! X SAS08 Valencia p.8/44 I N C OMPARATIVE S EMANTICS P 1 ; P 2 - PowerPoint PPT Presentation

NI: A COMPLETENESS PROBLEM Recall that [Joshi & Leino’00] . P is secure HH ; P ; HH = P ; HH iff Let X = � X H , X L � ⇒ H ( X ) def = �⊤ H , X L � ∈ uco ( ℘ ( V )) . HH ; P ; HH P ; HH = ⇓ H ◦ � P � ◦ H H ◦ � P � = ⇒ A COMPLETENESS PROBLEM SAS’08 – Valencia – p.12/44

M AKING A BSTRACT I NTERPRETATIONS C OMPLETE 10 YEARS AFTER SAS’08 – Valencia – p.13/44

T HE G EOMETRY OF AI TRANSFORMERS ()*'%+$' X R ( X ) !"#$%&'& lco – REFINEMENT SAS’08 – Valencia – p.14/44

T HE G EOMETRY OF AI TRANSFORMERS ()*'%+$' S ( X ) X !"#$%&'& uco – SIMPLIFICATION SAS’08 – Valencia – p.14/44

T HE G EOMETRY OF AI TRANSFORMERS Can we use abstract interpretation for transforming abstract interpretations? ! Refinements: X ⊆ R ( X ) (improving precision – lower closure) ! Simplification: S ( X ) ⊆ X (reducing precision – upper closure) [Janowitz ’67] � η ◦ η + = η + ( 1 ) η ∈ uco ( C ) ⇔ η + ∈ lco ( C ) ⇔ η + ◦ η = η � η ◦ η − = η ( 2 ) η ∈ uco ( C ) ⇔ η − ∈ lco ( C ) ⇔ η − ◦ η = η − SAS’08 – Valencia – p.15/44

T HE G EOMETRY OF AI TRANSFORMERS Can we use abstract interpretation for transforming abstract interpretations? ! Refinements: X ⊆ R ( X ) (improving precision – lower closure) ! Simplification: S ( X ) ⊆ X (reducing precision – upper closure) [Janowitz ’67] � S ◦ S + = S + ( 1 ) S simplification ⇔ S + refinement ⇔ S + ◦ S = S Shell/Core of a given property � S ◦ S − = S ( 2 ) S simplification ⇔ S − refinement ⇔ S − ◦ S = S − Expander/Compressor for a given property SAS’08 – Valencia – p.15/44

T HE G EOMETRY OF D OMAIN TRANSFORMERS + - Core Expander - + Shell Compressor - + ! Shell/Core minimally transform domains in order to achieve a given property ! Expander/Compressor maximally transform domains in order to achieve a given property W HAT IS THE MEANING OF S HELL /C ORE AND E XPANDER /C OMPRESSOR FOR THE COMPLETENESS PROPERTY ? SAS’08 – Valencia – p.16/44

T HE G EOMETRY OF DOMAIN TRANSFORMERS Basic abstract domain transformers Core: Expander: + - C f E f Minimal complete Maximal incomplete - simplification refinement + Shell: Compressor: K f R f Minimal complete Maximal incomplete - + refinement simplification [Giacobazzi et al.’00] [SAS’08] SAS’08 – Valencia – p.17/44

S HELL /C ORE Let P be completeness P holds: Shell of A P doesn’t hold A SAS’08 – Valencia – p.18/44

S HELL /C ORE Let P be completeness P holds: Shell of A P doesn’t hold P doesn’t hold P holds: Core of A A A SAS’08 – Valencia – p.18/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ " ρ η ! ⊥ ⊥ B ACKWARD COMPLETENESS : η ◦ f ◦ ρ = η ◦ f SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ " ρ η ! ⊥ ⊥ B ACKWARD IN - COMPLETENESS : η ◦ f ◦ ρ ≥ η ◦ f SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ " ρ η ! ⊥ ⊥ Making BACKWARD COMPLETE : Refining input domains [GRS’00] SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ " ρ η ! ⊥ ⊥ Making BACKWARD COMPLETE : Simplifying output domains [GRS’00] SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ ρ η ⊥ ⊥ F ORWARD COMPLETENESS : η ◦ f ◦ ρ = f ◦ ρ SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ ρ η ⊥ ⊥ F ORWARD IN - COMPLETENESS : η ◦ f ◦ ρ ≥ f ◦ ρ SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ " η ρ ! ⊥ ⊥ Making FORWARD COMPLETE : Refining output domains [GQ’01] SAS’08 – Valencia – p.19/44

D OMAIN C OMPLETENESS : S HELL /C ORE ⊤ ⊤ " η ρ ! ⊥ ⊥ Making FORWARD COMPLETE : Simplifying input domains [GQ’01] SAS’08 – Valencia – p.19/44

B ACKWARD VS F ORWARD ! A domain is backward complete wrt f iff it is forward complete wrt f + = λ X . S � � ˛ ; Y ˛ f ( Y ) ⊆ X ˛ ! A (not trivial) partition is backward stable wrt f iff it is forward stable wrt � � ˛ f − 1 = λ X . ; y ˛ f ( y ) ∈ X ˛ ! If f is injective, a (not trivial) partition is forward stable wrt f iff it is backward stable wrt f − 1 ; SAS’08 – Valencia – p.20/44

B ACKWARD VS F ORWARD ! A domain is backward complete wrt f iff it is forward complete wrt f + = λ X . S � � ˛ ; Y ˛ f ( Y ) ⊆ X ˛ ! A (not trivial) partition is backward stable wrt f iff it is forward stable wrt � � ˛ f − 1 = λ X . ; y ˛ f ( y ) ∈ X ˛ ! If f is injective, a (not trivial) partition is forward stable wrt f iff it is backward stable wrt f − 1 ; A backward problem can always be transformed in a forward one, but the viceversa is not always possible! SAS’08 – Valencia – p.20/44

N EW PERSPECTIVES IN L ANGUAGE - BASED S ECURITY Secret H Public L SW Observable: φ φ ( H ) L ρ Secret φ ( H ) External observer Public L SAS’08 – Valencia – p.21/44

A BSTRACT N ON -I NTERFERENCE (N ARROW ) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : [ η ] P ( ρ ) : η ( l 1 ) = η ( l 2 ) ⇒ ρ ( � P � ( h 1 , l 1 ) L ) = ρ ( � P � ( h 2 , l 2 ) L ) SAS’08 – Valencia – p.22/44

A BSTRACT N ON -I NTERFERENCE (N ARROW ) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : [ η ] P ( ρ ) : η ( l 1 ) = η ( l 2 ) ⇒ ρ ( � P � ( h 1 , l 1 ) L ) = ρ ( � P � ( h 2 , l 2 ) L ) SAS’08 – Valencia – p.22/44

A BSTRACT N ON -I NTERFERENCE (N ARROW ) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : [ η ] P ( ρ ) : η ( l 1 ) = η ( l 2 ) ⇒ ρ ( � P � ( h 1 , l 1 ) L ) = ρ ( � P � ( h 2 , l 2 ) L ) SAS’08 – Valencia – p.22/44

A BSTRACT N ON -I NTERFERENCE (N ARROW ) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : [ η ] P ( ρ ) : η ( l 1 ) = η ( l 2 ) ⇒ ρ ( � P � ( h 1 , l 1 ) L ) = ρ ( � P � ( h 2 , l 2 ) L ) SAS’08 – Valencia – p.22/44

A BSTRACT N ON -I NTERFERENCE (N ARROW ) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : [ η ] P ( ρ ) : η ( l 1 ) = η ( l 2 ) ⇒ ρ ( � P � ( h 1 , l 1 ) L ) = ρ ( � P � ( h 2 , l 2 ) L ) SAS’08 – Valencia – p.22/44

A BSTRACT N ON -I NTERFERENCE (N ARROW ) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : [ η ] P ( ρ ) : η ( l 1 ) = η ( l 2 ) ⇒ ρ ( � P � ( h 1 , l 1 ) L ) = ρ ( � P � ( h 2 , l 2 ) L ) SAS’08 – Valencia – p.22/44

A BSTRACT N ON -I NTERFERENCE (ANI) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : ( η ) P ( ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.23/44

A BSTRACT N ON -I NTERFERENCE (ANI) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : ( η ) P ( ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.23/44

A BSTRACT N ON -I NTERFERENCE (ANI) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : ( η ) P ( ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.23/44

A BSTRACT N ON -I NTERFERENCE (ANI) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : ( η ) P ( ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.23/44

A BSTRACT N ON -I NTERFERENCE (ANI) Public Input Private Input η � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) : ( η ) P ( ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.23/44

E XAMPLES E XAMPLE I : while h do ( l := l + 2 ; h := h − 1 ). Standard Non-Interference ≡ [ id ] P ( id ) h = 0, l = 1 ❀ l = 1 h = 1, l = 1 ❀ l = 3 h = n , l = 1 ❀ l = 1 + 2 n SAS’08 – Valencia – p.24/44

E XAMPLES E XAMPLE I : while h do ( l := l + 2 ; h := h − 1 ). Standard Non-Interference ≡ [ id ] P ( id ) h = 0, l = 1 ❀ l = 1 h = 1, l = 1 ❀ l = 3 h = n , l = 1 ❀ l = 1 + 2 n ⇓ [ id ] P ( Par ) h = 0, l = 1 ❀ Par ( l ) = odd h = 1, l = 1 ❀ Par ( l ) = odd h = n , l = 1 ❀ Par ( l ) = odd SAS’08 – Valencia – p.24/44

E XAMPLES E XAMPLE II : l := 2 ∗ l ∗ h 2 . P = [ Par ] P ( Sign ) h = 1, l = 4 ( Par ( 4 ) = even ) ❀ Sign ( l ) = + h = 1, l = − 4 ( Par (− 4 ) = even ) ❀ Sign ( l ) = − D ECEPTIVE F LOW SAS’08 – Valencia – p.24/44

E XAMPLES E XAMPLE II : l := 2 ∗ l ∗ h 2 . P = [ Par ] P ( Sign ) h = 1, l = 4 ( Par ( 4 ) = even ) ❀ Sign ( l ) = + h = 1, l = − 4 ( Par (− 4 ) = even ) ❀ Sign ( l ) = − D ECEPTIVE F LOW ⇓ ( Par ) P ( Sign ) h = − 3, Par ( l ) = even ❀ Sign ( l ) = I don’t know h = 1, Par ( l ) = even ❀ Sign ( l ) = I don’t know SAS’08 – Valencia – p.24/44

E XAMPLES E XAMPLE III : l := l ∗ h 2 . P = ( id ) P ( Par ) h = 2, l = 1 ❀ Par ( l ) = even h = 3, l = 1 ❀ Par ( l ) = odd h = n , l = 1 ❀ Par ( l ) = Par ( n ) SAS’08 – Valencia – p.24/44

D ECLASSIFIED ANI VIA BLOCKING Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ � [ ] ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( φ ( h 1 ) , η ( l 1 )) L )= ρ ( � P � ( φ ( h 2 ) , η ( l 2 )) L ) SAS’08 – Valencia – p.25/44

D ECLASSIFIED ANI VIA BLOCKING Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ � [ ] ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( φ ( h 1 ) , η ( l 1 )) L )= ρ ( � P � ( φ ( h 2 ) , η ( l 2 )) L ) SAS’08 – Valencia – p.25/44

D ECLASSIFIED ANI VIA BLOCKING Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ � [ ] ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( φ ( h 1 ) , η ( l 1 )) L )= ρ ( � P � ( φ ( h 2 ) , η ( l 2 )) L ) SAS’08 – Valencia – p.25/44

D ECLASSIFIED ANI VIA BLOCKING Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ � [ ] ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( φ ( h 1 ) , η ( l 1 )) L )= ρ ( � P � ( φ ( h 2 ) , η ( l 2 )) L ) SAS’08 – Valencia – p.25/44

D ECLASSIFIED ANI VIA BLOCKING Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ � [ ] ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( φ ( h 1 ) , η ( l 1 )) L )= ρ ( � P � ( φ ( h 2 ) , η ( l 2 )) L ) SAS’08 – Valencia – p.25/44

D ECLASSIFIED ANI VIA BLOCKING Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ � [ ] ρ ) : η ( l 1 )= η ( l 2 ) ⇒ ρ ( � P � ( φ ( h 1 ) , η ( l 1 )) L )= ρ ( � P � ( φ ( h 2 ) , η ( l 2 )) L ) SAS’08 – Valencia – p.25/44

E XAMPLE E XAMPLE : l := l ∗ h 2 . P = ( id ) P ( Par ) h = 2, l = 1 ❀ Par ( l ) = even h = 3, l = 1 ❀ Par ( l ) = odd h = n , l = 1 ❀ Par ( l ) = Par ( n ) ⇓ ( id ) P ( Sign � [ ] Par ) Sign ( h ) = + , l = 1 ❀ Par ( l ) = I don’t know Sign ( h ) = − , l = 1 ❀ Par ( l ) = I don’t know SAS’08 – Valencia – p.26/44

D ECLASSIFIED ANI ( VIA ALLOWING ) Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ ⇒ ρ ) : η ( l 1 )= η ( l 2 ) and φ ( h 1 )= φ ( h 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.27/44

D ECLASSIFIED ANI ( VIA ALLOWING ) Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ ⇒ ρ ) : η ( l 1 )= η ( l 2 ) and φ ( h 1 )= φ ( h 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.27/44

D ECLASSIFIED ANI ( VIA ALLOWING ) Public Input Private Input η φ � P � [Giacobazzi & Mastroeni ’04] Public Output ρ ρ, η ∈ uco ( ℘ ( V L )) , φ ∈ uco ( ℘ ( V H )) : ( η ) P ( φ ⇒ ρ ) : η ( l 1 )= η ( l 2 ) and φ ( h 1 )= φ ( h 2 ) ⇒ ρ ( � P � ( h 1 , η ( l 1 )) L )= ρ ( � P � ( h 2 , η ( l 2 )) L ) SAS’08 – Valencia – p.27/44

O BSERVER VS O BSERVABLE M ODELLING A TTACKERS AS D OMAIN T RANSFORMERS ] ρ ) : In order to preserve non-interference... = ( η ) P ( φ � [ Consider | SAS’08 – Valencia – p.28/44

O BSERVER VS O BSERVABLE M ODELLING A TTACKERS AS D OMAIN T RANSFORMERS ] ρ ) : In order to preserve non-interference... = ( η ) P ( φ � [ Consider | More abstract More abstract A ND ρ φ More concrete More concrete uco ( ℘ ( V L )) uco ( ℘ ( V H )) SAS’08 – Valencia – p.28/44

O BSERVER VS O BSERVABLE M ODELLING A TTACKERS AS D OMAIN T RANSFORMERS ] ρ ) : In order to preserve non-interference... = ( η ) P ( φ � [ Consider | More abstract More abstract A ND ρ φ More concrete More concrete uco ( ℘ ( V L )) uco ( ℘ ( V H )) SAS’08 – Valencia – p.28/44

ANI AS COMPLETENESS Let ρ ∈ uco ( ℘ ( V L )) ⇒ H ρ ( X ) def = �⊤ H , ρ ( X L ) � ∈ uco ( ℘ ( V )) ! Narrow abstract non-interference: H ρ ◦ � P � ◦ H η = H ρ ◦ � P � ; ! Abstract non-interference: H ρ ◦ � P � η,φ ◦ H η = H ρ ◦ � P � η,φ SAS’08 – Valencia – p.29/44

ANI AS COMPLETENESS Let ρ ∈ uco ( ℘ ( V L )) ⇒ H ρ ( X ) def = �⊤ H , ρ ( X L ) � ∈ uco ( ℘ ( V )) ! Narrow abstract non-interference: H ρ ◦ � P � ◦ H η = H ρ ◦ � P � ; ! Abstract non-interference: H ρ ◦ � P � η,φ ◦ H η = H ρ ◦ � P � η,φ ⇓ ! P UBLIC OBSERVER AS COMPLETENESS CORE : ] C H η ( η ) P ( φ � [ � P � η,φ ( H )) SAS’08 – Valencia – p.29/44

ANI AS COMPLETENESS Let ρ ∈ uco ( ℘ ( V L )) ⇒ H ρ ( X ) def = �⊤ H , ρ ( X L ) � ∈ uco ( ℘ ( V )) ! Narrow abstract non-interference: H ρ ◦ � P � ◦ H η = H ρ ◦ � P � ; ! Abstract non-interference: H ρ ◦ � P � η,φ ◦ H η = H ρ ◦ � P � η,φ ⇓ ! P UBLIC OBSERVER AS FORWARD COMPLETENESS CORE : ] C H η ( η ) P ( φ � [ � P � η,φ ( H )) Strongest harmless attacker ! P RIVATE OBSERVABLE AS FORWARD COMPLETENESS SHELL : ( η ) P ( R H ρ � P � η, id ( H η ) ⇒ ρ ) Maximal information released SAS’08 – Valencia – p.29/44

ANI AS COMPLETENESS ! A DJOINING ATTACKERS AND DECLASSIFICATION BY COMPLETENESS Declassification id The most abstract observable Secure The most concrete observer id ⊤ SAS’08 – Valencia – p.29/44

D ECLASSIFICATION [Banerjee, Giacobazzi and Mastroeni ’07] ! By exploiting the strong relation between completeness and non-iterference we can obtain the following results: ! Model declassification as a forward completeness problem for the weakest precondition semantics; ! Derive counterexamples to a given declassification policy; ! Refine a given declassification policy (Shell); SAS’08 – Valencia – p.30/44

DNI: A COMPLETENESS PROBLEM Let H φ the abstract domain declassifying the property φ of the private input : H ◦ � P � ◦ H φ = H ◦ � P � ⇔ H φ ◦ Wlp P ◦ H = Wlp P ◦ H ⇓ To release φ means to distinguish between elements in φ ! SAS’08 – Valencia – p.31/44

DNI: A COMPLETENESS PROBLEM Let H φ the abstract domain declassifying the property φ of the private input : H ◦ � P � ◦ H φ = H ◦ � P � ⇔ H φ ◦ Wlp P ◦ H = Wlp P ◦ H H � φ ( X H ) , X L � �⊤ , x L � H φ � X H , X L � Wlp P � x H , x L � Input Output SAS’08 – Valencia – p.32/44

DNI: A COMPLETENESS PROBLEM Let H φ the abstract domain declassifying the property φ of the private input : H ◦ � P � ◦ H φ = H ◦ � P � ⇔ H φ ◦ Wlp P ◦ H = Wlp P ◦ H H � φ ( X H ) , X L � �⊤ , x L � H φ � X H , X L � Wlp P Counterexample � x H , x L � Input Output SAS’08 – Valencia – p.32/44

DNI: A COMPLETENESS PROBLEM Let H φ the abstract domain declassifying the property φ of the private input : H ◦ � P � ◦ H φ = H ◦ � P � ⇔ H φ ◦ Wlp P ◦ H = Wlp P ◦ H H � φ ( X H ) , X L � �⊤ , x L � H φ � X H , X L � Wlp P Counterexample � x H , x L � Leakeage Input Output SAS’08 – Valencia – p.32/44

DNI: A COMPLETENESS PROBLEM Let H φ the abstract domain declassifying the property φ of the private input : H ◦ � P � ◦ H φ = H ◦ � P � ⇔ H φ ◦ Wlp P ◦ H = Wlp P ◦ H Refinement H � φ ( X H ) , X L � �⊤ , x L � H φ � X H , X L � Wlp P � x H , x L � Input Output SAS’08 – Valencia – p.32/44

S HELL :T HE MAXIMAL RELEASED INFORMATION Consider ρ = Parity def = { ⊤ , Even , Odd , ∅ } , as the information observed by the attacker. h l := l ∗ h 2 ; P = SAS’08 – Valencia – p.33/44

S HELL :T HE MAXIMAL RELEASED INFORMATION Consider ρ = Parity def = { ⊤ , Even , Odd , ∅ } , as the information observed by the attacker. ( l ∈ Even ∨ ( l ∈ Odd , h ∈ Even )) ( l ∈ Odd ∧ h ∈ Odd ) l := l ∗ h 2 ; l := l ∗ h 2 ; O R ( l ∈ Even ) ( l ∈ Odd ) Let l = 3 , h = 2 ∈ Even : H Par � P � ( � 2, 3 � ) = �⊤ , Even � � = �⊤ , ⊤� = H Par � P � ( �⊤ , 3 � ) = H Par � P � ( H ( � 2, 3 � )) SAS’08 – Valencia – p.33/44

S HELL :T HE MAXIMAL RELEASED INFORMATION Consider ρ = Parity def = { ⊤ , Even , Odd , ∅ } , as the information observed by the attacker. ( l ∈ Even ∨ ( l ∈ Odd , h ∈ Even )) ( l ∈ Odd ∧ h ∈ Odd ) l := l ∗ h 2 ; l := l ∗ h 2 ; O R ( l ∈ Even ) ( l ∈ Odd ) Let l = 3 , h = 2 ∈ Even : H Par � P � ( � 2, 3 � ) = �⊤ , Even � � = �⊤ , ⊤� = H Par � P � ( �⊤ , 3 � ) = H Par � P � ( H ( � 2, 3 � )) W E RELEASE SOMETHING ABOUT THE PRIVATE INPUT ! SAS’08 – Valencia – p.33/44

S HELL :T HE MAXIMAL RELEASED INFORMATION Consider ρ = Parity def = { ⊤ , Even , Odd , ∅ } , as the information observed by the attacker. ( l ∈ Even ∨ ( l ∈ Odd , h ∈ Even )) ( l ∈ Odd ∧ h ∈ Odd ) l := l ∗ h 2 ; l := l ∗ h 2 ; O R ( l ∈ Even ) ( l ∈ Odd ) Let us compute the shell of the input domain H : H ′ def H Par = R � P � ( H ) = H ⊓ ( �⊤ , Even � ∪ � Even , Odd � , � Odd , Odd � , � Odd , Even � ) SAS’08 – Valencia – p.33/44

S HELL :T HE MAXIMAL RELEASED INFORMATION Consider ρ = Parity def = { ⊤ , Even , Odd , ∅ } , as the information observed by the attacker. ( l ∈ Even ∨ ( l ∈ Odd , h ∈ Even )) ( l ∈ Odd ∧ h ∈ Odd ) l := l ∗ h 2 ; l := l ∗ h 2 ; O R ( l ∈ Even ) ( l ∈ Odd ) Let us compute the shell of the input domain H : H ′ def H Par = R � P � ( H ) = H ⊓ ( �⊤ , Even � ∪ � Even , Odd � , � Odd , Odd � , � Odd , Even � ) Hence (NB: By reduced product in H ′ we have the elements � Even , l � ) Let l = 3 , h = 2 ∈ Even : H Par � P � ( � 2, 3 � ) = �⊤ , Even � = H Par � P � ( � Even , 3 � ) = H Par � P � ( H ′ ( � 2, 3 � )) SAS’08 – Valencia – p.33/44

C ORE :T HE MOST POWERFUL ATTACKER h while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw P = SAS’08 – Valencia – p.34/44

C ORE :T HE MOST POWERFUL ATTACKER (( l ∈ Even , h = 0 ) ∨ ( h � = 0 )) ( h = 0 ) while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw ; O R while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw ( l ∈ Even ) ( l ∈ Odd ) Let l = 5 , h = 3 : H � P � ( � 3, 5 � ) = �⊤ , 10 � � = �⊤ , ⊤� = H � P � ( �⊤ , 5 � ) = H � P � ( H ( � 3, 5 � )) SAS’08 – Valencia – p.34/44

C ORE :T HE MOST POWERFUL ATTACKER (( l ∈ Even , h = 0 ) ∨ ( h � = 0 )) ( h = 0 ) while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw ; O R while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw ( l ∈ Even ) ( l ∈ Odd ) Let l = 5 , h = 3 : H � P � ( � 3, 5 � ) = �⊤ , 10 � � = �⊤ , ⊤� = H � P � ( �⊤ , 5 � ) = H � P � ( H ( � 3, 5 � )) W E RELEASE SOMETHING ABOUT THE PRIVATE INPUT ! SAS’08 – Valencia – p.34/44

C ORE :T HE MOST POWERFUL ATTACKER (( l ∈ Even , h = 0 ) ∨ ( h � = 0 )) ( h = 0 ) while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw ; O R while ( h � = 0 ) do ( h := 0 ; l := 2 l ) endw ( l ∈ Even ) ( l ∈ Odd ) Let us compute the core of the output domain H : � � � “ � � ” H ′ def ˛ n { 2 } N ˛ = C H � P � ( H ) = �⊤ , L � ˛ ∀ l ∈ ⊤ . l ∈ L ⇔ 2 l ∈ L = ˛ n ∈ Odd ˛ ˛ SAS’08 – Valencia – p.34/44