A weakest precondition approach to active attacks analysis - PowerPoint PPT Presentation




A weakest precondition approach to active attacks analysis

Musard Balliu Isabella Mastroeni

School of Computer Science and Communication, Royal Institute of Technology (KTH), Stockholm, Sweden
Dipartimento di Informatica, Università di Verona, Italy

Dublin, June 15th, 2009


Security Background

Goal: Protect data confidentiality from malicious attackers.

System data:

  • H stands for private, unmodifiable
  • L stands for public, modifiable

Standard Non-Interference (H L): aims to protect private inputs.

  ∀l ∈ V_L, ∀h1, h2 ∈ V_H. P(h1, l)_L = P(h2, l)_L

PROBLEM ⇓ Real systems release private information intentionally.


Solution ⇓ Declassified Non-Interference (φ(H) L), where φ(H) is the declassified private property:

  ∀l ∈ V_L, ∀h1, h2 ∈ V_H. φ(h1) = φ(h2) ⇒ P(h1, l)_L = P(h2, l)_L

No property stronger than φ(H) can be disclosed. [Myers and Liskov 1997, Sabelfeld and Myers 2003]


Robustness [Myers et al. 2004]

Goal: compare the power of active attacks with that of passive attacks.

  • Additional integrity level.
  • Active attackers: can modify data at fixed points called holes [•].
  • Security types: LL, LH, HL and HH (confidentiality, integrity)

  c[•] ::= skip | x := e | c1; c2 | if e then c1 else c2 | while e do c | [•]

  • Fair attacks: programs on LL variables.

Robustness: P[•] is robust if no active fair attack can disclose more private information than a passive attacker.


Abstract Interpretation [Cousot and Cousot ’77,’79]

Abstract Interpretation: a general theory of sound approximation of program semantics.

Abstract domains (figure): the sign lattice ∅, 0−, 0+, ⊤ and the parity lattice ∅, Even, Odd, ⊤.

  sum(x, y) =def x + y

  • sum∗(+, +) = +
  • sum∗(−, −) = −
  • sum∗(+, −) = ⊤
  • sum∗(even, even) = even
  • sum∗(odd, odd) = even
  • sum∗(even, odd) = odd


Declassification by Wlp [Banerjee et al. 2007]

Wlp: greatest set of input states leading to a given output observation.

  P =def if (h1 = h2) then l := 0 else l := 1

  Wlp(P, l = a) = (h1 = h2 ∧ a = 0) ∨ (h1 ≠ h2 ∧ a = 1)

⇓ Maximal information released (figure): the lattice with ⊤ at the top, the two classes {h1, h2, l | h1 = h2} and {h1, h2, l | h1 ≠ h2} in the middle, and ∅ at the bottom.


From the non-interference point of view:

  h1 = 0, h2 = 0, l = 0 yields l = 0
  h1 = 1, h2 = 0, l = 0 yields l = 1


Maximal release by active attackers

Goal: compute the maximal information disclosed by active attackers.

⇒ Unfair attacks: programs on LL and HL variables.

  P ::= l := h; [•]   with variables h : HH, l : LL and k : HL.

  Wlp(l := h; [skip], {l = a}) = {h = a}
  Wlp(l := h; [l := k], {l = a}) = {k = a}
  Wlp(l := h; [l := l + k], {l = a}) = {h + k = a}

  • Active attackers ⇒ semantic transformation.
  • Different attacks ⇒ different information release.

Active attacks can be potentially infinite!


Parametric attacks

Active attack ≡ function on LL and HL variables.

  • Extend the Wlp computation, parametric on f(l).
  • Analyze the final formula containing f as parameter.

Back to the example: represent the possible unfair attacks in [•] with l, k := f(l, k), g(l, k).

  {f(h, k) = a}
  l := h;
  {f(l, k) = a}
  [l, k := f(l, k), g(l, k);]
  {l = a}

⇒ {f(h, k) = a}: f "measures" the information of h and k.


I/O Analysis

  {h2 mod 2 = a}
  h1 := h2;
  {h2 mod 2 = a}
  h2 := h2 mod 2;
  {h2 = a}
  l1 := h2;
  {l1 = a}
  h2 := h1;
  {l1 = a}
  l2 := h2;
  {l1 = a}
  l2 := l1;
  {l1 = l2 = a}


Trace Analysis [Mastroeni and Banerjee 2008]

  {h2 mod 2 = a ∧ h2 = b ∧ l2 = c ∧ l1 = d}
  h1 := h2;
  {h2 mod 2 = a ∧ h1 = b ∧ l2 = c ∧ l1 = d}
  h2 := h2 mod 2;
  {h2 = a ∧ h1 = b ∧ l2 = c ∧ [l1 = d]}
  l1 := h2;
  {l1 = a ∧ h1 = b ∧ l2 = c}
  h2 := h1;
  {l1 = a ∧ h2 = b ∧ [l2 = c]}
  l2 := h2;
  {l1 = a ∧ [l2 = b]}
  l2 := l1;
  {l1 = l2 = a}


Maximal release on traces

If Holes ⊆ Obs then all fair attacks are l := c.

⇓ Compute the maximal private information disclosed independently of the active attacker!

  {((h > 0 ∧ c = a) ∨ (h ≤ 0 ∧ a = 0)) ∧ c = b ∧ d = 0}
  l := 0;
  {((h > 0 ∧ c = a) ∨ (h ≤ 0 ∧ a = 0)) ∧ c = b ∧ [l = d]}
  [l := c;]
  {((h > 0 ∧ l = a) ∨ (h ≤ 0 ∧ a = 0)) ∧ [l = b]}
  if (h > 0) then skip else l := 0;
  {l = a}


Enforcing robustness

Goal: enforce robust programs independently of the attack.

The program (h : HH and l, k : LL):

  k := h;
  [•]
  if (l = 0) then (l := 0; k := 0) else (l := 1; k := 1);


Passive attacker (h : HH and l, k : LL)

  {(l = 0 ∧ a = 0 ∧ b = 0) ∨ (l ≠ 0 ∧ a = 1 ∧ b = 1)}
  k := h;
  {(l = 0 ∧ a = 0 ∧ b = 0) ∨ (l ≠ 0 ∧ a = 1 ∧ b = 1)}
  [skip]
  {(l = 0 ∧ a = 0 ∧ b = 0) ∨ (l ≠ 0 ∧ a = 1 ∧ b = 1)}
  if (l = 0) then (l := 0; k := 0) else (l := 1; k := 1);
  {l = a ∧ k = b}


Unsuccessful active attacker (h : HH and l, k : LL)

  {(c1 = 0 ∧ a = 0 ∧ b = 0) ∨ (c1 ≠ 0 ∧ a = 1 ∧ b = 1)}
  k := h;
  {(c1 = 0 ∧ a = 0 ∧ b = 0) ∨ (c1 ≠ 0 ∧ a = 1 ∧ b = 1)}
  [l := c1; k := c2;]
  {(l = 0 ∧ a = 0 ∧ b = 0) ∨ (l ≠ 0 ∧ a = 1 ∧ b = 1)}
  if (l = 0) then (l := 0; k := 0) else (l := 1; k := 1);
  {l = a ∧ k = b}


Successful active attacker (h : HH and l, k : LL)

  {(h = 0 ∧ a = 0 ∧ b = 0) ∨ (h ≠ 0 ∧ a = 1 ∧ b = 1)}
  k := h;
  {(k = 0 ∧ a = 0 ∧ b = 0) ∨ (k ≠ 0 ∧ a = 1 ∧ b = 1)}
  [l := k;]
  {(l = 0 ∧ a = 0 ∧ b = 0) ∨ (l ≠ 0 ∧ a = 1 ∧ b = 1)}
  if (l = 0) then (l := 0; k := 0) else (l := 1; k := 1);
  {l = a ∧ k = b}


A sufficient condition

Let P = P2[•]P1 be a program and Φ = Wlp(P1, Φ0).

  FV(Φ) ∩ (LL ∪ HL) = ∅ ⇒ P robust wrt unfair attacks

Example (l : LL, h : HH and k : HL)

  P ::= l := h + l; [•]; l := 1; k := h; while (h > 0) do (l := l − 1; l := h);

  {(h ≤ 0 ∧ a = 1) ∨ (h > 0 ∧ a = 0)}      (l, k ∉ FV(Φ))
  l := 1; k := h;
  {(h ≤ 0 ∧ l = a) ∨ (h > 0 ∧ a = 0)}
  while (h > 0) do (l := l − 1; l := h);
  {l = a}
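One way to mechanise these computations, as an added example that is not part of the original slides: a symbolic Wlp calculator in Python for the loop-free fragment of the slides' language (skip, assignment, sequence, if) that reproduces the slide 10 and slide 12 formulas and applies this slide's free-variable condition to the slide 36 program. The typing dictionaries, the rendering conventions and the variant [•]; l := h are constructed for the example; the while-loop case of the example above is outside its scope.

```python
# Added example (not the authors' code): a symbolic Wlp calculator for the
# slides' loop-free language, used to reproduce the "maximal release"
# computations of slide 12 and the declassification example of slide 10, and to
# apply the free-variable check of slide 47 (FV(Φ) ∩ (LL ∪ HL) = ∅ ⇒ robust
# wrt unfair attacks, where Φ = Wlp(P1, Φ0) for P = P2[•]P1).
from collections import namedtuple

# Terms: variables, integer constants and binary nodes; the same Bin node
# serves arithmetic (+ -), relations (= ≠ > ≤) and connectives (∧ ∨).
Var, Const = namedtuple("Var", "name"), namedtuple("Const", "value")
Bin = namedtuple("Bin", "op left right")
# Commands of the slides' language c[•]; the hole is filled in by the caller.
Skip, Assign = namedtuple("Skip", []), namedtuple("Assign", "var expr")
Seq, If = namedtuple("Seq", "first second"), namedtuple("If", "cond then els")

NEG = {"=": "≠", "≠": "=", ">": "≤", "≤": ">"}
PREC = {"∨": 1, "∧": 2, "=": 3, "≠": 3, ">": 3, "≤": 3, "+": 4, "-": 4}
LOGIC = {"∧", "∨"}

def subst(t, x, e):
    """t[e/x]: replace every occurrence of variable x in t by expression e."""
    if isinstance(t, Var):
        return e if t.name == x else t
    if isinstance(t, Const):
        return t
    return Bin(t.op, subst(t.left, x, e), subst(t.right, x, e))

def wlp(c, post):
    """Weakest liberal precondition, one rule per construct."""
    if isinstance(c, Skip):
        return post
    if isinstance(c, Assign):                      # Wlp(x := e, Q) = Q[e/x]
        return subst(post, c.var, c.expr)
    if isinstance(c, Seq):                         # Wlp(c1; c2, Q) = Wlp(c1, Wlp(c2, Q))
        return wlp(c.first, wlp(c.second, post))
    neg = Bin(NEG[c.cond.op], c.cond.left, c.cond.right)   # ¬e for a relation e
    return Bin("∨", Bin("∧", c.cond, wlp(c.then, post)),  # (e ∧ Wlp(c1, Q)) ∨
                    Bin("∧", neg, wlp(c.els, post)))      # (¬e ∧ Wlp(c2, Q))

def show(t, parent=None):
    """Infix rendering, parenthesising ∧-blocks inside ∨ as the slides do."""
    if isinstance(t, Var):
        return t.name
    if isinstance(t, Const):
        return str(t.value)
    s = f"{show(t.left, t.op)} {t.op} {show(t.right, t.op)}"
    if parent is None:
        return s
    need = (parent in LOGIC and parent != t.op) if t.op in LOGIC else PREC[t.op] < PREC[parent]
    return f"({s})" if need else s

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Const):
        return set()
    return free_vars(t.left) | free_vars(t.right)

def robust_wrt_unfair(p1, post, types):
    """Slide 47's sufficient condition: no LL or HL (attacker-writable) variable
    is free in Φ = Wlp(P1, Φ0), so nothing the hole writes survives to the
    observation. Returns (condition holds?, Φ rendered)."""
    phi = wlp(p1, post)
    writable = {v for v in free_vars(phi) if types.get(v) in ("LL", "HL")}
    return not writable, show(phi)

l, h, k, a, b = Var("l"), Var("h"), Var("k"), Var("a"), Var("b")

def maximal_release_examples():
    """Slide 12: P ::= l := h; [•] with h : HH, l : LL, k : HL, three attacks."""
    attacks = {"skip": Skip(), "l := k": Assign("l", k),
               "l := l + k": Assign("l", Bin("+", l, k))}
    return {name: show(wlp(Seq(Assign("l", h), att), Bin("=", l, a)))
            for name, att in attacks.items()}

def declassification_example():
    """Slide 10: Wlp(if (h1 = h2) then l := 0 else l := 1, l = a).
    Substitution orients the equalities as '0 = a' where the slide writes 'a = 0'."""
    h1, h2 = Var("h1"), Var("h2")
    p = If(Bin("=", h1, h2), Assign("l", Const(0)), Assign("l", Const(1)))
    return show(wlp(p, Bin("=", l, a)))

def robustness_examples():
    """Slide 47 check on: the slide 36 program (P1 is the if, l and k are LL),
    slide 12 (P1 is empty) and a constructed variant [•]; l := h (k : HL)."""
    def branch(v):
        return Seq(Assign("l", Const(v)), Assign("k", Const(v)))
    p1_if = If(Bin("=", l, Const(0)), branch(0), branch(1))
    ll_types = {"h": "HH", "l": "LL", "k": "LL"}
    hl_types = {"h": "HH", "l": "LL", "k": "HL"}
    return {
        "k := h; [•]; if ...": robust_wrt_unfair(p1_if, Bin("∧", Bin("=", l, a), Bin("=", k, b)), ll_types)[0],
        "l := h; [•]": robust_wrt_unfair(Skip(), Bin("=", l, a), hl_types)[0],
        "[•]; l := h": robust_wrt_unfair(Assign("l", h), Bin("=", l, a), hl_types)[0],
    }

if __name__ == "__main__":
    print(maximal_release_examples(), declassification_example(), robustness_examples(), sep="\n")
```

The slide 36 program fails the check because l ∈ LL stays free in Φ, which is exactly what the successful attack [l := k] exploits; in the constructed variant the hole's write to l is overwritten by l := h, so Φ mentions only h and the condition holds.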


A robustness condition on traces

Example (l : LH, k : LL and h1, h2, h3 : HH)

  {h3 mod 2 = a ∧ h3 = b ∧ l = c ∧ h1 + h2 = d}
  k := h1 + h2;
  [skip;]
  {h3 mod 2 = a ∧ h3 = b ∧ l = c ∧ [k = d]}
  k := h3 mod 2;
  {k = a ∧ h3 = b ∧ [l = c]}
  l := h3;
  {k = a ∧ [l = b]}
  l := k;
  {l = k = a}


Example (l : LH, k : LL and h1, h2, h3 : HH)

  P ::= k := h1 + h2; [•]; k := h3 mod 2; l := h3; l := k;

  {h3 mod 2 = a ∧ h3 = b ∧ l = c ∧ h1 + h2 = e}
  k := h1 + h2;
  {h3 mod 2 = a ∧ h3 = b ∧ l = c ∧ d = d1 ∧ [k = e]}
  [k := d1;]
  {h3 mod 2 = a ∧ h3 = b ∧ l = c ∧ [k = d]}

Let P = P2[•]P1, Holes ⊆ Obs and Φ = Wlp(P1, Φ0).

  FV(Φ) ∩ LL = ∅ ⇒ P robust wrt fair attacks

SLIDE 60

Relative Robustness

Let P[•] be a program and A a set of attacks such that Var(A) ⊆ LL ∪ HL. P[•] is relatively robust wrt A if, for every a ∈ A, P[a] does not release more than P[skip] (every hole filled with skip).

Robustness wrt unfair attacks (unfair ⊇ fair). P ::= l := h; [•]; with variables h : HH, l : LL and k : HL.

  • Wlp(l := h; [skip], {l = a}) = {h = a}
  • Wlp(l := h; [l := k], {l = a}) = {k = a}
  • Wlp(l := h; [l := l + k], {l = a}) = {h + k = a}

Both unfair attacks write through k (HL), and the precondition now depends on k, a variable whose value the passive program never releases.


SLIDE 62

Relative Robustness

Robustness wrt fair attacks. P ::= l := h; [•]; with variables h : HH, l : LL and k : HL.

  • Wlp(l := h; [skip], {l = a}) = {h = a}
  • Wlp(l := h; [l := l + 1], {l = a}) = {h = a − 1}

The fair attack only shifts the observed value: knowing h = a − 1 is exactly knowing h, so l := l + 1 releases no more than skip.

SLIDE 63

Relative Robustness

Proposition. Let P = P2[•]P1 be a program and Φ = Wlp(P1, Φ0). P is relatively robust wrt the attacks in A if FV(Φ) ∩ Var(A) = ∅.

[Diagram: the condition FV(Φ) ∩ X = ∅ with X ranging from LL (fair attacks) through Var(A) up to LL ∪ HL (all unfair attacks).]

SLIDE 64

Certifying (relative) robustness

Express the sufficient condition in the opposite direction: instead of checking a given attack set, compute from Φ the largest set of attacks the program tolerates.

P := P2[•]P1 ∧ Φ = Wlp(P1, Φ0)
⇒ V = {x | (x : LL ∨ x : HL) ∧ x ∉ FV(Φ)}
⇒ P is relatively robust wrt {a | Var(a) ⊆ V}

Example (h1, h2 : HH, l1, l3 : LL and l2 : HL). P = [•]; P1 with

{(h2 > 0 ∧ h1 mod 2 = a ∧ b = 0) ∨ (h2 ≤ 0 ∧ l2 = b = a)}
if (h2 > 0) then l1 := h1 mod 2; l3 := 0 else l3 := l2; l1 := l3
{l1 = a ∧ l3 = b}

FV(Φ) = {h1, h2, l2}, so V = {l1, l3}: P is relatively robust wrt attacks on l1 and l3!


SLIDE 68

Relative VS Decentralized Robustness

Decentralized Robustness: principals distrusting each other.

  • Analysis and attacker: fixes which data principal p believes the attacker q can read or write.
  • Robustness: must hold for all pairs p, q with powers R_{p→q}, W_{p←q}.

Relative Robustness: fixed principals p and q.

  • Static confidentiality levels C_{p→q} and integrity levels I_{p←q}.
  • If I_{p←q}(x) = L, p believes that q can modify x.

Let P = P2[•]P1 be a program and Φ = Wlp(P1, Φ0). P satisfies decentralized robustness wrt the principals p, q if FV(Φ) ∩ (LL ∪ HL)_{p→q} = ∅, where (LL ∪ HL)_{p→q} ≝ {x | I_{p←q}(x) = L}.


SLIDE 70

Conclusions

  • Robustness in language-based security.
  • Maximal information released by active attackers.
  • Condition to check robust programs.
  • Considerations for both I/O and trace semantics.

Future work

  • An algorithm for static certification of robust programs.
  • Extend this work to deal with abstract active attackers.
  • Extend this work to concurrent attackers or other attacker models.
  • Relation between relative robustness and decentralized robustness.


SLIDE 72

THANK YOU!

SLIDE 73

Relative robustness dependent on the attack

Let P[•] be a program and A a set of attacks such that |A| < ω (A is finite).

  • Compute the maximal information disclosed for all attacks.
    ⇒ Requires a finite number of tests.
  • Compare with the passive attacker.
    ⇒ Check robustness in a finite number of tests.
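The finite-test check above, carried out on the P ::= l := h; [•] example of the Relative Robustness slides, as an added illustration that is not part of the slides: attacks are Python functions on a state dict, the input domain is a constructed one, and "releases no more than skip" is taken to mean that no two inputs left indistinguishable by P[skip] become distinguishable under P[a]. The names run, witness, classify and the I/O-only observation of l are this example's own assumptions.

```python
"""Exhaustive relative-robustness test for P ::= l := h; [•] over a finite
attack set. Added illustration, not the authors' code: the input domain,
the attacker model (a function on the state dict) and the "releases no
more than skip" criterion below are this example's own assumptions.
"""
from itertools import product

# Constructed domain for the secret h (HH) and the attacker-writable but
# attacker-unreadable k (HL); l (LL) is what the attacker finally observes.
DOMAIN = range(4)

def run(attack, h, k):
    """Execute P[attack] = l := h; [attack] and return the observation of l."""
    state = {"h": h, "k": k}
    state["l"] = state["h"]          # l := h
    attack(state)                    # code placed in the hole
    return state["l"]                # the attacker reads l at the end

# The attacks from the slides, keyed by their source text.
ATTACKS = {
    "skip":       lambda s: None,                          # passive attacker
    "l := l + 1": lambda s: s.update(l=s["l"] + 1),        # fair: writes LL only
    "l := k":     lambda s: s.update(l=s["k"]),            # unfair: reads HL
    "l := l + k": lambda s: s.update(l=s["l"] + s["k"]),   # unfair
}

def witness(attack, passive=ATTACKS["skip"]):
    """Return a pair of inputs that P[skip] cannot tell apart but P[attack]
    can, or None if no such pair exists (attack releases no more than skip).
    Inputs are (h, k) pairs; the attacker knows neither initially."""
    inputs = list(product(DOMAIN, DOMAIN))
    for x, y in product(inputs, inputs):
        if run(passive, *x) == run(passive, *y) and run(attack, *x) != run(attack, *y):
            return x, y
    return None

def releases_no_more(attack):
    return witness(attack) is None

def classify(attacks=ATTACKS):
    """Map each attack to True (P relatively robust wrt it) or False."""
    return {name: releases_no_more(a) for name, a in attacks.items()}

if __name__ == "__main__":
    for name, ok in classify().items():
        detail = "robust" if ok else f"releases more, witness {witness(ATTACKS[name])}"
        print(f"{name:12s} -> {detail}")
```

The two fair attacks come out robust and the two unfair ones do not, matching the Wlp preconditions {h = a}, {h = a − 1}, {k = a} and {h + k = a}: the witness for l := k is a pair of inputs with the same h and different k. Only the final value of l is compared here (I/O semantics); under the trace semantics of the earlier slides every intermediate observation would be compared as well.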

SLIDE 74

Example: Holes inside conditionals or loops

Consider the program P

P ::= k := h mod 3; if (h mod 2 = 0) then [•]; l := 0; k := l else l := 1;

where h : HH, l : LL and k : LL. Wlp of the conditional, hole included, wrt the final observation:

{(h mod 2 = 0 ∧ a = 0 ∧ b = 0) ∨ (h mod 2 ≠ 0 ∧ a = 1 ∧ k = b)}
if (h mod 2 = 0) then [•]; l := 0; k := l else l := 1;
{l = a ∧ k = b}

The precondition depends on the LL variable k only through the else branch, the branch that never executes the hole.
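The Wlp computation and the certification condition V = {x | (x : LL ∨ x : HL) ∧ x ∉ FV(Φ)} of the Certifying (relative) robustness slide, applied to that slide's example and to the conditional example above, as an added illustration that is not the authors' code. The tuple term language, the constructors (V, O, C, Mod, Eq, Gt, And, Or, Assign, Seq, If), the helpers subst, fv, negate, wlp, show, harmless_attack_vars and relatively_robust are all this example's own assumptions; for the hole inside the then branch it follows the slide's displayed formula and reads the hole as skip when taking the Wlp of the whole conditional.

```python
"""Wlp-based certification of relative robustness for a tiny imperative
language, an added illustration of the slides' condition
FV(Wlp(P1, Phi0)) ∩ Var(A) = ∅ (this is not the authors' code). Statements,
expressions and formulas are nested tuples; Wlp is computed by backward
substitution; observation names a, b are logical constants, not program
variables, so they never count as free variables.
"""

# Constructors for the term language (an assumption of this example).
def V(x):         return ("var", x)          # program variable
def O(x):         return ("obs", x)          # observed value (logical constant)
def C(n):         return ("const", n)
def Mod(a, b):    return ("bin", "mod", a, b)
def Eq(a, b):     return ("eq", a, b)
def Gt(a, b):     return ("gt", a, b)
def And(*fs):     return ("and",) + fs
def Or(*fs):      return ("or",) + fs
def Assign(x, e): return ("assign", x, e)
def Seq(*ss):     return ("seq",) + ss
def If(c, t, e):  return ("if", c, t, e)
SKIP = ("skip",)

def subst(t, x, e):
    """t[e/x]: replace every occurrence of program variable x by e."""
    if t[0] == "var":
        return e if t[1] == x else t
    if t[0] in ("const", "obs"):
        return t
    return tuple(subst(c, x, e) if isinstance(c, tuple) else c for c in t)

def fv(t):
    """Free program variables of a formula or expression."""
    if t[0] == "var":
        return {t[1]}
    if t[0] in ("const", "obs"):
        return set()
    return set().union(*(fv(c) for c in t if isinstance(c, tuple)))

NEG = {"gt": "le", "le": "gt", "eq": "neq", "neq": "eq"}

def negate(c):
    return (NEG[c[0]],) + c[1:] if c[0] in NEG else ("not", c)

def wlp(s, phi):
    """Weakest liberal precondition of statement s wrt postcondition phi."""
    k = s[0]
    if k == "skip":
        return phi
    if k == "assign":
        return subst(phi, s[1], s[2])
    if k == "seq":
        for stmt in reversed(s[1:]):
            phi = wlp(stmt, phi)
        return phi
    if k == "if":
        c, then_, else_ = s[1:]
        return Or(And(c, wlp(then_, phi)), And(negate(c), wlp(else_, phi)))
    raise ValueError(k)

OPS = {"eq": "=", "neq": "≠", "gt": ">", "le": "≤"}

def show(t):
    """Render a formula in the slides' notation."""
    k = t[0]
    if k in ("var", "obs"): return t[1]
    if k == "const":        return str(t[1])
    if k == "bin":          return f"{show(t[2])} {t[1]} {show(t[3])}"
    if k in OPS:            return f"{show(t[1])} {OPS[k]} {show(t[2])}"
    if k == "not":          return f"¬({show(t[1])})"
    sep = " ∧ " if k == "and" else " ∨ "
    return "(" + sep.join(show(f) for f in t[1:]) + ")"

def harmless_attack_vars(p1, phi0, levels):
    """V = {x | x : LL or x : HL, x ∉ FV(Wlp(P1, Phi0))}: attacks writing only
    variables in V are tolerated. levels maps x -> 'CI', e.g. 'HL'."""
    low_integrity = {x for x, lv in levels.items() if lv[1] == "L"}
    return low_integrity - fv(wlp(p1, phi0))

def relatively_robust(p1, phi0, attack_vars):
    """The slides' sufficient condition: FV(Phi) ∩ Var(A) = ∅."""
    return fv(wlp(p1, phi0)).isdisjoint(attack_vars)

# Slide "Certifying (relative) robustness": P = [•]; P1.
LEVELS_64 = {"h1": "HH", "h2": "HH", "l1": "LL", "l3": "LL", "l2": "HL"}
P1_64 = If(Gt(V("h2"), C(0)),
           Seq(Assign("l1", Mod(V("h1"), C(2))), Assign("l3", C(0))),
           Seq(Assign("l3", V("l2")), Assign("l1", V("l3"))))
PHI0_64 = And(Eq(V("l1"), O("a")), Eq(V("l3"), O("b")))

# Slide "Holes inside conditionals or loops": the hole sits in the then
# branch; it is read as skip and the Wlp of the whole conditional is taken.
LEVELS_74 = {"h": "HH", "l": "LL", "k": "LL"}
P1_74 = If(Eq(Mod(V("h"), C(2)), C(0)),
           Seq(SKIP, Assign("l", C(0)), Assign("k", V("l"))),
           Assign("l", C(1)))
PHI0_74 = And(Eq(V("l"), O("a")), Eq(V("k"), O("b")))

if __name__ == "__main__":
    for p1, phi0, lv in ((P1_64, PHI0_64, LEVELS_64), (P1_74, PHI0_74, LEVELS_74)):
        phi = wlp(p1, phi0)
        print("Phi =", show(phi))
        print("  FV(Phi) =", sorted(fv(phi)), " V =", sorted(harmless_attack_vars(p1, phi0, lv)))
```

For the first program FV(Φ) = {h1, h2, l2} and V = {l1, l3}, as on the slide; for the conditional example FV(Φ) = {h, k} and V = {l}, so the syntactic condition certifies attacks on l but says nothing about attacks on k. The condition is only sufficient: a variable in FV(Φ) may still be harmless to write, which is where the finite-test comparison with the passive attacker comes in.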