Hyperproperties - PowerPoint PPT Presentation

1
Hyperproperties
  • Michael Clarkson and Fred B. Schneider
  • Cornell University
  • Air Force Office of Scientific Research
  • December 4, 2008

2
Security Policies Today
  • Confidentiality
  • Integrity
  • Availability
  • Formalize and verify any security policy?

3
Program Correctness ca. 1970s
  • Partial correctness (If program terminates,
    it produces correct output)
  • Termination
  • Total correctness (Program terminates and
    produces correct output)
  • Mutual exclusion
  • Deadlock freedom
  • Starvation freedom
  • ???

4
Safety and Liveness Properties
  • Partial correctness
  • Bad thing: program terminates with incorrect
    output
  • Access control
  • Bad thing: subject completes operation without
    required rights
  • Termination
  • Good thing: termination
  • Guaranteed service
  • Good thing: service rendered
  • Intuition [Lamport 1977]
  • Safety: Nothing bad happens
  • Liveness: Something good happens

5
Properties
  • Trace: Sequence of execution states
  • t = s0 s1 s2 …
  • Property: Set of infinite traces
  • Trace t satisfies property P iff t ∈ P
  • Satisfaction depends on the trace alone
  • System: Also a set of traces
  • System S satisfies property P iff all traces of S
    satisfy P

6
Properties
[Diagram: system S and property P, each drawn as a set of traces]
7
Properties
[Diagram: S satisfies P; every trace of S lies inside P]
8
Properties
[Diagram: S does not satisfy P; some trace of S lies outside P]
9
Safety and Liveness Properties
  • Formalized
  • Safety property [Lamport 1985]
  • Bad thing: trace prefix
  • Liveness property [Alpern and Schneider 1985]
  • Good thing: trace suffix

10
Success!
  • Alpern and Schneider (1985, 1987)
  • Theorem. ∀P: P = Safe(P) ∩ Live(P)
    (every property is the intersection of a safety
    property and a liveness property)
  • Theorem. Safety proved by invariance.
  • Theorem. Liveness proved by well-foundedness.
  • Theorem. Topological characterization
  • Safety: closed sets
  • Liveness: dense sets
  • Formalize and verify any property?

11
Back to Security Policies
  • Formalize and verify any property?
  • Formalize and verify any security policy?
  • Security policy = property?

12
Information Flow is not a Property
  • Secure information flow: secret inputs are not
    leaked to public outputs
  • [Diagram: system with inputs L and H and output L']
  • Not safety!
  • Noninterference [Goguen and Meseguer 1982]:
    Commands of high users have no effect on
    observations of low users
  • Satisfaction depends on pairs of traces
    ⇒ not a property
  • Information flow occurs when traces are
    correlated
  • Satisfaction does not depend on each trace alone

13
Service Level Agreements are not Properties
  • Service level agreement: Acceptable performance
    of system
  • Not liveness!
  • Average response time: Average time, over all
    executions, to respond to request has given bound
  • Satisfaction depends on all traces of system
    ⇒ not a property
  • Any security policy that stipulates relations
    among traces is not a property
  • Need satisfaction to depend on sets of traces

14
Hyperproperties
  • A hyperproperty is a set of properties
  • A system S satisfies a hyperproperty H iff S ∈ H
  • A hyperproperty specifies exactly the allowed
    sets of traces
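An added example, not code from the slides, of the point made on slides 12 and 14: property satisfaction is subset inclusion, hyperproperty satisfaction is membership, and observational determinism (defined on slide 55) cannot be decided trace by trace. Traces are modelled as tuples of (level, value) events and LEAKY is a constructed two-trace system.

```python
from itertools import combinations_with_replacement

def low(trace):
    """Low observation: the public ("L") events of a trace, in order."""
    return tuple(v for lvl, v in trace if lvl == "L")

def satisfies_property(system, prop):
    """Property (slide 5): S satisfies P iff every trace of S is in P."""
    return all(t in prop for t in system)

def observational_determinism(system):
    """Hyperproperty OD (slide 55): for all traces t, u in T and all j, if t and u
    have the same first j-1 low events then they have equal j-th low events."""
    for t, u in combinations_with_replacement(list(system), 2):
        lt, lu = low(t), low(u)
        for j in range(1, min(len(lt), len(lu)) + 1):
            if lt[:j - 1] == lu[:j - 1] and lt[j - 1] != lu[j - 1]:
                return False
    return True

def satisfies_hyperproperty(system, hyper):
    """Hyperproperty (slide 14): S satisfies H iff S is in H.  H is given as a
    predicate on sets of traces (its characteristic function), not enumerated."""
    return hyper(system)

# Constructed toy system: the secret ("H") input is copied to the public output.
LEAKY = {(("H", 0), ("L", "out=0")),
         (("H", 1), ("L", "out=1"))}

def od_is_not_a_property(system=LEAKY):
    """If OD were a property P, every trace of every OD-satisfying system would
    be in P.  Each singleton {t} satisfies OD, so every trace of LEAKY would be
    in P and LEAKY (a subset of P) would satisfy OD.  Yet OD rejects LEAKY as a
    set: satisfaction depends on pairs of traces, not on each trace alone."""
    each_trace_alone_ok = all(
        satisfies_hyperproperty({t}, observational_determinism) for t in system)
    whole_system_ok = satisfies_hyperproperty(system, observational_determinism)
    return each_trace_alone_ok and not whole_system_ok
```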

15
Hyperproperties
[Diagram: S does not satisfy H; the set of traces S is not one of the sets in H]
16
Hyperproperties
[Diagram: S satisfies H; the set of traces S is one of the sets in H]
17
Hyperproperties
  • Security policies are hyperproperties!
  • Information flow: Noninterference, relational
    noninterference, generalized noninterference,
    observational determinism, self-bisimilarity,
    probabilistic noninterference, quantitative
    leakage
  • Service-level agreements: Average response time,
    time service factor, percentage uptime

18
Hyperproperties
  • Safety and liveness?
  • Verification?

19
Safety
  • Safety proscribes bad things
  • A bad thing is finitely observable and
    irremediable
  • S is a safety property [L85] iff

b is a finite trace
21
Safety
  • Safety proscribes bad things
  • A bad thing is finitely observable and
    irremediable
  • S is a safety property [L85] iff
  • S is a safety hyperproperty (hypersafety) iff

b is a finite trace
B is a finite set of finite traces
22
Prefix Ordering
  • An observation is a finite set of finite traces
  • Intuition: Observer sees a set of partial
    executions
  • M ≤ T (M is a prefix of T) iff
  • M is an observation, and
  • If observer watched longer, M could become T

23
Safety Hyperproperties
  • Noninterference [Goguen and Meseguer 1982]
  • Bad thing is a pair of traces where removing high
    commands does change low observations
  • Observational determinism [Roscoe 1995]
  • Bad thing is a pair of traces that cause system
    to look nondeterministic to low observer

24
Liveness
  • Liveness prescribes good things
  • A good thing is always possible and possibly
    infinite
  • L is a liveness property [AS85] iff

t is a finite trace
25
Liveness
  • Liveness prescribes good things
  • A good thing is always possible and possibly
    infinite
  • L is a liveness property [AS85] iff
  • L is a liveness hyperproperty (hyperliveness)
    iff

t is a finite trace
T is a finite set of finite traces
26
Liveness Hyperproperties
  • Average response time
  • Good thing is that average time is low enough
  • Possibilistic information flow
  • Class of policies requiring alternate possible
    explanations to exist
  • e.g., generalized noninterference [McCullough
    1987]
  • Long known that these are harder to verify
  • Theorem. All PIF policies are hyperliveness.

27
Relating Properties and Hyperproperties
  • Can lift property T to hyperproperty [T]
  • Satisfaction is equivalent iff [T] = P(T), the
    powerset of T
  • Theorem. S is safety ⇒ [S] is hypersafety.
  • Theorem. L is liveness ⇒ [L] is hyperliveness.
  • Verification techniques for safety and liveness
    now carry forward to hyperproperties

28
Safety and Liveness is a Basis (still)
  • Theorem. ∀H: H = Safe(H) ∩ Live(H)

A fundamental basis
29
Topology
  • Topology: Branch of mathematics that studies the
    structure of spaces
  • Open set: Can always wiggle from point and
    stay in set
  • Closed set: Wiggle might move outside set
  • Dense set: Can always wiggle to get into set

[Diagram: an open set, a closed set and a dense set]
30
Topology of Hyperproperties
  • For Plotkin topology on properties [AS85]
  • Safety: closed sets
  • Liveness: dense sets
  • Theorem. Hypersafety: closed sets.
  • Theorem. Hyperliveness: dense sets.
  • Theorem. Our topology on hyperproperties is
    equivalent to the lower Vietoris construction
    applied to the Plotkin topology.

31
Stepping Back
  • Safety and liveness?
  • Verification?

32
Verification of 2-Safety
  • 2-safety [Terauchi and Aiken 2005]: Property
    that can be refuted by observing two finite
    traces
  • Methodology:
  • Transform system with self-composition
    construction [Barthe, D'Argenio, and Rezk 2004]
  • Verify safety property of transformed system
  • Implies 2-safety property of original system
  • Reduction from hyperproperty to property
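The self-composition reduction of the methodology above, as an added example that is not the authors' or the cited papers' code: observational determinism is the 2-safety hyperproperty, traces are tuples of (level, value) events, and LEAKY and SAFE are constructed toy systems. The bad thing is a pair of finite prefixes, so it is checked as an ordinary safety property of the composed system S².

```python
from itertools import product

def low(trace):
    """Low observation: the public ("L") events of a trace, in order."""
    return tuple(v for lvl, v in trace if lvl == "L")

def self_compose(system):
    """S^2: the system run twice side by side, i.e. all pairs of traces of S."""
    return set(product(system, repeat=2))

def is_bad_prefix(pair):
    """Safety property of S^2.  The bad thing is a pair of finite prefixes whose
    low observations disagree at a position both have reached: it is finitely
    observable, and no extension of either prefix can undo it (irremediable)."""
    a, b = low(pair[0]), low(pair[1])
    n = min(len(a), len(b))
    return a[:n] != b[:n]

def refute_od(system):
    """Refute OD of S by exhibiting a bad prefix pair of S^2.  None means the
    safety property holds of S^2, hence the 2-safety hyperproperty OD holds of S."""
    for t, u in self_compose(system):
        for i in range(1, max(len(t), len(u)) + 1):
            candidate = (t[:i], u[:i])
            if is_bad_prefix(candidate):
                return candidate
    return None

# Constructed toy systems: LEAKY copies the secret input to the public output,
# SAFE produces the same public output whatever the secret input was.
LEAKY = {(("H", 0), ("L", "out=0")), (("H", 1), ("L", "out=1"))}
SAFE = {(("H", 0), ("L", "out=x")), (("H", 1), ("L", "out=x"))}
```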

33
k-Safety Hyperproperties
  • A k-safety hyperproperty is a safety
    hyperproperty in which the bad thing never has
    more than k traces
  • Examples
  • 1-hypersafety: the lifted safety properties
  • 2-hypersafety: Terauchi and Aiken's 2-safety
    properties
  • k-hypersafety: SEC(k): System can't, across
    all runs, output all shares of a k-secret
    sharing
  • Not k-hypersafety for any k: SEC = ∩_k SEC(k)

34
Verifying k-Hypersafety
  • Theorem. Any k-safety hyperproperty of S is
    equivalent to a safety property of S^k (the
    k-fold self-composition of S).
  • Yields methodology for k-hypersafety
  • Incomplete for hypersafety
  • Hyperliveness? In general?

35
Logic and Verification
  • Policies are predicates in what logic?
  • Second-order logic suffices, first-order logic
    does not.
  • Verify second-order logic?
  • Can't! (effectively and completely)
  • Can for fragments
  • Fragments might suffice for security policies

36
Refinement Revisited
  • Stepwise refinement: Development methodology
    for properties
  • Start with specification and high-level
    (abstract) program
  • Repeatedly refine program to lower-level
    (concrete) program
  • Techniques for refinement well-developed
  • Long known that those techniques don't work for
    security policies, i.e., hyperproperties
  • Develop new techniques?
  • Reuse known techniques?

37
Refinement Revisited
  • Theorem. Known techniques work with all
    hyperproperties that are subset-closed.
  • Theorem. All safety hyperproperties are
    subset-closed.
  • Stepwise refinement applicable with hypersafety
  • Hyperliveness? In general?

38
Beyond Hyperproperties?
  • Add another level of sets?
  • Theorem. A set of hyperproperties is equivalent
    to a hyperproperty.
  • Logical interpretation:
  • Policies are predicates on systems
  • Hyperproperties are the extensions of those
    predicates
  • Hyperproperties are expressively complete
    (for systems and trace semantics)

39
Probabilistic Hyperproperties
  • To incorporate probability:
  • Assume probability on state transitions
  • Construct probability measure on traces [Halpern
    2003]
  • Use measure to express hyperproperties
  • We've expressed:
  • Probabilistic noninterference [Gray and Syverson
    1998]
  • Quantitative leakage
  • Channel capacity

40
Summary
  • We developed a theory of hyperproperties
  • Parallels theory of properties
  • Safety, liveness (basis, topological
    characterization)
  • Verification (for k-hypersafety)
  • Stepwise refinement (hypersafety)
  • Expressive completeness
  • Enables classification of security policies

41
Charting the landscape
42
[Venn diagram: all hyperproperties (HP)]
43
[Venn diagram: safety hyperproperties (SHP) and liveness hyperproperties (LHP) inside HP]
44
[Venn diagram adds lifted safety properties (SP) and lifted liveness properties (LP)]
45
[Venn diagram adds access control (AC) as safety and guaranteed service (GS) as liveness]
46
[Venn diagram adds Goguen and Meseguer's noninterference (GMNI) as hypersafety]
47
[Venn diagram adds 2-safety hyperproperties (2SHP)]
48
[Venn diagram adds secret sharing (SEC), which is not k-hypersafety for any k]
49
[Venn diagram adds observational determinism (OD) as 2-hypersafety, generalized noninterference (GNI) as hyperliveness, and probabilistic noninterference (PNI) as neither]
50
[Venn diagram adds possibilistic information flow (PIF) as hyperliveness]
51
Revisiting the CIA Landscape
  • Confidentiality
  • Information flow is not a property
  • Is a hyperproperty (HS: OD; HL: GNI)
  • Integrity
  • Safety property?
  • Dual to confidentiality, thus hyperproperty?
  • Availability
  • Sometimes a property (max. response time)
  • Sometimes a hyperproperty (HS: uptime; HL: avg.
    resp. time)
  • CIA seems orthogonal to hyperproperties

53
Extra Slides
54
Future Work
  • Verification methodology
  • Hyperliveness?
  • Axiomatizable fragments of second order logic?
  • CIA express with hyperproperties?
  • Hyperproperties in other semantic domains

55
Information-flow Hyperproperties
  • Noninterference: The set of all properties T
    where for each trace t ∈ T, there exists another
    trace u ∈ T, such that u contains no high
    commands, but yields the same low observation as
    t.
  • Generalized noninterference: The set of all
    properties T where for any traces t and u ∈ T,
    there exists a trace v ∈ T, such that v is an
    interleaving of the high inputs from t and the
    low events from u.
  • Observational determinism: The set of all
    properties T where for all traces t and u ∈ T,
    and for all j ∈ ℕ, if t and u have the same first
    j-1 low events, then they have equivalent jth low
    events.
  • Self-bisimilarity: The set of all properties T
    where T represents a labeled transition system S,
    and for all low-equivalent initial memories m1
    and m2, the execution of S starting from m1 is
    bisimilar to the execution of S starting from m2.

56
Topological Definitions
  • Open sets: closed under finite intersections and
    infinite unions
  • Closed sets: complements of open sets
  • closed under infinite intersection and finite
    union
  • contain all their limit points
  • are their own closure
  • Dense sets: closure is the universe

57
Powerdomains
  • We use the lower (Hoare) powerdomain
  • Our ≤ is the Hoare order
  • Lower Vietoris = lower powerdomain [Smyth 1983]
  • Other powerdomains?
  • Change the notion of observable
  • Upper: observations can disappear; impossibility
    of nondeterministic choices becomes observable
  • Convex: similar problem
  • But might be useful on other semantic domains