Confidentiality for Probabilistic Multi-threaded Programs and Its Verification

Confidentiality is an important concern in today's information society: electronic payment and personal data should be protected appropriately. This holds in particular for multi-threaded applications, which are generally seen the future of high-performance computing. Multi-threading poses new challenges to data protection, in particular, data races may be exploited in security attacks. Also, the role of the scheduler is seminal in the multi-threaded context. This paper proposes a new notion of confidentiality for probabilistic and non-probabilistic multi-threaded programs, formalized as scheduler-specific probabilistic observational determinism (SSPOD), together with verification methods. Essentially, SSPOD ensures that no information about the private data can be derived either from the public data, or from the probabilities of the public data being changed. Moreover, SSPOD explicitly depends on a given (class of) schedulers. Formally, this is expressed by using two conditions: (i) each publicly visible variable individually behaves deterministically with probability 1, and (ii) for every trace considering all publicly visible variables, there always exists a matching trace with equal probability. We verify these conditions by a clever combination of new and existing algorithms over probabilistic Kripke structures.

[1]  Doron A. Peled,et al.  Stutter-Invariant Temporal Properties are Expressible Without the Next-Time Operator , 1997, Inf. Process. Lett..

[2]  Marieke Huisman,et al.  Effective verification of confidentiality for multi-threaded programs , 2014, J. Comput. Secur..

[3]  Christel Baier,et al.  On the Verification of Qualitative Properties of Probabilistic Processes under Fairness Constraints , 1998, Inf. Process. Lett..

[4]  Ji Zhu,et al.  Quantifying Information Leakage in Finite Order Deterministic Programs , 2011, 2011 IEEE International Conference on Communications (ICC).

[5]  Heiko Mantel,et al.  Flexible Scheduler-Independent Security , 2010, ESORICS.

[6]  Ivan Christoff,et al.  Efficient Algorithms for Verification of Equivalences for Probabilistic Processes , 1991, CAV.

[7]  J. Meseguer,et al.  Security Policies and Security Models , 1982, 1982 IEEE Symposium on Security and Privacy.

[8]  Henri-Charles Blondeel Security by logic : characterizing Non-Interference in temporal logic , 2008 .

[9]  Alfred V. Aho,et al.  The Design and Analysis of Computer Algorithms , 1974 .

[10]  Pedro R. D'Argenio,et al.  Secure information flow by self-composition , 2004, Proceedings. 17th IEEE Computer Security Foundations Workshop, 2004..

[11]  P ? ? ? ? ? ? ? % ? ? ? ? , 1991 .

[12]  Joël Ouaknine,et al.  Language Equivalence for Probabilistic Automata , 2011, CAV.

[13]  A. W. Roscoe CSP and determinism in security modelling , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[14]  Tachio Terauchi,et al.  A Type System for Observational Determinism , 2008, 2008 21st IEEE Computer Security Foundations Symposium.

[15]  Mário S. Alvim,et al.  Quantitative Information Flow and Applications to Differential Privacy , 2011, FOSAD.

[16]  Thomas A. Henzinger,et al.  Equivalence of Labeled Markov Chains , 2008, Int. J. Found. Comput. Sci..

[17]  Mariëlle Stoelinga,et al.  Alea jacta est : verification of probabilistic, real-time and parametric systems , 2002 .

[18]  David Sands,et al.  Assumptions and Guarantees for Compositional Noninterference , 2011, 2011 IEEE 24th Computer Security Foundations Symposium.

[19]  Wen-Guey Tzeng,et al.  A Polynomial-Time Algorithm for the Equivalence of Probabilistic Automata , 1992, SIAM J. Comput..

[20]  Mário S. Alvim,et al.  On the Relation between Differential Privacy and Quantitative Information Flow , 2011, ICALP.

[21]  Jaco van de Pol,et al.  1 Motivation : A Modular , High-Performance Model Checker , 2010 .

[22]  Ana Sokolova,et al.  Information Hiding in Probabilistic Concurrent Systems , 2010, 2010 Seventh International Conference on the Quantitative Evaluation of Systems.

[23]  Geoffrey Smith,et al.  Probabilistic noninterference in a concurrent language , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[24]  Marieke Huisman,et al.  Scheduler-Specific Confidentiality for Multi-threaded Programs and Its Logic-Based Verification , 2011, FoVeOOS.

[25]  Andrew C. Myers,et al.  Observational determinism for concurrent program security , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[26]  David Sands,et al.  Probabilistic noninterference for multi-threaded programs , 2000, Proceedings 13th IEEE Computer Security Foundations Workshop. CSFW-13.

[27]  Geoffrey Smith,et al.  On the Foundations of Quantitative Information Flow , 2009, FoSSaCS.

[28]  Geoffrey Smith,et al.  Probabilistic noninterference through weak probabilistic bisimulation , 2003, 16th IEEE Computer Security Foundations Workshop, 2003. Proceedings..

[29]  Marsha Chechik,et al.  Why Waste a Perfectly Good Abstraction? , 2006, TACAS.

[30]  Marieke Huisman,et al.  A temporal logic characterisation of observational determinism , 2006, 19th IEEE Computer Security Foundations Workshop (CSFW'06).

[31]  Pasquale Malacaria,et al.  Quantitative analysis of leakage for multi-threaded programs , 2007, PLAS '07.

[32]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[33]  Saul A. Kripke,et al.  Semantical Considerations on Modal Logic , 2012 .