Hyperproperties

Properties, which have long been used for reasoning about systems, are sets of traces. Hyperproperties, introduced here, are sets of properties. Hyperproperties can express security policies, such as secure information flow, that properties cannot. Safety and liveness are generalized to hyperproperties, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty. A verification technique for safety hyperproperties is given and is shown to generalize prior techniques for verifying secure information flow. Refinement is shown to be valid for safety hyperproperties. A topological characterization of hyperproperties is given.
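The abstract's central distinction is that a property is checked one trace at a time (a system S satisfies P exactly when S ⊆ P), while a hyperproperty is a predicate on the whole set of traces. The following Python is an added illustration, not code from the paper or its authors: it models a finite universe of constructed traces (high input, low input, low output), takes observational determinism as the information-flow policy (any two traces with equal low inputs must produce equal low outputs), and then shows mechanically why no property can express it. The helper names (`property_closest_to`, `hyperproperty_is_a_property`) and the trace encoding are assumptions made for the example.

```python
# Added example (not from the paper): properties vs. hyperproperties over a
# small, constructed trace universe. A trace is (high_in, low_in, low_out).
from itertools import product

# Constructed universe: one high input bit, one low input bit, one low output bit.
UNIVERSE = frozenset(product((0, 1), repeat=3))

# Constructed systems: SECURE copies the low input to the low output,
# LEAKY copies the high input to the low output.
SECURE = frozenset({(0, 0, 0), (1, 0, 0), (0, 1, 1), (1, 1, 1)})
LEAKY = frozenset({(0, 0, 0), (1, 0, 1), (0, 1, 0), (1, 1, 1)})


def low_output_guard(trace):
    """A *property*: a set of traces, given here as a per-trace predicate
    ('low output is never 1 when low input is 0')."""
    _high_in, low_in, low_out = trace
    return not (low_in == 0 and low_out == 1)


def system_satisfies_property(system, prop):
    """S |= P iff S is a subset of P: decided trace by trace."""
    return all(prop(t) for t in system)


def observational_determinism(system):
    """A *hyperproperty*: a predicate on the whole trace set. Two traces
    with equal low inputs must have equal low outputs, so a high input
    cannot influence what a low observer sees."""
    return all(t1[2] == t2[2]
               for t1 in system for t2 in system
               if t1[1] == t2[1])


def _all_systems(universe):
    """Enumerate every subset of the (finite) universe as a system."""
    traces = sorted(universe)
    for mask in range(1 << len(traces)):
        yield frozenset(t for i, t in enumerate(traces) if (mask >> i) & 1)


def property_closest_to(hyper, universe):
    """The only candidate property for a hyperproperty H: the union of all
    systems that satisfy H. If H were a property P, then S |= H would be
    equivalent to S being a subset of P."""
    allowed = set()
    for system in _all_systems(universe):
        if hyper(system):
            allowed |= system
    return allowed


def hyperproperty_is_a_property(hyper, universe):
    """Return a system on which 'S is a subset of P' and 'S |= H' disagree,
    or None when H is expressible as a property. (By construction, every
    system satisfying H lies inside P, so only the other direction can fail.)"""
    allowed = property_closest_to(hyper, universe)
    for system in _all_systems(universe):
        if system <= allowed and not hyper(system):
            return system
    return None


if __name__ == "__main__":
    print("SECURE satisfies OD:", observational_determinism(SECURE))   # True
    print("LEAKY satisfies OD:", observational_determinism(LEAKY))     # False
    # Every singleton system satisfies OD, so the candidate property would
    # have to admit every trace; but then a two-trace subset violates OD.
    print("counterexample:", hyperproperty_is_a_property(observational_determinism, UNIVERSE))
    # An ordinary property lifted to a trace-set predicate has no counterexample.
    lifted = lambda s: system_satisfies_property(s, low_output_guard)
    print("property stays a property:", hyperproperty_is_a_property(lifted, UNIVERSE) is None)
```

The counterexample it finds is the smallest in enumeration order: two traces that each satisfy observational determinism on their own (every singleton system does), yet together reveal different low outputs for the same low input. Because S ⊆ P cannot distinguish "these traces individually" from "these traces jointly", subset inclusion can never capture the policy, which is exactly the gap the abstract says hyperproperties close.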
