Model Checking Quantitative Hyperproperties

Hyperproperties are properties of sets of computation traces. In this paper, we study quantitative hyperproperties, which we define as hyperproperties that express a bound on the number of traces that may appear in a certain relation. For example, quantitative non-interference limits the amount of information about certain secret inputs that is leaked through the observable outputs of a system. Quantitative non-interference thus bounds the number of traces that have the same observable input but different observable output. We study quantitative hyperproperties in the setting of HyperLTL, a temporal logic for hyperproperties. We show that, while quantitative hyperproperties can be expressed in HyperLTL, the running time of the HyperLTL model checking algorithm is, depending on the type of property, exponential or even doubly exponential in the quantitative bound. We improve this complexity with a new model checking algorithm based on model-counting. The new algorithm needs only logarithmic space in the bound and therefore improves, depending on the property, exponentially or even doubly exponentially over the model checking algorithm of HyperLTL. In the worst case, the new algorithm needs polynomial space in the size of the system. Our Max#Sat-based prototype implementation demonstrates, however, that the counting approach is viable on systems with nontrivial quantitative information flow requirements such as a passcode checker.
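The trace-counting view of quantitative non-interference described above, as an added illustration that is not code from the paper: two constructed toy passcode checkers are compared by enumerating, for each observable input (the guess), the set of observable output traces the system produces as the secret passcode ranges over all values. Brute-force enumeration stands in for the paper's Max#Sat-based counting and is only feasible because the alphabet and length are tiny.

```python
from itertools import product
from math import log2

# Constructed toy setting: passcodes are LENGTH digits over DIGITS.
DIGITS = (0, 1)
LENGTH = 3


def early_exit_checker(secret, guess):
    """Stops at the first mismatching digit; the length of the trace
    reveals the mismatch position, so more output traces are distinguishable."""
    trace = []
    for s, g in zip(secret, guess):
        if s != g:
            trace.append("reject")
            return tuple(trace)
        trace.append("checking")
    trace.append("accept")
    return tuple(trace)


def constant_time_checker(secret, guess):
    """Always compares every digit and reports only at the end."""
    ok = True
    trace = []
    for s, g in zip(secret, guess):
        ok = ok and (s == g)
        trace.append("checking")
    trace.append("accept" if ok else "reject")
    return tuple(trace)


def max_output_classes(checker):
    """For each observable input, count the distinct observable output traces
    produced over all secrets; return the maximum over inputs.  This is the
    quantity that a quantitative non-interference bound limits."""
    worst = 0
    for guess in product(DIGITS, repeat=LENGTH):
        outputs = {checker(secret, guess) for secret in product(DIGITS, repeat=LENGTH)}
        worst = max(worst, len(outputs))
    return worst


def satisfies_bound(checker, c):
    """Quantitative non-interference with bound c: at most c output traces
    per observable input."""
    return max_output_classes(checker) <= c


def leakage_bits(checker):
    """log2 of the class count, the usual information-theoretic reading."""
    return log2(max_output_classes(checker))
```

Running `max_output_classes` on the two checkers gives LENGTH + 1 for the early-exit variant and 2 for the constant-time one, so a bound of 2 separates them.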
