Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm Hoare-like Logics for Verifying and Applications Inferring Conditional Information Flow Loops and Arrays Foundations and Limitations Conclusion Torben Amtoft & Anindya Banerjee & John Hatcliff & Edwin Rodr´ ıguez & Joey Dodds & . . . Kansas State University 19th CREST Open workshop, May 1, 2012
Dependency and Non-Interference Conditional Information Flow Amtoft et al Consider command C 2-Assertion Logic z := x + y Inference Algorithm Applications Dependency perspective: Loops and Arrays the value of z after executing C Foundations and Limitations depends only on (at most) x,y Conclusion Non-interference perspective: if two stores agree on x,y before C then they will agree on z after C Expressed as triple in Hoare-like logic: { x ⋉ , y ⋉ } C { z ⋉ } where ⋉ introduces a two-store assertion: s 1 & s 2 | = E ⋉ iff [ [ E ] ] s 1 = [ [ E ] ] s 2
Semantics of Hoare Triples Conditional Information Flow Amtoft et al A Hoare-triple { Θ } C { Θ ′ } with 2-assertions denotes: 2-Assertion Logic Inference Algorithm if s 1 & s 2 | = Θ Applications and s 1 [ [ C ] ] s ′ 1 Loops and Arrays ] s ′ and s 2 [ [ C ] 2 Foundations and then s ′ 1 & s ′ 2 | = Θ ′ Limitations Conclusion This is termination-insensitive: ◮ if C loops on s 1 and/or on s 2 ◮ then correctness holds vacuously. To get termination sensitivity, one might introduce ⊥ ⋉ : { x ⋉ } C {⊥ ⋉ } would then say that if s 1 ( x ) = s 2 ( x ) then either 1. C terminates on s 1 and on s 2 , or 2. C loops on s 1 and on s 2
Conditional Dependencies Conditional Information Flow Amtoft et al Now consider command 2-Assertion Logic if B then z := x else z := y Inference Algorithm Applications In terms of noninterference: two stores will end up Loops and Arrays agreeing on z if they Foundations and Limitations 1. agree on B Conclusion 2. agree on x when B is true 3. agree on y when B is false This may be expressed as the 2-assertion Hoare triple: { B ⋉ , B ⇒ x ⋉ , ¬ B ⇒ y ⋉ } C { z ⋉ } Semantics of a conditional assertion: s 1 & s 2 | = φ ⇒ E ⋉ iff s 1 | = φ, s 2 | = φ implies [ [ E ] ] s 1 = [ [ E ] ] s 2
Inference Algorithm Conditional Information Flow Amtoft et al 2-Assertion Logic Goal: Inference Algorithm 1. given command Applications Loops and Arrays 2. given postcondition (often unconditional) Foundations and 3. infer precondition that yields correct Hoare triple Limitations Conclusion Applications: ◮ derive (procedure) contracts ◮ check user-supplied contract: does given precondition entail inferred precondition? The inferred precondition is not necessarily the weakest: ◮ loops are approximated ◮ for procedures, summaries are consulted ◮ . . . ?
Analyzing Assignments Conditional Information Flow Amtoft et al 2-Assertion Logic For assignment x := E , as in standard Hoare Logic, the Inference Algorithm Applications (weakest) precondition is found by substituting E for x in Loops and Arrays postcondition Foundations and Limitations Conclusion Θ y + z > 7 ⇒ w ⋉ w > 5 ⇒ ( y + z ) ⋉ x := y + z Θ ′ x > 7 ⇒ w ⋉ w > 5 ⇒ x ⋉
Special Case: Conclusion Not Modified Conditional Information Flow Amtoft et al 2-Assertion Logic When C does not modify z , consider the triple Inference Algorithm { φ ⇒ z ⋉ } C { φ ′ ⇒ z ⋉ } Applications Loops and Arrays Foundations and For this to be valid, it must hold that: Limitations ◮ if post-stores are forced to agree on z Conclusion ◮ then also pre-stores must be forced to agree on z which amounts to φ satisfying ∀ s , s ′ : if s [ ] s ′ and s ′ | = φ ′ then s | [ C ] = φ This kind of resembles saying φ = wp ( C , φ ′ ) ◮ but the direction is backwards ◮ and approximation is upwards: φ = true is safe We call this Necessary PreCondition (NPC)
Analyzing Conditionals Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm Applications Loops and Arrays if y > 5 Foundations and Limitations Conclusion x := w z := v
Analyzing Conditionals Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm v > 3 ⇒ w ⋉ Applications Loops and Arrays if y > 5 Foundations and Limitations Conclusion x := w z := v v > 3 ⇒ w ⋉
Analyzing Conditionals Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm ( z > 3 ∧ y > 5) ∨ ( v > 3 ∧ y ≤ 5) ⇒ w ⋉ Applications Loops and Arrays if y > 5 Foundations and Limitations Conclusion x := w z := v z > 3 ⇒ w ⋉
Analyzing Conditionals Conditional Information Flow Amtoft et al 2-Assertion Logic z > 7 ∧ y > 5 ⇒ w ⋉ v > 7 ∧ y ≤ 5 ⇒ x ⋉ Inference Algorithm ( z > 7 ∧ y > 5) ∨ ( v > 7 ∧ y ≤ 5) ⇒ ( y > 5) ⋉ Applications Loops and Arrays if y > 5 Foundations and Limitations Conclusion z > 7 ⇒ w ⋉ v > 7 ⇒ x ⋉ x := w z := v z > 7 ⇒ x ⋉
Context Conditional Information Flow Amtoft et al ◮ Part of our work was motivated by a larger industrial 2-Assertion Logic collaboration effort with Rockwell Collins Inference Algorithm ◮ Rockwell Collins is developing multiple product lines Applications of embedded information security devices following Loops and Arrays the MILS architecture Foundations and Limitations ◮ Code size is relatively small (3-5K LOC) and Conclusion confined to a particular style: a lot of buffer processing, copying, filtering ◮ These products must be certified and secure information flow and separation policies are primary concerns ◮ Each of these products has critical subsystems code in SPARK, a safety-critical subset of Ada that is suitable for formal reasoning (no heap) ◮ SPARK information flow contracts are being used to support certification cases
Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm Applications Loops and Arrays Foundations and Limitations Conclusion
Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm Applications Loops and Arrays Foundations and Limitations Conclusion
Assessment Conditional Information Flow Amtoft et al ◮ Existing Praxis tools check these contracts 2-Assertion Logic (recent KSU tools also infer them) Inference Algorithm Applications ◮ While valuable, they are often too imprecise to Loops and Arrays describe realistic policies Foundations and ◮ to verify more complex information flow properties, Limitations Conclusion Rockwell Collins engineers previously manually constructed more precise verification models in the ACL2 theorem prover Our work on conditional information flow thus has the potential to ◮ extend the expressiveness of SPARK info flow contracts to allow more precise reasoning at the source code level ◮ significantly increase the automation of constructing and checking information flow contracts
Conditional Information Flow Amtoft et al 2-Assertion Logic Inference Algorithm Applications Loops and Arrays Foundations and Limitations Conclusion
Analyzing Arrays Conditional Information Flow Amtoft et al ◮ Since SPARK has no heap, all complex data 2-Assertion Logic structures are coded as arrays. Inference Algorithm ◮ Yet arrays were analyzed as atomic entities Applications (all flows are merged): Loops and Arrays ◮ an update to A [ q ] is treated as an update to A Foundations and (all elements of A) Limitations ◮ no way to say that, e.g., information at odd indices Conclusion only flows to other odd index positions ◮ We want to reason about individual array elements. ◮ for assignment A [ Q ] := E , as in standard Hoare Logic [Gries], the precondition is found by substituting A { Q : E } for A in postcondition. ◮ One can then simplify (and strengthen) the resulting precondition: Pre: x = y ⇒ w ⋉ , x � = y ⇒ A [ y ] ⋉ , ( x = y ) ⋉ A [ x ] := w Post: A [ y ] ⋉
Analyzing Loops Conditional Information Flow Amtoft et al Always possible to make crude approximation: 2-Assertion Logic 1. consider arrays to be atomic entities Inference Algorithm 2. Iterate over assertions φ x ⇒ x ⋉ , weakening the Applications antecedents Loops and Arrays 3. Use widening to ensure convergence Foundations and Limitations (worst case: each φ x becomes true ) Conclusion But for certain for loops we can do better: ◮ many applications have loops that process elements independently of each other ◮ we can handle such loop in uniform way, by processing once with special symbolic variables that range over index values of variables, and then generalize (universally quantify) ◮ exists checks to detect loop-carried dependencies, but such tests can actually be expressed within our logic, by examining preconditions
For Loops, Simple Examples Conditional Information Flow Amtoft et al 2-Assertion Logic –# derives Inference Algorithm –# forall u in { 1 .. n } : Applications –# A[u] from A[u+1] Loops and Arrays –# and Foundations and Limitations –# forall u notin { 1 .. n } : Conclusion –# A[u] from A[u] –# derives A from * for q ← 1 to n loop for q ← 1 to n loop A[q] := A[q+1] A[q] := A[q-1] end loop end loop ◮ not parallelizable ◮ not parallelizable ◮ but no loop-carried ◮ and loop-carried dependency dependency ◮ precise analysis ◮ crude analysis
Recommend
More recommend
