Automaton-based Non-interference Monitoring

Transcription

1 Autmatn-based Nn-interference Mnitring Gurvan Le Guernic, Anindya Banerjee, David Schmidt T cite this versin: Gurvan Le Guernic, Anindya Banerjee, David Schmidt. Autmatn-based Nn-interference Mnitring. [Technical Reprt] KSU Reprt , 2006, pp.49. <inria v1> HAL Id: inria Submitted n 10 Apr 2006 (v1), last revised 24 Apr 2006 (v2) HAL is a multi-disciplinary pen access archive fr the depsit and disseminatin f scientific research dcuments, whether they are published r nt. The dcuments may cme frm teaching and research institutins in France r abrad, r frm public r private research centers. L archive uverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusin de dcuments scientifiques de niveau recherche, publiés u nn, émanant des établissements d enseignement et de recherche français u étrangers, des labratires publics u privés.

2 Autmatn-based Nn-interference Mnitring Gurvan Le Guernic Anindya Banerjee David A. Schmidt April 10, 2006

3 Cntents 1 Intrductin 2 2 Outline Backgrund The Apprach Used Definitin f the Mnitring Mechanism The Autmatn The Semantics Efficiency f the Mnitring Mechanism Sundness Mnitring Autmatn versus Type System Related Wrk 14 6 Cnclusin 16 A Nmenclature 19 B Prfs 19 B.1 Prfs f Sect.4.1 (Sundness) B.2 Prfs f Sect References 46 2

4 Abstract This reprt presents a nn-interference mnitring mechanism fr sequential prgrams. Nn-interference is a prperty f the infrmatin flws f a prgram. It implies the respect f the cnfidentiality f the secret infrmatin manipulated. The apprach taken uses an autmatn based mnitr. During the executin, abstractins f the events ccurring are sent t the autmatn. The autmatn uses thse inputs t track the infrmatin flws and t cntrl the executin by frbidding r editing dangerus actins. The mechanism prpsed is prved t be sund and mre efficient than a type system similar t the histrical ne develped by Vlpan, Smith and Irvine.

5 1 Intrductin With the increase f the level f cmmunicatin between infrmatin systems, the interest fr researches n security has fllwed the same path. Security is usually partitined in three main dmains: cnfidentiality fcuses n the cntrl f the disseminatin f secrets, integrity is cncerned by the incrruptibility f imprtant infrmatin, availability ensures the accessibility f resurces t legal users. This reprt deals with the cncept f cnfidentiality; and mre precisely with the ntin f nn-interference in sequential prgrams. This ntin is based n ideas frm classical infrmatin thery [Ash56]. It has first been intrduced by Gguen and Meseguer [GM82] as the absence f strng dependency (a cncept develped by Chen [Ch77]). infrmatin is transmitted frm a surce t a destinatin nly when variety in the surce can be cnveyed t the destinatin Chen [Ch77, Sect.1]. One grup f users, using a certain set f cmmands, is nninterfering with anther grup f users if what the first grup des with thse cmmands has n effect n what the secnd grup f users can see. Gguen and Meseguer [GM82, Sect.1]. A sequential prgram is said t be nn-interfering if the value f the public (r lw) utputs d nt depend n the value f the secret (r high) inputs. In ther wrd, a prgram is nn-interfering if the secret inputs d nt interfere with the public utputs. Fllwing the ntatin f Sabelfeld and Myers [SM03], the ntin f nn-interference (with regard t the equivalence relatins = L and L ) can be expressed as fllws: s 1,s 2 S. s 1 = L s 2 [[P]]s 1 L [[P]]s 2 (1) This equatin states that a prgram P is said t be nn-interfering if and nly if fr any tw states s 1 and s 2 that assciate the same value t lw (public) data (written s 1 = L s 2 ), the executins f the prgram P in the initial states s 1 and s 2 are indistinguishable by an attacker having access nly t the lw (public) utputs. Thse executins are said lw-equivalent ; nted [[C]]s 1 L [[C]]s 2. The lw-equivalent relatin characterizes the bservatinal pwer f the attacker, by stating what he can distinguish. This may vary frm requiring the lw (public) data f the final states t be equal fr bth executins, t requiring the tw executins t have the same energy cnsumptin. As emphasized by the review paper f Sabelfeld and Myers [SM03], there are already lts f wrks n nn-interference. The particularity f the apprach develped in this reprt lies in the granularity assciated t the ntin f nninterference and the apprach taken in rder t ensure the cnfidentiality f 2

6 secret data. The majrity f researches, as the nes f Mizun and Schmidt [MS92] and Vlpan, Smith, and Irvine [VSI96], assciate the ntin f nninterference t the level f a whle prgram; they develp a static analysis which accept r reject whle prgrams depending n their ability t ensure the cnfidentiality f the secrets they manipulate. In the wrk presented here, the ntin f nn-interference is assciated at the level f executins themselves. This reprt intrduces a mnitring mechanism which guaranties the respect f the cnfidentiality f secret data; either the mnitr deduces that the current executin is nn-interfering r it alters the behavir f the prgram in rder t btain a nn-interfering executin. The next sectin gives an verview f the apprach. It defines sme ntins used, as well as intrduces the scpe f the wrk. Sectin 3 defines the mnitring semantics. This semantics is based n an autmatn which is defined in the same sectin. The prperties f mnitred executins and a cmparisn with a type system are cntained in Sect. 4. Then the reprt skims thrugh related wrks in the dmain f autmata based mnitring and infrmatin flw mnitring. Finally, the cnclusin cmes in Sect Outline The wrk presented in this reprt aims at mnitring executins. S it is dealing with the ntin f nn-interfering executin and nt with the ntin f nninterfering prgram. An executin is said t be nn-interfering if its public (lw) utputs have the same values as the public utputs f any ther executin having the same public (lw) inputs. Fr an executin f a prgram P started in the initial state s, based n the frmal definitin f prgram nn-interference given in (1), the prperty f being nn-interfering can be frmalized as fllws: s S. s = L s [[P]]s L [[P]]s (2) The ntin f nn-interference is intrinsically linked t the ntin f infrmatin flw. This reprt distinguishes three types f infrmatin flws: direct flws Thse flws appear when an assignment is executed. Fr example, if the assignment x := y is executed, then a direct flw frm y t x is generated. indirect flws Thse flws cncern a flw frm the cntext f executin t the value f a variable. There are tw types f indirect flws: explicit indirect flws Thse flws appear when an assignment is executed. Fr example, if the statement if b then x := y else skip end is executed with b equals t true, then an explicit indirect flw frm b t x is generated. implicit indirect flws Thse flws appear when an assignment is nt executed. Fr example, if the statement if b then x := y else skip end 3

7 is executed with b equals t false, then an implicit indirect flw frm b t x is generated. 2.1 Backgrund The idea f using autmata t mnitr the gd behavir f executins is nt recent. Schneider in [Sch00] studies the type f security plicies which can be enfrced using truncatin autmata. Thse types f autmata are nly able t stp an executin. His cnclusin is that this apprach enables nly the enfrcement f safety prperties. A safety prperty is befre all a prperty. In [LBW05a], with the definitin that an executin is a sequence f actins, a prperty is defined as fllws: Definitin 2.1 (Prperty). A security plicy P is deemed t be a prperty if and nly if there exists a cmputable predicate ˆP n executin such that P is a predicate ver sets f executins with the fllwing frm: P(Σ) = σ Σ. ˆP(σ) Frm (2), it is bvius that there is n predicate ˆP n the sequence f actins evaluated by an executin such that ˆP can decide if an executin is r is nt nn-interfering. S, truncatin autmata are nt sufficient t enfrce nn-interference 1. Mre pwerful autmata are described in [LBW05a]. They are called Edit Autmata. On a given sequence f actins, thse autmata can insert, suppress r edit sme actins in rder t enfrce what is called infinite renewal prperties in [LBW05b]. Thse are still prperties and thus nn-interference des nt belng t this set. Hwever, as shwn by this reprt, by increasing the infrmatin given t an autmatn similar t Edit Autmata, it is pssible t enfrce nn-interfering executins. The wrk presented in this reprt is nt the first ne trying t enfrce cnfidentiality at run time. RIFLE [VBC + 04] is a runtime infrmatin-flw security system. It is designed t track the infrmatin flw during the executin f cnverted binaries. The system uses the cllected infrmatin t enfrce users cnfidentiality plicies. Hwever, it des nt enfrce nn-interference. The reasn is that it des nt take int cnsideratin implicit indirect flws. By ding s, RIFLE ignres executins with equivalent public inputs but taking a different path. As Ashby states: the infrmatin carried by a particular message depends n the set it cmes frm. The infrmatin cnveyed is nt an intrinsic prperty f the individual message. [Ash56, 7/5 page 124]. 1 The title f [TA05], by Terauchi and Aiken, may let the reader think that truncatin autmata can indeed enfrce nn-interference. Hwever, what they d is really reduce the nn-interference prblem t, what they call, a 2-safety prblem. Even if their methd gives really gd results with therem prvers and mdel checkers, it is nt fitted fr mnitring. 4

8 The authrs f RIFLE are cnscius f this fact. They ntice that, in rder t enfrce strnger cnstraints n the infrmatin flw, the mnitring mechanism must be aware f the cmmands which are nt evaluated by a given executin. This is part f the apprach taken in the wrk presented in this reprt. 2.2 The Apprach Used The language taken int cnsideratin is a while-language extended with an utput statement. Its grammar is given in Fig. 1. Statements are partitined between sequences f statements and cmmands. Cmmands themselves are partitined between atmic cmmands and branching cmmands. The utput statement, which is an atmic cmmand and is nted utput e, is a generic statement used t represent any kind f public (lw) utput. Fr example, it is used t represent the actin f printing the value f an expressin e in the terminal running the prgram, prducing a sund, r lay ut a new windw n the desktp screen. Only public utputs (i.e. utputs that are visible by standard users) are cded using the utput statement. Secret utputs are simply ignred. Fr example, sending a message m n a public netwrk is represented by the statement utput m. Whereas sending an encrypted message n n a public netwrk is abstracted by utput δ, where δ is a default cnstant which emphasize the fact that an attacker is unable t decrypt an encded message. Finally, sending a message n a private netwrk, t which standard users d nt have access, simply des nt appear in the cde f the prgrams studied. A B C S ::= x := e skip utput e ::= if e then S else S end while e d S dne ::= A B ::= S ; S C Figure 1: Grammar f the language Figure 2 gives the standard semantics f the language. The semantics is a functin frm a pair, cmpsed f a prgram state and a statement, t anther pair cnstituted frm an utput sequence and a new prgram state. A prgram state is simply a value stre mapping variable names t their current value. An utput sequence is an empty sequence (nted ǫ), a single value (fr example, σ(e)) r the cncatenatin f tw ther sequences (nted 1 2 ). The semantics is quite standard; except fr the utput sequence which, hwever, cmes withut 5

9 any surprise. σ x := e ǫ = σ[x σ(e)] σ utput e σ(e) === σ σ skip ǫ = σ σ(e) = v σ S v = σ σ if e then S true else S false end = σ (E O -ASSIGN) (E O -PRINT) (E O -SKIP) (E O -IF) σ(e) = true σ S ; while e d S dne = σ σ while e d S dne = σ (E O -WHILE true ) σ(e) = false σ while e d S dne ǫ = σ (E O -WHILE false ) σ S 1 1 = σ σ S 2 2 = σ σ S 1 ; S === σ (E O -SEQ) Figure 2: Semantics utputting the values f lw-utputs The mnitring principles. The main idea behind nn-interference is that there is n infrmatin flwing frm secret (high) inputs t public (lw) utputs. In the apprach taken in this reprt, the secret inputs are the initial values f the variable belnging t a set nted S. The nly public utput is the sequence utputted during the executin. The values f the variables at the end f the executin are nt accessible t standard users; cnsequently, they are nt cnsidered as public utputs. The main principle f the mnitring mechanism is based n ntins f classical infrmatin thery [Ash56] abut infrmatin transmissin. Chen states it as fllw: infrmatin can be transmitted frm a t b ver executin f H if, by suitably varying the initial value f a (explring the variety in a), the resulting value in b after H s executin will als vary (shwing that the variety is cnveyed t b). Chen [Ch77, Sect.3]. Hence, fr preventing infrmatin flw frm secret inputs t public utputs, the mnitring mechanism will make sure that variety in the initial values f the variables in the state S is nt cnveyed t the utput sequence. This means that the mnitring mechanism, which wrks n a single executin (i.e. the initial value f the variables belnging t S is fixed), will ensure that even if the initial values f the variables belnging t S were different (bringing back variety in it) the utput sequence wuld be identical. 6

10 The mnitring autmatn has tw jbs. The first ne is t track variety. By that, we mean t track entities which may be different if the initial value f the variables belnging t S were different. The secnd jb is t prevent variety t be cnveyed t the utput sequence; in ther wrds, t ensure that the utput sequence wuld be identical fr any executin fr which the value f the public inputs (i.e. the initial value f the variables nt belnging t S) is identical. In rder t cmplete the first jb, the states f the mnitring autmatn are pairs. The first element f this pair is a set f variables. At any step f the cmputatin, it cntains all the variables which have variety (i.e. which may have a different value if the initial value f the variables belnging t S were different). The secnd element f the pair is a wrd belnging t the language whse alphabet is {, } and is described by the regular expressin ( + ). This wrd tracks variety in the cntext f the executin (r the value f the prgram cunter). The secnd jb (preventing variety t be cnveyed t the utput sequence) is accmplished by authrizing, denying r editing utput statements depending ne the current state f the mnitring autmata. What precisin is lst by the abstractin? The autmatn described here des nt have infrmatin abut the real value f the variables. It just knws if a variable may r may nt have variety. This feature prevents the autmatn t detect sme safe executins. An example f such an executin fllws. The prgram has tw inputs h (cntaining secrets) and l (cntaining public infrmatin). x := l ; i f h then x := 1 e l s e x := x / 2 end ; utput x The executin, fr which h is true and l is 2, is safe. Whatever the value f h is, the executins f the prgram, fr which l is 2, just utput 1 (there is n variety in the utput sequence). S, in thse cases, there is n flw frm h t what is utputted. Hwever, t be able t discver this fact, the autmatn used wuld need sme infrmatin abut the real values f variables. This is nt the case with the wrk prpsed here, s the abve example is ut f the reach f the prpsed mnitring mechanism. Hwever, Sect. 4 demnstrates that this mechanism is still f interest. Befre that, the next sectin gives a frmal definitin f the mnitring autmatn and f the mnitred semantics. 3 Definitin f the Mnitring Mechanism The mnitring mechanism is divided int tw main elements. The first ne is an autmatn similar t Edit Autmata [LBW05a]. It takes as inputs abstrac- 7

11 tins f the actins accmplished during an executin. Its rle is t track the infrmatin flw and authrize r frbid the actins f the mnitred executin in rder t enfrce nn-interference. The secnd element f the mnitring mechanism is a semantics f mnitred executins which merge tgether the behavir f the mnitring autmatn and f the standard utput semantics given in Fig. 2. This sectin first describes the mnitring autmatn and then the semantics f mnitred executins. 3.1 The Autmatn The transitin functin f the autmatn used t mnitr an executin is independent f the prgram mnitred. Hwever, the set f autmatn states depends f the prgram mnitred. Fr any prgram P, whse variables belngs t V(?) and the set f secret input variables is S(?), the autmatn A(P) enfrcing nn-interference is defined as (Q,Φ,Ψ,σ, s) where: Q is a set f states (Q = (P(V(?)) L(( + ) )), 2 Φ is a finite set f the input alphabet, Ψ is a finite set f the utput alphabet, σ is a transitin functin (Q Φ) Q, s, an element f Q, is the start state (s = (S(?),0)). The first element f a state is bviusly finite, as the number f variables used by a given prgram is finite. The length f the wrd used as secnd element f a state can be bunded. Assuming that there is n recursive methd calls, the maximum length f this wrd is equal t the maximum depth f branching statements inclusin. Fr example, with a prgram having n methds and a single branching statement, the secnd element f a state is a wrd which maximum size is 1. The input alphabet f the autmatn (Φ) crrespnds t an abstractin f the events ccurring during an executin. This alphabet is cmpsed f the fllwing: branch e is generated each time a branching statement has t be evaluated. e is the expressin which/whse value determines the branch which is executed. Fr example, befre the evaluatin f the statement if x > 10 then S 1 else S 2 end, the input branch x > 10 is sent t the mnitring autmatn. exit is generated each time a branching statement has been evaluated. Fr example, after the evaluatin f the statement if x > 10 then S 1 else S 2 end, the input exitis sent t the mnitring autmatn. 2 P(X) is the pwer set f X, als written 2 X 8

12 nt S is generated each time a piece f cde, S, is nt evaluated. It is sent just after the executin f the piece f cde which has been executed instead f S. Fr example, the statement if x then S 1 else S 2 end, with x being true, generates the autmata input nt S 2 just after the executin f S 1. A, where A is any atmic actin f the language. Any such actin is sent t the autmatn fr validatin befre its executin. The utput alphabet (Ψ) is cmpsed f the fllwing: ACK is used as answer fr any input which is nt an atmic actin f the language. The autmatn acknwledges the receptin f infrmatin useful fr tracking ptential infrmatin flws but which des nt require an interventin f the autmatn. is used whenever the mnitring autmatn authrizes the executin f an atmic actin. NO is used whenever the mnitring autmatn frbids the executin f an atmic actin. A, where A is any atmic actin f the language. This is the answer f the mnitring autmatn whenever anther actin than the current ne has t be executed. The transitin functin, which is given in Fig.3 page 3, uses tw special functins. FV(e) returns the set f variables appearing in e. Fr example, FV(x +y) returns the set {x,y}. PA(S) is the set f all variables assigned t (i.e. appearing n the left side f an assignment) in S. This functin is used t take int accunt the implicit indirect flws created whenever a branch is mt executed. A frmal definitin f this functin fllws: x, e : PA(x := e) = {x} e : PA(utput e) = PA(skip) = S 1,S 2 : PA(if e then S 1 else S 2 end) = PA(S 1 ) PA(S 2 ) S 1,S 2 : PA(while e d S dne) = PA(S) S 1,S 2 : PA(S 1 ; S 2 ) = PA(S 1 ) PA(S 2 ) As it can be seen in Fig.3, the autmatn validates r invalidates nly the executins f utput statements. Fr ther inputs, the nly thing dne is t keep track in the set V f the variables which may cntain sme secret infrmatin, and keep track in w f the branching cnditins encuntered s far which were secret. The rules fr the autmata input utput e prevent bad flws thrugh tw different channels. The first ne is the actual cntent f what is utputted. 9

13 ((V,w), branch e) ACK (V, w ) iff FV(e) V (T-BRANCH-high) ((V,w), branch e) ACK (V, w ) iff FV(e) V = (T-BRANCH-lw) ((V,wa), exit) ACK (V, w) (T-EXIT) ((V,w), nt S) ACK (V PA(S),w) iff w L( ( + ) ) (T-NOT-high) ((V,w), nt C) ACK (V,w) iff w L( ) (T-NOT-lw) ((V,w), skip) (V, w) ((V,w), x := e) (V {x},w) iff w L( ( + ) ) r FV(e) V (T-SKIP) (T-ASSIGN-sec) 10 ((V,w), x := e) (V \ {x},w) iff w L( ) and FV(e) V = (T-ASSIGN-pub) ((V,w), utput e) (V,w) iff w L( ) and FV(e) V = (T-PRINT-k) ((V,w), utput e) utput δ (V,w) iff w L( ) and FV(e) V (T-PRINT-def) ((V,w), utput e) NO (V,w) iff w L( ( + ) ) (T-PRINT-n) Figure 3: Transitin functin f mnitring autmata

14 If the prgram tries t utput a secret in a public cntext, then the value f the utput is replaced by a default value. This value can be a message t the user letting him knw that, fr security reasns, the utput has been denied. The secnd channel is the behavir f the prgram itself. This channel des exist because, depending n the path fllwed, sme utputs may r may nt be executed. In that case, any utput must be frbidden. If the secnd channel is nt required t be mnitred, then the cnditin w L( ), in the definitin f σ fr the autmata input utput e, can be remved. 3.2 The Semantics The semantics merging the standard utput semantics given in Fig.2 and the mnitring autmatn is given in Fig.4 page 12. There are three rules fr atmic actins (thse actins are: skip, x := e and utput e). There is ne rule fr each pssible answer f the autmatn t the actin which will be executed. Either the autmatn authrizes the executin (E M(s) -), denies the executin (E M(s) -NO) r replaces the actin by anther ne (E M(s) -EDIT). In the case where the executin is denied, the evaluatin mits the current actin (as if the actin was a skip statement). If the statement t be executed is a branching cmmand, the evaluatin begins by sending t the autmatn the input branch e where e is the cnditin f the branching cmmand. Then, the branch designated by e is executed (in the case where the branching cmmand is a while statement and the cnditin is false, the branch executed is skip). The executin fllws by sending the autmatn input nt S where S is the branch nt executed (if the branching cmmand is a while statement and the cnditin is true, what happens is equivalent t sending the autmatn input nt skip). Finally, the input exit is sent t the autmatn and the executin prceeds as usual. In the case f a while statement with a cnditin equals t true, the executin prceeds by executing the while statement nce again. 4 Efficiency f the Mnitring Mechanism The preceding sectin gives a frmal definitin f the mnitring mechanism used. This sectin studies the efficiency f this mnitring mechanism by giving bunds n the set f executins btained by using this mnitring mechanism. First, it is prved that any mnitred executin belngs t the set f nn-interfering executins. This is equivalent t a sundness prf. Then, it is prved that a nn trivial set f unmnitred nn-interfering executins is included in the set f mnitred executins. 4.1 Sundness The sundness prperty f the mnitring mechanism is based n a ntin f nn-interference between the secret inputs and the sequence utputted by an 11

15 (q, A) q σ A = s σ (q, σ) A = M(s) (q, σ ) A (q, A) q σ A = s σ (q, σ) A = M(s) (q, σ ) NO (q, A) q (q, σ) A = ǫ M(s) (q, σ) (q, branch e) q 1 σ(e) = v (q 1, σ) S v = M(s) (q 2, σ 1 ) (q 2, nt S v ) q 3 (q 3, exit) q 4 (q, σ) if e then S true else S false end = M(s) (q 4, σ 1 ) (E M(s) -) (E M(s) -EDIT) (E M(s) -NO) (E M(s) -IF) σ(e) = true (q, branch e) q 1 (q 1, σ) S l = M(s) (q 2, σ 1 ) (q 2, exit) q 3 (q 3, σ 1 ) while e d S dne == w M(s) (q 4, σ 2 ) (q, σ) while e d S dne l w ==== M(s) (q 4, σ 2 ) σ(e) = false (q, branch e) q 1 (q 1, nt S) q 2 (q 2, exit) q 3 (q, σ) while e d S dne = ǫ M(s) (q 3, σ) (q, σ) S 1 1 = M(s) (q 1, σ 1 ) (q 1, σ 1 ) S 2 2 = M(s) (q 2, σ 2 ) (q, σ) S 1 ; S === M(s) (q 2, σ 2 ) (E M(s) -WHILE true ) (E M(s) -WHILE false ) (E M(s) -SEQ) Figure 4: Semantics f mnitred executins executin. An executin is cnsidered safe if and nly if this executin des nt cnvey the variety in its secret inputs t the sequence utputted during this executin; in ther terms, if the secret inputs have n influence n what is utputted during this executin. Befre stating the sundness therem, this sectin gives the definitin f a ntatin designating the utput sequence f the executin f a prgram P started in the initial state σ. Definitin 4.1 (Executin utput). Fr all semantics s, prgram P whse secret inputs belng t S(?), and value stre σ, [[P]] O s σ is the sequence utputted by the executin f P with the initial state (S(?),ǫ),σ. In ther wrds: [[P]] O s σ = if and nly if σ : (S(?),ǫ),σ P = s σ 12

16 The fllwing therem states that any mnitred executin is safe; i.e. it is nn-interfering. = X is an equivalence relatin between value stres. This relatin is true whenever the tw stres assciate the same value t any variable belnging t X. X c is the cmplement f the set X. Therem 4.1 (Mnitred executins are nn-interfering). Fr all prgram P which set f secret inputs is S(?), and value stres σ 1 and σ 2 : σ 1 = S(?) c σ 2 [[P]] O M(O) σ 1 = [[P]] O M(O) σ 2 Prf. This therem fllws directly frm lemma B.6 page Mnitring Autmatn versus Type System It has been prved that any mnitred executin is nn-interfering. This is a required result. Hwever, in rder t achieve this gal, in sme cases the mnitring mechanism mdifies the sequence utputted by an executin. The sequence f utputs resulting frm the executin f a prgram P with the initial state σmay nt be the same if the semantics used is the standard ne (given in Fig. 2) r the mnitring semantics (given in Fig. 4). It is usually admitted that, as lng as the mnitring mechanism accmplishes its jb, the lesser impact the better. S, the fllwing gives a lwer bund n the set f nn-interfering executins n which the mnitring mechanism has n impact. It is shwn that the mechanism prpsed in this reprt des nt interfere with the utput sequence f any executin f a prgram which is well-typed under a type system similar t the ne f Vlpan, Smith, and Irvine [VSI96]. Let us first intrduce the type system which will serve as cmparisn. The typing rules are given in Fig. 5. They are the same ne as thse fund in [VSI96] except fr a small mdificatin f the typing envirnment and the additin f a rule fr the utput statement (which is nt in the language f [VSI96]). The lattice used has nly tw elements and is defined using the reflexive relatin (L H). L is the type fr public infrmatin and H the type fr secrets. A prgram P is well-typed if it can be typed under a typing envirnment γ in which every secret input is typed secret (i.e. x S(?),γ(x) = H). Therem 4.2 states frmally that any executin f a well-typed prgram belngs t the set f mnitred executins. This means that the mnitring mechanism des nt interfere with executins f well-typed prgrams. T be cnvinced that the inclusin in questin here is strict it is sufficient t have a lk at the fllwing prgram: x := h ; x := 0; utput x In this prgram, h is the nly secret input. Any executin f this prgram is bviusly nn-interfering. Hwever, as the type system is flw insensitive and x is nce assigned a secret, the utput statement is nt allwed by the type system. 13

17 type(e) = τ τ τ γ e : τ γ(x) = τ γ e : τ τ τ γ x := e : τ cmd τ H γ skip : τ cmd γ e : L γ utput e : L cmd γ e : τ γ S 1 : τ cmd γ S 2 : τ cmd τ τ γ if e then S 1 else S 2 end : τ cmd γ e : τ γ S : τ cmd τ τ γ while e d S dne : τ cmd γ S 1 : τ cmd γ S 2 : τ cmd γ S 1 ; S 2 : τ cmd (T-EXP) (T-ASSIGN) (T-SKIP) (T-PRINT) (T-IF) (T-WHILE) (T-SEQ) Figure 5: The type system used fr cmparisn Whereas the mnitring mechanism des nt interfere with the utputs f this prgram while still guarantying that any mnitred executin is nn-interfering. Therem 4.2 (Mnitring des nt interfere with type safe prgrams). Fr all prgram P whse secret inputs belng t S, typing envirnment γ such that variables belnging t S are typed secret, type τ, and value stres σ and σ : γ P : τ cmd σ P = O σ } [[P]] O M(O) σ = Prf. This therem fllws directly frm lemma B.11 page Related Wrk Dynamic infrmatin flw analyzes. Even s infrmatin flw mnitring is nt as ppular as infrmatin flw static analyzes, there has cntinuusly been sme research cncerning it. At the level f languages, Abadi, Lampsn, and Lévy expse in [ALL96] a dynamic analysis based n the labeled λ-calculus f Lévy. This analysis cmputes the dependencies between the different parts f a λ-term and its final result in rder t save this result fr a faster evaluatin f any future equivalent λ-term. Als based n a labeled λ-calculus, Gandhe, Venkatesh, and Sanyal 14

18 [GVS95] address the infrmatin flw related issue f need. It has t be nticed that even sme real wrld languages dispse f similar mechanisms. The language Perl includes a special mde called Perl Taint Mde [WCO00]. In this mde, the direct infrmatin flws riginating with user inputs are tracked. It is dne in rder t prevent the executin f bad cmmands. Nne f thse wrks take int accunt implicit indirect flws (created by the nn-executin f ne f the branches f a branching statement). At the level f perating systems, Weissman [Wei69] described at the end f the 60 s a security cntrl mechanism which dynamically cmputes the security level f newly created files depending n the security level f files previusly pened by the current jb. Fllwing a similar apprach, Wdward presents its flating labels methd in [W87]. This methd deals with the prblem f ver-classificatin f data in cmputer systems implementing the MAC security mdel [NSA95, Bra85]. The main difference between thse tw wrks and urs lies in the granularity f label applicatin. In thse mdels [Wei69, W87], at any time, there is nly ne label fr all the data manipulated. Data s security levels cannt evlve separately frm each ther. Mre recently, Suh, Lee, Zhang, and Devadas presented in [SLZD04] an architectural mechanism, called dynamic infrmatin flw tracking. Its aim is t prevent an attacker t gain cntrl f a system by giving spurius inputs t a prgram which may be buggy but is nt malicius. Their wrk lks at the prblem f security under the aspect f integrity and des nt take care f infrmatin flwing indirectly thrw branching statements cntaining different assignments. At the level f cmputers themselves, Fentn [Fen74] describes a small machine, in which strage lcatins have a fixed data mark. Thse data marks are used t ensure a secure executin with regard t nninterference between private inputs and nn-private utputs. Hwever, the fixed characteristic f the data marks frbids mdularity and reuse f cde by disallwing a temprary variable t cntain alternatively secrets and public infrmatin. As Fentn shws himself, his mechanism des nt ensure cnfidentiality with variable data marks. At the same level, Brwn and Knight [BK01] describe a machine which dynamically cmputes security level f data in memry wrds and try t ensure that there are n undesirable flws. This wrk des nt take care f nn-executed cmmands. As it has been shwn in [LGJ05], this is a feature which can be used t gain infrmatin abut secrets in sme cases. With a prgram similar t the fllwing ne, their machine des nt prevent the flw frm h t x when l is true and h is false. x := 0; i f l then i f h then x := 1 e l s e skip end e l s e skip end ; utput x In [MPL04], Masri, Pdgurski and Len present a dynamic infrmatin flw analysis fr structured r unstructured language. Their algrithm seems t 15

19 achieve a gd level f precisin fr a quite cmplete language. Hwever, fr the analysis f a methd (which is the unit n which their algrithm applies), their apprach requires that its cntrl flw graph [...] has been cmputed befrehand. Their apprach is then nt fully dynamic. Mrever, their wrk seems t fcus mre n dynamic slicing than n nn-interference mnitring. Cnsequently, it des nt study deeply the dynamic crrectin f bad flws. The slutin prpsed is t stp the executin as sn as a ptential flw frm a secret data t a public sink is detected. As explained in [LGJ05], if dne withut enugh care, this can create a new cvert channel revealing sme secret infrmatin. T avid this, the infrmatin flws cmputed must be the same fr every lw-input equivalent executin. This prperty is nt prved fr the prpsed algrithm. The case f RIFLE [VBC + 04] is different frm the research wrks presented abve. It is a cmplete runtime infrmatin flw security system enfrcing user-centric security plicies. It includes a binary translatr and a specific architecture which, tgether, track the infrmatin flws. Based n this infrmatin, a security enhanced OS enfrces user plicies. Hwever, as acknwledge by the authrs, their system des nt take int cnsideratin implicit indirect flws. It is the impssible fr their mechanism t enfrce nn-interference like plicies. And, hence, it is impssible t enfrce strict cnfidentiality. 6 Cnclusin This reprt addresses the security prblem f cnfidentiality frm the pint f view f nn-interference. It is usually a prperty f a whle prgram. Either a prgram is nn-interfering r it is nt. As we are interested in mnitring executins t ensure the respect f cnfidentiality, the ntin f nn-interference is refined t a ntin f nn-interfering executin. An executin ε is said t be nn-interfering if and nly if any executin f the same prgram with the same public inputs (as fr ε) prduces the same public utputs. The mnitring mechanism prpsed in the reprt is based n an autmatn and a special semantics. During the executin, the semantics sends t the autmatn inputs abstracting the events ccurring. The autmatn is in charge f tw main jbs. The first ne is t track the flws f infrmatin between the secret inputs and the current value f the variables used by the prgram. The secnd ne is t validate the executin f atmic actins (mainly utputs) in rder t ensure the respect f the cnfidentiality f the secret inputs. In Sect.4.1, it has been prved that any executin mnitred by the prpsed mechanism is a nn-interfering executin. This means that an attacker having access t the lw utputs f a mnitred executin is never able t deduce anything abut the value f the secret inputs. An additinal interesting prperty which has been prved is that the mnitring mechanism des nt interfere with the executins f a prgram which is well-typed under a type system similar t the ne f Vlpan, Smith and Irvine [VSI96]. 16

20 Typicality f nn-interference mnitring. In rder t enfrce a prperty as strng as nn-interference, this mnitring mechanism (as any nninterference mnitr wuld) has a principal particularity cmpared t standard mnitrs. Usually, mnitrs are nly aware f statements which are really executed. With the prpsed mechanism, when exiting a branching statement, the branch which has nt been executed is analyzed. This is dne in rder t take int accunt a special type f flws: implicit indirect flws. These flws appear between the cnditin f a branching statement and all the variables n the left side f an assignment in the branch which is nt executed. As nted by [VBC + 04], this feature is required in rder t enfrce nn-interference. Of curse, mnitring an executin has a cst. S, what are the main interests f nn-interference mnitring cmpared t static analyzes? The first ne lies in the granularity f the nn-interference prperty. Static analyzes have t take int cnsideratin all pssible executins f the prgram analyzed. This implies that if a single executin is unsafe then the whle prgram is rejected; and then all f its executins. With a mnitring mechanism, it is pssible t allw the safe executins f a prgram which is knwn t have sme unsafe executins. Mrever, a mnitring mechanism may be mre precise than static analyzes. The reasn fr it is that during the executin the mnitring mechanism gets sme accurate infrmatin abut the path behavir f the prgram. An example being smetimes mre understandable, let us have a lk at the fllwing prgram where h is the nly secret input and l the nly ther input (a public ne). i f ( test1 ( l ) ) then tmp := h e l s e skip end ; i f ( test2 ( l ) ) then x := tmp e l s e skip end ; utput x Withut infrmatin n test1 and test2 (and ften, even with), a static analysis wuld cnclude that this prgram is unsafe because the secret input infrmatin culd be carried t x thrugh tmp and then utputted. Hwever, if test1 and test2 are such that there exists n value such that bth predicates are true then any executin f the prgram is perfectly safe. The mnitring mechanism wuld allw any executin f this prgram. The reasn is that, l being a public input, nly executins fllwing the same path than the current executin is taken care by the mnitring mechanism. S, fr such cnfiguratins where the branching cnditins are nt influenced by the secret inputs, a mnitring mechanism is at least as precise as any static analysis. Future wrk. Of curse, increasing the expressiveness f the language is a first ptential future wrk. Adding methd call r even recrds shuld be quite straightfrward. Whereas, in my pinin, adding pinters t the language wuld nt be trivial. Anther interesting feature, which is under wrk, is cncurrency. The language is extended with a synchrnizatin cnstruct and the mnitr is adapted t deal with cncurrent executin f a set f sequential prgrams. 17

21 The analysis used n unevaluated statements is anther pint which wuld be wrth sme extended wrk. The analysis used in this reprt is a really simple ne cllecting the variables appearing n the left side f an assignment. By increasing the precisin f this analysis, a better precisin wuld be achieved. The fllwing example emphasizes the limitatin f the current analysis. x := 0; i f h then skip e l s e i f f a l s e then x := 1 e l s e skip end end ; utput x ; h is the nly input f the prgram. It is a secret input. This prgram utputs 0 whatever the value f h. It is then perfectly safe. Hwever, the mnitring mechanism detects any executin f this prgram as unsafe. The reasn is that the mnitr des nt take int cnsideratin the values f branching cnditins. In this case, it may seem simple t imprve the mnitring mechanism. Hwever, as explained in [LGJ05], if the gal f the mechanism is t crrect bad flws and nt nly detect them then the analysis must be dne with great care. It is required that, fr a branching statement, whatever the branch executed and the branch analyzed, the result f the infrmatin flw tracking must be the same. Finally, in the wrk prpsed in this reprt, there are nly tw categries f data: public and secret. It wuld be interesting t have mre. In rder t achieve this gal, we can remark that, even if there are tw categries, there is nly ne prperty n data: either data is secret r is nt. Based n this idea f prperty f data, the number f categries can be extended by increasing the number f prperties and changing the definitin f autmatn states. A new state is a set f ld states, ne fr each prperty. The slutin is quite simple, but its impact n the different prfs must be studied. 18

22 A Nmenclature Nmenclature L(E) is the language described by the regular expressin E. FV(e) is the set f free variables appearing in the expressin e. PA(S) is the analysis used fr unevaluated statements. It returns the set f variables which wuld be ptentially be assigned t by an executin f S. P is a prgram f name P V(?)? is the set f variables used by the prgram?. S(?)? is the set f variables used by the prgram?. A(P) is the mnitring autmatn fr the prgram (P. Q Φ Ψ σ s L H γ σ B is the set f states f mnitring autmata. is the input alphabet f mnitring autmata. is the utput alphabet f mnitring autmata. is the transitin functin between autmata states. is the start state f a mnitring autmatn. is the type fr public infrmatin. is the type fr secret infrmatin. is a typing envirnment. is a value stre mapping variable names t their current value. Prfs B.1 Prfs f Sect.4.1 (Sundness) Lemma B.1 (Same cntext befre and after an executin). Fr all statement S, autmatn states q = (V,n) and q f = (V f,n f ), and value stre σ, if (q, σ) S = M(s) (q f,σ f ) then n f = n. Prf. The fact that n f = n fllws directly frm the definitin f the semantics (E M(O) ), and the definitin f the transitin functin f the mnitring autmatn. 19

23 Lemma B.2 (N utputs under secret cntext). Fr all statement S, autmatn state (V,n), and value stre σ, if n > 0 then [[S]] O M(O) ((V,n),σ) = ǫ. Prf. It fllws directly frm the definitins f the semantics (E M(O) ) and (E O ) and frm the transitin functin f the mnitring autmatn. The nly statement utputting anything is utput e. The semantics (E M(O) ) always call the autmatn t verify any actin it will evaluates. Whenever the cntext f executin is secret (i.e. n > 0), the mnitring autmatn deny the executin f any print statement. Lemma B.3 (Autmatn simulates executin in secret cntext). Fr all statement S, autmatn state q = (V,n), and value stre σ, if (q, σ) S = M(s) (q f,σ f ) and n > 0 then (q,nt S) q f. Prf. The prf ges by inductin n the derivatin tree f ((V,n),σ) S = M(s) (q f,σ f ). Assume the lemma hlds fr any sub-derivatin tree, if the last rule used is: (E M(s) -) then we can cnclude that : (1) S = skip r S = y := e r S = utput e, and (q, S) q f. It fllws directly frm the definitin f the rule (E M(s) -) and the grammar f the language. It can als be deduced frm the rule (E M(s) -), the transitin functin f the mnitring autmatn, and the semantics (E O ). Case 1: S = skip r S = utput e (a) q f = q. It fllws directly frm the transitin functin f the mnitring autmatn. ( ) (q,nt S) q f. It fllws directly frm the transitin functin f the mnitring autmatn because n > 0 and LA(S) =. Case 2: S = x := e (a) q f = (V {x},n). It fllws directly frm the transitin functin f the mnitring autmatn because n > 0. ( ) (q,nt S) q f. It fllws directly frm the transitin functin f the mnitring autmatn because n > 0 and LA(x := e) = {x}. (E M(s) -EDIT) then we can cnclude that : (1) S = utput e, and (q, S) A q f. It fllws directly frm the definitin f the rule (E M(s) -EDIT) and 20

24 the grammar f the language. It can als be deduced frm the rule (E M(s) -), the transitin functin f the mnitring autmatn, and the semantics (E O ). (2) q f = q. It fllws directly frm the transitin functin f the mnitring autmatn. ( ) (q,nt S) q f. It fllws directly frm the transitin functin f the mnitring autmatn because n > 0 and LA(utput e) =. (E M(s) -NO) then we can cnclude that : (1) S = utput e, and (q, S) A q f. It fllws directly frm the definitin f the rule (E M(s) -NO) and the grammar f the language. It can als be deduced frm the rule (E M(s) -), the transitin functin f the mnitring autmatn, and the semantics (E O ). (2) q f = q. It fllws directly frm the definitin f the rule (E M(s) -NO). ( ) (q,nt S) q f. It fllws directly frm the transitin functin f the mnitring autmatn because n > 0 and LA(utput e) =. (E M(s) -IF) then we can cnclude that : (1) S = if e then S 1 else S 2 end, σ(e) = v, and: (q, branch e) q 1 (q 1, σ) S v = M(s) (q 2, σ 1 ) (q 2, nt S v ) q 3 (q 3, exit) q f It fllws directly frm the definitin f the rule (E M(s) -IF). Lets define q i = (V i,n i ) fr all integer i frm 1 t 3. (2) n 1 > 0. It fllws directly frm the glbal hypthesis n > 0 and the definitin f the transitin functin f the mnitring autmatn. (3) V 2 = V LA(S v ). It fllws frm the applicatin f the inductive hypthesis t the evaluatin f S v in the lcal cnclusin (1) and the definitin f the transitin (T-NOT-high). (4) q f = (V LA(S v ) LA(S v ),n). Frm the lcal cnclusin (2), the evaluatin f S v in the lcal cnclusin (1) and lemma B.1, it is pssible t shw that n 2 > 0. S, the 21

25 definitin f the transitin functin f the mnitring autmatn imply that V 3 = V 2 LA(S v ). Finally the desired result is btain using the lcal cnclusin (3), the definitin f (T-EXIT) and lemma B.1. ( ) (q,nt S) q f. It fllws directly frm the transitin functin f the mnitring autmatn because n > 0 and LA(if e then S 1 else S 2 end) = LA(S 1 ) LA(S 2 ). (E M(s) -WHILE true ) then we can cnclude that : (1) S = while e d S l dne and: (q, branch e) q 1 (q 1, σ) S l l = M(s) (q 2, σ 1 ) (q 2, exit) q 3 (q 3, σ 1 ) while e d S l dne == w M(s) (q f, σ 2 ) It fllws directly frm the definitin f the rule (E M(s) -WHILE true ). Lets define q i = (V i,n i ) fr all integer i frm 1 t 3. (2) n 1 > 0. It fllws directly frm the glbal hypthesis n > 0 and the definitin f the transitin functin f the mnitring autmatn. (3) V 3 = V LA(S l ). It fllws frm the applicatin f the inductive hypthesis t the evaluatin f S l in the lcal cnclusin (1) and the definitin f the transitin (T-NOT-high) and (T-EXIT). (4) V f = V LA(S l ). The lcal cnclusin (2) and the definitin f the transitin functin imply n 3 > 0. Using the inductive hypthesis n the evaluatin f while e d S l dne in the lcal cnclusin (1), it is pssible t shw that V f = V 2 LA(S l ) because LA(while e d S l dne) = LA(S l ). Then, the lcal cnclusin (3) implies the desired result. ( ) (q,nt S) q f. It fllws directly frm the lcal cnclusin (4) and the transitin functin f the mnitring autmatn because n > 0 and LA(while e d S l dne) = LA(S l ). (E M(s) -WHILE false ) then we can cnclude that : (1) S = while e d S l dne and: (q, branch e) q 1 (q 1, nt S l ) q 2 (q 2, exit) q f 22

26 It fllws directly frm the definitin f the rule (E M(s) -WHILE false ). Lets define q i = (V i,n i ) fr all integer i frm 1 t 2. (2) n 1 > 0. It fllws directly frm the glbal hypthesis n > 0 and the definitin f the transitin functin f the mnitring autmatn. (3) V f = V LA(S l ). It fllws frm the lcal cnclusin (2) and the definitin f the transitin functin f the mnitring autmatn. ( ) (q,nt S) q f. It fllws directly frm the lcal cnclusin (3) and the transitin functin f the mnitring autmatn because n > 0 and LA(while e d S l dne) = LA(S l ). (E M(s) -SEQ) then we can cnclude that : (1) S = S 1 ; S 2 and: (q, σ) S 1 1 = M(s) (q 1, σ 1 ) (q 1, σ 1 ) S 2 2 = M(s) (q f, σ f ) It fllws directly frm the definitin f the rule (E M(s) -SEQ). (2) (q,nt S 1 ) q 1 and (q 1,nt S 2 ) q f. Thse results fllw frm the inductive hypthesis. The secnd result als makes use f lemma B.1 in rder t prve that n 1 > 0. (3) q f = (V LA(S 1 ) LA(S 2 ),n). It fllws directly frm the lcal cnclusin (2), the glbal hypthesis n > 0, lemma B.1, and the definitin f the rule (T-NOT-high). ( ) (q,nt S) q f. It fllws directly frm the transitin functin f the mnitring autmatn because n > 0 and LA(S 1 ; S 2 ) = LA(S 1 ) LA(S 2 ). Lemma B.4 (LA is an ver-apprximatin f the assigned variables). Fr all statement S, autmatn state q = (V,n), and value stre σ, if (q, σ) S = M(O) (q f,σ f ) then: x LA(S) : σ f (x) = σ(x) Let (V f,n f ) = q f in V LA(S) V f V LA(S) Prf. The prf ges by inductin n the derivatin tree f (q, σ) S = M(O) (q f,σ f ). Assume the lemma hlds fr any sub-derivatin tree, if the last rule used is: (E M(O) -) then we can cnclude that : 23

27 (1) S = skip r S = y := e r S = utput e, (q, S) q f, and σ S = O σ f. It fllws directly frm the definitin f the rule (E M(O) -) and the grammar f the language. It can als be deduced frm the rule (E M(O) -), the transitin functin f the mnitring autmatn, and the semantics (E O ). Case 1: S = skip r S = utput e (a) q f = q and σ f = σ. It fllws directly frm the transitin functin f the mnitring autmatn and the definitin f the semantics (E O ). ( ) x LA(S) : σ f (x) = σ(x) and V LA(S) V f V LA(S). It fllws directly frm the lcal cnclusin (a). Case 2: S = x := e (a) q f = (V {x},n) r q f = (V {x},n), and σ f = σ[x σ(e)]. It fllws directly frm the transitin functin f the mnitring autmatn and the definitin f the semantics (E O ). ( ) x LA(S) : σ f (x) = σ(x) and V LA(S) V f V LA(S). It fllws directly frm the lcal cnclusin (a) because LA(S) = {x}. (E M(O) -EDIT) then we can cnclude that : (1) S = utput e, (q, S) utput δ q f, and σ utput δ = O σ f. It fllws directly frm the definitin f the rule (E M(O) -EDIT), the grammar f the language, and the definitin f the transitin functin f the mnitring autmatn. (2) q f = q and σ f = σ. It fllws directly frm the lcal cnclusin (1), the transitin functin f the mnitring autmatn and the definitin f the semantics (E O ). ( ) x LA(S) : σ f (x) = σ(x) and V LA(S) V f V LA(S). It fllws directly frm the lcal cnclusin (2). (E M(O) -NO) then we can cnclude that : (1) q f = q and σ f = σ. It fllws directly frm the definitin f (E M(O) -NO), and the definitin f the transitin functin f the mnitring autmatn. ( ) x LA(S) : σ f (x) = σ(x) and V LA(S) V f V LA(S). It fllws directly frm the lcal cnclusin (1). (E M(O) -IF) then we can cnclude that : (1) S = if e then S true else S false end, σ(e) = v, and: 24

28 (q, branch e) q 1 (q 1, σ) S v = M(O) (q 2, σ f ) (q 2, nt S v ) q 3 (q 3, exit) q f It fllws directly frm the definitin f the rule (E M(O) -IF). (2) x LA(S) : σ f (x) = σ(x). It fllws frm the inductive hypthesis used n the derivatin tree f S v in the lcal cnclusin (1) and the fact that LA(if e then S true else S false end) = LA(S true ) LA(S false ). Lets define q i = (V i,n i ) fr all integer i frm 1 t 3. (3) V 1 = V. It fllws directly frm the definitin f the transitin functin f the mnitring autmatn. (4) V LA(S v ) V 2 V LA(S v ). It fllws frm the inductive hypthesis applied t the derivatin tree f S v. (5) V 2 V f V 2 LA(S v ). It fllws frm the lcal cnclusin (1) and the definitin f the transitin functin f the mnitring autmatn. ( ) x LA(S) : σ f (x) = σ(x) and V LA(S) V f V LA(S). It fllws frm the fact that LA(if e then S true else S false end) = LA(S true ) LA(S false ) and the lcal cnclusins (2), (4), and (5). (E M(O) -WHILE true ) then we can cnclude that : (1) S = while e d S l dne and: (q, branch e) q 1 (q 1, σ) S l l = M(O) (q 2, σ 1 ) (q 2, exit) q 3 (q 3, σ 1 ) while e d S l dne == w M(O) (q f, σ f ) It fllws directly frm the definitin f the rule (E M(O) -WHILE true ). (2) V 1 = V. It fllws directly frm the definitin f the transitin functin f the mnitring autmatn. (3) x LA(S l ) : σ 1 (x) = σ(x) and V LA(S l ) V 2 V 2 LA(S l ). It fllws frm the inductive hypthesis applied t the derivatin tree f S l fund in the lcal cnclusin (1). (4) V 3 = V 2. It fllws directly frm the definitin f (T-EXIT). 25