Hyperproperties: Hypersafety, Hyperliveness
Presenter: Priyanka Mondal
October 7, 2017
Outline: Correctness, Trace property, Hyperproperty, Hypersafety, Hyperliveness
Correctness
To prove the correctness of a system, one must prove two essentially different types of properties about it, which we call safety and liveness properties. [LESLIE LAMPORT]
Trace Property
Defn
A trace property is a set of infinite traces: the executions that satisfy the property.
Properties
◮ Safety property: proscribes "bad things"
◮ Liveness property: prescribes "good things"
Every trace property is the intersection of a safety property and a liveness property.
Trace Property
Think of a set of traces T as a system and of each trace in T as one of its executions; the system satisfies a trace property P exactly when every execution of T lies in P.
Trace Property
Traces may be finite or infinite sequences of states: $t = s_0 s_1 \ldots$
$\Psi_{fin} \triangleq \Sigma^*$, $\Psi_{inf} \triangleq \Sigma^\omega$, $\Psi \triangleq \Psi_{inf} \cup \Psi_{fin}$
$t[i] \triangleq s_i$, $t[i..] \triangleq s_i s_{i+1} \ldots$, $t[..i] \triangleq s_0 \ldots s_{i-1} s_i$
$\mathit{Prop} \triangleq \mathcal{P}(\Psi_{inf})$
$T \models P \triangleq T \subseteq P$
Hyperproperty
Policies that are not expressible as trace properties:
◮ Mean response time
◮ Noninterference
Hyperproperty
Defn
A hyperproperty is a set of trace properties, i.e. a set of sets of traces; a system satisfies it when the system's set of traces is one of its members.
Properties
◮ Hypersafety
◮ Hyperliveness
Every hyperproperty is the intersection of a hypersafety and a hyperliveness.
Hyperproperty
$\mathit{HP} \triangleq \mathcal{P}(\mathcal{P}(\Psi_{inf})) = \mathcal{P}(\mathit{Prop})$
$T \models H \triangleq T \in H$
The additional level of sets means that hyperproperties are more expressive than trace properties. For every trace property $P$ there exists a unique hyperproperty $[P]$, the lift of $P$: $[P] \triangleq \mathcal{P}(P)$, the powerset of $P$, so $T \models [P] \iff T \subseteq P \iff T \models P$.
Hypersafety
◮ Finitely observable: a violation shows up in a finite prefix
◮ Irremediable: once observed, no extension can repair it
A trace property $S$ is a safety property iff
$\forall t \in \Psi_{inf} : t \notin S \Rightarrow (\exists m \in \Psi_{fin} : m \le t \wedge (\forall t' \in \Psi_{inf} : m \le t' \Rightarrow t' \notin S))$
A bad thing is a finite trace $m$ that cannot be a prefix of any execution satisfying the safety property.
A hyperproperty $S$ is hypersafety iff
$\forall T \in \mathit{Prop} : T \notin S \Rightarrow (\exists M \in \mathit{Obs} : M \le T \wedge (\forall T' \in \mathit{Prop} : M \le T' \Rightarrow T' \notin S))$
where $\mathit{Obs}$ is the set of finite sets of finite traces (observations) and $M \le T$ holds iff every trace in $M$ is a prefix of some trace in $T$. A bad thing is now a finite observation $M$ that cannot be extended to any system satisfying $S$.
◮ Noninterference (in the Goguen-Meseguer sense) is hypersafety.
Hypersafety
$\forall S \in \mathit{Prop} : S \in \mathit{SP} \iff [S] \in \mathit{SHP}$
where $\mathit{SP}$ is the set of all safety properties and $\mathit{SHP}$ the set of all hypersafety properties: lifting preserves safety.
k-safety Hyperproperty
◮ One more conjunct added to the definition of hypersafety: $|M| \le k$, i.e. the bad thing is observable in at most $k$ traces.
◮ Think of a system that splits a secret into $k$ shares, one per execution: the hyperproperty $\mathit{SecS}_k$ that the shares do not reveal the secret is $k$-safety, since refuting it requires observing $k$ executions.
◮ $\mathit{KSHP}(1) = \{[S] \mid S \in \mathit{SP}\}$: 1-safety is exactly lifted safety.
◮ $\mathit{SecS} \triangleq \bigcup_k \mathit{SecS}_k$ is hypersafety but not $k$-safety for any fixed $k$.
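As an added example (not from the slides or from the paper they summarise), the following Python models the definitions on a finite toy system. A system is a set of traces; a trace property is decided one trace at a time (T ⊨ P iff T ⊆ P); noninterference needs a pair of traces, so a violation is an observation M with |M| = 2, which is the 2-safety case of the previous slides, and adding M to any system breaks it (irremediable). The example also shows a single trace that belongs to both a satisfying and a violating system, which is why noninterference is not a trace property. Assumptions: a state is a (high input, low input, low output) triple, finite traces stand in for the infinite traces of the slides, and the two systems are constructed toy data.

```python
"""Added example, not from the slides: a finite model of trace properties,
2-safety hyperproperties and the 'bad observation' M of hypersafety.

Assumptions (not from the slides): a state is (high_in, low_in, low_out),
a trace is a tuple of states, a system is a set of traces, and finite
traces stand in for the infinite ones used in the formal definitions.
"""
from itertools import combinations


def system_safe():
    """Constructed system: the low output depends only on the low input."""
    return {((h, l, l),) for h in (0, 1) for l in (0, 1)}


def system_leaky():
    """Constructed system: the low output copies the secret high input."""
    return {((h, l, h),) for h in (0, 1) for l in (0, 1)}


def low_inputs(trace):
    return tuple(l for (_h, l, _o) in trace)


def low_outputs(trace):
    return tuple(o for (_h, _l, o) in trace)


# --- a trace property: membership is decided on one trace ------------------
def output_is_bit(trace):
    """Membership in P = {t | every low output of t is 0 or 1}."""
    return all(o in (0, 1) for (_h, _l, o) in trace)


def satisfies_trace_property(system, member):
    """T |= P  iff  T is a subset of P: every trace of T is a member of P."""
    return all(member(t) for t in system)


# --- a hyperproperty: noninterference needs pairs of traces -----------------
def interferes(t1, t2):
    """Equal low inputs but different low outputs: the high input leaked."""
    return low_inputs(t1) == low_inputs(t2) and low_outputs(t1) != low_outputs(t2)


def noninterference(system):
    """T |= NI  iff  T is a member of NI, i.e. no pair of traces in T interferes."""
    return not any(interferes(t1, t2) for t1, t2 in combinations(system, 2))


def bad_observation(system):
    """The bad thing of 2-safety: an observation M with |M| <= 2 such that every
    system T' with M <= T' violates NI.  Returns None when the system satisfies NI."""
    for t1, t2 in combinations(sorted(system), 2):
        if interferes(t1, t2):
            return frozenset({t1, t2})
    return None


def shared_trace():
    """A trace lying in both the safe and the leaky system: membership of one
    trace cannot decide NI, so NI is not a trace property (no P with T |= NI
    iff T subset of P exists)."""
    common = system_safe() & system_leaky()
    return min(common)
```

Running `bad_observation(system_leaky())` yields two single-state traces with low input 0 and low outputs 0 and 1; unioning that observation into `system_safe()` makes the safe system violate noninterference as well, which is the irremediability that the hypersafety definition demands of M.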
Hyperliveness
◮ Always possible: no finite prefix rules out satisfying it
◮ Possibly infinite: satisfaction may only be reached in the limit
A trace property $L$ is a liveness property iff
$\forall t \in \Psi_{fin} : (\exists t' \in \Psi_{inf} : t \le t' \wedge t' \in L)$
A good thing is an infinite extension of a finite trace that satisfies $L$: every finite prefix can still be extended to an execution in $L$.
A hyperproperty $L$ is hyperliveness iff
$\forall T \in \mathit{Obs} : (\exists T' \in \mathit{Prop} : T \le T' \wedge T' \in L)$
i.e. every finite observation can be extended to a system satisfying $L$.
◮ Mean response time is hyperliveness.
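As an added example (not from the slides or the paper), the Python below contrasts the two availability policies named on the slides: a maximum response-time bound is a lifted safety property (a single slow execution in an observation is a bad thing that no extension removes), while a mean response-time bound over all executions is hyperliveness (any finite observation can be extended with fast executions until the mean is within bound). Assumptions: an execution's response time is the sum of the per-state delays in its trace, the bound is the hypothetical constant `BOUND`, and the observation used below is constructed sample data.

```python
"""Added example, not from the slides: maximum response time as hypersafety
versus mean response time as hyperliveness.

Assumptions (not from the slides): a trace is a tuple of per-state delays,
an execution's response time is their sum, a system or observation is a set
of such traces, and BOUND is a hypothetical availability requirement.
"""

BOUND = 10


def response_time(trace):
    """Response time of one execution (constructed model: sum of delays)."""
    return sum(trace)


def max_response_ok(system, bound=BOUND):
    """Lifted safety property [P]: every execution responds within the bound."""
    return all(response_time(t) <= bound for t in system)


def mean_response_ok(system, bound=BOUND):
    """Hyperproperty: the mean over the executions of the system is within the
    bound.  It is a statement about the set of traces, not about each trace."""
    if not system:
        return True  # vacuous: no executions to average
    return sum(response_time(t) for t in system) / len(system) <= bound


def bad_observation_max(observation, bound=BOUND):
    """Hypersafety bad thing: the traces of a finite observation M that already
    exceed the bound.  Any T' with M <= T' extends these traces, and extending
    a trace can only add delay, so no T' can satisfy the maximum bound."""
    return {t for t in observation if response_time(t) > bound}


def mean_extension(observation, bound=BOUND):
    """Hyperliveness good thing: for every observation M, build a system T'
    with M <= T' that satisfies the mean bound, by adding enough zero-delay
    executions (constructed as distinct all-zero traces of growing length)."""
    system = set(observation)
    k = 1
    while not mean_response_ok(system, bound):
        system.add((0,) * k)
        k += 1
    return system
```

With the constructed observation `{(3, 4), (20,)}` the maximum bound is already refuted by the trace `(20,)` and stays refuted in every extension, whereas one added zero-delay execution brings the mean from 13.5 down to 9 and so satisfies the mean bound; that asymmetry is exactly the safety/liveness split of the definitions above.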
Hyperliveness
$\forall L \in \mathit{Prop} : L \in \mathit{LP} \iff [L] \in \mathit{LHP}$
where $\mathit{LP}$ is the set of all liveness properties and $\mathit{LHP}$ the set of all hyperliveness properties: lifting preserves liveness.
...
◮ Confidentiality: hypersafety in the case of observational determinism (OD), hyperliveness in the case of generalized noninterference (GNI).
◮ Availability: maximum response time is hypersafety (a lifted safety property) and mean response time is hyperliveness.
◮ Integrity: