Monitoring Hyperproperties

Size: px

Start display at page:

Download "Monitoring Hyperproperties"

Georgiana Mathews
6 years ago
Views:

1 none.png Monitoring Hyperproperties Bernd Finkbeiner, Christopher Hahn, Marvin Stenger, and Leander Tentrup Reactive Systems Group, Saarland University, Germany The 17th International Conference on Runtime Verification Seattle, USA,

2 Hyperproperties Definition A Hyperproperty H 2 TR is a set of sets of execution traces [Clarkson, Schneider, 10]. Example trace equality: All traces agree on a proposition p. observational determinism: A program appears deterministic to low security users. noninterference, generalized noninterference, noninference, declassification,... 1

3 A Logical Approach to Information-Flow Control HyperLTL [Clarkson, Finkbeiner, Koleini, Micinski, Rabe, Sánchez, 14] HyperLTL LTL + explicit trace quantification: π. π. on π on π satisfiable by {{on} ω, {off} ω } on off on trace equality: π. π. (on π on π ) on off on on off on on off on on off on observational determinism: π. π. (O π = O π ) W (I π = I π ) 2

4 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

5 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

6 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

7 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

8 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

9 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

10 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

11 Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

12 Overview 1. monitor construction 2. two techniques to make monitoring of hyperproperties feasible in practice: Trace Analysis: exploits a dominance relation between traces Specification Analysis: exploits symmetry, transitivity, and reflexivity in the specification 4

13 Monitor Construction conference management system with author and pc traces no paper submission is lost: every submission (s) is visible (v) to every pc member when comparing two pc traces, they have to agree on v π. π. ( pc π pc π ) (s π v π ) (1) (pc π pc π ) (v π v π ) (2) 5

14 Monitor Construction π. π. ( pc π pc π ) (s π v π ) (pc π pc π ) (v π v π ) q 0 v π pc π pc π pc π pc π pc π v π s π q 4 q 1 s π q 3 q 2 s π v π v π 6

15 Monitor Construction Deterministic monitor template = (, Q, δ, q 0 ): finite alphabet = 2 AP The automaton runs in parallel over n-ary tuple N ((2 AP ) ) n of finite traces: n δ q i, {(a, π j )} = q i+1. j=1 a N(j)(i) 7

16 Monitor Construction Deterministic monitor template = (, Q, δ, q 0 ): finite alphabet = 2 AP The automaton runs in parallel over n-ary tuple N ((2 AP ) ) n of finite traces: n δ q i, {(a, π j )} = q i+1. j=1 a N(j)(i) 7

17 Monitor Construction Deterministic monitor template = (, Q, δ, q 0 ): finite alphabet = 2 AP The automaton runs in parallel over n-ary tuple N ((2 AP ) ) n of finite traces: n δ q i, {(a, π j )} = q i+1. j=1 a N(j)(i) 8

18 Monitor Construction Deterministic monitor template = (, Q, δ, q 0 ): finite alphabet = 2 AP The automaton runs in parallel over n-ary tuple N ((2 AP ) ) n of finite traces: n δ q i, {(a, π j )} = q i+1. j=1 a N(j)(i) 8

19 Monitor Construction Deterministic monitor template = (, Q, δ, q 0 ): finite alphabet = 2 AP The automaton runs in parallel over n-ary tuple N ((2 AP ) ) n of finite traces: n δ q i, {(a, π j )} = q i+1. j=1 a N(j)(i) 8

20 Memory Explosion The naive approach always stores every trace seen so far! 9

21 Memory Explosion The naive approach always stores every trace seen so far! 9

22 Memory Explosion The naive approach always stores every trace seen so far! 9

23 Memory Explosion The naive approach always stores every trace seen so far! 9

24 Memory Explosion The naive approach always stores every trace seen so far! 9

25 Memory Explosion The naive approach always stores every trace seen so far! 9

26 Memory Explosion The naive approach always stores every trace seen so far! 9

27 Memory Explosion The naive approach always stores every trace seen so far! 9

28 Memory Explosion The naive approach always stores every trace seen so far! 9

29 Memory Explosion The naive approach always stores every trace seen so far! 9

30 Memory Explosion The naive approach always stores every trace seen so far! 9

31 Memory Explosion The naive approach always stores every trace seen so far! 9

32 Memory Explosion The naive approach always stores every trace seen so far! 9

33 Memory Explosion The naive approach always stores every trace seen so far! 9

34 Memory Explosion The naive approach always stores every trace seen so far! 9

35 Memory Explosion The naive approach always stores every trace seen so far! 9

36 Memory Explosion The naive approach always stores every trace seen so far! Trace Analysis: discard traces that are dominated by other traces 9

37 Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper 10

38 Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers 11

39 Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers 12

40 Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers {} {pc} {v} {v} {v} a pc observes 3 submissions 13

41 Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers {} {pc} {v} {v} {v} a pc observes 3 submissions 14

42 Trace Analysis - Example {} {pc} {v} {v} {v} a pc member observes three submissions 15

43 Trace Analysis - Example {} {pc} {v} {v} {v} a pc member observes three submissions {} {pc} {v} {v} {} a pc member observes two submissions 16

44 Trace Analysis Definition (Trace Redundancy) HyperLTL formula φ trace set T a trace t is (T, φ)-redundant if T is a model of φ if and only if T {t} is a model of φ 17

45 Dominance Checking HyperLTL formula φ traces t and t monitor template φ t dominates t if and only if π ( φ [t /π]) ( φ [t/π]) 18

46 Storage Minimization Algorithm input :HyperLTL formula φ, redundancy free trace set T, trace t output :redundancy free set of traces T min T {t} φ = build_template(φ) foreach t T do if t dominates t then return T end end foreach t T do if t dominates t then T := T \ {t } end end return T {t} 19

47 Specification Analysis Basic Idea: We use the HyperLTL-Sat solver EAHyper [Finkbeiner, H., Stenger, 17] to check whether HyperLTL formulas are symmetric, transitive or reflexive. Symmetry: we omit at least half of the monitor instantiations Transitivity: we reduce the instantiations to two Reflexivity: we omit the reflexive monitor instantiation 20

48 Symmetry - Example For observational determinism π. π. (O π = O π ) W (I π = I π ) we check whether the following formula is valid: π. π. (O π = O π ) W (I π = I π ) (O π = O π ) W (I π = I π ) we can omit the symmetric monitor instantiations 21

49 Transitivity - Example For output-equality π. π. O π = O π we check whether the following formula is valid: π. π. π. (O π = O π ) (O π = O π ) (O π = O π ) it is sufficient to store one reference trace 22

50 Reflexivity - Example For observational determinism π. π. (O π = O π ) W (I π = I π ) we check whether the following formula is valid: π. (O π = O π ) W (I π = I π ) we can omit the reflexive monitor 23

51 Experiments 10 5 π. π. (O π = O π ) W (I π = I π ) naive monitoring approach trace analysis specification analysis combination of both runtime on randomly generated traces runtime in msec ,000 1,500 2,000 # of instances 24

52 Experiments: Trace Analysis π. π. <n(i π = I π ) <n+c (O π = O π ) n = 16 n = 14 n = absolute numbers of violations number of instances stored number of instances pruned 10 5 randomly generated traces of length

53 Experiments: Specification Analysis symm trans refl ObsDet1 π. π. (I π = I π ) (O π = O π ) ObsDet2 π. π. (I π = I π ) (O π = O π ) ObsDet3 π. π.(o π = O ) (I π π = I ) π QuantNoninf π 0... π c. (( i I πi = I π0 ) i =j O πi = O πj ) EQ π. π (. (a π a π ) π π. ( pc π pc π ) (s π v π ) ) ConfMan ( (pc π pc π ) (v π v π ) ) preprocessing can be done in a couple of seconds with EAHyper saves tremendous amount of time during the monitoring process 26

54 Summary monitoring hyperproperties in theory: Monitor Template Memory Explosion monitoring hyperproperties in practice: Trace Analysis: exploits a dominance relation between traces Specification Analysis: exploits symmetry, transitivity, and reflexivity in the specification 27

55 Bibliography [Clarkson, Schneider, 10] Clarkson, M. R., and F. B. Schneider. "Hyperproperties." Journal of Computer Security 18.6 (2010): [Clarkson, Finkbeiner, Koleini, Micinski, Rabe, Sánchez, 14] Clarkson, M. R., Finkbeiner, B., Koleini, M., Micinski, K. K., Rabe, M. N., & Sánchez, C. (2014, April). Temporal logics for hyperproperties. In International Conference on Principles of Security and Trust (pp ). [Finkbeiner, H., 16] Finkbeiner, Bernd, Hahn, Christopher. Deciding hyperproperties. 27th International Conference on Concurrency Theory, CONCUR 2016 [Finkbeiner, H., Stenger, 17] Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger. EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties. International Conference on Computer Aided Verification (2017). Pictures: 28

56 Monitorability Theorem Given a HyperLTL formula φ = π 1... π k.ψ, where ψ true is an LTL formula. φ is monitorable if, and only if, u. v.uv bad( (ψ)). Theorem Given an alternation-free HyperLTL formula φ. Deciding whether φ is monitorable is PSpace-complete. 29

57 Finite Trace Semantics t[i, j] = { ε if i t t[ i, min(j, t 1)], otherwise fin = T a π if a fin (π)[0] fin = T φ if fin = T φ fin = T φ ψ if fin = T φ or fin = T ψ fin = T φ if fin [1,...] = T φ fin = T φ U ψ if i 0. fin [i,...] = T ψ 0 j < i. fin [j,...] = T φ fin = T π.φ if there is some t T such that fin [π t] = T φ 30

58 Alternation An offline monitor for a n m HyperLTL and m n HyperLTL formula has to perform the checks N T n check if φ accepts N M, and M T m check if φ accepts M N, respectively. N T n M T m 31

Monitoring Hyperproperties

Monitoring Hyperproperties Bernd Finkbeiner, Christopher Hahn, Marvin Stenger, and Leander Tentrup Reactive Systems Group Saarland University lastname@react.uni-saarland.de Abstract. We investigate the