4.2 Typable DEX Program Implies Non-Interference
4.2.3 Typable DEXO Implies Non-interference
Indistinguishability between states can be defined with the additional definition of heap indistinguishability, so we do not need further indistinguishability definitions. In the DEXO part, we only need to adapt the lemmas used to establish the proof.
Definition 4.2.2 (State indistinguishability). Two states $\langle i,\rho,h\rangle$ and $\langle i',\rho',h'\rangle$ are indistinguishable w.r.t. a partial function $\beta \in L \rightharpoonup L$ and two register typings $rt, rt' \in (R \to S)$, denoted $\langle i,\rho,h\rangle \sim_{k_{obs},rt,rt',\beta} \langle i',\rho',h'\rangle$, iff $\rho \sim_{k_{obs},rt,rt',\beta} \rho'$ and $h \sim_{k_{obs},\beta} h'$ hold.
Lemma 4.2.14 (Locally Respects). Let $\beta \in L \rightharpoonup L$ be a partial function, $s_1, s_2 \in State_O$ be two DEXO states at the same program point $i$, and let $rt_1, rt_2 \in (R \to S)$ be two register types such that $s_1 \sim_{k_{obs},rt_1,rt_2,\beta} s_2$.
• Let $s'_1, s'_2 \in State_O$ and $rt'_1, rt'_2 \in (R \to S)$ such that $s_1 \leadsto s'_1$, $s_2 \leadsto s'_2$, $i \vdash rt_1 \Rightarrow rt'_1$, and $i \vdash rt_2 \Rightarrow rt'_2$; then there exists $\beta' \in L \rightharpoonup L$ such that $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ and $\beta \subseteq \beta'$.
• Let $v_1, v_2 \in V$ such that $s_1 \leadsto v_1$, $s_2 \leadsto v_2$, $i \vdash rt_1 \Rightarrow$, and $i \vdash rt_2 \Rightarrow$; then $k_r \le k_{obs}$ implies $v_1 \sim_\beta v_2$.
Proof. Just like in DEXI, we do a structural induction on the possible instructions. If the instruction is a DEXI instruction, then we know that, register-wise, it preserves indistinguishability. Since DEXI instructions do not modify the heap, the lemma holds trivially for them. If the instruction is not in DEXI:
$\mathit{new}(r,c)$: the proof of register indistinguishability follows that of $\mathit{const}$. This is one of the instructions that may add a mapping to $\beta$, so we know that $\beta \subseteq \beta'$ is satisfied as well. From Lemma 4.2.8 we also know that $h'_1 \sim_{k_{obs},\beta'} h'_2$. Combined with $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} \rho'_2$, we have $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
$\mathit{iget}(r,r_o,f)$: there is no change to the heap, and no change to the $\beta$ mapping either, therefore we have $\beta \subseteq \beta'$ and $h'_1 \sim_{k_{obs},\beta'} h'_2$. We only need to prove register indistinguishability to obtain state indistinguishability. If the register is not $r$, we can use Lemma 4.2.10. If the register is $r$, we first distinguish whether $r_o$ has high security level. If $r_o$ is of high security level, $r$ will also be updated with a high security level, hence register indistinguishability is preserved. If $r_o$ has low security level, we distinguish further on whether $ft(f)$ is of high security level. If $ft(f)$ is high, then $r$ will be updated with a high security level, which again preserves register indistinguishability. If $ft(f)$ is low, we know that the field contains the same value in both states, hence $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,r,\beta} \rho'_2$. With this register indistinguishability, we have $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
$\mathit{iput}(r_s,r_o,f)$: there is no change to the registers, hence register indistinguishability still holds ($\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} \rho'_2$). Even though this instruction modifies the heap, it does not affect the $\beta$ mapping, therefore $\beta \subseteq \beta'$. For heap indistinguishability, we distinguish on whether an object is the one referenced by $r_o$. If it is not the object pointed to by $r_o$, it is unchanged and thus indistinguishable, since the heaps were initially indistinguishable. If it is the object pointed to by $r_o$, there are two possibilities: either both $r_o$ contain the same object ($\rho_1(r_o) = \rho_2(r_o)$), or they point to different objects.
• In the case where they point to the same object, there are two further possibilities depending on the value of $se(i) \sqcup rt(r_o) \sqcup rt(r_s)$ ($rt$ is either $rt_1$ or $rt_2$). If it is of high security level, then for the program to be typable $ft(f)$ is necessarily of high security level, so the update does not affect indistinguishability. If it is of low security level, we know that $\rho_1(r_s) = \rho_2(r_s)$ and $\beta(\rho_1(r_o)) = \rho_2(r_o)$. Since the operation updates the field with the same value, heap indistinguishability is preserved.
• In the case where they point to different objects, we know that $rt_1(r_o)$ and $rt_2(r_o)$ are of high security level. Since the program is typable, $ft(f)$ is of high security level, so the update is applied to a high field, which does not affect indistinguishability.
We have $h'_1 \sim_{k_{obs},\beta'} h'_2$ and $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} \rho'_2$, therefore $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
$\mathit{newarray}(r,r_l,t)$: this instruction possibly adds a mapping to $\beta$, so we know that $\beta \subseteq \beta'$. Using Lemma 4.2.8, we get $h'_1 \sim_{k_{obs},\beta'} h'_2$. For register indistinguishability, if the register is not $r$ we can use Lemma 4.2.10. If the register is $r$, there are two possibilities depending on the security level of $r_l$. If the security level of $r_l$ is high, then by the typing rule the security level of $r$ is also high, completing the proof of $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta} \rho'_2$. If $r_l$ is low, we have $\rho'_1(r) \sim_\beta \rho'_2(r)$, since the type and the length of the array are the same. With register and heap indistinguishability, we have $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
$\mathit{arraylength}(r,r_a)$: this instruction modifies neither the $\beta$ mapping nor the heap, therefore $\beta \subseteq \beta'$ and $h'_1 \sim_{k_{obs},\beta'} h'_2$ hold for granted. As usual, for register indistinguishability we distinguish whether the register is $r$. If the register is not $r$, we can use Lemma 4.2.10. If the register is $r$, we distinguish further on whether $r_a$ has high security level. If $r_a$ is of high security level, we know that $r$ will also be of high security level, so $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,r,\beta} \rho'_2$, completing the proof of $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta} \rho'_2$. If $r_a$ is of low security level, then the array is the same in both states and $\rho'_1(r) \sim_\beta \rho'_2(r)$. With register and heap indistinguishability, we have $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
$\mathit{aget}(r,r_a,r_i)$: the argument for this instruction is much the same as for $\mathit{iget}$. We already have $\beta \subseteq \beta'$ and $h'_1 \sim_{k_{obs},\beta'} h'_2$, since the instruction modifies neither the $\beta$ mapping nor the heap. For register indistinguishability, we first distinguish whether the register of interest is $r$. If it is not $r$, we can use Lemma 4.2.10. If it is $r$, we distinguish further on the least upper bound of the security levels of $r_a$ and $r_i$. If the least upper bound is of high security level, then $r$ is updated with a high security level ($\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,r,\beta} \rho'_2$). If the least upper bound is low, then the index and the array are indistinguishable, hence the value read is indistinguishable as well ($\rho'_1(r) \sim_\beta \rho'_2(r)$). This concludes the proof of $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
$\mathit{aput}(r_s,r_a,r_i)$: the argument for this instruction is much the same as for $\mathit{iput}$. This instruction modifies neither the $\beta$ mapping nor the registers, therefore $\beta \subseteq \beta'$ and $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta} \rho'_2$ hold for granted. For heap indistinguishability, we distinguish on whether an array is the one referenced by $r_a$. If it is not the array pointed to by $r_a$, it is indistinguishable, since the heaps were initially indistinguishable. If it is the array pointed to by $r_a$, there are two possibilities: either both $r_a$ contain the same array ($\rho_1(r_a) = \rho_2(r_a)$), or they point to different arrays.
• In the case where they point to the same array, there are two further possibilities depending on the value of $(se(i) \sqcup rt(r_a)) \sqcup_{ext} rt(r_s)$ ($rt$ is either $rt_1$ or $rt_2$). If it is of high security level, then for the program to be typable the security level of the array content is necessarily high, so the update does not affect indistinguishability. If it is of low security level, we know that $\rho_1(r_s) = \rho_2(r_s)$ and $\rho_1(r_a) \sim_\beta \rho_2(r_a)$. Since the operation updates the array content with the same value, heap indistinguishability is preserved.
• In the case where they point to different arrays, we know that $rt_1(r_a)$ and $rt_2(r_a)$ are of high security level. Since the program is typable, the security level of the content is also high, which does not affect indistinguishability.
We have $h'_1 \sim_{k_{obs},\beta'} h'_2$ and $\rho'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} \rho'_2$, therefore $s'_1 \sim_{k_{obs},rt'_1,rt'_2,\beta'} s'_2$ (Case 1 of the lemma).
All of the possible instructions maintain state indistinguishability, therefore the lemma holds.
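As an added illustration of the iput case of the proof above (constructed here, not part of the thesis's formalization): a Python model over a two-point lattice that spells out the indistinguishability relations and the iput typing constraint in the simplified forms assumed in the comments (field values are integers or object locations compared through β; registers typed low in both typings must agree), and checks that storing through iput preserves heap indistinguishability exactly when the instruction is typable.

```python
# Toy model of the iput case of Lemma 4.2.14 (constructed illustration, not the
# thesis's formalization). Two-point lattice; the observer level kobs is LOW.
LOW, HIGH = 0, 1

def val_indist(v1, v2, beta):
    # object locations (strings) are compared through beta, integers by equality
    return beta.get(v1) == v2 if isinstance(v1, str) else v1 == v2

def regs_indist(r1, r2, rt1, rt2, beta, kobs=LOW):
    # assumed simplified form of rho ~ rho': registers typed low in both
    # register typings must hold indistinguishable values
    return all(val_indist(r1[r], r2[r], beta)
               for r in r1 if rt1[r] <= kobs and rt2[r] <= kobs)

def heap_indist(h1, h2, beta, ft, kobs=LOW):
    # objects related by beta must agree on every field whose policy ft(f) is low
    return all(val_indist(h1[l1][f], h2[l2][f], beta)
               for l1, l2 in beta.items() for f in ft if ft[f] <= kobs)

def typable_iput(se_i, rt, rs, ro, ft, f):
    # typing constraint for iput(rs, ro, f) as the proof uses it:
    # se(i) ⊔ rt(ro) ⊔ rt(rs) must be bounded by ft(f)
    return max(se_i, rt[ro], rt[rs]) <= ft[f]

def iput(regs, heap, rs, ro, f):
    # store the value held in rs into field f of the object referenced by ro
    heap = {loc: dict(obj) for loc, obj in heap.items()}  # copy; inputs stay intact
    heap[regs[ro]][f] = regs[rs]
    return regs, heap

def iput_case(ft_f, rt_rs=HIGH):
    """Run iput(rs, ro, f) from two indistinguishable states in the 'same object'
    sub-case of the proof. Returns (typable, heaps still indistinguishable)."""
    ft = {"f": ft_f}                   # field policy under test
    rt = {"rs": rt_rs, "ro": LOW}      # ro is a low reference in both runs
    se_i = LOW                         # security environment at this program point
    beta = {"o1": "o2"}                # object o1 of run 1 corresponds to o2 of run 2
    r1, h1 = {"rs": 7, "ro": "o1"}, {"o1": {"f": 0}}
    r2, h2 = {"rs": 9 if rt_rs == HIGH else 7, "ro": "o2"}, {"o2": {"f": 0}}
    assert regs_indist(r1, r2, rt, rt, beta) and heap_indist(h1, h2, beta, ft)
    _, h1n = iput(r1, h1, "rs", "ro", "f")
    _, h2n = iput(r2, h2, "rs", "ro", "f")
    return typable_iput(se_i, rt, "rs", "ro", ft, "f"), heap_indist(h1n, h2n, beta, ft)

if __name__ == "__main__":
    print(iput_case(HIGH))       # secret into a high field: typable, indistinguishable
    print(iput_case(LOW))        # secret into a low field: rejected, and would leak
    print(iput_case(LOW, LOW))   # public value into a low field: typable, indistinguishable
```

The second call is the situation the typing rule exists to exclude: without the constraint, the store of a high register into a low field would make the two heaps observably different.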
Lemma 4.2.15 (High Branching). Let $\beta \in L \rightharpoonup L$ be a partial function, $s_1, s_2 \in State_O$ be two DEXO states at the same program point $i$, and let $rt_1, rt_2 \in (R \to S)$ be two register types such that $s_1 \sim_{k_{obs},rt_1,rt_2,\beta} s_2$. Let $\langle i_1,\rho'_1,h'_1\rangle, \langle i_2,\rho'_2,h'_2\rangle \in State_O$ be two states and $rt'_1, rt'_2 \in (R \to S)$ two register types s.t. $i_1 \neq i_2$, $s_1 \leadsto \langle i_1,\rho'_1,h'_1\rangle$, $s_2 \leadsto \langle i_2,\rho'_2,h'_2\rangle$. If $i \vdash rt_1 \Rightarrow rt'_1$ and $i \vdash rt_2 \Rightarrow rt'_2$, then $\forall j \in region(i),\ se(j) \not\le k_{obs}$.
Proof. This lemma is trivially true since there is no branching instruction in DEXO.