
7.3 Hypersemantics for Subset-Closed Hyperproperties

7.3.1 On Bounded Hyperproperties

We have already seen that for a $k$-bounded subset-closed hyperproperty $\mathsf{cHp}$ the verification concerns the subsets of the base semantics with cardinality $k$. Suppose that the base semantics is $\tau$, namely the post-conditions semantics. This means that $P \models \mathsf{cHp}$ if and only if $\{X \subseteq \tau \mid |X| = k\} \subseteq \mathsf{cHp}$. But this boils down to checking $\llbracket P \rrbracket X \in \mathsf{cHp}$, for every $X \subseteq I$ such that $|X| = k$. Now consider the set $I|_k \triangleq \{X \subseteq I \mid |X| = k\}$. The following theorem tells us how we can use the post-conditions hypersemantics for verifying bounded hyperproperties.

Theorem 22. Given $\mathsf{cHp} \in \mathsf{SSCH}_k$, we have that $P \models \mathsf{cHp}$ if and only if $\llparenthesis P \rrparenthesis I|_k \subseteq \mathsf{cHp}$.

Proof. By correctness (Theorem 20) and completeness (Theorem 21), for subset-closed hyperproperties, of the post-conditions hypersemantics, we have that $\{\llbracket P \rrbracket X \mid X \in I|_k\} \subseteq \llparenthesis P \rrparenthesis I|_k$. Then, recalling that we are in a deterministic setting, we have that $\{\llbracket P \rrbracket X \mid X \in I|_k\} = \{X \subseteq \llbracket P \rrbracket I \mid |X| = k\}$. Due to Proposition 9 the theorem follows.

In the next chapter we will see how to apply Theorem 22 in order to verify information flow specifications, which are formalized as 2-bounded hyperproperties.


8 Application: Verification of Information Flows

Until now we have seen how to define hypersemantics and hyperdomains. In this chapter we give an example of application of the theoretical results presented. We consider information flows, hence the goal of this chapter is to define a verification mechanism for (Abstract) Non-Interference. In particular we define an abstract semantics approximating the hypersemantics presented at the end of Chapter 7.

The original formulation of Non-Interference [Cohen, 1977] considers only two security levels: private (H), i.e. information that has to be kept secret, and public (L), i.e. information that can be freely released. A program is said to be non-interferent if there are no information flows from private (input) variables to public (output) variables, and interferent otherwise. In the following, we define the classic notion of Non-Interference for programs in Imp. A program $P = {}^{\mathit{ii}}c^{\mathit{ff}}$ is non-interferent if and only if for every pair of memories $m_1, m_2$, such that $m_1 =_L m_2$, $\langle\langle \mathit{ii}, m_1 \rangle, P\rangle \rightarrow^{*} \langle \mathit{ff}, m'_1 \rangle$ and $\langle\langle \mathit{ii}, m_2 \rangle, P\rangle \rightarrow^{*} \langle \mathit{ff}, m'_2 \rangle$, we have $m'_1 =_L m'_2$. As usual, the relation $=_L$ says that two memories are equal modulo public variables, namely $m =_L m'$ if and only if $\forall x \,.\, \Gamma(x) = L \Rightarrow m(x) = m'(x)$. This specification checks the input/output relation between executions, so we represent program computations with just the initial and the final states. Furthermore, it is termination insensitive, hence we ignore divergent computations. The denotations domain is $\mathsf{Den} \triangleq \Sigma^{+} = \Sigma \times \Sigma$, where we recall that $\Sigma = \mathsf{Lab} \times \mathsf{Mem}$.

Remark. We could have defined Non-Interference on the more concrete denotations domain $\vec{\Sigma}^{\infty}$ and retrieved the definition of the specification on $\Sigma^{+}$ by abstraction, but this is only a conceptual step, since $\Sigma^{+}$ is the most abstract domain sufficiently precise to express Non-Interference.

Non-Interference is a hyperproperty, hence we need to define it on $\wp(\wp(\Sigma \times \Sigma))$.

Definition 32 (Non-Interference for Imp). The classic notion of Non-Interference, NI in short, for programs in Imp is defined as:

$$\mathsf{NI} \triangleq \bigcup_{\mathit{ii},\mathit{ff} \in \mathsf{Lab}} \left\{ X \subseteq \Sigma \times \Sigma \;\middle|\; \forall \langle\langle \mathit{ii}, m_1\rangle, \langle \mathit{ff}, m'_1\rangle\rangle, \langle\langle \mathit{ii}, m_2\rangle, \langle \mathit{ff}, m'_2\rangle\rangle \in X \,.\, m_1 =_L m_2 \Rightarrow m'_1 =_L m'_2 \right\}$$

Basically, the definition says that a program is non-interferent when its execution starting from two arbitrary L-equivalent memories yields two L-equivalent memories. The definition is implicitly parametric on a typing environment $\Gamma$, which is supposed to be defined for every variable.

M. Pasqua

Weakening Non-Interference. The limitation of the above notion is that it is extremely restrictive. Indeed, Non-Interference requires that no change of private data be revealed through the observation of the public one, but any real system is intended to leak some kind of information (one classic example is a password-check form). Hence, a weakening of Non-Interference is necessary.

As already highlighted, we adopt Abstract Non-Interference [Giacobazzi and Mastroeni, 2004] as a formal method to weaken Non-Interference. Abstract Non-Interference makes Non-Interference parametric on two properties, each one modeling a different aspect of the information flow: what the attacker can observe and what information is allowed/not allowed to flow. In general, we can suppose that the attacker may not have the same constraints in observing inputs and outputs but, in the following, we assume that the attacker's observation precision is the same, both in input and in output.

The attacker is characterized as a property $\rho$ representing what can be observed about the public input/output of programs. An abstraction is a property of data, hence an attacker can distinguish data up to particular properties (for instance, an attacker could be able to distinguish the parity of variables but not their sign). As far as declassification is concerned, we assume that we specify what private information is allowed to flow. Let $\phi$ be the input property that may flow to the output without violating the information flow policy: we check (abstract) non-interference only for those private inputs agreeing on the property $\phi$. This models the information that may flow, since it is not interesting to check whether its variation is visible through the output.

Using the notation introduced in Subsection 7.2.2, we can elegantly generalize the definition of Non-Interference w.r.t. a property $\phi \in \mathsf{uco}(\wp(\mathbb{Z}))$ of input private variables which may flow and an observable property $\rho \in \mathsf{uco}(\wp(\mathbb{Z}))$ of input/output public variables. A program $P = {}^{\mathit{ii}}c^{\mathit{ff}}$ is abstract non-interferent if and only if for every pair of memories $m_1, m_2$, such that $\nu_{\rho \times \phi}(m_1) = \nu_{\rho \times \phi}(m_2)$, $\langle\langle \mathit{ii}, m_1 \rangle, P\rangle \rightarrow^{*} \langle \mathit{ff}, m'_1 \rangle$ and $\langle\langle \mathit{ii}, m_2 \rangle, P\rangle \rightarrow^{*} \langle \mathit{ff}, m'_2 \rangle$, we have $\nu_{\rho \times \tau}(m'_1) = \nu_{\rho \times \tau}(m'_2)$.

Again, the denotations domain is $\mathsf{Den} \triangleq \Sigma^{+}$, hence Abstract Non-Interference is the following hyperproperty on $\wp(\wp(\Sigma \times \Sigma))$.

Definition 33 (Abstract Non-Interference). Let $\phi \in \mathsf{uco}(\wp(\mathbb{Z}))$ be the property of input private variables which may flow and $\rho \in \mathsf{uco}(\wp(\mathbb{Z}))$ be the observable property of input/output public variables. Abstract Non-Interference w.r.t. $\phi$ and $\rho$, $\mathsf{ANI}^{\rho}_{\phi}$ for short, is

$$\mathsf{ANI}^{\rho}_{\phi} \triangleq \bigcup_{\mathit{ii},\mathit{ff} \in \mathsf{Lab}} \left\{ X \subseteq \Sigma \times \Sigma \;\middle|\; \forall \langle\langle \mathit{ii}, m_1\rangle, \langle \mathit{ff}, m'_1\rangle\rangle, \langle\langle \mathit{ii}, m_2\rangle, \langle \mathit{ff}, m'_2\rangle\rangle \in X \,.\, \nu_{\rho \times \phi}(m_1) = \nu_{\rho \times \phi}(m_2) \Rightarrow \nu_{\rho \times \tau}(m'_1) = \nu_{\rho \times \tau}(m'_2) \right\}$$

This means that a program $P$ satisfies Abstract Non-Interference relative to a public input/output observation $\rho$ and a private input property $\phi$ that may flow if, whenever the public input values have the same property $\rho$ and the private input values have the same property $\phi$, the execution of $P$ leads to $\rho$-indistinguishable public values. It is worth noting that Non-Interference is an instance of ANI, with $\rho = \iota$, since NI deals with all-powerful observers, namely attackers observing values in the most precise way, and $\phi = \tau$, meaning that no declassification is allowed since all values have the property $\tau$. Hence, $\mathsf{NI} = \mathsf{ANI}^{\iota}_{\tau}$. In other words, since input/output L variables need to have the property "to be equal", we model $\rho$ as the identity abstraction $\iota$. Dually, in NI there is no declassification, hence we have $\phi = \tau$, meaning that we need to check the dependence for every combination of H inputs (in fact $\tau(\{n\}) = \tau(\{n'\})$, for every pair of elements $n, n' \in \mathbb{Z}$).
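The following is an added worked example, not code from the thesis: it makes Theorem 22 and Definitions 32 and 33 concrete on a finite input set. Three toy Imp-style programs (constructed here, named `prog_leak`, `prog_parity_safe`, `prog_declass`) are written as functions from an input memory to its final memory, which is exactly their $\Sigma \times \Sigma$ denotation; the post-condition semantics $\llbracket P \rrbracket I$ is then the list of those pairs, and since ANI is 2-bounded, the check of Theorem 22 is just "every 2-element subset of $\llbracket P \rrbracket I$ satisfies the pair condition of Definition 33". Abstractions are represented by functions whose images stand for the property classes: `identity` plays $\iota$, `parity` a parity observer, `top` plays $\tau$. The typing environment `GAMMA`, the input set and the programs are all assumptions of the example.

```python
from itertools import combinations

# Typing environment Gamma (constructed for the example): H = private, L = public.
GAMMA = {"h": "H", "l": "L", "o": "L"}

# Abstractions on integer values, written as functions: two values have the
# same property exactly when they have the same image.
identity = lambda v: v      # iota: the all-powerful observer, every value distinct
parity = lambda v: v % 2    # an observer distinguishing only even from odd
top = lambda v: None        # tau: every value has the same (trivial) property

# Three toy programs (constructed), given as functions from an input memory
# (dict variable -> int) to the final memory, i.e. their input/output denotation.
def prog_leak(m):
    return {**m, "o": m["h"]}                 # o := h

def prog_parity_safe(m):
    return {**m, "o": m["l"] + 2 * m["h"]}    # o := l + 2*h

def prog_declass(m):
    return {**m, "o": m["l"] + m["h"] % 2}    # o := l + (h mod 2)

def post_semantics(prog, inputs):
    """[[P]]I: the denotations (input memory, output memory) for the inputs I."""
    return [(m, prog(m)) for m in inputs]

def nu(m, rho, phi):
    """nu_{rho x phi}(m): abstract public variables by rho, private ones by phi."""
    return tuple((x, (rho if GAMMA[x] == "L" else phi)(m[x])) for x in sorted(GAMMA))

def ani_on_pair(X, rho, phi):
    """Definition 33 restricted to a 2-element subset X of denotations: if the
    inputs agree up to rho x phi, the outputs must agree up to rho x tau."""
    (m1, m1_out), (m2, m2_out) = X
    if nu(m1, rho, phi) == nu(m2, rho, phi):
        return nu(m1_out, rho, top) == nu(m2_out, rho, top)
    return True

def satisfies_bounded(denotations, k, on_subset):
    """Theorem 22 made concrete: P |= cHp iff every cardinality-k subset of
    [[P]]I belongs to cHp (cHp is given by the predicate on_subset)."""
    return all(on_subset(X) for X in combinations(denotations, k))

def check_ani(prog, rho, phi):
    """Verify ANI^rho_phi for prog on a small constructed input set."""
    inputs = [{"h": h, "l": l, "o": 0} for h in range(4) for l in range(2)]
    return satisfies_bounded(post_semantics(prog, inputs), 2,
                             lambda X: ani_on_pair(X, rho, phi))

def check_ni(prog):
    """NI = ANI^iota_tau: identity observer, no declassification."""
    return check_ani(prog, identity, top)

if __name__ == "__main__":
    for p in (prog_leak, prog_parity_safe, prog_declass):
        print(p.__name__, "NI:", check_ni(p),
              "ANI^parity_tau:", check_ani(p, parity, top),
              "ANI^iota_parity:", check_ani(p, identity, parity))
```

All three programs violate NI, but `prog_parity_safe` satisfies $\mathsf{ANI}^{\mathit{parity}}_{\tau}$ (a parity observer learns nothing about `h`) and `prog_declass` satisfies $\mathsf{ANI}^{\iota}_{\mathit{parity}}$ (only the declassified parity of `h` reaches the output). On a finite input set the enumeration of 2-subsets is exact; the abstract semantics of Section 8.1 exists precisely because this enumeration is not available for infinite $I$.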

8.1 Abstract Hypersemantics for Abstract Non-Interference

Since ANI is parametric on the property to be checked, a unique verifier is not possible. In this section we give a hypersemantics and a parametric abstract semantics for the verification of Abstract Non-Interference. This means that we give one hypersemantics, whose abstract versions, parametric on the ANI properties to check, are useful for ANI verification. In Section 8.2 we go deeply into the details of a verifier for Non-Interference. A prototype analyzer has been written in order to test the abstract semantics.

To do so, we follow the construction introduced in Section 7.2 for $k$-bounded subset-closed hyperproperties (indeed ANI is 2-bounded). First, we give the definition of the hypersemantics, computing at the level of sets of sets. Then we instantiate the hyperlevel constants domain of Section 6.2 to Abstract Non-Interference. The latter, in its original formulation, may not be machine-representable (it may have an uncountable set of elements). This depends on the structure of the domain $\rho$. For such cases we show how to approximate the hyperlevel constants domain, in order to make its implementation feasible. Finally we show how to design the abstract semantics.