 
Verifying Hyperproperties of Hardware Systems
Bernd Finkbeiner (Saarland University), Markus N. Rabe (UC Berkeley)
Based on joint work with Michael R. Clarkson, Christopher Hahn, Masoud Koleini, Kristopher K. Micinski, and César Sánchez
FMCAD'16 Tutorial, Mountain View, October 3, 2016
Outline: Intro, HyperLTL, Examples, Model Checking, Satisfiability, Beyond HyperLTL, Conclusions
Major Incidents in Information Security
▶ Heartbleed: if (1 + 2 + payload + 16 > s->s3->rrec.length) return 0; (4.5m patient records leaked)
▶ Goto Fail: if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0) goto fail; goto fail; (encryption of >300M devices broken)
▶ Shellshock: parse_and_execute (temp_string, name, SEVAL_NONINT|SEVAL_NOHIST); (web servers attackable for 22 years)
Embedded Systems / Hardware Security
Information-flow control
Typical information-flow property: Noninterference
Public output should only depend on public input.
[Figure: a security-critical system with inputs I_public, I_secret and outputs O_public, O_secret]
∀ t, t′ ∈ Traces(K) : t =_{I_public} t′ ⇒ t =_{O_public} t′
Hyperproperties
Clarkson & Schneider '10: Hyperproperty H : a set of sets of traces.
System K satisfies H iff Traces(K) ∈ H.
Many information-flow properties can be formalized as hyperproperties.
Noninterference as hyperproperty:
{ T ∈ 2^Traces | ∀ t, t′ ∈ T : t =_{I_public} t′ ⇒ t =_{O_public} t′ }
Case Study 1: Information flow in the I2C Bus
▶ Under which circumstances can information flow from the inputs through the Master to the bus (and vice versa)?
▶ Is there an expiration date for information?
Case study 2: Symmetry in Protocols

    while (true) {
        choosing[i] = true;
        number[i] = max(number) + 1;
        choosing[i] = false;
        for (int j = 0; j < n; j++) {
            while (choosing[j]) { ; }
            while (j ≠ i ∧ number[j] ≠ 0 ∧ (number[j], j) < (number[i], i)) { ; }
        }
        critical section
        number[i] = 0;
        non-critical section
    }

▶ Are the clients treated symmetrically?
Case study 3: Error-resistant codes
Different encoders from OpenCores.org:
▶ 8bit-10bit encoder, decoder
▶ Huffman encoder
▶ Hamming encoder
▶ Do codes for distinct inputs have at least Hamming distance d?
Automatic analysis techniques
▶ Security type systems
▶ Program analysis
▶ Dynamic approaches/taint tracking
Common problem: single-property techniques.
This tutorial: A unifying framework for the analysis of hyperproperties.
Overview
Part I: HyperLTL
Part II: Examples
Part III: Model Checking
Part IV: Satisfiability
Part V: Beyond HyperLTL
Part I: HyperLTL
Temporal logics for information security?
LTL: Specifies computations. Example: FG x = 0, "from some point on x is 0". [Figure: a computation x = 3, x = 2, x = 1, x = 0, x = 0, x = 0, …]
CTL/CTL*: Specifies computation trees. Example: AGEF x = 0, "x may always become 0 in the future".
A Simple Information-flow Policy
"All executions have the light on at the same time."
"For all pairs of executions and all points in time, the light is on in the one execution iff it is on in the other execution."
Information flow properties compare multiple executions!
LTL?
"All executions have the light on at the same time."
Syntax: ϕ ::= a | X ϕ | G ϕ | F ϕ | ϕ U ϕ | ϕ W ϕ
Semantics: K ⊨ ϕ iff Traces(K) ⊆ Traces(ϕ)
CTL*?
"All executions have the light on at the same time."
Syntax: ϕ ::= a | A ϕ | E ϕ | X ϕ | G ϕ | ϕ U ϕ | …
Semantics: K ⊨ A ϕ iff for all p ∈ Paths(K) : p ⊨ ϕ
AA ϕ ?
[Figure: a computation tree whose paths have the light off/on at different times]
HyperLTL
"All executions have the light on at the same time."
Quantifiers with trace variables: ∀π.ϕ, ∃π.ϕ
HyperLTL: Start with a quantifier prefix, then a quantifier-free formula.
Syntax:
ϕ ::= ∀π.ϕ | ∃π.ϕ | ψ
ψ ::= a_π | X ψ | G ψ | F ψ | ψ U ψ | ψ W ψ
∀π. ∀π′. G (on_π ↔ on_π′)
[Figure: two traces π and π′ with the light off/on at each step]
Semantics
"All executions have the light on at the same time."
Semantics given with respect to a set of traces T and a trace environment Π : Vars → T
Π ⊨_T a_π iff a ∈ Π(π)(0)
Π ⊨_T G ϕ iff ∀ i ≥ 0 : Π[i, ∞] ⊨_T ϕ
Π ⊨_T ∀π. ϕ iff ∀ t ∈ T : Π[π ↦ t] ⊨_T ϕ
A Kripke structure K satisfies a HyperLTL formula ϕ iff ∅ ⊨_{Traces(K)} ϕ
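An added example, not the tutorial's tool: a small evaluator that applies the semantic rules above (atoms a_π, G, trace quantifiers, plus X, F and Boolean connectives) to a finite set of finite traces, and checks both the light-synchronisation formula ∀π.∀π′. G(on_π ↔ on_π′) and the noninterference property from the information-flow slide. Assumptions: all traces in a set have the same length n, and G/F/X are read on the finite prefix (G means every remaining step, X past the end is false); the trace sets are constructed.

```python
# A trace is a list of sets of atomic propositions, one set per time step.
# Formulas are nested tuples, e.g. ("atom", "on", "p") stands for on_p.

def holds(f, env, traces, i=0):
    """Pi |=_T f at step i; env is the trace environment Pi (variable -> trace)."""
    op, n = f[0], len(traces[0])           # assumption: all traces have length n
    if op == "atom":                       # a in Pi(pi)(i)
        return f[1] in env[f[2]][i]
    if op == "not":
        return not holds(f[1], env, traces, i)
    if op in ("and", "or", "impl", "iff"):
        l, r = holds(f[1], env, traces, i), holds(f[2], env, traces, i)
        return {"and": l and r, "or": l or r, "impl": (not l) or r, "iff": l == r}[op]
    if op == "X":                          # next step, false past the finite end
        return i + 1 < n and holds(f[1], env, traces, i + 1)
    if op == "G":                          # forall j >= i: Pi[j, n] |=_T f
        return all(holds(f[1], env, traces, j) for j in range(i, n))
    if op == "F":
        return any(holds(f[1], env, traces, j) for j in range(i, n))
    if op == "forall":                     # forall t in T: Pi[pi -> t] |=_T f
        return all(holds(f[2], {**env, f[1]: t}, traces, i) for t in traces)
    if op == "exists":
        return any(holds(f[2], {**env, f[1]: t}, traces, i) for t in traces)
    raise ValueError(f"unknown operator {op}")

def satisfies(traces, f):
    """K |= f iff the empty environment satisfies f over Traces(K)."""
    return holds(f, {}, traces)

# "All executions have the light on at the same time."
LIGHT_SYNC = ("forall", "p", ("forall", "q",
              ("G", ("iff", ("atom", "on", "p"), ("atom", "on", "q")))))

# Noninterference with one public input i, one public output o and a secret s:
# traces that agree on i at every step must agree on o at every step.
NONINTERFERENCE = ("forall", "p", ("forall", "q",
    ("impl", ("G", ("iff", ("atom", "i", "p"), ("atom", "i", "q"))),
             ("G", ("iff", ("atom", "o", "p"), ("atom", "o", "q"))))))

# Constructed trace sets (hypothetical systems, not from the tutorial).
SYNC_OK = [[{"on"}, set(), {"on"}], [{"on"}, set(), {"on"}]]
SYNC_BAD = [[{"on"}, set(), {"on"}], [set(), {"on"}, {"on"}]]
NI_OK = [[{"i", "o"}, {"o"}], [{"i", "o", "s"}, {"o", "s"}], [set(), {"o"}]]
NI_BAD = [[{"i", "o"}, {"o"}], [{"i", "s"}, {"o"}]]   # o reveals s at step 0
```

Running `satisfies(NI_BAD, NONINTERFERENCE)` returns False because the two traces agree on the public input but differ on the public output, exactly the pair of executions a single-trace logic cannot relate.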