ l = 3;  h = n, l = 1 ❀ l = 1 + 2n

[id]P(Par):
h = 0, l = 1 ❀ Par(l) = odd;  h = 1, l = 1 ❀ Par(l) = odd;  h = n, l = 1 ❀ Par(l) = odd

EXAMPLE II (DECEPTIVE FLOW): P = l := 2 ∗ l ∗ h².

[Par]P(Sign):
h = 1, l = 4 (Par(4) = even) ❀ Sign(l) = +;  h = 1, l = −4 (Par(−4) = even) ❀ Sign(l) = −

(Par)P(Sign):
h = −3, Par(l) = even ❀ Sign(l) = I don't know;  h = 1, Par(l) = even ❀ Sign(l) = I don't know

EXAMPLE III: P = l := l ∗ h².

(id)P(Par):
h = 2, l = 1 ❀ Par(l) = even;  h = 3, l = 1 ❀ Par(l) = odd;  h = n, l = 1 ❀ Par(l) = Par(n)

SLIDE 11

DECLASSIFIED ANI VIA BLOCKING

[Figure: the Private Input is seen through φ, the Public Input through η and the Public Output through ρ.]

$\rho, \eta \in Abs(\wp(V^L)),\ \varphi \in Abs(\wp(V^H))$:

$(\eta)P(\varphi \leadsto \rho)$: $\eta(l_1) = \eta(l_2) \Rightarrow \rho(\llbracket P \rrbracket(\varphi(h_1), \eta(l_1))^L) = \rho(\llbracket P \rrbracket(\varphi(h_2), \eta(l_2))^L)$

[Giacobazzi & Mastroeni '04]

SLIDE 12

EXAMPLE

P = l := l ∗ h².

(id)P(Par):
h = 2, l = 1 ❀ Par(l) = even;  h = 3, l = 1 ❀ Par(l) = odd;  h = n, l = 1 ❀ Par(l) = Par(n)

(id)P(Sign ⇝ Par):
Sign(h) = +, l = 1 ❀ Par(l) = I don't know;  Sign(h) = −, l = 1 ❀ Par(l) = I don't know

SLIDE 13

DECLASSIFIED ANI (VIA ALLOWING)

[Figure: the Private Input is seen through φ, the Public Input through η and the Public Output through ρ.]

$\rho, \eta \in Abs(\wp(V^L)),\ \varphi \in Abs(\wp(V^H))$:

$(\eta)P(\varphi \Rightarrow \rho)$: $\eta(l_1) = \eta(l_2)$ and $\varphi(h_1) = \varphi(h_2) \Rightarrow \rho(\llbracket P \rrbracket(h_1, \eta(l_1))^L) = \rho(\llbracket P \rrbracket(h_2, \eta(l_2))^L)$

[Giacobazzi & Mastroeni '04]
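A brute-force checker for the four notions defined on the preceding slides (narrow ANI, ANI, declassified ANI via blocking and via allowing), run on the programs of the EXAMPLES slides; this is an added example, not code from the slides. The finite value ranges, the closure operators par and sign (in particular that sign cannot single out the value 0), and all function names are assumptions of this example.

```python
"""Added example, not from the slides: brute-force checks of the non-interference
notions defined above, run on the slides' own example programs over a finite range
of integers (an assumed range, so that enumeration is finite and the loop of
Example I terminates, i.e. h >= 0)."""
from itertools import product

L_VALS = frozenset(range(-6, 7))     # public values V^L (assumed range)
H_VALS = frozenset(range(0, 7))      # private values V^H (assumed range)
ALL = L_VALS | H_VALS

# Abstractions are upper closure operators on sets of values, as on the slides.
def ident(S):
    return frozenset(S)

def par(S):                          # parity: all values whose parity occurs in S
    return frozenset(v for v in ALL if v % 2 in {s % 2 for s in S})

def sign(S):                         # sign domain {-, +, top} (assumption: a set
    if all(s < 0 for s in S):        # containing 0, or both signs, abstracts to top,
        return frozenset(v for v in ALL if v < 0)   # so 0 alone is not observable)
    if all(s > 0 for s in S):
        return frozenset(v for v in ALL if v > 0)
    return ALL

def ex1(h, l):                       # Example I: while h do (l := l + 2; h := h - 1)
    while h:
        l, h = l + 2, h - 1
    return l

def ex2(h, l):                       # Example II: l := 2 * l * h^2
    return 2 * l * h * h

def ex3(h, l):                       # Example III: l := l * h^2
    return l * h * h

def sem(P, H, L):                    # collecting semantics on sets of inputs
    return frozenset(P(h, l) for h in H for l in L)

def holds(P, eta, rho, phi=None, mode="narrow"):
    """eta(l1) = eta(l2) must force equal rho-views of the public output.
    'narrow' [eta]P(rho): P runs on (h, l);  'ani' (eta)P(rho): on (h, eta(l));
    'block' (eta)P(phi ~> rho): on (phi(h), eta(l));  'allow' (eta)P(phi => rho):
    as 'ani', but only private inputs with phi(h1) = phi(h2) are compared."""
    for l1, l2 in product(L_VALS, repeat=2):
        if eta({l1}) != eta({l2}):
            continue
        for h1, h2 in product(H_VALS, repeat=2):
            if mode == "allow" and phi({h1}) != phi({h2}):
                continue
            views = []
            for h, l in ((h1, l1), (h2, l2)):
                H = phi({h}) & H_VALS if mode == "block" else {h}
                L = {l} if mode == "narrow" else eta({l}) & L_VALS
                views.append(rho(sem(P, H, L)))
            if views[0] != views[1]:
                return False             # this pair of private inputs is observable
    return True
```

The allowing case, (id)P(Par ⇒ Par) on Example III, is not on the slides: once the parity of h is declassified, the parity of l ∗ h² no longer depends on anything else in h.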

SLIDE 14

MODELING ABSTRACT NON-INTERFERENCE

SLIDE 15

DERIVING "HARMLESS" ATTACKERS

Abstract interpretation provides advanced methods for designing abstractions (refinement, simplification, compression, ...) [Giacobazzi & Ranzato '97].

Transforming abstractions = transforming attackers.

Characterize the most concrete δ such that $(\delta)P(\varphi \leadsto \delta)$ [the most powerful harmless public observer] ⇒ this would provide a "measure" of security!

EXAMPLE: P = while h do (l := l ∗ 2; h := h − 1) .... we derive a secure attacker

$\pi = \{\, n\cdot 2^{\mathbb{N}} \mid n \in 2\mathbb{N}+1 \,\} \cup \{\{0\}\}$, where $n\cdot 2^{\mathbb{N}} = \{\, n\cdot 2^k \mid k \in \mathbb{N} \,\}$:

$(\pi)P(id \leadsto \pi)$:
h = 0, π(l) = 3·2^ℕ ❀ π(l) = 3·2^ℕ;  h = 2, π(l) = 3·2^ℕ ❀ π(l) = 3·2^ℕ ❀ in the program l is always multiplied by 2!

SLIDE 16

OBSERVER VS OBSERVABLE

Consider $\models (\eta)P(\varphi \leadsto \rho)$: in order to preserve non-interference...

[Figure: ρ ∈ uco(℘(V^L)) and φ ∈ uco(℘(V^H)) placed on a scale from "more concrete" to "more abstract", joined by AND.]

SLIDE 17

COMPLETENESS IN ABSTRACT INTERPRETATION

SOUNDNESS: NO INFORMATION IS LOST BY APPROXIMATING THE INPUT/OUTPUT

$\rho\circ f \le \rho\circ f\circ\rho$

COMPLETENESS: NO LOSS OF PRECISION IS ACCUMULATED BY APPROXIMATING THE INPUT

$\rho\circ f = \rho\circ f\circ\rho$

[Figure: x is mapped to f(x) and then to ρ(f(x)); abstracting the input first gives ρ(f(ρ(x))) = f♯(ρ(x)) in the abstract domain. Soundness: the first is below the second; completeness: the two coincide.]

SLIDE 18

ANI IS A COMPLETENESS PROBLEM

Recall that [Joshi & Leino '00]: P is secure iff $HH;\, P;\, HH \doteq P;\, HH$.

Let $X = \langle X^H, X^L\rangle \Rightarrow \mathcal{H}(X) \stackrel{\text{def}}{=} \langle \top^H, X^L\rangle \in Abs(\wp(V))$.

$HH;\, P;\, HH \doteq P;\, HH$ becomes $\mathcal{H}\circ P\circ\mathcal{H} = \mathcal{H}\circ P$ ⇒ A COMPLETENESS PROBLEM

COMPLETENESS = NON-INTERFERENCE

Transform $\mathcal{H}$ vs Core: $\mathcal{C}$

Transform $\mathcal{H}$ vs Shell: $\mathcal{S}$ [Giacobazzi et al. JACM '00]

SLIDE 19

COMPLETENESS

[Figure: f applied to x, with input abstraction ρ and output abstraction η, on lattices with ⊤ and ⊥.]

COMPLETENESS: $\eta\circ f\circ\rho = \eta\circ f$

INCOMPLETENESS: $\eta\circ f\circ\rho \ge \eta\circ f$

Making ABSTRACTIONS COMPLETE: refining input domains, or simplifying output domains [Giacobazzi et al. JACM '00].

SLIDE 20

ANI AS COMPLETENESS

Let $\rho \in Abs(\wp(V^L)) \Rightarrow \mathcal{H}^\rho(X) \stackrel{\text{def}}{=} \langle \top^H, \rho(X^L)\rangle \in Abs(\wp(V))$.

Narrow abstract non-interference: $\mathcal{H}^\rho\circ P\circ\mathcal{H}^\eta = \mathcal{H}^\rho\circ P$;

Abstract non-interference: $\mathcal{H}^\rho\circ P^{\eta,\varphi}\circ\mathcal{H}^\eta = \mathcal{H}^\rho\circ P^{\eta,\varphi}$

PUBLIC "HARMLESS" ATTACKER AS COMPLETENESS CORE: $\mathcal{C}^{\mathcal{H}^\eta}_{P^{\eta,\varphi}}(\mathcal{H}) = (\eta)P(\varphi \leadsto id)$

PRIVATE "FLOWING" OBSERVABLE AS COMPLETENESS SHELL: $(\eta)P(\mathcal{S}^{\mathcal{H}^\rho}_{P^{\eta,id}}(\mathcal{H}^\eta) \Rightarrow \rho)$

SLIDE 21

BACK TO DIMENSIONS

ADJOINING ATTACKERS AND DECLASSIFICATION BY COMPLETENESS

[Figure: a diagram whose two dimensions are "the most concrete observer" and "the most abstract observable", both starting from id and going up to ⊤, marking the secure region and the declassification.]

SLIDE 22

OBSCURITY AND NON-INTERFERENCE

SLIDES 23-24

THE IDEA

[Figure-only slides.]

SLIDE 25

OBSCURITY AS INCOMPLETENESS

WhichChess : Img → ℘(Chess) returns the types of chess pieces on the chessboard.

ρ : Img → Img is an abstraction of the image (the figure shows ρ applied to the chessboard picture).

η : ℘(Chess) → [0, 12] counts the number of different types of chess pieces.

[Figure: η∘WhichChess∘ρ and η∘WhichChess applied to the chessboard picture give different counts (12 and 7): the abstraction ρ loses precision.]

SLIDE 26

OBSCURITY AS INCOMPLETENESS

Failing precision means failing completeness! [Giacobazzi et al., 2008–12]

Obfuscating programs is making abstract interpreters incomplete.

Let $\rho \in Abs(\Sigma)$, with $\Sigma$ the semantic objects (data, traces, etc.).

A program transformation $\tau : \mathbb{P} \to \mathbb{P}$ such that $\llbracket P\rrbracket = \llbracket\tau(P)\rrbracket$.

$\rho$ is B-complete for $\llbracket\cdot\rrbracket$ if $\rho(\llbracket P\rrbracket) = \llbracket P\rrbracket^\rho$.

$\tau$ obfuscates $P$ if $\llbracket P\rrbracket^\rho \sqsubset \llbracket\tau(P)\rrbracket^\rho$.

$\llbracket P\rrbracket^\rho \sqsubset \llbracket\tau(P)\rrbracket^\rho \iff \rho(\llbracket\tau(P)\rrbracket) \sqsubset \llbracket\tau(P)\rrbracket^\rho$

P : x = a ∗ b. Sign is an abstraction of ℘(ℤ):

[Figure: the Sign lattice, with ∅ at the bottom, 0− and 0+ in the middle and ℘(ℤ) at the top; for instance {−1, −3, −4} abstracts to 0− and {2, 3, 5} to 0+.]

P : x = a ∗ b → τ(P) : x = 0; if b ≤ 0 then {a = −a; b = −b}; while b ≠ 0 {x = a + x; b = b − 1}

Sign is complete for P: $\llbracket P\rrbracket^{Sign} = \lambda a, b.\ Sign(a * b)$

Sign is incomplete for τ(P): $\llbracket\tau(P)\rrbracket^{Sign} = \lambda a, b.\ 0 \text{ if } a = 0 \vee b = 0,\ \top \text{ otherwise}$

There is a way to get τ(P) systematically from P [Giacobazzi et al., 2012].
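The claim on the OBSCURITY AS INCOMPLETENESS slides, checked in code: Sign is B-complete for P : x = a ∗ b but not for its obfuscation τ(P), using the condition ρ(⟦P⟧) = ⟦P⟧^ρ from the same slides. This is an added example, not code from the slides; the domain (subsets of {−, 0, +} ordered by inclusion), the representative-based best transformers and all function names are my assumptions, and tau_abstract is a hand-written sign analysis of τ(P) with a loop fixpoint.

```python
"""Added example, not from the slides: Sign-completeness of P: x = a*b versus its
obfuscation tau(P) from the slide. The domain is my choice (an assumption): subsets
of {'-','0','+'} ordered by inclusion, {} is bottom and {'-','0','+'} is top."""
from itertools import product

TOP = frozenset("-0+")
REP = {"-": -1, "0": 0, "+": 1}       # one representative integer per sign

def sign(n):
    return "-" if n < 0 else "+" if n > 0 else "0"

def alpha(values):                    # rho: best abstraction of a set of integers
    return frozenset(sign(v) for v in values)

def mul(A, B):                        # best transformer of '*': signs fix the sign
    return frozenset(sign(REP[x] * REP[y]) for x, y in product(A, B))

def add(A, B):                        # best transformer of '+'
    out = set()
    for x, y in product(A, B):
        if x == y or y == "0":
            out.add(x)
        elif x == "0":
            out.add(y)
        else:
            out |= TOP                # '+' plus '-' may have any sign
    return frozenset(out)

def neg(A):
    return frozenset({"-": "+", "+": "-", "0": "0"}[x] for x in A)

def p_abstract(A, B):                 # [[P]]^Sign for P: x = a * b
    return mul(A, B)

def tau_concrete(a, b):               # tau(P) on integers: returns a * b
    x = 0
    if b <= 0:
        a, b = -a, -b
    while b != 0:
        x, b = a + x, b - 1
    return x

def tau_abstract(A, B):
    """[[tau(P)]]^Sign: the same program interpreted over signs."""
    x = frozenset("0")                                  # x = 0
    then_b, else_b = B & frozenset("-0"), B & frozenset("+")   # if b <= 0 / else
    a = (neg(A) if then_b else frozenset()) | (A if else_b else frozenset())
    b = neg(then_b) | else_b                            # join after the if
    exit_x = frozenset()
    while True:                                         # loop head: iterate to a fixpoint
        if "0" in b:
            exit_x |= x                                 # states that may exit (b == 0)
        body_b = b - {"0"}                              # states entering the body (b != 0)
        if not body_b:
            break
        nx, nb = add(a, x), add(body_b, frozenset("-"))  # x = a + x; b = b - 1
        if nx <= x and nb <= b:
            break
        x, b = x | nx, b | nb
    return exit_x

def is_complete(analysis, A, B):
    """rho o f = rho o f o rho on (A, B): the abstract result equals the abstraction
    of the concrete products (representatives suffice, signs determine them)."""
    return analysis(A, B) == alpha(REP[x] * REP[y] for x, y in product(A, B))
```

With this finer domain the loss is not always the whole lattice as on the slide: for two strictly positive inputs the analysis of τ(P) answers 0+ where P gives +, and for 0+ inputs it answers ⊤.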

SLIDE 27

EXPLOITING INCOMPLETENESS

Maximize $\llbracket P\rrbracket^\rho$ incompleteness! [Giacobazzi et al., 2012]

The abstraction is the specification of the attacker:

  • Profiling: abstract memory keeping only (partial) resource usage
  • Tracing: abstraction of traces (e.g., by trace compression)
  • Slicing: abstraction of traces (relative to variables)
  • Monitoring: abstraction of trace semantics [Cousot & Cousot POPL '02]
  • Decompilation: abstracts syntactic structures (e.g., reducible loops)
  • Disassembly: abstracts binary structures (e.g., recursive traversal)

Each abstraction is incomplete for a concrete enough trace semantics.

Maximize incompleteness by code transformation: Obfuscation.
Exploit incompleteness for hiding information: Steganography.

SLIDE 28

CODE OBFUSCATION AS ANI?

A challenging and open question!

OBFUSCATING NON-INTERFERENCE means creating fake dependencies (interference): making non-interference incomplete.

OBFUSCATING INTERFERENCE means disconnecting dependencies: making interference (dependence analysis) incomplete.

ABSTRACT SLICING is a way for de-obfuscating (e.g., watermark extraction): see Isabella's talk next!

SLIDE 29

CURRENT DIRECTIONS

ANI is general enough to weaken non-interference and deal with the WHO and WHAT dimensions!

  • Transforming abstractions means modeling attackers in ANI
  • Transforming programs means making code secure

ANI for obfuscation & for information hiding:

  • Isolate non-interfering code slices to perform obfuscation
  • Associate with Φ a stegomark disclosable by ANI via allowing

Move from syntactic to semantic-based metrics for measuring the potency of obfuscation:

  • measuring incompleteness as a measure of obscurity
  • measuring the difficulty of proving semantic equivalence (the Coq proof is indeed a deobfuscation)

SLIDES 30-31

MANY THANKS!!