Privacy and Computer Science (ECI 2015) Day 3 - Non-Interference Analyses

SLIDE 1

Privacy and Computer Science (ECI 2015) Day 3 - Non-Interference Analyses

F. Prost
Frederic.Prost@ens-lyon.fr
École Normale Supérieure de Lyon
July 2015

F. Prost, Frederic.Prost@ens-lyon.fr (École Normale Supérieure de Lyon), Privacy and Computer Science (ECI 2015) Day 3 - Non-Interference Analyses, July 2015, 1 / 73

SLIDE 4

Data Privacy from a programming point of view

From a programming point of view the question of privacy becomes: how can we prove/certify that a program does not reveal secret information to the public space? It is an instance of the more general problem of non-interference: x and y do not interfere in P if no modification of the value of x can be "observed" on y.

Non-interference is a very general problem. It shows up in:
  • Proof theory: useless hypotheses.
  • Non-computational content of proofs: extraction of programs through the Curry-Howard correspondence.
  • Parallelism.
  • Strictness analysis.
  • etc.

SLIDE 8

Non-interference analyses

NI analysis depends very much on the semantics and the programming paradigm in use.
⇒ How do we model the fact that two programs are "equivalent"?
⇒ What is the exact nature or quality of "observations"?

It is a very strict approach to privacy: for instance, a password check is an interference.
⇒ Can we define policies allowing such interferences?

Non-interference is a yes/no approach.
⇒ Can we quantify the amount of information released?

SLIDE 9

Plan

1. NI in a Purely Functional Setting: Pure Terms and Simple Types; Higher-order Types
2. NI in an Imperative Setting
3. NI and concurrency
4. Relaxing Non-Interference: Programming framework; Dynamic interference policy; Program safety w.r.t. DIP; Program Verification
5. Conclusion

SLIDE 10

NI in a Purely Functional Setting: Pure Terms and Simple Types

SLIDE 11

Dependencies in pure λ-calculus [Abadi et al., 1996]

What parts of a term contribute to the final result? Suppose a →* v; what can be removed from a while still having a term reducing to v?

Pure λ-terms: t ::= x | λx.t | (t1 t2)
Prefixes: p ::= Ω | x | λx.p | (p1 p2), where Ω stands for an erased subterm (a "hole").

SLIDE 12

Prefix order

Let a, b be prefixes: a ⊑ b if a can be obtained from b by replacing some subterms with Ω.
Example: (λx.(t Ω) Ω) ⊑ (λx.(t u) v)
The question is: how does ⊑ behave w.r.t. β-reduction?

SLIDE 14

Two results about ⊑

Theorem (Monotonicity). If t ⊑ u and t →* t′, then there is a u′ such that u →* u′ and t′ ⊑ u′.

Theorem (Stability). If a →* v and v is in normal form, there is a minimal prefix a0 ⊑ a such that a0 →* v.

The minimal prefix is the mathematical solution of the non-interference computation: how can it be effectively computed?

SLIDE 15

Labeled terms

Extension of the pure λ-calculus: l ::= x | λx.l | (l1 l2) | e : l
We add the reduction rule (e : l1 l2) → e : (l1 l2), which makes the usual β-reduction possible under a label:
(e0 : [λx.(x x)] e1 : y) → e0 : (λx.(x x) e1 : y) → e0 : (e1 : y e1 : y)

SLIDE 16

Minimal prefix computation

1. Attribute a unique label to each subterm of a.
2. If a has normal form v, write L(a) for the set of all labels occurring in v.
3. Define G(a) as the term obtained by replacing each subterm of a whose label is not in L(a) by Ω.

(ef : (λx.e5 : 5) et : t) → ef : (λx.e5 : 5 et : t) → ef : e5 : 5
Hence t does not interfere with the rest of the program: the label et does not survive, so G(a) = (ef : (λx.e5 : 5) Ω).
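
The three steps of slide 16, carried out by a program. This is an added example and not code from the slides or from Abadi et al.: the tuple encoding of terms, the function names (`label_all`, `labels`, `erase`, `minimal_prefix`, `show`), the rendering of the hole as Ω and the choice of leftmost-outermost reduction are mine. The input (λx.5 t) is the slide's own example; K applied to two arguments is an extra constructed input. Reduction of an untyped term need not terminate, so `normalize` stops after a fuel budget.

```python
"""Added example (not from the slides): the three-step minimal-prefix
computation on labelled lambda-terms.  Terms are nested tuples:
("var", x) | ("const", c) | ("hole",) | ("lam", x, body) | ("app", f, a)
| ("lab", e, t).  Constants and the hole are inert: they never reduce."""
import itertools

_fresh = itertools.count()

def free_vars(t):
    k = t[0]
    if k == "var":
        return {t[1]}
    if k == "lam":
        return free_vars(t[2]) - {t[1]}
    if k == "app":
        return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) if k == "lab" else set()

def subst(t, x, u):
    """Capture-avoiding substitution t{x := u}."""
    k = t[0]
    if k == "var":
        return u if t[1] == x else t
    if k == "app":
        return ("app", subst(t[1], x, u), subst(t[2], x, u))
    if k == "lab":
        return ("lab", t[1], subst(t[2], x, u))
    if k == "lam" and t[1] != x:
        y, body = t[1], t[2]
        if y in free_vars(u):                 # rename the binder to avoid capture
            z = f"{y}_{next(_fresh)}"
            body, y = subst(body, y, ("var", z)), z
        return ("lam", y, subst(body, x, u))
    return t                                  # const, hole, or shadowing binder

def step(t):
    """One leftmost-outermost step, or None if t is in normal form.  Besides
    beta, the labelled calculus has the rule (e : l1) l2 -> e : (l1 l2)."""
    k = t[0]
    if k == "app":
        f, a = t[1], t[2]
        if f[0] == "lam":
            return subst(f[2], f[1], a)
        if f[0] == "lab":
            return ("lab", f[1], ("app", f[2], a))
        r = step(f)
        if r is not None:
            return ("app", r, a)
        r = step(a)
        return None if r is None else ("app", f, r)
    if k in ("lam", "lab"):
        r = step(t[2])
        return None if r is None else (k, t[1], r)
    return None

def normalize(t, fuel=10_000):
    """Reduce to normal form; fail loudly if `fuel` steps do not suffice."""
    for _ in range(fuel):
        r = step(t)
        if r is None:
            return t
        t = r
    raise RuntimeError("no normal form within fuel (term may diverge)")

def label_all(t):
    """Step 1: attach a unique label e0, e1, ... to every subterm."""
    counter = itertools.count()
    def go(t):
        e = f"e{next(counter)}"
        if t[0] == "lam":
            return ("lab", e, ("lam", t[1], go(t[2])))
        if t[0] == "app":
            return ("lab", e, ("app", go(t[1]), go(t[2])))
        return ("lab", e, t)
    return go(t)

def labels(t):
    """Step 2: the set of labels occurring in a term (L(a) when t is the nf)."""
    k = t[0]
    if k == "lab":
        return {t[1]} | labels(t[2])
    if k == "lam":
        return labels(t[2])
    return labels(t[1]) | labels(t[2]) if k == "app" else set()

def erase(t, live):
    """Step 3: replace every subterm whose label is not in `live` by the hole."""
    k = t[0]
    if k == "lab":
        return ("lab", t[1], erase(t[2], live)) if t[1] in live else ("hole",)
    if k == "lam":
        return ("lam", t[1], erase(t[2], live))
    return ("app", erase(t[1], live), erase(t[2], live)) if k == "app" else t

def minimal_prefix(a):
    """G(a): keep exactly the subterms whose label survives in the normal form."""
    la = label_all(a)
    return erase(la, labels(normalize(la)))

def show(t):
    """Render a term without its labels; the hole is printed as Ω."""
    k = t[0]
    if k in ("var", "const"):
        return str(t[1])
    if k == "hole":
        return "Ω"
    if k == "lam":
        return f"λ{t[1]}.{show(t[2])}"
    return f"({show(t[1])} {show(t[2])})" if k == "app" else show(t[2])

# Constructed inputs: the slide's (λx.5 t), and K applied to two arguments.
SLIDE_EXAMPLE = ("app", ("lam", "x", ("const", 5)), ("var", "t"))
K_APPLIED = ("app", ("app", ("lam", "x", ("lam", "y", ("var", "x"))),
                     ("var", "a")), ("var", "b"))
```

`show(minimal_prefix(SLIDE_EXAMPLE))` gives `(λx.5 Ω)`: the argument t is dead. For `K_APPLIED` the second argument is erased but the first is kept, and in both cases the erased prefix still normalises to the same result as the original term, which is what the stability theorem promises.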

SLIDE 18

NI in a typed setting [Berardi, 1996]

How to statically compute the minimal prefix? The problem in its whole generality is undecidable: easy reduction to the halting problem.
Is it possible to statically approximate the result?
⇒ Yes, with a surprising use of types in the simply typed λ-calculus.

SLIDE 19

Dependencies in simply-typed λ-calculus

Simply typed λ-calculus with base type N and constants S : N → N and 0 : N. Introduction of a constant ∅, the only term of type U, and of an order relation ⊑ defined w.r.t. ∅ (∅ plays the role of the hole Ω above).
Two terms t1, t2 : A are observationally equivalent iff for every closing context C[·A] : N, C[t1] =β C[t2].

SLIDE 22

Dead code in simply typed λ-calculus

Theorem ([Berardi, 1996]). If t, t′ : A and t ⊑ t′ then t and t′ are observationally equivalent.

Proof. If A = N then by subject reduction, strong normalization and monotonicity we have t →* v and t′ →* v′ with v ⊑ v′; but closed normal forms of type N are either 0 or (S ... (S 0) ...), hence v ≡ v′. For any other type A take any closing context C[·A] : N. Then C[t] ⊑ C[t′] and C[t], C[t′] : N, hence we can apply the previous reasoning.

An example: (λx : U.5 ∅) ⊑ (λx : N.5 t)

SLIDE 23

Problems linked with the unicity of typing

Type unicity + conservative approximation = less accurate analysis.
t = (λf : N → N.(g f (f 5)) λx : N.4)
We would like to type the first occurrence of f with N → N and the second one with U → N.

SLIDE 24

NI in a Purely Functional Setting: Higher-order Types

SLIDE 25

Variable sorts

"A is a type" is a judgment: Γ ⊢ A : ∗. We introduce judgments of the form Γ ⊢ A : α where α is a sort variable ranging over ∗⊥, ∗⊤. The two different ∗'s are used to denote separated universes. We add the axioms ∗i : □ for i ∈ {⊤, ⊥}.

SLIDE 26

Sort abstraction

Abstracting sorts w.r.t. terms:

  Γ, α : □, Γ′ ⊢ t : B      Γ, Γ′ ⊢ ok
  ------------------------------------
  Γ, Γ′ ⊢ (λα : □.t) : (Πα:□.B)

Sort application:

  Γ ⊢ t : (Πα:□.A)      Γ ⊢ k : □
  --------------------------------
  Γ ⊢ (t k) : A[α := k]

SLIDE 27

Examples

N^α  =def  ΠX:α. X → (X → X) → X
n^α  =def  λX:α. λx:X. λf:X → X. (f ... (f x) ...)   (n applications of f)

α : □, β : □, y : N^α ⊢ 5^β : N^β
α : □, β : □ ⊢ λy : N^α.5^β : (N^α → N^β)

SLIDE 28

k-types, k-constants

k-type: a type in which the only occurring sort is k. Example of a ∗⊥-type: ΠX:∗⊥.ΠY:∗⊥.X → Y → (ΠZ:∗⊥.Z → X)
For every k-type A we define a constant d_A of type A. We define an order ≤k w.r.t. k-constants; for instance (λx : N^∗⊥.5^∗⊥ d_{N^∗⊥}) ≤∗⊥ (λx : N^∗⊥.5^∗⊥ t) if t is of type N^∗⊥.

SLIDE 29

Non-interference and types

A first result:
Theorem 1 (Non-interference). Let x : A ⊢ t : B with A a ∗⊥-type and B a ∗⊤-type. Then for all closed t1, t2 : A one has t[x := t1] =obs t[x := t2].

A corollary:
Theorem 2 (Dead code). If t1, t2 : A are closed, A is a ∗⊤-type, and t1 ≤∗⊥ t2, then t1 =obs t2.

SLIDE 30

Example 1

Let t be closed with ⊢ t : N^∗⊥. Then the terms t1 = (λy : N^∗⊥.5^∗⊤ t) and t2 = (λy : N^∗⊥.5^∗⊤ d_{N^∗⊥}) are both of type N^∗⊤, and t2 ≤∗⊥ t1. From theorem 2 we conclude t1 =obs t2.

SLIDE 31

Example 2

The ability to abstract over sorts introduces flexibility:
t = (λf : Πα, β : □. N^α → N^β. (g (f ∗⊤ ∗⊤) ((f ∗⊥ ∗⊤) t′))  λα, β : □. λx : N^α.5^β)
with g of type (N^∗⊤ → N^∗⊤) → N^∗⊤ → N^∗⊤ and t′ of type N^∗⊥. Then t is of type N^∗⊤, and t′ is analysed as dead code.

SLIDE 32

The λ-cube [Barendregt, 1991]

Terms: T ::= V | C | (T T) | λV : T.T | ΠV:T.T
Parameters: S, the sorts; A, axioms of the form c : s; R, rules of the form (s1, s2, s3). We write (s1, s2) when s3 = s2. Rules define the valid products:

  Γ ⊢ A : s1      Γ, x : A ⊢ B : s2
  ----------------------------------   (s1, s2, s3) ∈ R
  Γ ⊢ Πx:A.B : s3

Computation rule: (λx : A.B C) →β B[x := C]

SLIDE 33

The λ-cube

Take sorts {∗, □} and the axiom ∗ : □. We consider only rules of the form (s1, s2). We have four possible rules: {(∗, ∗), (□, ∗), (∗, □), (□, □)}.

SLIDE 34

Intuitions behind rules

(∗, ∗): simply typed λ-calculus. (□, ∗): polymorphism. (□, □): possibility to build connectives (type constructors). (∗, □): dependent types.

SLIDE 35

[Figure: the λ-cube, with axes (∗, □), (□, ∗), (□, □) and corners λ→, λ2, λω̲, λω, λP, λP2, λPω̲, λC.]

System | Historical name
λ→     | Simply typed λ-calculus [Church, 1940]
λ2     | System F [Girard, 1972]
λP     | AUT-QE; LF [de Bruijn, 1970]
λP2    | [Longo and Moggi, 1988]
λω̲     | POLYREC [de Lavalette, 1992]
λω     | Fω [Girard, 1972]
λC     | Calculus of Constructions [Coquand and Huet, 1988]
λ-cube | [Barendregt, 1991]

SLIDE 36

Sort abstraction in "cube" style

Addition of a sort: △. Addition of an axiom: □ : △. Addition of a rule: (△, ∗):

  Γ ⊢ □ : △      Γ, α : □ ⊢ A : ∗
  --------------------------------
  Γ ⊢ (Πα:□.A) : ∗

SLIDE 37

[Figure: the hyper λ-cube. The λ-cube (λ→, λ2, λω̲, λω, λP, λP2, λPω̲, λC) and its copy extended with sort abstraction (λ→E, λ2E, λω̲E, λωE, λPE, λP2E, λPω̲E, λCE), along the axes (∗, □), (□, □), (□, ∗) and the added axis (△, ∗).]

SLIDE 38

Results

It is possible to prove theorems 1 and 2 in the E-cube: a non-interference result for the Calculus of Constructions. The rule (△, ∗) expresses the logical content of type-based analyses.

SLIDE 39

Technical considerations

The original formalism has been extended in order to have judgments like x : X : α : □ where x, X, α are variables. In λα : □.A, α is a weak variable, i.e. it stands either for ∗⊤ or ∗⊥. The work done is of a theoretical nature. Hint for an algorithm: ML unification, modified (not complete).

SLIDE 40

NI in an Imperative Setting

SLIDE 41

Interferences in imperative programs [Volpano and Smith, 1997]

Program inputs and outputs are classified at different security levels. We would like to allow information to flow up but never down w.r.t. security levels. Security can be expressed by comparing the memory of the computer at the different security levels (different from the functional approach, in which there are no variables). Simple imperative programming language with procedures. Type soundness result: if a program is well typed, then non-interference is enforced.

SLIDE 44

Some Information Leaking Programs and Non-Termination

for i = 0 to secret
  output i on public_channel

for i = 0 to secret
  output i on public_channel
while true do skip

for i = 0 to maxNat {
  output i on public_channel
  if (i = secret) then (while true do skip)
}

SLIDE 45

Types in the Smith-Volpano System

Three kinds of types:
τ-types: security levels.
π-types: expressions and commands.
ρ-types: types of phrases.

For instance τ ∈ {h, l} with l ≤ h. Command types have the form τ cmd: a command of type h cmd contains no assignment to low variables. Phrase types are of the form τ var or τ acc. The subtype relation is contravariant in command and acceptor types.

SLIDE 48

Information flow

Direct information flow: l := h
Indirect information flow:
while h > 0 do l := l + 1; h := h - 1 od

We must have typing rules forbidding such programs:

  γ ⊢ e : τ      γ ⊢ c : τ cmd
  -----------------------------
  γ ⊢ while e do c : τ cmd

SLIDE 49

Type Soundness and Non-Interference

One needs to define the operational semantics of the programming language: µ ⊢ c ⇒ µ′. One needs to define a notion of "equivalent" memories: µ ≃ ν if µ and ν agree on the values of low-level variables. The non-interference property can then be stated as follows:

suppose that λ ⊢ c : π,
suppose that µ ⊢ c ⇒ µ′,
suppose that ν ⊢ c ⇒ ν′,
suppose that µ and ν agree (w.r.t. λ) on every variable l with λ(l) ≤ τ;

then ν′(l) = µ′(l) for all l such that λ(l) ≤ τ.
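
The typing discipline of slides 45 to 49 and the leaky programs of slides 44 and 48, as an added example that is not code from the slides or from the Volpano-Smith paper. The checker implements the shape of the rules as printed here (the level of an expression is the join of what it reads; an assignment needs expression level ≤ variable level; a guard of level τ may only control writes to variables of level ≥ τ, which is the while rule of slide 48 with the same treatment for if), not the full system with procedures and acc types. The tuple encoding, the function names, the interpreter and the four sample programs are mine; `interferes` tests the property of slide 49 by running a command on two memories that agree on low variables. The termination program of slide 44 is well typed under the rule as printed, and the interpreter shows why it still leaks: the rule is insensitive to non-termination. Restricting loop guards to low level, as stricter systems do, closes that channel at the cost of rejecting more programs.

```python
"""Added example (not from the slides): a security type checker for the
while-language in the Volpano-Smith style over the lattice l <= h, plus an
interpreter used to test the non-interference statement of slide 49."""

RANK = {"l": 0, "h": 1}                     # l (public) below h (secret)

def leq(a, b): return RANK[a] <= RANK[b]
def join(a, b): return a if RANK[a] >= RANK[b] else b
def meet(a, b): return a if RANK[a] <= RANK[b] else b

class InsecureFlow(Exception):
    """No typing derivation exists for the command."""

# Expressions: ("num", n) | ("var", x) | ("op", sym, e1, e2)
def type_expr(e, env):
    """Level of an expression: join of the levels of the variables it reads."""
    if e[0] in ("num", "var"):
        return "l" if e[0] == "num" else env[e[1]]
    return join(type_expr(e[2], env), type_expr(e[3], env))

# Commands: ("skip",) | ("assign", x, e) | ("seq", c1, c2) | ("if", e, c1, c2) | ("while", e, c)
def type_cmd(c, env):
    """tau such that c : tau cmd, i.e. c writes only variables of level >= tau."""
    tag = c[0]
    if tag == "skip":
        return "h"                          # writes nothing, so `h cmd`
    if tag == "assign":
        x, te = c[1], type_expr(c[2], env)
        if not leq(te, env[x]):             # explicit flow, e.g. l := h
            raise InsecureFlow(f"{te} data assigned to {env[x]} variable {x}")
        return env[x]
    if tag == "seq":
        return meet(type_cmd(c[1], env), type_cmd(c[2], env))
    guard = type_expr(c[1], env)            # if / while: the rule of slide 48
    body = (meet(type_cmd(c[2], env), type_cmd(c[3], env)) if tag == "if"
            else type_cmd(c[2], env))
    if not leq(guard, body):                # implicit flow through control
        raise InsecureFlow(f"{guard} guard controls a write to a {body} variable")
    return body

def is_well_typed(c, env):
    try:
        type_cmd(c, env)
        return True
    except InsecureFlow:
        return False

def eval_expr(e, mem):
    if e[0] in ("num", "var"):
        return e[1] if e[0] == "num" else mem[e[1]]
    a, b = eval_expr(e[2], mem), eval_expr(e[3], mem)
    return {"+": a + b, "-": a - b, ">": int(a > b), "=": int(a == b)}[e[1]]

def run(c, mem, fuel=10_000):
    """Execute c on a copy of mem; final memory, or None once `fuel` is spent
    (treated as divergence)."""
    mem, budget = dict(mem), [fuel]
    def go(c):
        budget[0] -= 1
        if budget[0] < 0:
            raise TimeoutError
        if c[0] == "assign":
            mem[c[1]] = eval_expr(c[2], mem)
        elif c[0] == "seq":
            go(c[1]); go(c[2])
        elif c[0] == "if":
            go(c[2] if eval_expr(c[1], mem) else c[3])
        elif c[0] == "while":
            while eval_expr(c[1], mem):
                go(c[2])
    try:
        go(c)
    except TimeoutError:
        return None
    return mem

def low_part(mem, env):
    return {x: v for x, v in mem.items() if env[x] == "l"}

def interferes(c, env, mem1, mem2):
    """Slide 49, tested: from two memories that agree on low variables, can a
    low observer see a difference (in low values or in whether c halts)?"""
    assert low_part(mem1, env) == low_part(mem2, env)
    r1, r2 = run(c, mem1), run(c, mem2)
    if r1 is None or r2 is None:
        return (r1 is None) != (r2 is None)
    return low_part(r1, env) != low_part(r2, env)

# Constructed programs; l and i are public, h is secret.
ENV = {"l": "l", "h": "h", "i": "l"}
V, N = (lambda x: ("var", x)), (lambda n: ("num", n))
DIRECT = ("assign", "l", V("h"))                                  # l := h
INDIRECT = ("while", ("op", ">", V("h"), N(0)),                     # slide 48
            ("seq", ("assign", "l", ("op", "+", V("l"), N(1))),
                    ("assign", "h", ("op", "-", V("h"), N(1)))))
SAFE = ("seq", ("assign", "h", ("op", "+", V("l"), N(1))),          # h := l + 1
               ("assign", "l", ("op", "+", V("l"), V("l"))))        # l := l + l
TERM_LEAK = ("if", ("op", "=", V("i"), V("h")),                     # slide 44
             ("while", N(1), ("skip",)), ("skip",))
```

`DIRECT` and `INDIRECT` are rejected by `type_cmd` (explicit and implicit flow respectively), and running `INDIRECT` from two memories that differ only in h leaves different values in l, which is exactly the interference the rule forbids. `SAFE` is accepted at type `l cmd` and passes the two-run test. `TERM_LEAK` is accepted at type `h cmd`, yet the two-run test reports interference because one run halts and the other does not.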

SLIDE 50

NI and concurrency

SLIDE 53

Process interlock and information leakage

α ⇐ [cα = 0 ⇒ SPY := 0 ; cβ := 0]; θ
β ⇐ [cβ = 0 ⇒ SPY := 1 ; cα := 0]; θ
γ ⇐ [PIN = 1 ⇒ cα := 0]; θ + [PIN = 0 ⇒ cβ := 0]; θ
α | β | γ
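
The interlock of slide 53, simulated by exploring every interleaving of the three processes. This is an added example and not code from the slides: the reading of the notation is assumed (`[c = 0 ⇒ P]` waits until c = 0 and then runs P, `; θ` ends the process, `+` is a choice between guarded branches, and cα, cβ start non-zero, which the slide leaves implicit), and the encoding and function names are mine. Each process writes only a constant into SPY, so no single process contains a flow from PIN to SPY; the leak is in the order in which the guards become true.

```python
"""Added example (not from the slides): exhaustive exploration of every
interleaving of slide 53's processes, to show that SPY ends up equal to PIN
although no single process ever copies PIN into SPY."""

def always(_mem):
    return True

# A process is a list of alternative branches (gamma's `+`); a branch is a
# list of steps (guard, variable, value).  The first step's guard is the
# `[c = 0 => ...]` condition; the remaining steps of a branch run unguarded.
# `theta` is read as the terminated process, so a branch simply ends.
ALPHA = [[(lambda m: m["c_alpha"] == 0, "SPY", 0), (always, "c_beta", 0)]]
BETA = [[(lambda m: m["c_beta"] == 0, "SPY", 1), (always, "c_alpha", 0)]]
GAMMA = [[(lambda m: m["PIN"] == 1, "c_alpha", 0)],
         [(lambda m: m["PIN"] == 0, "c_beta", 0)]]

def final_states(procs, mem):
    """All final memories reachable under any scheduling of `procs` run in
    parallel; each step is atomic, and a state with no enabled step is final."""
    finals = set()
    def dfs(mem, pcs):          # pcs: (chosen branch, next step) per process
        enabled = False
        for i, (branch, pc) in enumerate(pcs):
            for b in (range(len(procs[i])) if branch is None else [branch]):
                steps = procs[i][b]
                if pc >= len(steps) or not steps[pc][0](mem):
                    continue    # branch finished, or its guard does not hold
                enabled = True
                nxt = dict(mem)
                nxt[steps[pc][1]] = steps[pc][2]
                dfs(nxt, pcs[:i] + ((b, pc + 1),) + pcs[i + 1:])
        if not enabled:
            finals.add(frozenset(mem.items()))
    dfs(mem, tuple((None, 0) for _ in procs))
    return finals

def spy_values(pin):
    """Every value SPY can hold once all processes have stopped, for this PIN.
    Assumption: c_alpha and c_beta start non-zero (the slide is silent)."""
    start = {"PIN": pin, "SPY": -1, "c_alpha": 1, "c_beta": 1}
    return {dict(s)["SPY"] for s in final_states([ALPHA, BETA, GAMMA], start)}

def pin_recoverable():
    """True when the possible final SPY values for PIN = 0 and PIN = 1 do not
    overlap: a low observer of SPY learns PIN under every schedule."""
    return spy_values(0).isdisjoint(spy_values(1))
```

With PIN = 1, γ releases α first; α sets SPY := 0 and only then releases β, which overwrites SPY := 1 and finishes last. With PIN = 0 the order is reversed and SPY ends at 0. The scheduler has no freedom here (each guard opens only after the previous process has written SPY), so `spy_values` returns a single value for each PIN and `pin_recoverable()` is True: the value of the low variable SPY is the secret.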

SLIDE 54

λar [Prost, 2005]: λ-calculus with addressed resources

Variation of the blue calculus of G. Boudol (a variant of Milner's polyadic π-calculus).
Terms: t ::= x | a | (t t) | λx.t | t ∥ t | νa(t) | (t | s) | (s | t)
Addressed resources: s ::= a ⇐ t | a = t | (s | s)

SLIDE 55

Operational Semantics

Definition (Reduction rules):
(λx.t u) →β t{x := u}
t | a ⇐ u →ρ t{a := u}
Communication example: a ⇐ λx.t | (a v) →ρ (λx.t v) →β t{x := v}

SLIDE 56

λar Typing

It is possible to have a fine-grained typing of λar:

  [PPAR]  Γ ⊢ t : τ      Γ ⊢ u : σ
          ------------------------   (τ, σ = ◦)
          Γ ⊢ t ∥ u : Pa(τ, σ)

Sort abstraction "à la" [Prost00] leads to results similar to those obtained in the λ-calculus.

SLIDE 57

Relaxing Non-Interference

slide-58
SLIDE 58

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-59
SLIDE 59

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view;

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-60
SLIDE 60

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view; Sealed auctions;

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-61
SLIDE 61

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view; Sealed auctions; etc.

Challenge: to adapt non-interference to fit with dynamic evolution of privacy ?

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-62
SLIDE 62

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view; Sealed auctions; etc.

Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose:

1

A “security profile” for each operator: rewrite rules over privacy lattice.

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-63
SLIDE 63

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view; Sealed auctions; etc.

Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose:

1

A “security profile” for each operator: rewrite rules over privacy lattice.

2

Rewrite rules may have actions modifying the policy.

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-64
SLIDE 64

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view; Sealed auctions; etc.

Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose:

1

A “security profile” for each operator: rewrite rules over privacy lattice.

2

Rewrite rules may have actions modifying the policy.

3

Definition of high/low bisimulation with dynamic policies.

  • F. Prost Frederic.Prost@ens-lyon.fr (Ecole Normale Sup´

erieure de Lyon) Privacy and Computer Science (ECI 2015) Day 3 - Non Interference Analyzes July 2015 45 / 73

slide-65
SLIDE 65

Relaxing Non-Interference

Non-Interference Dynamic policies [Prost, 2011]

A lot of every-day life scenarios involve dynamic evolution of data privacy levels.

Pay-per-view; Sealed auctions; etc.

Challenge: to adapt non-interference to fit with dynamic evolution of privacy ? In our framework we propose:

1

A “security profile” for each operator: rewrite rules over privacy lattice.

2

Rewrite rules may have actions modifying the policy.

3

Definition of high/low bisimulation with dynamic policies.

4

Program safety verification by abstract execution on privacy levels.


slide-66
SLIDE 66

Relaxing Non-Interference Programming framework

Plan

1. NI in a Purely Functional Setting
   Pure Terms and Simple Types
   Higher-order Types
2. NI in an Imperative Setting
3. NI and concurrency
4. Relaxing Non-Interference
   Programming framework
   Dynamic interference policy
   Program safety w.r.t. DIP
   Program Verification
5. Conclusion


slide-67
SLIDE 67

Relaxing Non-Interference Programming framework

WHILE programming language

Minimalistic programming language:

  v    ::= x | 0 | 1 | 0 | 1 | ...
  t, b ::= v | f(x1, ..., xn)
  P    ::= x := t | P; P | if b then P else P | while b do P | skip

It can be seen as an intermediate language, nested terms being flattened through fresh variables:

  x := f(345, g(x1, x2)) ≡ x0 := 345; x3 := g(x1, x2); x := f(x0, x3)

Natural semantics: ⟨µ, P⟩ →os ⟨µ′, P′⟩




slide-70
SLIDE 70

Relaxing Non-Interference Dynamic interference policy

Interference policy

Program variables are assigned privacy levels. Privacy levels are elements of a lattice L. Interference policies are based on the authorised behaviour of operators. Usually this is done through types, but types are too rigid. ⟹ We use a term rewriting system on privacy levels in order to deal with the concrete privacy levels used at evaluation time.


slide-71
SLIDE 71

Relaxing Non-Interference Dynamic interference policy

Static interference policy

For each operator f we consider f_DIP. Σ_DIP = (V_DIP, V ∪ Ω_DIP ∪ L).

Encryption policy, SP:

  encrypt_DIP(π128, x) → π1
  encrypt_DIP(π256, x) → ⊥
  SPY_DIP → ⊥
  PIN_DIP → ⊤
  ...

In the program: SPY := encrypt(K, PIN). The security level of encrypt(K, PIN) is computed using the rules of SP.


slide-72
SLIDE 72

Relaxing Non-Interference Dynamic interference policy

Dynamicity

Privacy levels may change during computation. Rewriting rules with actions: l → r; a, where

  a ::= x → π | x → π | x → y | x → y | a; a

The interference policy changes through the evaluation of the operator security level computation:

  ⟨t[σ(l)], SP⟩ → ⟨t[σ(r)], SP′⟩


slide-73
SLIDE 73

Relaxing Non-Interference Dynamic interference policy

Three strikes, out

Aim: account suspended after 3 unsuccessful login attempts. In the program: ckpwd(g, pwd).

For each operator f of arity n we consider f_DIP of arity 2n.
⟹ distinction between the name of a program variable and its privacy level.

The privacy level of ckpwd(g, pwd) is computed by the evaluation of ckpwd_DIP(πg, g, πpwd, pwd).



slide-75
SLIDE 75

Relaxing Non-Interference Dynamic interference policy

Three strikes, out

Privacy lattice (diagram on the slide): ⊤, t0, t1, t2, t3, ⊥.

  ckpwd(⊥, g, t0, p) → ⊥; p → t1
  ckpwd(⊥, g, t1, p) → ⊥; p → t2
  ckpwd(⊥, g, t2, p) → ⊥; p → t3
  ckpwd(⊥, g, t3, p) → ⊤
  ckok(x, y) → ⊥; y → t0
  g → ⊥
  PIN1 → t0
  PIN2 → t0
  ...

In the program: if ckpwd(g, PIN1) then blah else next try


slide-76
SLIDE 76

Relaxing Non-Interference Dynamic interference policy

Dynamic interference policy

Definition. A DIP, SP, is a confluent terminating rewrite system with actions such that:

1. For every x ∈ V there is a rule x → π in SP.
2. For each rule l → r such that l ∈ V, r ∈ L.
3. SP introduces no junk into L, i.e. for all ground terms t over Σ ∪ L, the normal form of t is in L.
4. SP introduces no confusion into L, i.e. ∀τ1, τ2 ∈ L, τ1 ≠ τ2 ⟹ ¬(τ1 ↔* τ2).
5. Functions in Σ are monotonic w.r.t. privacy levels: ∀πi, π′i ∈ L, πi ⊑ π′i ⟹ nf_SP(f(π1, ..., πn)) ⊑ nf_SP(f(π′1, ..., π′n)).

Notation: ⟨t, SP⟩ →* ⟨π_SP(t), SP_t⟩


slide-77
SLIDE 77

Relaxing Non-Interference Dynamic interference policy

Privacy level of a term wrt SP

To compute the privacy level of f(x, y) we consider t = f_DIP(nf_SP(x), x, nf_SP(y), y). The evaluation of this term in SP gives the privacy level and a new interference policy:

  ⟨t, SP⟩ →* ⟨π_SP(t), SP_t⟩

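The three-strikes policy of slides 73 to 75, run through the term evaluation ⟨t, SP⟩ →* ⟨π_SP(t), SP_t⟩ of slide 77, as an added Python example; it is not code from the deck or from [Prost, 2011]. It assumes a flat lattice (⊥ below t0, t1, t2, t3, which are pairwise incomparable and all below ⊤), writes ckok with the same 2n-argument convention as ckpwd, and the names DIP, match, eval_term and three_strikes are the example's own.

```python
"""A dynamic interference policy (DIP) as rewrite rules with actions (added example)."""

BOT, TOP = "⊥", "⊤"   # assumed flat lattice: ⊥ below t0..t3 (pairwise incomparable), ⊤ above


class DIP:
    """The variable rules x -> π of SP, i.e. the part of the policy that actions rewrite."""

    def __init__(self, var_levels):
        self.var_levels = dict(var_levels)

    def level(self, x):
        return self.var_levels[x]


# Operator rules f_DIP(π1, x1, ..., πn, xn) -> π ; actions, over 2n arguments as on
# the slides. A "$name" position is a pattern variable, anything else must match
# literally. The action ("$p", "t1") rewrites the rule of the program variable
# bound to $p into "<that variable> -> t1".
CKPWD_RULES = [
    (("ckpwd", BOT, "$g", "t0", "$p"), BOT, [("$p", "t1")]),
    (("ckpwd", BOT, "$g", "t1", "$p"), BOT, [("$p", "t2")]),
    (("ckpwd", BOT, "$g", "t2", "$p"), BOT, [("$p", "t3")]),
    (("ckpwd", BOT, "$g", "t3", "$p"), TOP, []),                  # fourth try: result is secret
    (("ckok", "$px", "$x", "$py", "$y"), BOT, [("$y", "t0")]),    # successful login resets
]


def match(pattern, term):
    """Binding of the pattern variables if `term` is an instance of `pattern`, else None."""
    if len(pattern) != len(term):
        return None
    binding = {}
    for p, t in zip(pattern, term):
        if p.startswith("$"):
            if binding.setdefault(p, t) != t:   # a repeated pattern variable must agree
                return None
        elif p != t:
            return None
    return binding


def eval_term(dip, rules, f, args):
    """Evaluate f_DIP(π(x1), x1, ..., π(xn), xn) in `dip`: returns π_SP(t) and SP_t,
    the policy obtained after applying the actions of the rule that fired."""
    term = (f,) + tuple(v for x in args for v in (dip.level(x), x))
    for lhs, rhs, actions in rules:
        binding = match(lhs, term)
        if binding is not None:
            new = DIP(dip.var_levels)
            for pvar, lvl in actions:
                new.var_levels[binding[pvar]] = lvl
            return rhs, new
    # A DIP introduces no junk: every ground term must normalise to a level.
    raise ValueError(f"no rule for {term}")


def three_strikes(attempts):
    """Levels of `attempts` successive ckpwd(g, PIN1) evaluations, the variable rules
    reached, and the variable rules after a subsequent ckok(g, PIN1)."""
    dip = DIP({"g": BOT, "PIN1": "t0", "PIN2": "t0"})   # constructed initial policy
    levels = []
    for _ in range(attempts):
        lvl, dip = eval_term(dip, CKPWD_RULES, "ckpwd", ["g", "PIN1"])
        levels.append(lvl)
    after = dict(dip.var_levels)
    _, reset = eval_term(dip, CKPWD_RULES, "ckok", ["g", "PIN1"])
    return levels, after, reset.var_levels


if __name__ == "__main__":
    levels, after, reset = three_strikes(4)
    print("levels of ckpwd(g, PIN1):", levels)   # ⊥, ⊥, ⊥, ⊤
    print("rules after 4 tries:", after)
    print("rules after ckok:", reset)
```

After the third unsuccessful evaluation the rule for PIN1 has become PIN1 → t3, so the next ckpwd(g, PIN1) has level ⊤: a program that branches on it and then writes to a public variable fails the safety check whatever its author intended, which is how the policy rather than the program enforces the suspension. ckok resets PIN1 to t0 and leaves PIN2 untouched.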



slide-80
SLIDE 80

Relaxing Non-Interference Program safety w.r.t. DIP

Program safety

Traditionally: a program is safe if every modification of a value above π cannot be observed below π, i.e. for two initial memories that differ only above π:

  ⟨µ1, P⟩ →os* µ′1      ⟨µ2, P⟩ →os* µ′2
  --------------------------------------
               µ′1 ≡π µ′2

What to do with a policy rule such as encrypt(π1024, ⊤) → ⊥, which makes possible programs such as SPY := encrypt(key1024, PIN)?
⟹ Use an alternate operational semantics in which declared leaks are treated specifically: the declassified operational semantics

  ⟨µ1, P⟩ ⟹µd ⟨µ′1, P′⟩


slide-81
SLIDE 81

Relaxing Non-Interference Program safety w.r.t. DIP

Declassifying terms

A term is declassifying if its privacy level is lower than one of its arguments. Such terms will be subjected to specific rules in the declassified operational semantics.

Definition (Declassifying terms and assignments). t = f(x1, ..., xn) is declassifying wrt SP, written SP ⊢ f(x1, ..., xn) ↓, if:

  π_SP(t) ⊑ ⨆_{i=1}^{n} π_SP(x_i)


slide-82
SLIDE 82

Relaxing Non-Interference Program safety w.r.t. DIP

Declassified evaluation

The declassified semantics relates configurations ⟨P, µ, SP⟩ ⟹µd ⟨P′, µ′, SP′⟩. Declassifying assignment:

  SP ⊢ f_DIP(π_SP(x), x) ↓     ⟦f(x)⟧µd = v     ⟨f(π_SP(x), x), SP⟩ →* ⟨π, SP_f(π_SP(x),x)⟩
  -------------------------------------------------------------------------------------- (AS)
               ⟨y := f(x), µ, SP⟩ ⟹µd ⟨skip, µ[y := v], SP_f(π_SP(x),x)⟩



slide-84
SLIDE 84

Relaxing Non-Interference Program safety w.r.t. DIP

High/low bisimulation and DIPs

Definition (Bisimulation). A π-bisimulation is a symmetric relation R such that: if ⟨P1, SP1⟩ R ⟨P2, SP2⟩ and

  ⟨µ1, P1, SP1⟩ ⟹µd ⟨µ′1, P′1, SP′1⟩   and   µ1 ≃_π^{SP1 ⊔ SP2} µ2

then there exist P′2, SP′2 and µ′2 such that

  ⟨µ2, P2, SP2⟩ ⟹µd* ⟨µ′2, P′2, SP′2⟩   and   µ′1 ≃_π^{SP′1 ⊔ SP′2} µ′2   and   ⟨P′1, SP′1⟩ R ⟨P′2, SP′2⟩.



slide-86
SLIDE 86

Relaxing Non-Interference Program safety w.r.t. DIP

Program safety w.r.t. a DIP

The union of two π-bisimulations is a π-bisimulation. The biggest π-bisimulation is written ≃ and is the union of all π-bisimulations.

Definition (Safe program). A program P is safe with respect to the DIP SP, written SP ⊨ P, if for every privacy level π, ⟨P, SP⟩ ≃π ⟨P, SP⟩.




slide-90
SLIDE 90

Relaxing Non-Interference Program Verification

Abstract execution principle (1)

Idea: execute the program on L. An abstract memory record associates variables with their privacy levels.

Record the highest privacy level πg encountered in if-then-else and while guards, to avoid indirect leaks, e.g.:

  if PIN = 0 then while 0 do skip else skip; SPY := 0

Check assignments w.r.t. SP and πg: x := f(...) requires π_SP(f(...)) ⊔ πg ⊑ π_SP(x); a failure is raised if the inequality is not satisfied.



slide-93
SLIDE 93

Relaxing Non-Interference Program Verification

Abstract execution principle (2)

Moreover, the evaluation of terms modifies the DIP. Problem: it is not possible to merge the DIPs resulting from the branches of an if-then-else construct.
⟹ Creation of a DIP list recording the DIPs of each execution path.

Fixpoint problem for the while construct.
⟹ Finite number of DIP lists.



slide-95
SLIDE 95

Relaxing Non-Interference Program Verification

Abstract execution result

Theorem. ∃L. ({SP, ⊥}, P ↪* L) ⟹ SP ⊨ P

The converse implication does not hold: the safe program

  if PIN = 0 then SPY := 1 else SPY := 1

raises a failure in the abstract operational semantics.

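The abstract execution of slides 90 to 95 as an added Python example; it is not the deck's or the paper's own verifier. It assumes a two-point lattice and a static policy (rules x → π plus monotone operator profiles, no actions, so no DIP lists are needed and the while fixpoint is reached in one pass), lets the guard level πg only grow (the reading under which slide 90's while example is rejected), and allows nested terms in the sense of slide 67's intermediate-language encoding. Policy, abstract_exec, is_safe and the sample programs are the example's own, and the encrypt profile is a simplification of the deck's encrypt(π1024, ⊤) → ⊥ rule.

```python
"""Abstract execution of WHILE programs on a privacy lattice (added example)."""

BOT, TOP = "⊥", "⊤"   # two-point privacy lattice assumed for the example


def join(a, b):
    return TOP if TOP in (a, b) else BOT


def leq(a, b):
    return a == BOT or b == TOP


class Failure(Exception):
    """Raised when an assignment would let information flow downwards."""


class Policy:
    """Static interference policy: rules x -> π for variables and, per operator,
    a function from argument levels to the result level (default: their join)."""

    def __init__(self, var_levels, ops=None):
        self.var_levels = dict(var_levels)
        self.ops = dict(ops or {})

    def op_level(self, f, arg_levels):
        if f in self.ops:
            return self.ops[f](arg_levels)
        result = BOT
        for lvl in arg_levels:
            result = join(result, lvl)
        return result


def term_level(sp, term):
    """π_SP(t) for t ::= ("const", c) | ("var", x) | ("op", f, [t1, ..., tn])."""
    if term[0] == "const":
        return BOT
    if term[0] == "var":
        return sp.var_levels[term[1]]
    _, f, args = term
    return sp.op_level(f, [term_level(sp, a) for a in args])


def abstract_exec(sp, prog, guard=BOT):
    """Execute prog on the lattice. `guard` is the highest level met so far in an
    if/while guard; it is never lowered again, so a loop under a secret guard
    taints every later assignment. Returns the updated guard level and raises
    Failure on a forbidden flow."""
    kind = prog[0]
    if kind == "skip":
        return guard
    if kind == "assign":
        _, x, t = prog
        source = join(term_level(sp, t), guard)
        if not leq(source, sp.var_levels[x]):
            raise Failure(f"{x} := ...: level {source} does not flow to {sp.var_levels[x]}")
        return guard
    if kind == "seq":
        _, p1, p2 = prog
        return abstract_exec(sp, p2, abstract_exec(sp, p1, guard))
    if kind == "if":
        _, b, p1, p2 = prog
        g = join(guard, term_level(sp, b))
        return join(abstract_exec(sp, p1, g), abstract_exec(sp, p2, g))
    if kind == "while":
        _, b, body = prog
        # Variable levels are fixed by the policy, so one pass over the body
        # already reaches the fixpoint of the guard level.
        return abstract_exec(sp, body, join(guard, term_level(sp, b)))
    raise ValueError(f"unknown construct {kind!r}")


def is_safe(sp, prog):
    """True when the abstract execution succeeds (sound but incomplete, as slide 95 says)."""
    try:
        abstract_exec(sp, prog)
        return True
    except Failure:
        return False


def var(x):
    return ("var", x)


def const(c):
    return ("const", c)


# Constructed policy: PIN and KEY are secret, SPY is public. `encrypt` is the
# declassifying operator of the slides, simplified to "the ciphertext is public".
SP = Policy({"PIN": TOP, "KEY": TOP, "SPY": BOT}, {"encrypt": lambda levels: BOT})

PIN_IS_ZERO = ("op", "eq", [var("PIN"), const(0)])
DIRECT_LEAK = ("assign", "SPY", var("PIN"))
# Slide 90's example: a loop under a secret guard followed by a public assignment.
TERMINATION_LEAK = ("seq", ("if", PIN_IS_ZERO, ("while", const(0), ("skip",)), ("skip",)),
                    ("assign", "SPY", const(0)))
DECLASSIFIED = ("assign", "SPY", ("op", "encrypt", [var("KEY"), var("PIN")]))
# Slide 95's safe program that the abstract semantics nevertheless rejects.
FALSE_POSITIVE = ("if", PIN_IS_ZERO, ("assign", "SPY", const(1)), ("assign", "SPY", const(1)))
SAFE = ("seq", ("assign", "SPY", const(0)), ("assign", "PIN", ("op", "inc", [var("PIN")])))

if __name__ == "__main__":
    for name, prog in [("direct leak", DIRECT_LEAK), ("termination leak", TERMINATION_LEAK),
                       ("declassified", DECLASSIFIED), ("false positive", FALSE_POSITIVE),
                       ("safe", SAFE)]:
        print(f"{name:17} safe={is_safe(SP, prog)}")
```

The sticky guard is what turns the termination channel of slide 90 into a rejected assignment: after branching on PIN the guard is ⊤ for the rest of the program, so SPY := 0 is refused even though it is outside the if. The same mechanism rejects slide 95's harmless program, which is the incompleteness the theorem leaves open; a dynamic policy would additionally thread the DIP through abstract_exec and keep one copy per path at each if.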


slide-97
SLIDE 97

Conclusion

Conclusion

Non-Interference is a very abstract and powerful, but strict, approach to privacy in programming languages. It is very different from the traditional cryptographic approach and relies on completely different techniques: programming-language semantics. There has been a lot of work to cope with different paradigms and subtle variations around the notion of strict non-interference. Differential privacy is a relatively new way to approach non-interference. In a nutshell: the idea is to manipulate the data of a database in such a way that statistical properties of interest are unchanged while having indistinguishability properties (a kind of non-interference) ensuring privacy (e.g. [Dwork, 2008]).


slide-98
SLIDE 98

Conclusion

Bibliography I

Abadi, M., Lampson, B. W., and Lévy, J. (1996). Analysis and caching of dependencies. In Proceedings of the 1996 ACM SIGPLAN International Conference on Functional Programming (ICFP ’96), Philadelphia, Pennsylvania, May 24-26, 1996, pages 83–91.

Askarov, A., Hunt, S., Sabelfeld, A., and Sands, D. (2008). Termination-insensitive noninterference leaks more than just a bit. In Computer Security - ESORICS 2008, 13th European Symposium on Research in Computer Security, Málaga, Spain, October 6-8, 2008. Proceedings, pages 333–348.

Barendregt, H. (1991). Introduction to generalized type systems. J. Funct. Program., 1(2):125–154.

slide-99
SLIDE 99

Conclusion

Bibliography II

Berardi, S. (1996). Pruning simply typed lambda-terms. J. Log. Comput., 6(5):663–681.

de Bruijn, N. G. (1970). The mathematical language AUTOMATH, its usage and some of its extensions (IRIA, Versailles 1968). In Symposium on Automatic Demonstration, volume 125 of Lecture Notes in Mathematics, pages 29–61. Springer-Verlag.

Church, A. (1940). A formulation of the simple theory of types. Journal of Symbolic Logic, 5(1).


slide-100
SLIDE 100

Conclusion

Bibliography III

Coquand, T. and Huet, G. (1988). The calculus of constructions. Information and Computation, 76:95–120.

de Lavalette, G. R. (1992). Strictness analysis via abstract interpretation for recursively defined types. Information and Computation, 99(2):154–177.

Dwork, C. (2008). Differential privacy: A survey of results. In Theory and Applications of Models of Computation, 5th International Conference, TAMC 2008, Xi’an, China, April 25-29, 2008. Proceedings, pages 1–19.

slide-101
SLIDE 101

Conclusion

Bibliography IV

Girard, J.-Y. (1972). Interprétation fonctionnelle et élimination des coupures de l’arithmétique d’ordre supérieur. PhD thesis, Université Paris 7.

Longo, G. and Moggi, E. (1988). Constructive natural deduction and its modest interpretation. Technical Report CMU-CS-88-131, Carnegie Mellon University.

Prost, F. (2000). A static calculus of dependencies for the lambda-cube. In 15th Annual IEEE Symposium on Logic in Computer Science, Santa Barbara, California, USA, June 26-29, 2000, pages 267–276.


slide-102
SLIDE 102

Conclusion

Bibliography V

Prost, F. (2005). Sort abstraction for static analyzes of mobile processes. In Sixth Symposium on Trends in Functional Programming (TFP 2005), Tallinn, Estonia.

Prost, F. (2011). Enforcing dynamic interference policy. In PASSAT/SocialCom 2011: Privacy, Security, Risk and Trust (PASSAT), 2011 IEEE Third International Conference on, and 2011 IEEE Third International Conference on Social Computing (SocialCom), Boston, MA, USA, 9-11 Oct. 2011, pages 1111–1118.

Sabelfeld, A. and Sands, D. (2009). Declassification: Dimensions and principles. Journal of Computer Security, 17(5):517–548.


slide-103
SLIDE 103

Conclusion

Bibliography VI

Volpano, D. M. and Smith, G. (1997). A type-based approach to program security. In TAPSOFT’97: Theory and Practice of Software Development, 7th International Joint Conference CAAP/FASE, Lille, France, April 14-18, 1997, Proceedings, pages 607–621.
