Runtime Verification of k-Safety Hyperproperties in HyperLTL

This paper introduces a runtime verification technique for a rich subclass of Clarkson and Schneider's hyperproperties. The primary application of such properties is expressing security policies (e.g., information flow) that cannot be stated in trace-based specification languages such as LTL, because they relate several executions of a system rather than constraining each execution on its own. First, to give these properties a syntactic form, we draw connections between safety and co-safety hyperproperties and the temporal logic HyperLTL, which allows explicit quantification over multiple execution traces. We also define the notion of monitorability in HyperLTL and identify classes of monitorable HyperLTL formulas. Then, we introduce an algorithm for monitoring k-safety and co-k-safety hyperproperties expressed in HyperLTL. Our technique is based on runtime formula progression as well as on-the-fly monitor synthesis across multiple executions. We analyze different performance aspects of the technique through experiments on monitoring information-flow and observational-determinism policies on a real-world location-based service dataset as well as synthetic trace sets.
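The following is an added illustration of the progression idea on a 2-safety policy; it is not the paper's implementation and omits the monitor-synthesis part of the authors' technique. It assumes a universally quantified HyperLTL fragment (no quantifier alternation), so the body of the formula is progressed in lock-step over every ordered pair of observed traces, and it adds an `eq` atom that compares a variable across two traces (the abstract does not fix such an atom; it is an assumption here). Observational determinism is encoded as: if the low inputs of two traces agree initially, then their low outputs agree at every step. Traces, variable names and the set of sample executions are constructed for the example.

```python
"""Monitoring a 2-safety hyperproperty by LTL-style formula progression.

Added example (not the paper's code). Formulas are tuples:
  ("true",) / ("false",)           constants
  ("atom", var, key, value)        var's current state has key == value
  ("eq", var1, var2, key)          same key has equal value in both traces
  ("not", f) ("and", f, g) ("or", f, g) ("next", f) ("always", f) ("eventually", f)
A trace is a list of states; a state is a dict (constructed sample data below).
"""
from itertools import product

TRUE, FALSE = ("true",), ("false",)

def atom(var, key, value): return ("atom", var, key, value)
def eq(var1, var2, key): return ("eq", var1, var2, key)
def nxt(f): return ("next", f)
def always(f): return ("always", f)
def eventually(f): return ("eventually", f)
def implies(f, g): return disj(neg(f), g)

def neg(f):  # negation with constant folding and double-negation removal
    if f == TRUE: return FALSE
    if f == FALSE: return TRUE
    if f[0] == "not": return f[1]
    return ("not", f)

def conj(f, g):  # conjunction with simplification so FALSE surfaces immediately
    if f == FALSE or g == FALSE: return FALSE
    if f == TRUE: return g
    if g == TRUE: return f
    return f if f == g else ("and", f, g)

def disj(f, g):  # disjunction with simplification so TRUE surfaces immediately
    if f == TRUE or g == TRUE: return TRUE
    if f == FALSE: return g
    if g == FALSE: return f
    return f if f == g else ("or", f, g)

def progress(f, state):
    """One progression step: given the joint current state (trace variable ->
    that trace's current state dict), return the obligation on the remainder."""
    op = f[0]
    if op in ("true", "false"):
        return f
    if op == "atom":
        _, var, key, value = f
        return TRUE if state[var].get(key) == value else FALSE
    if op == "eq":
        _, v1, v2, key = f
        return TRUE if state[v1].get(key) == state[v2].get(key) else FALSE
    if op == "not":
        return neg(progress(f[1], state))
    if op == "and":
        return conj(progress(f[1], state), progress(f[2], state))
    if op == "or":
        return disj(progress(f[1], state), progress(f[2], state))
    if op == "next":
        return f[1]
    if op == "always":      # G f  ==  f and X G f
        return conj(progress(f[1], state), f)
    if op == "eventually":  # F f  ==  f or X F f
        return disj(progress(f[1], state), f)
    raise ValueError(f"unknown operator {op!r}")

def monitor_tuple(body, trace_vars, traces):
    """Progress `body` over one k-tuple of traces in lock-step.
    Returns ("violation", i) once the obligation collapses to FALSE,
    ("satisfied", i) once it collapses to TRUE, else ("inconclusive", steps)
    when the shortest trace is exhausted (a safety body never becomes TRUE
    on a finite prefix unless its antecedent fails, so this is the common case)."""
    f = body
    steps = min(len(t) for t in traces)
    for i in range(steps):
        f = progress(f, {v: traces[j][i] for j, v in enumerate(trace_vars)})
        if f == FALSE:
            return ("violation", i)
        if f == TRUE:
            return ("satisfied", i)
    return ("inconclusive", steps)

def monitor_universal(body, trace_vars, trace_set):
    """Check a forall-only formula on a finite set of traces (id -> trace).
    Every ordered k-tuple of ids is checked, repetitions included, as the
    semantics of forall demands; the cost is |traces|^k tuples.
    Returns [(ids, step)] for each violating tuple; [] means none observed."""
    k = len(trace_vars)
    violations = []
    for ids in product(sorted(trace_set), repeat=k):
        verdict, step = monitor_tuple(body, trace_vars, [trace_set[t] for t in ids])
        if verdict == "violation":
            violations.append((ids, step))
    return violations

# Observational determinism, forall p1 p2: low_in agree -> G (low_out agree)
OD = implies(eq("p1", "p2", "low_in"), always(eq("p1", "p2", "low_out")))

# Constructed sample executions: C diverges from A/B at step 2 on low output,
# D has a different low input and so is unconstrained relative to A/B/C.
SAMPLE_TRACES = {
    "A": [{"low_in": 0, "low_out": 1}, {"low_out": 2}, {"low_out": 3}],
    "B": [{"low_in": 0, "low_out": 1}, {"low_out": 2}, {"low_out": 3}],
    "C": [{"low_in": 0, "low_out": 1}, {"low_out": 2}, {"low_out": 4}],
    "D": [{"low_in": 1, "low_out": 9}, {"low_out": 9}],
}

def observational_determinism_violations(trace_set=SAMPLE_TRACES):
    return monitor_universal(OD, ("p1", "p2"), trace_set)

if __name__ == "__main__":
    print(observational_determinism_violations())
```

Running it reports the pairs (A,C), (B,C), (C,A) and (C,B), each with the violation becoming definite at step 2, which is exactly the point the abstract makes about k-safety: a violation is a finite bad prefix of a fixed number of traces, so it can be reported as soon as the traces have been read that far, and the pairs with differing low inputs are discharged at step 0 because the antecedent fails. The quadratic number of pairs in `monitor_universal` is the cost a real monitor for such policies has to manage.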

[1] Martin Leucker et al. Runtime Verification for LTL and TLTL. TSEM, 2011.

[2] Andrew C. Myers et al. Language-based information-flow security. IEEE J. Sel. Areas Commun., 2003.

[3] François Pottier et al. Information flow inference for ML. TOPL, 2003.

[4] Martin Leucker et al. Monitoring modulo theories. International Journal on Software Tools for Technology Transfer, 2016.

[5] David A. Naumann et al. Information Flow Monitor Inlining. 23rd IEEE Computer Security Foundations Symposium, 2010.

[6] Fahiem Bacchus et al. Planning for temporally extended goals. Annals of Mathematics and Artificial Intelligence, 1996.

[7] Andrew S. Tanenbaum et al. A Virtual Machine Based Information Flow Control System for Policy Enforcement. Electron. Notes Theor. Comput. Sci., 2008.

[8] Amir Pnueli et al. PSL Model Checking and Run-Time Verification Via Testers. FM, 2006.

[9] David Clark et al. Non-Interference for Deterministic Interactive Programs. Formal Aspects in Security and Trust, 2009.

[10] Bernd Finkbeiner et al. Algorithms for Model Checking HyperLTL and HyperCTL*. CAV, 2015.

[11] Andrew C. Myers et al. Complete, safe information flow with decentralized labels. IEEE Symposium on Security and Privacy, 1998.

[12] Michael R. Clarkson et al. Hyperproperties. 21st IEEE Computer Security Foundations Symposium, 2008.

[13] Sebastian Mödersheim et al. OFMC: A symbolic model checker for security protocols. International Journal of Information Security, 2005.

[14] Andrew C. Myers et al. JFlow: practical mostly-static information flow control. POPL '99, 1999.

[15] Fred B. Schneider et al. Enforceable security policies. TSEC, 2000.

[16] Andrew C. Myers et al. Observational determinism for concurrent program security. 16th IEEE Computer Security Foundations Workshop, 2003.

[17] Alejandro Russo et al. On-the-fly inlining of dynamic security monitors. Comput. Secur., 2010.

[18] Alejandro Russo et al. Dynamic vs. Static Flow-Sensitive Security Analysis. 23rd IEEE Computer Security Foundations Symposium, 2010.

[19] Byung-Gon Chun et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. OSDI, 2010.

[20] Sorin Lerner et al. Staged information flow for JavaScript. PLDI '09, 2009.

[21] Orna Kupferman et al. Model Checking of Safety Properties. Formal Methods Syst. Des., 1999.

[22] Bowen Alpern et al. Defining Liveness. Inf. Process. Lett., 1984.

[23] Dawn Song et al. Privacy Scope: A Precise Information Flow Tracking System for Finding Application Leaks. 2009.

[24] Thomas H. Austin et al. Efficient purely-dynamic information flow analysis. PLAS '09, 2009.

[25] Pierre Wolper et al. The Complementation Problem for Büchi Automata with Applications to Temporal Logic. Theor. Comput. Sci., 1987.

[26] Ronald Fagin et al. Reasoning about Knowledge: A Response by the Authors. Minds and Machines, 2004.

[27] John McLean et al. Applying Formal Methods to a Certifiably Secure Software System. IEEE Transactions on Software Engineering, 2008.

[28] Alexander Aiken et al. Secure Information Flow as a Safety Problem. SAS, 2005.

[29] Grigore Rosu et al. Monitoring programs using rewriting. 16th Annual International Conference on Automated Software Engineering (ASE 2001), 2001.

[30] Borzoo Bonakdarpour et al. Decentralized Runtime Verification of LTL Specifications in Distributed Systems. IEEE International Parallel and Distributed Processing Symposium, 2015.

[31] J. Meseguer et al. Security Policies and Security Models. IEEE Symposium on Security and Privacy, 1982.

[32] Martín Abadi et al. A logic of authentication. Proceedings of the Royal Society of London. A. Mathematical and Physical Sciences, 1989.

[33] David A. Naumann et al. Information Flow Monitoring as Abstract Interpretation for Relational Logic. 27th IEEE Computer Security Foundations Symposium, 2014.

[34] Bernd Finkbeiner et al. Temporal Logics for Hyperproperties. POST, 2013.

[35] Dominique Devriese et al. Noninterference through Secure Multi-execution. IEEE Symposium on Security and Privacy, 2010.

[36] Bernd Finkbeiner et al. Model Checking Information Flow in Reactive Systems. VMCAI, 2012.