
SLIDE 1

A (Co)inductive System Calculus for Security Properties
[New title suggestions are welcome!]

Eric Rothstein Morris
Supervisor: Joachim Posegga

Chair of IT Security, University of Passau
er@sec.uni-passau.de

ESORICS 2015 - PhD Symposium, October 2, 2015

SLIDE 2

Introduction Example Motivation Calculus Wrap-Up

Enforcement

Let Sys be a set of systems. Let $P\colon \mathrm{Sys} \to \{\mathit{false}, \mathit{true}\}$ be a system property.
Definition. A sound enforcer of P is a mechanism $\mathrm{enf}_P\colon \mathrm{Sys} \to \mathrm{Sys}$ such that, for all $\sigma \in \mathrm{Sys}$, $\mathrm{enf}_P(\sigma)$ satisfies P.
Definition. An enforcer $\mathrm{enf}_P$ is transparent if and only if, whenever σ satisfies P, $\mathrm{enf}_P(\sigma) = \sigma$.

1 / 13

SLIDE 3

Enforcement

Relevant questions:
What is Sys?
Is there a sound and transparent enforcer for all properties?
Usually:
Systems: C, JavaScript, automata, hardware, etc.
Properties: not vulnerable to ν, confidentiality, etc.
Know the power of your enforcer.

2 / 13

SLIDE 4

Enforcing via Equations: An Artificial Toy Example

Consider the following. Let $\mathrm{Sys} = \mathbb{R} \to \mathbb{R}$. Let $P\colon \mathrm{Sys} \to \{\mathit{false}, \mathit{true}\}$ be defined, for $f \in \mathrm{Sys}$, by $P(f) = (f(r) \geq 0 \text{ for all } r \in \mathbb{R})$. Let $|\cdot|\colon \mathrm{Sys} \to \mathrm{Sys}$ be defined, for $f \in \mathrm{Sys}$, by
$$|f|(r) = \begin{cases} f(r), & \text{if } f(r) \geq 0; \\ -f(r), & \text{otherwise.} \end{cases}$$

The function $|\cdot|$ is one sound and transparent enforcer for P.

3 / 13

SLIDE 5

Enforcing via Equations: An Artificial Toy Example

Your competition proposes
$$\mathrm{enf}_P(f)(r) = \begin{cases} f(r), & \text{if } f(r) \geq 0; \\ 0, & \text{otherwise.} \end{cases}$$

Enforcement policy: use $\mathrm{enf}_P$ or $|\cdot|$? Enforcement is not only about what, but also about how.
Verifying vs. enforcing:
Verify: prove $f(r) \geq 0$ for all $r \in \mathbb{R}$ (maybe hard).
Enforce: use $|f|$ or $\mathrm{enf}_P(f)$ instead of f (easy).

4 / 13

SLIDE 7

Motivation

It would be nice if we could do the same for complex systems and for practical security properties. Can we actually do this? Hopefully yes, using a coinductive calculus.

5 / 13

SLIDE 8

Before we continue

I will try to convince you that...
Coinduction: break systems apart, rebuild them back.
Enforcement: rebuild systems so they satisfy a property.
Implementation: equations lazily evaluated in Haskell.

6 / 13

SLIDE 9

Coinduction: Breaking Streams Apart

Streams (single-threaded, non-interactive systems).
Let $\mathbb{R}^\omega = \{ [r_0, r_1, \ldots] \mid r_i \in \mathbb{R} \}$.
Let $\mathrm{head}\colon \mathbb{R}^\omega \to \mathbb{R}$ be defined by $\mathrm{head}([r_0, r_1, \ldots]) = r_0$.
Let $\mathrm{tail}\colon \mathbb{R}^\omega \to \mathbb{R}^\omega$ be defined by $\mathrm{tail}([r_0, r_1, \ldots]) = [r_1, \ldots]$.
A stream σ is coinductively defined by its head and tail.

7 / 13

SLIDE 10

Coinduction: Rebuilding Streams from Pieces

Let $\mathrm{pack}\colon \mathbb{R} \times \mathbb{R}^\omega \to \mathbb{R}^\omega$ be defined by $\mathrm{pack}(r, [r_0, r_1, \ldots]) = [r, r_0, r_1, \ldots]$.
pack is the "compiler" of the specification $\langle r, [r_0, r_1, \ldots] \rangle$:
$$\mathbb{R} \times \mathbb{R}^\omega \cong \mathbb{R}^\omega$$
Modify the head and/or tail to obtain a different stream:
$$\mathrm{enf}_P(\sigma) = \mathrm{pack}(f(\mathrm{head}(\sigma)),\; g(\mathrm{tail}(\sigma)))$$

8 / 13

SLIDE 11

Another Toy Example

Define enforcers using head, tail and pack. Let $|\cdot|\colon \mathbb{R}^\omega \to \mathbb{R}^\omega$ be defined, for $\sigma \in \mathbb{R}^\omega$, by
$$|\sigma| = \begin{cases} \mathrm{pack}(\langle \mathrm{head}(\sigma), |\mathrm{tail}(\sigma)| \rangle), & \text{if } \mathrm{head}(\sigma) \geq 0; \\ |\mathrm{tail}(\sigma)|, & \text{otherwise.} \end{cases} \qquad (1)$$

$|\cdot|$ soundly and transparently enforces "always $\geq 0$". Equation (1) is a behavioural (differential) equation.

9 / 13

SLIDE 13

From Streams to Arbitrary Types

Let X be a Haskell type implementing
$\mathrm{observe}\colon X \to \mathbb{R}$
$\mathrm{next}\colon X \to X$.
Enforce "always $\geq 0$" on X using $|\cdot|$ by projecting X into $\mathbb{R}^\omega$.
Let $[\![\cdot]\!]\colon X \to \mathbb{R}^\omega$ be defined, for $x \in X$, by $[\![x]\!] = \mathrm{pack}(\langle \mathrm{observe}(x), [\![\mathrm{next}(x)]\!] \rangle)$.
$|[\![x]\!]|$ satisfies "always $\geq 0$", and x and $[\![x]\!]$ are behaviourally equivalent.

10 / 13
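The stream equations of the last slides, as an added example in Python rather than the author's Haskell (this is not code from the slides). The tail of a stream is a memoised thunk, so equation (1) and the projection ⟦·⟧ are evaluated lazily, as the slides describe for Haskell. The sawtooth system `observe_saw`/`next_saw`, the `budget` guard and all helper names are assumptions of this example. It also shows one caveat the slides leave implicit: the "otherwise" branch of equation (1) produces no head, so on a stream with no further non-negative element the equation is unproductive, and an enforcer built from it must bound that search.

```python
from typing import Callable, List, Optional


class Stream:
    """sigma = pack(head(sigma), tail(sigma)); the tail is computed on demand."""

    def __init__(self, head: float, tail_thunk: Callable[[], "Stream"]):
        self.head = head
        self._tail_thunk = tail_thunk
        self._tail: Optional["Stream"] = None

    @property
    def tail(self) -> "Stream":
        if self._tail is None:          # force once, then memoise
            self._tail = self._tail_thunk()
        return self._tail


def pack(r: float, tail_thunk: Callable[[], Stream]) -> Stream:
    """pack(<r, sigma>) = [r, r0, r1, ...]: the 'compiler' of a specification."""
    return Stream(r, tail_thunk)


def take(sigma: Stream, n: int) -> List[float]:
    """Finite observation of a stream: its first n elements."""
    out = []
    for _ in range(n):
        out.append(sigma.head)
        sigma = sigma.tail
    return out


def unfold(observe: Callable, step: Callable, x) -> Stream:
    """[[x]] = pack(<observe(x), [[next(x)]]>): project a type with observe/next into R^omega."""
    return pack(observe(x), lambda: unfold(observe, step, step(x)))


def enforce_nonneg(sigma: Stream, budget: int = 10_000) -> Stream:
    """Equation (1): |sigma| = pack(<head(sigma), |tail(sigma)|>) if head(sigma) >= 0,
    else |tail(sigma)|.  The 'otherwise' branch emits nothing, so a stream with no
    further non-negative element makes the equation unproductive; `budget` (an
    assumption of this example) bounds that search and raises instead of looping."""
    dropped = 0
    while sigma.head < 0:
        sigma = sigma.tail
        dropped += 1
        if dropped > budget:
            raise RuntimeError("unproductive equation: no non-negative element found")
    # Guarded corecursion: one head now, the rest of |sigma| only when demanded.
    return pack(sigma.head, lambda s=sigma: enforce_nonneg(s.tail, budget))


def productive(sigma: Stream, budget: int = 1000) -> bool:
    """True if |sigma| yields at least one element within the budget."""
    try:
        enforce_nonneg(sigma, budget)
        return True
    except RuntimeError:
        return False


# Constructed system X (assumption): state n, observe(n) = (n mod 5) - 2, next(n) = n + 1,
# whose projection is the sawtooth [-2, -1, 0, 1, 2, -2, -1, 0, 1, 2, ...].
def observe_saw(n: int) -> int:
    return n % 5 - 2


def next_saw(n: int) -> int:
    return n + 1


def demo() -> dict:
    raw = unfold(observe_saw, next_saw, 0)
    enforced = enforce_nonneg(raw)                 # soundness: every head >= 0
    counter = unfold(lambda n: n, next_saw, 0)     # already satisfies the property
    return {
        "raw": take(raw, 7),
        "enforced": take(enforced, 6),
        # transparency: an enforced compliant system observes identically
        "transparent": take(enforce_nonneg(counter), 5) == take(counter, 5),
    }


if __name__ == "__main__":
    print(demo())
```

`demo()` returns the raw prefix `[-2, -1, 0, 1, 2, -2, -1]`, the enforced prefix `[0, 1, 2, 0, 1, 2]` and `True` for transparency; `productive(unfold(lambda n: -1, next_saw, 0))` is `False`, which is exactly the case a sound enforcer must not hang on.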

SLIDE 14

Non-interference

Let I be a set of inputs, $\mathrm{lvl}\colon I \to \{L, H\}$ be an input classification function, and X be a Haskell type implementing
$\mathrm{observe}\colon X \to I \to \mathbb{R}$ (an L-channel)
$\mathrm{next}\colon X \to I \to X$.
Non-interference: the presence of H-actions does not impact L-channels.
$$\mathrm{observe}(\mathrm{enf}_P(\sigma), i) = \begin{cases} \mathrm{observe}(\sigma, i), & \text{if } \mathrm{lvl}(i) = L; \\ \varepsilon, & \text{otherwise.} \end{cases}$$
$$\mathrm{next}(\mathrm{enf}_P(\sigma), i) = \begin{cases} \mathrm{enf}_P(\mathrm{next}(\sigma, i)), & \text{if } \mathrm{lvl}(i) = L; \\ \mathrm{enf}_P(\sigma), & \text{otherwise.} \end{cases}$$

11 / 13
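The non-interference enforcer of the slide above, as an added Python example (not the slides' code or the author's Haskell). The leaky system, its input alphabet (`("set", v)` is the only H action; `("read",)` and `("ping",)` are L actions), the state type and the bounded checker `find_interference` are all constructed for this example. The checker tests the usual purge formulation of non-interference: for every input word, the L-channel trace must equal the trace of the same word with its H inputs removed. Run against the raw system it finds a witness; run against the enforced one it finds none, because the two equations make every H input an ε-observation that leaves the state unchanged.

```python
from itertools import product
from typing import Callable, Tuple

EPS = None  # the slide's epsilon: nothing visible on the L-channel for this input

# Constructed example system (assumption of this example, not from the slides).
# The state x is the current secret.  Inputs are tuples:
#   ("set", v)  H action: store secret v
#   ("read",)   L action: the L-channel returns the secret  -> interference
#   ("ping",)   L action: harmless, the L-channel returns 0
INPUTS = [("set", 1), ("set", 2), ("read",), ("ping",)]


def lvl(i: Tuple) -> str:
    return "H" if i[0] == "set" else "L"


def observe(x: int, i: Tuple) -> int:
    """observe: X -> I -> R, the L-channel of the leaky system."""
    return x if i[0] == "read" else 0


def next_(x: int, i: Tuple) -> int:
    """next: X -> I -> X, the state transition of the leaky system."""
    return i[1] if i[0] == "set" else x


# The slide's enforcer as two equations over (observe, next): an H input
# yields epsilon and does not advance the state; an L input passes through.
def enf_observe(x: int, i: Tuple):
    return observe(x, i) if lvl(i) == "L" else EPS


def enf_next(x: int, i: Tuple) -> int:
    return next_(x, i) if lvl(i) == "L" else x


def trace(obs: Callable, nxt: Callable, x0: int, word) -> list:
    """Everything the L-channel shows while the system consumes `word` from x0."""
    out, x = [], x0
    for i in word:
        out.append(obs(x, i))
        x = nxt(x, i)
    return out


def purge(word) -> tuple:
    """Drop the H inputs: the part of the word an L-level observer may know."""
    return tuple(i for i in word if lvl(i) == "L")


def l_view(obs: Callable, nxt: Callable, x0: int, word) -> list:
    """Observations at L inputs only; epsilon entries at H inputs are not L-visible."""
    return [o for i, o in zip(word, trace(obs, nxt, x0, word)) if lvl(i) == "L"]


def find_interference(obs: Callable, nxt: Callable, x0: int, max_len: int = 3):
    """Bounded exhaustive check: every input word up to max_len must give the same
    L view as its purged word.  Returns the first violating word, or None."""
    for n in range(max_len + 1):
        for word in product(INPUTS, repeat=n):
            if l_view(obs, nxt, x0, word) != l_view(obs, nxt, x0, purge(word)):
                return word
    return None


if __name__ == "__main__":
    print("leaky system:   ", find_interference(observe, next_, 0))
    print("enforced system:", find_interference(enf_observe, enf_next, 0))
```

The first violating word for the leaky system is `(("set", 1), ("read",))`: after the H input the L-channel reads 1, while the purged word reads 0. The bound `max_len` matters: a checker like this is evidence, not a proof, which is why the slides look for equations whose solutions satisfy the property by construction rather than by testing.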

SLIDE 15

Contribution

Illustrate how systems, properties and enforcement mechanisms can be brought down to the same abstraction level, resulting in a practical framework for the enforcement of security properties.

12 / 13

SLIDE 16

Objective

Find and solve systems of behavioural equations to obtain systems that satisfy security properties.
Milestones:
Find equations that define security properties.
Prove expressivity: "benchmark" properties.
Classify properties according to enforceability.
Develop tool support: Haskell.

13 / 13

SLIDE 17

Questions

Questions? Thank you for your attention!

13 / 13