A temporal logic approach to iInformation-flow control

Information leaks and other violations of information security pose a severe threat to individuals, companies, and even countries. The mechanisms by which attackers threaten information security are diverse and to show their absence thus proved to be a challenging problem. Information-flow control is a principled approach to prevent security incidents in programs and other technical systems. In information-flow control we define information-flow properties, which are sufficient conditions for when the system is secure in a particular attack scenario. By defining the information-flow property only based on what parts of the executions of the system a potential attacker can observe or control, we obtain security guarantees that are independent of implementation details and thus easy to understand. There are several methods available to enforce (or verify) information-flow properties once defined. We focus on static enforcement methods, which automatically determine whether a given system satisfies a given information-flow property for all possible inputs to the system. Most enforcement approaches that are available today have one problem in common: they each only work for one particular programming language or information-flow property. In this thesis, we propose a temporal logic approach to information-flow control to provide a simple formal basis for the specification and enforcement of information-flow properties. We show that the approach can be used to enforce a wide range of information-flow properties with a single algorithm. The main challenge is that the standard temporal logics are unable to express information-flow properties. They lack the ability to relate multiple executions of a system, which is essential for information-flow properties. We thus extend the temporal logics LTL and CTL* by the ability to quantify over multiple executions and to relate them using boolean and temporal operators. The resulting temporal logics HyperLTL and HyperCTL* can express many information-flow properties of interest. The extension of temporal logics com- pels us to revisit the algorithmic problem to check whether a given system (model) satisfies a given specification in HyperLTL or HyperCTL*; also called the model checking problem. On the technical side, the main contribution is a model checking algorithm for HyperLTL and HyperCTL* and the detailed complexity analysis of the model checking problem: We give nonelementary lower and upper bounds for its computational complexity, both in the size of the system and the size of the specification. The complexity analysis also reveals a class of specification, which includes many of the commonly consid- ered information-flow properties and for which the algorithm is efficient (in NLOGSPACE in the size of the system). For this class of efficiently checkable properties, we provide an approach to reuse existing technology in hardware model checking for information-flow control. We demonstrate along a case study that the temporal logic approach to information-flow control is flexible and effective. We further provide two case studies that demonstrate the use of HyperLTL and HyperCTL* for proving properties of error resistant codes and distributed protocols that have so far only been considered in manual proofs. Informationssicherheit stellt eine immer grosere Bedrohung fur einzelne Personen, Firmen und selbst ganze Lander dar. Ein grundlegender Ansatz zur Vorbeugung von Sicherheitsproblemen in technischen Systemen, wie zum Beispiel Programmen, ist Informationsflusskontrolle. In der Informationsflusskontrolle definieren wir zunachst sogenannte Informationsflusseigenschaften, welche hinreichende Bedingungen fur die Sicherheit des gegebenen Systems in einem Sicherheitsszenario darstellen. Indem wir Informationsflusseigenschaften nur auf Basis der moglichen Beobachtungen eines Angreifers uber das System definieren, erhalten wir einfach zu verstehende Sicherheitsgarantien, die unabhangig von Implementierungsdetails sind. Nach der Definition von Eigenschaften muss sichergestellt werden, dass ein gegebenes System seine Informationsflusseigenschaft erfullt, wofur es bereits verschiedene Methoden gibt. Wir fokussieren uns in dieser Arbeit auf statische Methoden, welche fur ein gegebenes System und eine gegebene Informationsflusseigenschaft automatisch entscheiden, ob das System die Eigenschaft fur alle moglichen Eingaben erfullt, was wir auch das Modellprufungsproblem nennen. Die meisten verfugbaren Methoden zum Sicherstellen der Einhaltung von Informationsflusseigenschaften teilen jedoch eine Schwache: sie funktionieren nur fur eine einzelne Programmiersprache oder eine einzelne Informationsflusseigenschaft. In dieser Arbeit verfolgen wir einen Ansatz basierend auf Temporallogiken, um eine einfache theoretische Basis fur die Spezifikation von Informationsflusseigenschaften und deren Umsetzung zu erhalten. Wir analysieren den Zusammenhang von der Ausdrucksmachtigkeit von Spezifikationssprachen und dem algorithmischen Problem Spezifikationen fur ein System zu uberprufen. Anhand einer Fallstudie im Bereich der Hardwaresicherheit zeigen wir, dass der Ansatz dazu geeignet ist eine breite Palette von bekannten und neuen Informationsflusseigenschaften mittels eines einzelnen Modellprufungsalgorithmus zu beweisen. Das Kernproblem hierbei ist, dass wir in den ublichen Temporallogiken Informationsflusseigenschaften nicht ausdrucken konnen, es fehlt die Fahigkeit mehrere Ausfuhrungen eines Systems miteinander zu vergleichen, was der gemeinsame Nenner von Informationsflusseigenschaften ist. Wir erweitern Temporallogiken daher um die Fahigkeit uber mehrere Ausfuhrungen zu quantifizieren und diese miteinander zu vergleichen. Der Hauptbeitrag auf der technischen Ebene ist ein Modellprufungsalgorithmus und eine detaillierte Analyse der Komplexitat des Modellprufungsproblems. Wir geben einen Modellprufungsalgorithmus an und beweisen, dass der Algorithmus asymptotisch optimal ist. Die Komplexitatsanalyse zeigt auch eine Klasse von Eigenschaften auf, welche viele der ublichen Informationsflusseigenschaften beinhaltet, und fur welche der gegebene Algorithmus effizient ist (in NLOGSPACE in der Grose des Systems). Fur diese Klasse von effizient uberprufbaren Eigenschaften diskutieren wir einen Ansatz bestehende Technologie zur Modellprufung von Hardware fur Informationsflusskontrolle wiederzuverwenden. Anhand einer Fallstudie zeigen wir, dass der Ansatz flexibel und effektiv eingesetzt werden kann. Desweiteren diskutieren wir zwei weitere Fallstudien, welche demonstrieren, dass die vorgeschlagene Erweiterung von Temporallogiken auch eingesetzt werden kann, um Eigenschaften fur fehlerresistente Kodierungen und verteilte Protokolle zu beweisen, welche bisher nur Abstrakt betrachtet werden konnten.

[1]  Danfeng Zhang,et al.  Language-based control and mitigation of timing channels , 2012, PLDI.

[2]  Máté Kovács Information flow security in tree-manipulating processes , 2013 .

[3]  Adi Shamir,et al.  Cache Attacks and Countermeasures: The Case of AES , 2006, CT-RSA.

[4]  Thomas Wilke,et al.  Preservation of epistemic properties in security protocol implementations , 2007, TARK '07.

[5]  Daryl McCullough,et al.  Noninterference and the composability of security properties , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[6]  Sophie Pinchinat,et al.  Unifying Hyper and Epistemic Temporal Logics , 2014, FoSSaCS.

[7]  John McLean,et al.  Proving Noninterference and Functional Correctness Using Traces , 1992, J. Comput. Secur..

[8]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[9]  Aaron R. Bradley,et al.  SAT-Based Model Checking without Unrolling , 2011, VMCAI.

[10]  Rohit Chadha,et al.  Epistemic Logic for the Applied Pi Calculus , 2009, FMOODS/FORTE.

[11]  Bernd Finkbeiner,et al.  Algorithms for Model Checking HyperLTL and HyperCTL ^* , 2015, CAV.

[12]  Marieke Huisman,et al.  A temporal logic characterisation of observational determinism , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[13]  Donn B. Parker,et al.  Fighting computer crime - a new framework for protecting information , 1998 .

[14]  Dimiter Vladimirov Milushev,et al.  Reasoning about Hyperproperties , 2014 .

[15]  Andrew C. Myers,et al.  JFlow: practical mostly-static information flow control , 1999, POPL '99.

[16]  Daniel Kroening,et al.  A Tool for Checking ANSI-C Programs , 2004, TACAS.

[17]  Sérgio Vale Aguiar Campos,et al.  Symbolic Model Checking , 1993, CAV.

[18]  Pierre Wolper,et al.  Reasoning about infinite computation paths , 1983, 24th Annual Symposium on Foundations of Computer Science (sfcs 1983).

[19]  Deian Stefan,et al.  Security and the Average Programmer , 2014, POST 2014.

[20]  Andrey Rybalchenko,et al.  An Epistemic Perspective on Consistency of Concurrent Computations , 2013, CONCUR.

[21]  David E. Muller,et al.  Weak alternating automata give a simple explanation of why most temporal and dynamic logics are decidable in exponential time , 1988, [1988] Proceedings. Third Annual Information Symposium on Logic in Computer Science.

[22]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[23]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[24]  Hirotoshi Yasuoka,et al.  On bounding problems of quantitative information flow , 2010, J. Comput. Secur..

[25]  Johan Anthory Willem Kamp,et al.  Tense logic and the theory of linear order , 1968 .

[26]  Bernd Finkbeiner,et al.  Relational abstract interpretation for the verification of 2-hypersafety properties , 2013, CCS.

[27]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[28]  Christian Hammer Information flow control for Java: a comprehensive approach based on path conditions in dependence graphs , 2009 .

[29]  A. Turing On Computable Numbers, with an Application to the Entscheidungsproblem. , 1937 .

[30]  A. Prasad Sistla,et al.  The complexity of propositional linear temporal logics , 1982, STOC '82.

[31]  E. Stewart Lee,et al.  A general theory of security properties , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[32]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[33]  Ralf Küsters,et al.  A Framework for the Cryptographic Verification of Java-Like Programs , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[34]  Bernd Finkbeiner,et al.  Model Checking Information Flow in Reactive Systems , 2012, VMCAI.

[35]  Todd Millstein,et al.  Automatic predicate abstraction of C programs , 2001, PLDI '01.

[36]  Tim French Decidability of Quantifed Propositional Branching Time Logics , 2001, Australian Joint Conference on Artificial Intelligence.

[37]  Heiko Mantel,et al.  Possibilistic definitions of security-an assembly kit , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[38]  Y VardiMoshe,et al.  An automata-theoretic approach to branching-time model checking , 2000 .

[39]  Pierre Wolper,et al.  Reasoning About Infinite Computations , 1994, Inf. Comput..

[40]  L.,et al.  SECURE COMPUTER SYSTEMS : MATHEMATICAL FOUNDATIONS , 2022 .

[41]  Richard E. Ladner,et al.  Application of Model Theoretic Games to Discrete Linear Orders and Finite Automata , 1977, Inf. Control..

[42]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[43]  James A. Kupsch,et al.  Manual vs. Automated Vulnerability Assessment: A Case Study , 2009 .

[44]  Geoffrey Smith,et al.  On the Foundations of Quantitative Information Flow , 2009, FoSSaCS.

[45]  Armando Solar-Lezama,et al.  A language for automatically enforcing privacy policies , 2012, POPL '12.

[46]  Peter J. Denning,et al.  Certification of programs for secure information flow , 1977, CACM.

[47]  Lawrence A. Gordon,et al.  The economics of information security investment , 2002, TSEC.

[48]  Zohar Manna,et al.  Temporal verification of reactive systems - safety , 1995 .

[49]  Bengt Jonsson,et al.  A logic for reasoning about time and reliability , 1990, Formal Aspects of Computing.

[50]  Anirban Dasgupta,et al.  Quantified Computation Tree Logic , 2002, Inf. Process. Lett..

[51]  Mads Dam,et al.  Epistemic temporal logic for information flow security , 2011, PLAS '11.

[52]  Nir Piterman,et al.  Fairness for Infinite-State Systems , 2015, TACAS.

[53]  Dorothy E. Denning,et al.  A lattice model of secure information flow , 1976, CACM.

[54]  David Sands,et al.  Dimensions and principles of declassification , 2005, 18th IEEE Computer Security Foundations Workshop (CSFW'05).

[55]  Robert K. Brayton,et al.  Efficient implementation of property directed reachability , 2011, 2011 Formal Methods in Computer-Aided Design (FMCAD).

[56]  K. Rustan M. Leino,et al.  A semantic approach to secure information flow , 2000, Sci. Comput. Program..

[57]  Torben Amtoft,et al.  Information Flow Analysis in Logical Form , 2004, SAS.

[58]  David A. Basin,et al.  An information-theoretic model for adaptive side-channel attacks , 2007, CCS '07.

[59]  John McLean,et al.  A general theory of composition for trace sets closed under selective interleaving functions , 1994, Proceedings of 1994 IEEE Computer Society Symposium on Research in Security and Privacy.

[60]  Joseph Y. Halpern,et al.  “Sometimes” and “not never” revisited: on branching versus linear time temporal logic , 1986, JACM.

[61]  Pierre Wolper,et al.  The Complementation Problem for Büchi Automata with Appplications to Temporal Logic , 1987, Theor. Comput. Sci..

[62]  Moshe Y. Vardi Alternating Automata and Program Verification , 1995, Computer Science Today.

[63]  Marco Bozzano,et al.  Formal Design of Fault Detection and Identification Components Using Temporal Epistemic Logic , 2014, TACAS.

[64]  Armin Biere,et al.  Verifiying Safety Properties of a Power PC Microprocessor Using Symbolic Model Checking without BDDs , 1999, CAV.

[65]  Pavol Cerný,et al.  Preserving Secrecy Under Refinement , 2006, ICALP.

[66]  Gerrit Muller What is a Process , 2000 .

[67]  Jonathan M. Smith,et al.  SPECS: A Lightweight Runtime Mechanism for Protecting Software from Security-Critical Processor Bugs , 2015, ASPLOS.

[68]  Amir Pnueli,et al.  The temporal logic of programs , 1977, 18th Annual Symposium on Foundations of Computer Science (sfcs 1977).

[69]  W. Thomas Safety- and liveness-properties in propositional temporal logic: characterizations and decidability , 1988 .

[70]  Larry Joseph Stockmeyer,et al.  The complexity of decision problems in automata theory and logic , 1974 .

[71]  Orna Kupferman,et al.  Weak alternating automata are not that weak , 2001, TOCL.

[72]  Jerome H. Saltzer,et al.  The protection of information in computer systems , 1975, Proc. IEEE.

[73]  Dave Clarke,et al.  Towards Incrementalization of Holistic Hyperproperties , 2012, POST.

[74]  A. Rybalchenko,et al.  Transition invariants , 2004, LICS 2004.

[75]  Gilles Barthe,et al.  Relational Verification Using Product Programs , 2011, FM.

[76]  Alexander Aiken,et al.  Secure Information Flow as a Safety Problem , 2005, SAS.

[77]  Jeffrey D. Ullman,et al.  Introduction to Automata Theory, Languages and Computation , 1979 .

[78]  James W. Gray,et al.  Toward a mathematical foundation for information flow security , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[79]  Andrei Popescu,et al.  A Conference Management System with Verified Document Confidentiality , 2014, CAV.

[80]  Bernd Finkbeiner,et al.  Temporal Logics for Hyperproperties , 2013, POST.

[81]  Greg Bromage Heartbleed bug: What you need to know… , 2014 .

[82]  Robert Avag,et al.  Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant? | Institute for Science and International Security , 2010 .

[83]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[84]  R. J. vanGlabbeek The linear time - branching time spectrum , 1990 .

[85]  Andrei Popescu,et al.  A shallow embedding of HyperCTL , 2014, Arch. Formal Proofs.

[86]  Baruch Sterin,et al.  A circuit approach to LTL model checking , 2013, 2013 Formal Methods in Computer-Aided Design.

[87]  Orna Kupferman,et al.  Augmenting Branching Temporal Logics with Existential Quantification over Atomic Propositions , 1995, J. Log. Comput..

[88]  Satoru Miyano,et al.  Alternating Finite Automata on omega-Words , 1984, CAAP.

[89]  Christel Baier,et al.  Principles of model checking , 2008 .

[90]  E.C. Posner,et al.  Voyager mission telecommunication firsts , 1990, IEEE Communications Magazine.

[91]  David Clark,et al.  Quantitative Analysis of the Leakage of Confidential Data , 2002, QAPL.

[92]  Edmund M. Clarke,et al.  Sequential circuit verification using symbolic model checking , 1991, DAC '90.

[93]  A. W. Roscoe CSP and determinism in security modelling , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[94]  Moshe Y. Vardi An Automata-Theoretic Approach to Linear Temporal Logic , 1996, Banff Higher Order Workshop.

[95]  Bodo Möller,et al.  This POODLE Bites: Exploiting The SSL 3.0 Fallback , 2014 .

[96]  Moshe Y. Vardi,et al.  Branching vs. Linear Time: Semantical Perspective , 2007, ATVA.

[97]  W. Thomas Star-Free Regular Sets of ~o-Sequences , 2004 .

[98]  Bowen Alpern,et al.  Defining Liveness , 1984, Inf. Process. Lett..

[99]  Leslie Lamport,et al.  A new solution of Dijkstra's concurrent programming problem , 1974, Commun. ACM.

[100]  Dominique Devriese,et al.  Noninterference through Secure Multi-execution , 2010, 2010 IEEE Symposium on Security and Privacy.

[101]  Dexter Kozen,et al.  Results on the Propositional µ-Calculus , 1982, ICALP.

[102]  Bernd Finkbeiner,et al.  SLAB: A Certifying Model Checker for Infinite-State Concurrent Systems , 2010, TACAS.

[103]  Heiko Mantel,et al.  The framework of selective interleaving functions and the modular assembly kit , 2005, FMSE '05.

[104]  Bernd Finkbeiner,et al.  The linear-hyper-branching spectrum of temporal logics , 2014, it Inf. Technol..

[105]  Martin Lange,et al.  Model-Checking the Higher-Dimensional Modal mu-Calculus , 2012, FICS.

[106]  Ronald Fagin,et al.  Reasoning about knowledge , 1995 .

[107]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[108]  Nir Piterman,et al.  Faster temporal reasoning for infinite-state programs , 2014, 2014 Formal Methods in Computer-Aided Design (FMCAD).

[109]  Kenneth L. McMillan Craig Interpolation and Reachability Analysis , 2003, SAS.

[110]  John C. Mitchell,et al.  Security Modeling and Analysis , 2011, IEEE Security & Privacy.

[111]  Amir Pnueli,et al.  Algorithmic Verification of Linear Temporal Logic Specifications , 1998, ICALP.

[112]  Emil L. Post A variant of a recursively unsolvable problem , 1946 .

[113]  R. Van der Meyden Axioms for knowledge and time in distributed systems with perfect recall , 1994, Proceedings Ninth Annual IEEE Symposium on Logic in Computer Science.

[114]  Edmund M. Clarke,et al.  Design and Synthesis of Synchronization Skeletons Using Branching Time Temporal Logic , 2008, 25 Years of Model Checking.