
A weakest precondition approach to active attacks analysis (PowerPoint presentation)



  1. A weakest precondition approach to active attacks analysis
     Musard Balliu, Isabella Mastroeni
     School of Computer Science and Communication, Royal Institute of Technology (KTH), Stockholm, Sweden
     Dipartimento di Informatica, Università di Verona, Italy
     Dublin, June 15th, 2009

  2. Security Background
     Goal: Protect data confidentiality from malicious attackers.
     System data:
     • H stands for private, unmodifiable
     • L stands for public, modifiable
     Standard Non Interference (no flow from H to L): aims to protect private inputs.
     $\forall l \in V_L,\ \forall h_1, h_2 \in V_H .\ \llbracket P \rrbracket(h_1, l)_L = \llbracket P \rrbracket(h_2, l)_L$
     PROBLEM ⇓ Real systems release private information intentionally.


  5. Security Background
     Goal: Protect data confidentiality from malicious attackers.
     Solution ⇓
     Declassified Non Interference (only φ(H) may flow to L)
     φ(H): declassified private property
     $\forall l \in V_L,\ \forall h_1, h_2 \in V_H .\ \varphi(h_1) = \varphi(h_2) \Rightarrow \llbracket P \rrbracket(h_1, l)_L = \llbracket P \rrbracket(h_2, l)_L$
     No property stronger than φ(H) can be disclosed. [Myers and Liskov 1997, Sabelfeld and Myers 2003]

  6. Robustness [Myers et al. 2004]
     Goal: Active attacks vs Passive attacks power.
     • Additional integrity level.
     • Active attackers: Can modify data in fixed points called holes [•].
     • Security types: LL, LH, HL and HH (confidentiality, integrity)
       c[•] ::= skip | x := e | c1; c2 | if e then c1 else c2 | while e do c | [•]
     • Fair attacks: Programs on LL variables.
     Robustness: P[•] is robust if no active fair attack can disclose more private information than a passive attacker.


  8. Abstract Interpretation [Cousot and Cousot '77, '79]
     Abstract Interpretation: A general theory of sound approximation of program semantics.
     [Figure: the sign lattice (⊤ at the top; 0−, 0+; then −, 0, +; ∅ at the bottom) and the parity lattice (⊤ at the top; Even, Odd; ∅ at the bottom)]
     sum(x, y) ≝ x + y
     • sum*(+, +) = +
     • sum*(−, −) = −
     • sum*(+, −) = ⊤
     • sum*(even, even) = even
     • sum*(odd, odd) = even
     • sum*(even, odd) = odd


  10. Declassification by Wlp [Banerjee et al. 2007]
      Wlp: Greatest set of input states leading to a given output observation.
      P ≝ if (h1 = h2) then l := 0; else l := 1;
      $\mathrm{Wlp}(P,\ l = a) = (h_1 = h_2 \wedge a = 0) \vee (h_1 \neq h_2 \wedge a = 1)$
      ⇓ Maximal information released
      [Figure: lattice with ⊤ at the top, $\{\langle h_1, h_2, l\rangle \mid h_1 \neq h_2\}$ and $\{\langle h_1, h_2, l\rangle \mid h_1 = h_2\}$ in the middle, ∅ at the bottom]

  11. Declassification by Wlp [Banerjee et al. 2007]
      Wlp: Greatest set of input states leading to a given output observation.
      [Figure: lattice with ⊤ at the top, $\{\langle h_1, h_2, l\rangle \mid h_1 \neq h_2\}$ and $\{\langle h_1, h_2, l\rangle \mid h_1 = h_2\}$ in the middle, ∅ at the bottom]
      From the non-interference point of view:
      $h_1 = 0,\ h_2 = 0,\ l = 0 \;\longrightarrow\; l = 0$
      $h_1 = 1,\ h_2 = 0,\ l = 0 \;\longrightarrow\; l = 1$

  12. Maximal release by active attackers
      Goal: Compute the maximal information disclosed by active attackers.
      ⇒ Unfair attacks: Programs on LL and HL variables.
      P ::= l := h; [•]; with variables h : HH, l : LL and k : HL.
      • $\mathrm{Wlp}(l := h;\ [\mathtt{skip}],\ \{l = a\}) = \{h = a\}$
      • $\mathrm{Wlp}(l := h;\ [l := k],\ \{l = a\}) = \{k = a\}$
      • $\mathrm{Wlp}(l := h;\ [l := l + k],\ \{l = a\}) = \{h + k = a\}$
      • Active attackers ⇒ Semantic transformation.
      • Different attacks ⇒ Different information release.
      Active attacks can be potentially infinite!


  15. Parametric attacks
      Active attack ≡ function on LL and HL variables.
      • Extend the Wlp computation parametric on $f(\vec{l})$.
      • Analyze the final formula containing f as parameter.
      Back to the example: Consider the above example. Represent the possible unfair attacks in [•] with ⟨l, k⟩ := ⟨f(l, k), g(l, k)⟩.
      $\{f(h, k) = a\}\ \ l := h;\ \ \{f(l, k) = a\}\ \ [\langle l, k\rangle := \langle f(l, k), g(l, k)\rangle;]\ \ \{l = a\}$
      ⇒ {f(h, k) = a}: f "measures" the information of h and k.
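The Wlp computations of slides 10, 12 and 15, worked by a small symbolic calculator. This is an added example, not the authors' code: the tuple encoding of terms and commands and the names subst, wlp, show, attacked, P_DECL and PARAM are this example's own; the attacker functions f and g stay uninterpreted symbols, exactly as on slide 15.

```python
# Added example (not the authors' code): symbolic Wlp for the slides' toy language.
# Terms: ('var', x) | ('const', v) | ('op', sym, a, b) | ('not', e) | ('app', f, [args]).
# Commands: ('skip',) | ('assign', {x: e, ...}) simultaneous | ('seq', c1, c2)
#           | ('if', b, c1, c2) | ('hole', c)  -- the hole [•] filled with attacker code c.

def subst(e, m):
    """Simultaneously replace every variable x occurring in e by m[x]."""
    tag = e[0]
    if tag == 'var':   return m.get(e[1], e)
    if tag == 'const': return e
    if tag == 'not':   return ('not', subst(e[1], m))
    if tag == 'app':   return ('app', e[1], [subst(a, m) for a in e[2]])
    return ('op', e[1], subst(e[2], m), subst(e[3], m))

def wlp(c, q):
    """Wlp(c, q): largest set of input states from which c, if it terminates, ends in q."""
    tag = c[0]
    if tag == 'skip':   return q
    if tag == 'assign': return subst(q, c[1])                # Q[e/x]
    if tag == 'seq':    return wlp(c[1], wlp(c[2], q))       # Wlp(c1, Wlp(c2, Q))
    if tag == 'hole':   return wlp(c[1], q)                  # attacker code runs in place
    if tag == 'if':                                          # (b and Wlp(c1,Q)) or (not b and Wlp(c2,Q))
        b, c1, c2 = c[1:]
        return ('op', 'or', ('op', 'and', b, wlp(c1, q)), ('op', 'and', ('not', b), wlp(c2, q)))
    raise ValueError(f'unsupported command {tag}')          # while needs an invariant; omitted

def show(e):
    """Render a term as a fully parenthesised string."""
    tag = e[0]
    if tag == 'var':   return e[1]
    if tag == 'const': return str(e[1])
    if tag == 'not':   return f'not{show(e[1])}'
    if tag == 'app':   return f"{e[1]}({', '.join(map(show, e[2]))})"
    return f'({show(e[2])} {e[1]} {show(e[3])})'

V = lambda n: ('var', n)
EQ = lambda a, b: ('op', '=', a, b)
OBS = EQ(V('l'), V('a'))   # the observation {l = a} on the public output
# Slide 10: P = if h1 = h2 then l := 0 else l := 1
P_DECL = ('if', EQ(V('h1'), V('h2')), ('assign', {'l': ('const', 0)}), ('assign', {'l': ('const', 1)}))
# Slide 12: l := h; [attack], with h : HH, l : LL and k : HL
def attacked(attack):
    return ('seq', ('assign', {'l': V('h')}), ('hole', attack))
# Slide 15: the parametric unfair attack <l, k> := <f(l, k), g(l, k)>
PARAM = ('assign', {'l': ('app', 'f', [V('l'), V('k')]), 'k': ('app', 'g', [V('l'), V('k')])})

if __name__ == '__main__':
    print(show(wlp(P_DECL, OBS)))
    for atk in [('skip',), ('assign', {'l': V('k')}), ('assign', {'l': ('op', '+', V('l'), V('k'))}), PARAM]:
        print(show(wlp(attacked(atk), OBS)))
```

Running the block prints the slide-10 disjunction, then h = a, k = a, h + k = a and f(h, k) = a for the four attacks, which is the information each attack lets an observer of l learn.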
