7.2 Verification of Bounded Subset-Closed Hyperproperties
7.2.3 Example: Verifying Abstract Non-Interference
In this subsection we show how the verification of Abstract Non-Interference can be made simpler by applying the results of the previous subsections. Non-Interference requires that any change of private data should not be revealed through the observation of the public one, but any real system is intended to leak some kind of information. Hence, a weakening of Non-Interference is necessary.
M. Pasqua 7.2. Verification of Bounded Subset-Closed Hyperproperties
Among all formal methods for weakening Non-Interference, we adopt the one proposed in [Giacobazzi and Mastroeni, 2004], which is based on abstract interpretation. Abstract Non-Interference considers dependencies between properties of values. In particular, it allows some (property of) the confidential information to flow and it considers weaker attackers, i.e. attackers with a restricted observation power of public data. This naturally deals with declassification: sometimes it is necessary to release some confidential information in order to make a system useful (selective dependencies of [Cohen, 1977]). Hence, Abstract Non-Interference makes Non-Interference parametric on two properties, each one modeling a different aspect of the information flow: what the attacker can observe and what information is allowed/not allowed to flow. In general, we can suppose that the attacker may not have the same constraints in observing inputs and outputs but, in the following, we assume that the attacker's observation precision is the same, both in input and in output. The attacker is characterized as a property $\rho$ representing what can be observed about the public input/output of programs. An abstraction is a property of data, hence an attacker can distinguish data up to particular properties (for instance, an attacker could be able to distinguish the parity of variables but not their sign). As far as declassification is concerned, we suppose to specify what private information is allowed to flow. Let $\phi$ be the property of the private input that may flow to the output without violating the information flow policy: we check (abstract) non-interference only for those private inputs agreeing on the property $\phi$. This models the information that may flow, since it is not interesting to check whether its variation is visible through the output.
Formally, variables take values in $\mathbb{Z}$, hence data properties are modeled as upper closure operators on the complete lattice $\langle \wp(\mathbb{Z}), \subseteq, \cup, \cap, \varnothing, \mathbb{Z} \rangle$ [Giacobazzi and Mastroeni, 2018]. We denote with $\mathrm{uco}(\wp(\mathbb{Z}))$ the set of all upper closure operators on $\langle \wp(\mathbb{Z}), \subseteq, \cup, \cap, \varnothing, \mathbb{Z} \rangle$ and we use, from now on, Greek lowercase letters to denote its elements. Let $\iota \triangleq \lambda X.\, X$ and $\tau \triangleq \lambda X.\, \mathbb{Z}$ be the bottom closure (representing the most concrete property) and the top closure (representing the most abstract property) on $\wp(\mathbb{Z})$, respectively. Now we introduce a notation allowing us to compactly compare memories, w.r.t. an abstraction $\rho$ on $\mathsf{L}$ variables and an abstraction $\phi$ on $\mathsf{H}$ variables. Given a typing environment $\Gamma \in \mathrm{Var} \to \{\mathsf{L}, \mathsf{H}\}$ and two upper closure operators $\rho, \phi \in \mathrm{uco}(\wp(\mathbb{Z}))$, we define³ $\nu^{\rho \times \phi} \in \mathrm{Mem} \to (\mathrm{Var} \to \wp(\mathbb{Z}))$ as:
$$
\nu^{\rho \times \phi}(m) \triangleq \lambda x.\,
\begin{cases}
\rho(\{m(x)\}) & \text{if } \Gamma(x) = \mathsf{L} \\
\phi(\{m(x)\}) & \text{if } \Gamma(x) = \mathsf{H}
\end{cases}
$$
Hence $\nu^{\rho \times \phi}(m) = \nu^{\rho \times \phi}(m')$ denotes the fact that memories $m, m'$ agree on public variables, up to the abstraction $\rho$ (denoting that the attacker is observing the same public input property), and agree on private variables, up to the abstraction $\phi$ (denoting that the variations indistinguishable by $\phi$ may be revealed).
Using this notation, we can elegantly generalize the definition of Non-Interference w.r.t. a property $\phi \in \mathrm{uco}(\wp(\mathbb{Z}))$ of input private variables which may flow and an observable property $\rho \in \mathrm{uco}(\wp(\mathbb{Z}))$ of input/output public variables. A program is (abstract) non-interferent if and only if whenever it starts its computation from memories $m_1, m_2$ such that $\nu^{\rho \times \phi}(m_1) = \nu^{\rho \times \phi}(m_2)$, then it ends its computation in memories $m'_1, m'_2$ such that $\nu^{\rho \times \tau}(m'_1) = \nu^{\rho \times \tau}(m'_2)$. This hyperproperty is defined as (for a denotation $\bar\sigma = \langle m, m' \rangle \in \mathrm{Den}$, $\bar\sigma^{\ell}$ and $\bar\sigma^{a}$ denote its initial and its final memory, respectively):
$$
\mathrm{ANI}^{\rho}_{\phi} \triangleq \{ X \in \wp(\mathrm{Den}) \mid \forall \bar\sigma, \bar\sigma' \in X .\ \nu^{\rho \times \phi}(\bar\sigma^{\ell}) = \nu^{\rho \times \phi}(\bar\sigma'^{\ell}) \Rightarrow \nu^{\rho \times \tau}(\bar\sigma^{a}) = \nu^{\rho \times \tau}(\bar\sigma'^{a}) \}
$$
Proposition 11. For any $\rho, \phi \in \mathrm{uco}(\wp(\mathbb{Z}))$, we have that $\mathrm{ANI}^{\rho}_{\phi}$ is a partitionable first order not-relational 2-bounded subset-closed hyperproperty.
³ We consider the two-level security lattice of classic Non-Interference, but it is straightforward to generalize the definition to arbitrary multi-level lattices.
Proof. The partitioning functions, indexed by $\Delta \triangleq \{=, \neq\}$, for $\mathrm{ANI}^{\rho}_{\phi}$, $\mathrm{ANI}$ in short, are:
$$
\begin{aligned}
f_{=} &\triangleq \lambda X.\, \{ \{\langle m_1, m'_1 \rangle, \langle m_2, m'_2 \rangle\} \in X \mid \nu^{\rho \times \phi}(m_1) = \nu^{\rho \times \phi}(m_2) \} \\
f_{\neq} &\triangleq \lambda X.\, \{ \{\langle m_1, m'_1 \rangle, \langle m_2, m'_2 \rangle\} \in X \mid \nu^{\rho \times \phi}(m_1) \neq \nu^{\rho \times \phi}(m_2) \}
\end{aligned}
$$
Clearly, $\{f_{=}(\mathrm{ANI}), f_{\neq}(\mathrm{ANI})\}$ is a partition of $\mathrm{ANI}|_2$. Furthermore, we have that $\alpha^{\mathrm{st}}(\mathrm{ANI}|_2)$ is:
$$
\begin{aligned}
& \{ \langle \{m_1, m_2 \mid \nu^{\rho \times \phi}(m_1) = \nu^{\rho \times \phi}(m_2)\},\ \{m'_1, m'_2 \mid \nu^{\rho \times \tau}(m'_1) = \nu^{\rho \times \tau}(m'_2)\} \rangle \mid \langle m_1, m'_1 \rangle, \langle m_2, m'_2 \rangle \in \mathrm{Den} \} \\
\cup\ & \{ \langle \{m_1, m_2 \mid \nu^{\rho \times \phi}(m_1) \neq \nu^{\rho \times \phi}(m_2)\},\ \{m'_1, m'_2\} \rangle \mid \langle m_1, m'_1 \rangle, \langle m_2, m'_2 \rangle \in \mathrm{Den} \}
\end{aligned}
$$
It is clear that a system $S$ satisfies $\mathrm{ANI}$ if and only if $\alpha^{\mathrm{st}}(S|_2) \subseteq \alpha^{\mathrm{st}}(\mathrm{ANI}|_2)$. In fact, this latter inclusion means that for every pair of executions of $S$, either the executions start in memories equivalent modulo $\langle \phi, \rho \rangle$ and end in memories equivalent modulo $\langle \phi, \rho \rangle$, or the executions start in memories that are not equivalent (which is the definition of $\mathrm{ANI}$).
Due to Propositions 11 and 10, there exist two second order not-relational hyperproperties $\mathrm{ANI}|_2^{=}$ and $\mathrm{ANI}|_2^{\neq}$ such that $S \in \mathrm{ANI}$ if and only if $\alpha^{\mathrm{nd}}(f_{=}(S|_2)) \subseteq^2 \alpha^{\mathrm{nd}}(f_{=}(\mathrm{ANI}|_2^{=}))$ and $\alpha^{\mathrm{nd}}(f_{\neq}(S|_2)) \subseteq^2 \alpha^{\mathrm{nd}}(f_{\neq}(\mathrm{ANI}|_2^{\neq}))$. These two hyperproperties are:
$$
\begin{aligned}
\mathrm{ANI}|_2^{=} &\triangleq \{ X \subseteq \mathrm{Mem} \times \mathrm{Mem} \mid X = \{\langle m_1, m'_1 \rangle, \langle m_2, m'_2 \rangle\} \wedge \nu^{\rho \times \phi}(m_1) = \nu^{\rho \times \phi}(m_2) \wedge \nu^{\rho \times \tau}(m'_1) = \nu^{\rho \times \tau}(m'_2) \} \\
\mathrm{ANI}|_2^{\neq} &\triangleq \{ X \subseteq \mathrm{Mem} \times \mathrm{Mem} \mid X = \{\langle m_1, m'_1 \rangle, \langle m_2, m'_2 \rangle\} \wedge \nu^{\rho \times \phi}(m_1) \neq \nu^{\rho \times \phi}(m_2) \}
\end{aligned}
$$
The verification is then reduced to the check $\alpha^{\mathrm{nd}}(f_{=}(S|_2)) \subseteq^2 \alpha^{\mathrm{nd}}(f_{=}(\mathrm{ANI}|_2^{=}))$ since, as expected, $\alpha^{\mathrm{nd}}(f_{\neq}(S|_2)) \subseteq^2 \alpha^{\mathrm{nd}}(f_{\neq}(\mathrm{ANI}|_2^{\neq}))$ is, by definition, always true.
Now we can show how to exploit this fact in order to verify $\mathrm{ANI}^{\rho}_{\phi}$. Given the base semantics $S \in \wp(\mathrm{Den})$ of a program, over the domain of execution denotations $\mathrm{Den} \triangleq \mathrm{Mem} \times \mathrm{Mem}$, its collecting semantics, i.e. its strongest hyperproperty, on $\mathrm{Den}$ is $\{S\}$. We have that the program satisfies $\mathrm{ANI}$ if and only if $S \in \mathrm{ANI}$ or, equivalently, if and only if $\{S\} \subseteq \mathrm{ANI}$. This boils down to checking whether $\alpha^{\mathrm{nd}}(f_{=}(S|_2)) \subseteq^2 \alpha^{\mathrm{nd}}(f_{=}(\mathrm{ANI}|_2^{=}))$ holds or not. Assume that $\alpha^{\mathrm{nd}}(f_{=}(S|_2))$ is the pair $\langle X, Y \rangle$ and $\alpha^{\mathrm{nd}}(f_{=}(\mathrm{ANI}|_2^{=}))$ is the pair $\langle X', Y' \rangle$; then we have, by definition, $X \subseteq X'$. This means that the verification process for Abstract Non-Interference is reduced to the check $Y \subseteq Y'$, namely to checking whether $Y$ contains only sets of memories which agree on $\mathsf{L}$ variables, modulo the abstraction $\rho$. So, basically, we can verify Abstract Non-Interference by just checking whether $\alpha^{\mathrm{nd}}(f_{=}(S|_2))^{a}$ satisfies a hyperproperty on the set of execution denotations $\mathrm{Mem}$, as stated by the following proposition.
Proposition 12. A program, with base semantics $S$, satisfies $\mathrm{ANI}^{\rho}_{\phi} \in \wp(\wp(\mathrm{Mem} \times \mathrm{Mem}))$ if and only if $\alpha^{\mathrm{nd}}(f_{=}(S|_2))^{a} \subseteq \mathrm{equiv}^{\rho}_{\mathsf{L}}$, where $\mathrm{equiv}^{\rho}_{\mathsf{L}} \in \wp(\wp(\mathrm{Mem}))$ is:
$$
\mathrm{equiv}^{\rho}_{\mathsf{L}} \triangleq \{ X \subseteq \mathrm{Mem} \mid \forall m, m' \in X .\ \nu^{\rho \times \tau}(m) = \nu^{\rho \times \tau}(m') \}
$$
This simplifies the verification process for Abstract Non-Interference: we can build a verification method computing on $\wp(\wp(\mathrm{Mem}))$ instead of $\wp(\wp(\mathrm{Mem} \times \mathrm{Mem}))$.
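The reduction of Proposition 12 carried out on a finite base semantics, as an added Python example that is not part of the thesis: memories are finite maps, closure operators are only ever applied to singletons $\{m(x)\}$ and are therefore represented by the canonical name they assign to one integer, and the program and its input space are constructed for illustration.

```python
from itertools import combinations, product

# Security typing environment Gamma: which variables are public (L) and private (H).
GAMMA = {"l": "L", "h": "H"}

# Closure operators are applied only to singletons {m(x)} here, so each one is
# represented by the canonical name it gives to a single integer.
IDENT = lambda v: v        # iota: the most concrete property (exact value)
PARITY = lambda v: v % 2   # the parity property
TOP = lambda v: "Z"        # tau: the most abstract property (every value collapses to Z)

def mem(**binding):
    """A memory as a hashable, sorted tuple of (variable, value) pairs."""
    return tuple(sorted(binding.items()))

def nu(m, rho, phi, gamma=GAMMA):
    """nu^{rho x phi}(m): abstract L variables with rho and H variables with phi."""
    return tuple((x, rho(v) if gamma[x] == "L" else phi(v)) for x, v in m)

def base_semantics(program, inputs):
    """S in P(Den): the set of <initial, final> memory pairs of `program` over `inputs`."""
    return {(m, program(m)) for m in inputs}

def alpha_nd_eq(S, rho, phi, gamma=GAMMA):
    """alpha^nd(f_=(S|_2)) as the pair <X, Y>: X collects the 2-element sets of initial
    memories that agree up to nu^{rho x phi}, Y the corresponding sets of final memories."""
    X, Y = set(), set()
    for (m1, m1f), (m2, m2f) in combinations(S, 2):
        if nu(m1, rho, phi, gamma) == nu(m2, rho, phi, gamma):
            X.add(frozenset((m1, m2)))
            Y.add(frozenset((m1f, m2f)))
    return X, Y

def in_equiv_l(Y, rho, gamma=GAMMA):
    """Y subset of equiv^rho_L: every set of final memories agrees on L variables modulo
    rho; H variables are abstracted away by tau, so they never matter."""
    return all(len({nu(m, rho, TOP, gamma) for m in X}) <= 1 for X in Y)

def satisfies_ani(S, rho, phi, gamma=GAMMA):
    """Proposition 12: S satisfies ANI^rho_phi iff alpha^nd(f_=(S|_2))^a is in equiv^rho_L."""
    _, Y = alpha_nd_eq(S, rho, phi, gamma)
    return in_equiv_l(Y, rho, gamma)

def leak_parity(m):
    """Constructed example program  l := l + (h mod 2): it reveals exactly the parity of h."""
    d = dict(m)
    d["l"] = d["l"] + d["h"] % 2
    return mem(**d)

# Constructed finite input space: public l in {0,1,2}, private h in {0,1,2,3}.
INPUTS = [mem(l=l, h=h) for l, h in product(range(3), range(4))]
S_LEAK = base_semantics(leak_parity, INPUTS)
```

With $\phi$ = parity the leak is declassified and the check succeeds; with $\phi = \tau$ (nothing may flow) it fails for both an exact-value and a parity-observing attacker, while $\rho = \tau$ (an attacker who observes nothing) trivially succeeds.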