Hyperproperties Michael Clarkson and Fred B. Schneider Cornell University Air Force Office of Scientific Research December 4, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAA A A A
Clarkson and Schneider: Hyperproperties2 Security Policies Today Confidentiality Integrity Availability Formalize and verify any security policy?
Clarkson and Schneider: Hyperproperties3 Program Correctness ca. 1970s Partial correctness (If program terminates, it produces correct output) Termination Total correctness (Program terminates and produces correct output) Mutual exclusion Deadlock freedom Starvation freedom ???
Clarkson and Schneider: Hyperproperties4 Safety and Liveness Properties Intuition [Lamport 1977]: Safety: “Nothing bad happens” Liveness: “Something good happens” Partial correctness Bad thing: program terminates with incorrect output Access control Bad thing: subject completes operation without required rights Termination Good thing: termination Guaranteed service Good thing: service rendered
Clarkson and Schneider: Hyperproperties5 Properties Trace: Sequence of execution states t = s 0 s 1 … Property: Set of infinite traces Trace t satisfies property P iff t 2 P Satisfaction depends on the trace alone System: Also a set of traces System S satisfies property P iff all traces of S satisfy P
Clarkson and Schneider: Hyperproperties6 Properties Property P System S = trace
Clarkson and Schneider: Hyperproperties7 Properties Property P System S S satisfies P = trace
Clarkson and Schneider: Hyperproperties8 Properties Property P System S S does not satisfy P = trace
Clarkson and Schneider: Hyperproperties9 Safety and Liveness Properties Formalized: Safety property [Lamport 1985] Bad thing = trace prefix Liveness property [Alpern and Schneider 1985] Good thing = trace suffix
Clarkson and Schneider: Hyperproperties10 Success! Alpern and Schneider (1985, 1987): Theorem. 8 P : P = Safe( P ) Å Live( P ) Theorem. Safety proved by invariance. Theorem. Liveness proved by well-foundedness. Theorem. Topological characterization: Safety = closed sets Liveness = dense sets Formalize and verify any property?
Clarkson and Schneider: Hyperproperties11 Back to Security Policies Formalize and verify any property? Formalize and verify any security policy? Security policy = Property ?
Clarkson and Schneider: Hyperproperties12 Information Flow is not a Property Secure information flow: secret inputs are not leaked to public outputs L := 0;L := H; Not safety! Noninterference [Goguen and Meseguer 1982]: Commands of high users have no effect on observations of low users Satisfaction depends on pairs of traces ) not a property Information flow occurs when traces are correlated Satisfaction does not depend on each trace alone
Clarkson and Schneider: Hyperproperties13 Service Level Agreements are not Properties Service level agreement: Acceptable performance of system Not liveness! Average response time: Average time, over all executions, to respond to request has given bound Satisfaction depends on all traces of system ) not a property Any security policy that stipulates relations among traces is not a property Need satisfaction to depend on sets of traces
Clarkson and Schneider: Hyperproperties14 Hyperproperties A hyperproperty is a set of properties A system S satisfies a hyperproperty H iff S 2 H …a hyperproperty specifies exactly the allowed sets of traces
Clarkson and Schneider: Hyperproperties15 Hyperproperties Hyperproperty H System S S does not satisfy H = trace
Clarkson and Schneider: Hyperproperties16 Hyperproperties Hyperproperty H System S S satisfies H = trace
Clarkson and Schneider: Hyperproperties17 Hyperproperties Security policies are hyperproperties! Information flow: Noninterference, relational noninterference, generalized noninterference, observational determinism, self-bisimilarity, probabilistic noninterference, quantitative leakage Service-level agreements: Average response time, time service factor, percentage uptime …
Clarkson and Schneider: Hyperproperties18 Hyperproperties Safety and liveness? Verification?
Clarkson and Schneider: Hyperproperties19 Safety Safety proscribes “bad things” A bad thing is finitely observable and irremediable S is a safety property [L85] iff b is a finite trace
Clarkson and Schneider: Hyperproperties20 Safety Safety proscribes “bad things” A bad thing is finitely observable and irremediable S is a safety property [L85] iff b is a finite trace
Clarkson and Schneider: Hyperproperties21 Safety Safety proscribes “bad things” A bad thing is finitely observable and irremediable S is a safety property [L85] iff S is a safety hyperproperty (“hypersafety”) iff B is a finite set of finite traces b is a finite trace
Clarkson and Schneider: Hyperproperties22 Prefix Ordering An observation is a finite set of finite traces Intuition: Observer sees a set of partial executions M · T (is a prefix of) iff: M is an observation, and If observer watched longer, M could become T
Clarkson and Schneider: Hyperproperties23 Safety Hyperproperties Noninterference [Goguen and Meseguer 1982] Bad thing is a pair of traces where removing high commands does change low observations Observational determinism [Roscoe 1995] Bad thing is a pair of traces that cause system to look nondeterministic to low observer
Clarkson and Schneider: Hyperproperties24 Liveness Liveness prescribes “good things” A good thing is always possible and possibly infinite L is a liveness property [AS85] iff t is a finite trace
Clarkson and Schneider: Hyperproperties25 Liveness Liveness prescribes “good things” A good thing is always possible and possibly infinite L is a liveness property [AS85] iff L is a liveness hyperproperty (“hyperliveness”) iff t is a finite trace T is a finite set of finite traces
Clarkson and Schneider: Hyperproperties26 Liveness Hyperproperties Average response time Good thing is that average time is low enough Possibilistic information flow Class of policies requiring “alternate possible explanations” to exist e.g., generalized noninterference [McCullough 1987] Long known that these are harder to verify Theorem. All PIF policies are hyperliveness.
Clarkson and Schneider: Hyperproperties27 Can lift property T to hyperproperty [ T ] Satisfaction is equivalent iff [ T ] = P ( T ) Theorem. S is safety ) [ S ] is hypersafety. Theorem. L is liveness ) [ L ] is hyperliveness. … Verification techniques for safety and liveness now carry forward to hyperproperties Relating Properties and Hyperproperties
Clarkson and Schneider: Hyperproperties28 Safety and Liveness is a Basis (still) Theorem. ( 8 H : H = Safe( H ) Å Live( H )) A fundamental basis…
Clarkson and Schneider: Hyperproperties29 Topology Topology: Branch of mathematics that studies the structure of spaces Open set: Can always “wiggle” from point and stay in set Closed set: “Wiggle” might move outside set Dense set: Can always “wiggle” to get into set open closed dense
Clarkson and Schneider: Hyperproperties30 Topology of Hyperproperties For Plotkin topology on properties [AS85]: Safety = closed sets Liveness = dense sets Theorem. Hypersafety = closed sets. Theorem. Hyperliveness = dense sets. Theorem. Our topology on hyperproperties is equivalent to the lower Vietoris construction applied to the Plotkin topology.
Clarkson and Schneider: Hyperproperties31 Stepping Back… Safety and liveness? Verification?
Clarkson and Schneider: Hyperproperties32 Verification of 2-Safety 2-safety [Terauchi and Aiken 2005]: “Property that can be refuted by observing two finite traces” Methodology: Transform system with self-composition construction [Barthe, D’Argenio, and Rezk 2004] Verify safety property of transformed system Implies 2-safety property of original system …Reduction from hyperproperty to property
Clarkson and Schneider: Hyperproperties33 A k-safety hyperproperty is a safety hyperproperty in which the bad thing never has more than k traces Examples: 1-hypersafety: the lifted safety properties 2-hypersafety: Terauchi and Aiken’s 2-safety properties k-hypersafety: SEC ( k ) = “System can’t, across all runs, output all shares of a k -secret sharing” Not k-hypersafety for any k: SEC = k SEC ( k ) k-Safety Hyperproperties
Clarkson and Schneider: Hyperproperties34 Verifying k-Hypersafety Theorem. Any k-safety hyperproperty of S is equivalent to a safety property of S k. Yields methodology for k -hypersafety Incomplete for hypersafety Hyperliveness? In general?
Clarkson and Schneider: Hyperproperties35 Logic and Verification Polices are predicates…in what logic? Second-order logic suffices, first-order logic does not. Verify second-order logic? Can’t! (effectively and completely) Can for fragments …might suffice for security policies
Clarkson and Schneider: Hyperproperties36 Refinement Revisited Stepwise refinement: Development methodology for properties Start with specification and high-level (abstract) program Repeatedly refine program to lower-level (concrete) program Techniques for refinement well-developed Long-known those techniques don’t work for security policies—i.e., hyperproperties Develop new techniques? Reuse known techniques?
Clarkson and Schneider: Hyperproperties37 Refinement Revisited Theorem. Known techniques work with all hyperproperties that are subset-closed. Theorem. All safety hyperproperties are subset- closed. Stepwise refinement applicable with hypersafety Hyperliveness? In general?
Clarkson and Schneider: Hyperproperties38 Beyond Hyperproperties? Add another level of sets? Theorem. Set of hyperproperties ´ hyperproperty. Logical interpretation: Policies are predicates on systems Hyperproperties are the extensions of those predicates Hyperproperties are expressively complete (for systems and trace semantics)
Clarkson and Schneider: Hyperproperties39 Probabilistic Hyperproperties To incorporate probability: Assume probability on state transitions Construct probability measure on traces [Halpern 2003] Use measure to express hyperproperties We’ve expressed: Probabilistic noninterference [Gray and Syverson 1998] Quantitative leakage Channel capacity
Clarkson and Schneider: Hyperproperties40 Summary We developed a theory of hyperproperties Parallels theory of properties Safety, liveness (basis, topological characterization) Verification (for k -hypersafety) Stepwise refinement (hypersafety) Expressive completeness Enables classification of security policies…
Clarkson and Schneider: Hyperproperties41 Charting the landscape…
Clarkson and Schneider: Hyperproperties42 All hyperproperties ( HP ) HP
Clarkson and Schneider: Hyperproperties43 HP SHPLHP Safety hyperproperties ( SHP ) Liveness hyperproperties ( LHP )
Clarkson and Schneider: Hyperproperties44 HP SHPLHP [SP][LP] Lifted safety properties [SP] Lifted liveness properties [LP]
Clarkson and Schneider: Hyperproperties45 HP SHPLHP [SP][LP] ACGS Access control ( AC ) is safety Guaranteed service ( GS ) is liveness
Clarkson and Schneider: Hyperproperties46 HP SHPLHP [SP][LP] ACGS GMNI Goguen and Meseguer’s noninterference ( GMNI ) is hypersafety
Clarkson and Schneider: Hyperproperties47 HP SHPLHP [LP] GS 2-safety hyperproperties ( 2SHP ) [SP] AC 2SHP GMNI
Clarkson and Schneider: Hyperproperties48 HP SHPLHP [SP][LP] ACGS GMNI SEC Secret sharing ( SEC ) is not k -hypersafety for any k 2SHP
Clarkson and Schneider: Hyperproperties49 HP SHPLHP [SP][LP] ACGS GMNI OD PNI GNI Observational determinism ( OD ) is 2-hypersafety Generalized noninterference ( GNI ) is hyperliveness Probabilistic noninterference ( PNI ) is neither 2SHP SEC
Clarkson and Schneider: Hyperproperties50 HP SHPLHP [SP][LP] ACGS GMNI OD PNI GNI PIF 2SHP Possibilistic information flow ( PIF ) is hyperliveness SEC
Clarkson and Schneider: Hyperproperties51 Revisiting the CIA Landscape Confidentiality Information flow is not a property Is a hyperproperty (HS: OD ; HL: GNI ) Integrity Safety property? Dual to confidentiality, thus hyperproperty? Availability Sometimes a property (max. response time) Sometimes a hyperproperty (HS: % uptime, HL: avg. resp. time) CIA seems orthogonal to hyperproperties
Hyperproperties Michael Clarkson and Fred B. Schneider Cornell University Air Force Office of Scientific Research December 4, 2008 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A AAA A A A
Clarkson and Schneider: Hyperproperties53 Extra Slides
Clarkson and Schneider: Hyperproperties54 Future Work Verification methodology Hyperliveness? Axiomatizable fragments of second order logic? CIA: express with hyperproperties? Hyperproperties in other semantic domains
Clarkson and Schneider: Hyperproperties55 Information-flow Hyperproperties Noninterference: The set of all properties T where for each trace t 2 T, there exists another trace u 2 T, such that u contains no high commands, but yields the same low observation as t. Generalized noninterference: The set of all properties T where for any traces t and u 2 T, there exists a trace v 2 T, such that v is an interleaving of the high inputs from t and the low events from u. Observational determinism: The set of all properties T where for all traces t and u 2 T, and for all j 2 N, if t and u have the same first j - 1 low events, then they have equivalent j th low events. Self-bisimilarity: The set of all properties T where T represents a labeled transition system S, and for all low-equivalent initial memories m 1 and m 2, the execution of S starting from m 1 is bisimilar to the execution of S starting from m 2.
Clarkson and Schneider: Hyperproperties56 Topological Definitions Open sets: closed under finite intersections and infinite unions Closed sets: complements of open sets = closed under infinite intersection and finite union = contains all its limit points = is its own closure Dense sets: closure is the universe
Clarkson and Schneider: Hyperproperties57 Powerdomains We use the lower (Hoare) powerdomain Our · is the Hoare order Lower Vietoris = lower powerdomain [Smyth 1983] Other powerdomains? Change the notion of “observable” Upper: observations can disappear; impossibility of nondeterministic choices becomes observable Convex: similar problem But might be useful on other semantic domains