On the Decidability of Model-Checking Information Flow Properties


Introduction | Noninterference | BSPs | Results | Conclusion

On the Decidability of Model-Checking Information Flow Properties

Raghavendra K. R.
Joint work with Deepak D’Souza, Janardhan Kulkarni, Barbara Sprick, Raveendra Holla
Indian Institute of Science, Bangalore


Introduction to Software Security

• "Protecting the confidentiality of information manipulated by computing systems is a long standing yet increasingly important problem. There is little assurance that current computing systems protect data confidentiality and integrity." - Myers (FM for Security)

• Access Control (figure: subject --access type--> AC Ref Monitor --> object; outcome allowed / denied).
Limitation: does NOT address end-to-end security.


Noninterference [GM82]

Addresses end-to-end security.

M = (Q, S, I, O, δ, o, s0), with
δ : Q × (S × I) → Q (transition on an action (s, c): subject s supplies input c),
o : Q × S → O (output observed by subject s),
and δ̂ the extension of δ to sequences of actions.

S1 noninterferes with S2 iff for all s ∈ S2 and all w ∈ (S × I)*,
o(δ̂(s0, w), s) = o(δ̂(s0, purge_S1(w)), s).


Verifying Noninterference = Reachability Check

M_S1S2 = (Q × Q, S, I, O, δ′, o′, (s0, s0)), where

δ′((t1, t2), (s, a)) = (δ(t1, (s, a)), t2)                  if s ∈ S1
δ′((t1, t2), (s, a)) = (δ(t1, (s, a)), δ(t2, (s, a)))       otherwise
o′((t1, t2), s) = (o(t1, s), o(t2, s))

M |= NI w.r.t. S1, S2 [MZ07] iff for all reachable states (t1, t2) of M_S1S2 and all s ∈ S2,
o′((t1, t2), s) = (o1, o2) ⇒ o1 = o2.

Decidable for finite state systems.
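The product construction and its reachability check, as an added example that is not part of the slides: the first copy of the machine runs every action, the second copy skips S1 actions (the purge), and a breadth-first search over the reachable pairs looks for a pair whose outputs for an S2 subject differ. The one-bit machine, its subjects "H"/"L" and inputs are constructed for illustration.

```python
from collections import deque

def check_ni(delta, out, s0, S, I, S1, S2):
    """Decide 'S1 noninterferes with S2' for a finite deterministic machine
    M = (Q, S, I, O, delta, out, s0) by BFS over the reachable pairs of the
    product M_{S1S2}: the first copy takes every action (s, a), the second
    copy skips actions whose subject s is in S1 (the purge). Returns
    (True, None) or (False, (trace, t1, t2, s)) for a shortest trace to a
    pair whose outputs for some s in S2 differ."""
    start = (s0, s0)
    parent = {start: None}          # pair -> (predecessor pair, action)
    queue = deque([start])
    while queue:
        t1, t2 = queue.popleft()
        for s in S2:                 # o'((t1, t2), s) = (o1, o2) needs o1 == o2
            if out(t1, s) != out(t2, s):
                return False, (_trace(parent, (t1, t2)), t1, t2, s)
        for s in S:
            for a in I:
                n1 = delta(t1, (s, a))
                n2 = t2 if s in S1 else delta(t2, (s, a))
                if (n1, n2) not in parent:
                    parent[(n1, n2)] = ((t1, t2), (s, a))
                    queue.append((n1, n2))
    return True, None

def _trace(parent, pair):
    """Reconstruct the action sequence leading from (s0, s0) to pair."""
    actions = []
    while parent[pair] is not None:
        pair, action = parent[pair]
        actions.append(action)
    return actions[::-1]

# Constructed sample machine (not from the slides): a single bit that any
# subject may set or clear; high subject "H" must not interfere with "L".
S = ("H", "L")
I = ("set", "clr", "read")

def delta(q, action):
    _, a = action
    return 1 if a == "set" else (0 if a == "clr" else q)

def out_leaky(q, s):
    return q                         # low observes the bit high may have set

def out_secure(q, s):
    return q if s == "H" else 0      # low output does not depend on the bit
```

The witness returned for the leaky machine is the single high action ("H", "set"): after it the first copy holds 1 and the purged copy 0, and "L" can tell them apart.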


Generalized Noninterference - GNI

Limitation of NI: non-determinism (interrupts and concurrency). McCullough’87.

S1 GNI S2 iff ∀s ∈ S2, ∀w ∈ (S × I)*, ∀c ∈ (S1 × I),
o(δ̂(s0, w), s) = o(δ̂(s0, w · c), s).

Event Systems: (E, I, O, L) with I, O ⊆ E, I ∩ O = ∅, L ⊆ E*. Assume two security levels L ≤ H.

∀t1, t2, t3 ∈ E*, (t1.t2 ∈ L ∧ t3↾(E\(H∩I)) = t2↾(E\(H∩I))) ⇒ ∃t4 ∈ E*. (t1.t4 ∈ L ∧ t4↾(L∪(H∩I)) = t3↾(L∪(H∩I)))


Variants of Noninterference

Noninference (NF) [ZL97]: ∀t ∈ L, t↾L ∈ L.

Separability (SEP) [McL94]: ∀τ, τ′ ∈ L, interleaving(τ↾H, τ′↾L) ⊆ L.

Non-Deducibility (NDO) for UI ⊆ I [GN88]: ∀t1, t2 ∈ L, ∀t ∈ E*, (t↾L = t1↾L ∧ t↾(H∪(L∩UI)) = t2↾(H∪(L∩UI))) ⇒ t ∈ L.

...


An example

Alice wants to change her PIN.

(Figure: two event systems, with the traces SendEncPIN · EncRepl and GenPIN · SendEncPIN · EncRepl.)

Noninference holds in the first system; Noninference is violated in the second.


Basic Security Predicates (BSPs) [Mantel’00]

BSPs are defined w.r.t. a view (V, N, C).

BSP R: ∀τ ∈ L, ∃τ′ ∈ L : τ′↾C = ε ∧ τ↾V = τ′↾V.

BSP D: ∀c ∈ C, ∀α c β ∈ L with β↾C = ε, ∃α′β′ ∈ L : α =N α′ ∧ β =N β′.

BSP I: ∀c ∈ C, ∀αβ ∈ L, ∃α′ c β′ ∈ L : α =N α′ ∧ β =N β′.

... 13 BSPs in all.


Information Flow Properties and BSPs

Let H = (L, ∅, H) and HI = (L, H \ I, H ∩ I) be views.

GNI(E) ⇔ BSD_HI(E) ∧ BSI_HI(E).
NDO(E) ⇔ BSD_H(E) ∧ BSIA^UI_H(E).
NF(E) ⇔ R_H(E).
SEP(E) ⇔ BSD_H(E) ∧ BSIA^C_H(E).
...
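As an added example (not from the slides), a checker for BSP R over a finite prefix-closed trace set, applied to Noninference through the correspondence NF(E) ⇔ R_H(E) and to a constructed version of the PIN-change example from the earlier slide. The level assignment (GenPIN high; SendEncPIN and EncRepl low) is an assumption, since the slide does not state it.

```python
def proj(trace, events):
    """t|_X: keep only the events of trace that belong to the set X."""
    return tuple(e for e in trace if e in events)

def prefix_closure(traces):
    """Trace sets L of event systems are prefix closed; close a generating set."""
    return {t[:k] for t in traces for k in range(len(t) + 1)}

def bsp_R(L, V, N, C):
    """Mantel's BSP R for the view (V, N, C): every tau in L has some tau' in L
    with no C events and the same V-projection (N events are unconstrained).
    Returns (holds, witness), witness being the first tau with no such tau'."""
    for tau in sorted(L):
        target = proj(tau, V)
        if not any(proj(t, C) == () and proj(t, V) == target for t in L):
            return False, tau
    return True, None

def noninference(L, low, high):
    """NF [ZL97] via the correspondence NF(E) <=> R_H(E), H = (L, {}, H)."""
    return bsp_R(L, low, set(), high)

def nf_direct(L, low):
    """NF [ZL97] checked directly from its definition: for all t in L, t|_L in L."""
    return all(proj(t, low) in L for t in L)

# Constructed version of the PIN-change example. Assumed levels (not stated on
# the slide): GenPIN is high; SendEncPIN and EncRepl are low-observable.
HIGH = {"GenPIN"}
LOW = {"SendEncPIN", "EncRepl"}
# First system: the encrypted exchange may also occur without a fresh PIN,
# so deleting the high event always leaves a valid trace.
SYSTEM_OK = prefix_closure({("SendEncPIN", "EncRepl"),
                            ("GenPIN", "SendEncPIN", "EncRepl")})
# Second system: the exchange only ever follows GenPIN, so a low observer who
# sees SendEncPIN learns that the high event happened.
SYSTEM_LEAKY = prefix_closure({("GenPIN", "SendEncPIN", "EncRepl")})
```

For the second system the witness is the trace GenPIN · SendEncPIN: its low projection SendEncPIN is not itself a trace, which is exactly the NF violation the slide points at.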


Model Checking BSPs

For finite state systems: decidable [DKS’05].
For pushdown systems (PDS): undecidable.
Information flow properties for PDS: undecidable [to be submitted].


Undecidability for PDS

Recall NF(E) ⇔ R_H(E).

Reduce the Emptiness Problem of Turing Machines to PDS satisfying NF. The configuration sequence is encoded over {v1, v2}.

Given a TM M, let L be the prefix closure of L1 ∪ L2, where
L1 = {c · enc(#x1#x2···xn#) | x1 is a starting configuration, xn is an accepting configuration}
L2 = {enc(#x1#x2···xn#) | x1 is a starting configuration, xn is an accepting configuration, and there exists i such that the step from xi to xi+1 is an invalid transition}

L satisfies NF iff L(M) = ∅.


Weak Non-Inference

WNI: ∀τ ∈ L, τ↾C ≠ ε ⇒ ∃τ′ ∈ L, τ↾V = τ′↾V ∧ τ↾C ≠ τ′↾C.

Undecidable for finite state systems: PCP has a solution iff T_P does not satisfy WNI.


Logic Characterization for BSPs

WNI is not definable with BSPs.

For |V| = |C| = 1: decidable for PDS, by reduction to PA.

The natural logic FO=(·, ↾) is undecidable.


Summary and Future Work

Model-checking noninterference and its variants for PDS is undecidable.
The attempted logic characterization for BSPs is undecidable.

Future work:
Decidable logic characterization of noninterference and its variants.
Static / dynamic analysis of programs for refined noninterference.


Thank You
