Program Analysis Probably Counts

Transcription

1 Probably Counts 1 c.hankin@imperial.ac.uk joint work with Alessandra Di Pierro 2 and Herbert Wiklicky 1 1 Department of Computing, 2 Dipartimento di Informatica, Università di Verona Computer Journal Lecture, November 2008

2 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions

3 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions

4 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions

5 Outline 1 Introduction 2 Information Flow 3 Covert Channels 4 Conclusions

6 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

7 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

8 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

9 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

10 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: = Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

11 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: = = Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

12 Aim: to determine properties of program run-time (dynamic) behavior without running it (statically) Based on formal model (semantics) of program Most interesting problems are undecidable Turing s Halting Problem Program analysis uses abstract semantics where issues are decidable, e.g. rule of signs: = = Penalty is safe (or close) answers rather than accurate answers false positives ( + = {, })

13 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations

14 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations

15 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations

16 Program Semantics Complete Partial Orders + Continuous Functions Labelled Transition Systems Hilbert Spaces + Bounded, Linear Operators Decidability: restrict to variables (etc) in program under analysis restrict sets of values to finite sets truncate iterations

17 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA

18 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA

19 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA

20 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA Abstract Interpretation: (A, G) form a Galois Connection.

21 Abstraction Consider a Concrete Domain C and an Abstract Domain D: C T C A A D D T # With an abstraction A : C D and a concretisation G : D C: T # = GTA Probabilistic Abst.Int.: (A, G) Moore-Penrose Pseudo-Inverse.

22 Galois Connections Definition Let C = (C, ) and D = (D, ) be two partially ordered sets. If there are two functions α : C D and γ : D C such that for all c C and all d D: c C γ(d) iff α(c) d, then (C, α, γ, D) form a Galois connection.

23 Moore Penrose Pseudo-Inverse Definition Let C and D be two Hilbert spaces and A : C D a bounded linear map. A bounded linear map A = G : D C is the Moore-Penrose pseudo-inverse of A iff (i) A G = P A, (ii) G A = P G, where P A and P G denote orthogonal projections onto the ranges of A and G. An (orthogonal) projection is an operator P with P = P = PP.

24 Moore Penrose Pseudo-Inverse Definition Let C and D be two Hilbert spaces and A : C D a bounded linear map. A bounded linear map A = G : D C is the Moore-Penrose pseudo-inverse of A iff (i) A G = P A, (ii) G A = P G, where P A and P G denote orthogonal projections onto the ranges of A and G. An (orthogonal) projection is an operator P with P = P = PP.

25 Moore-Penrose Pseudo-Inverse II Definition An operator A B(H) is Moore-Penrose invertible if there exists an element G B(H) such that: (i) AGA = A, (ii) GAG = G, (iii) (AG) = AG, (iv) (GA) = GA. If it exists G = A is called Moore-Penrose pseudo-inverse.

26 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.

27 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.

28 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.

29 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n.

30 Example: Function Approximation Concrete and abstract domain are step-functions on [a, b]. The set of (real-valued) step-function T n is based on the sub-division of the interval into n sub-intervals. Each step function in T n corresponds to a vector in R n. ( )

31 Example: Geometric Interpretation

32 Example: Geometric Interpretation

33 Example: Geometric Interpretation

34 Example: Geometric Interpretation

35 Example: Geometric Interpretation

36 Example: AI vs PAI

37 Example: AI vs PAI

38 Example: AI vs PAI

39 Example: AI vs PAI

40 Example: AI vs PAI

41 Denning s notion of information flow Following Denning we divide information flows into two classes: direct and indirect. Indirect flows are just the transitive flows (a flow from x to y followed by a flow from y to z implies a flow from x to z). The direct flows are further divided: Explicit flows arise from assignments; for example, x := y + z causes explicit information flows from both y and z to x.

42 Denning s notion of information flow Following Denning we divide information flows into two classes: direct and indirect. Indirect flows are just the transitive flows (a flow from x to y followed by a flow from y to z implies a flow from x to z). The direct flows are further divided: Explicit flows arise from assignments; for example, x := y + z causes explicit information flows from both y and z to x.

43 Denning contd. Implicit flows arise when one variable s value influences the value assigned to another by determining the flow of control. There are two types of implicit flow (though Denning only considered the first type in detail): Local flows arise from guards in conditionals: if x then y := z else y := w. Here there is local implicit information flow from x to y, in addition to the explicit flows from z and w.

44 Denning contd. Implicit flows arise when one variable s value influences the value assigned to another by determining the flow of control. There are two types of implicit flow (though Denning only considered the first type in detail): Global flows arise from guards in while loops x := y; (while w do x := z);. Here there is a global implicit flow from w to all subsequent program points, since reaching those points carries the information that the loop terminated and hence, in this example, that w was false.

45 The Language S Statement C Command l Lab x Ide a Arith-exp b Bool-exp S ::= C l C ::= skip x := a S 1 ; S 2 if b then S 1 else S 2 while b do S new x. S

46 The Analysis We write (Ĝ, D) = S when (Ĝ, D) is an acceptable Information Flow Analysis of the statement S. (Ĝ, D) = skip l iff D(l) Id (Ĝ, D) = (x := a) l iff D(l) Id[x FV(a)] (Ĝ, D) = (C l 1 1 ; Cl 2 2 )l iff (Ĝ, D) = C l 1 1 (Ĝ, D) = C l 2 2 Ĝ(l) Ĝ(l 1) Ĝ(l 2) ; D(l 1 ) D(l) D(l 2 ) ; D(l 1 )

47 The Analysis We write (Ĝ, D) = S when (Ĝ, D) is an acceptable Information Flow Analysis of the statement S. (Ĝ, D) = skip l iff D(l) Id (Ĝ, D) = (x := a) l iff D(l) Id[x FV(a)] (Ĝ, D) = (C l 1 1 ; Cl 2 2 )l iff (Ĝ, D) = C l 1 1 (Ĝ, D) = C l 2 2 Ĝ(l) Ĝ(l 1) Ĝ(l 2) ; D(l 1 ) D(l) D(l 2 ) ; D(l 1 )

48 The Security Test Having analysed a program, C l, we determine that there is no breach of security if both {x x H} Ĝ(l) =, and x L. y H.x D(l) y i.e. there are no global information flows from high variables and no low variable depends on any high variable. h := l; l := h [l h]; [h l] l := h; h := l [h l]; [l h]

49 The Security Test Having analysed a program, C l, we determine that there is no breach of security if both {x x H} Ĝ(l) =, and x L. y H.x D(l) y i.e. there are no global information flows from high variables and no low variable depends on any high variable. h := l; l := h [l h]; [h l] l := h; h := l [h l]; [l h]

50 The Security Test Having analysed a program, C l, we determine that there is no breach of security if both {x x H} Ĝ(l) =, and x L. y H.x D(l) y i.e. there are no global information flows from high variables and no low variable depends on any high variable. h := l; l := h [l h]; [h l] l := h; h := l [h l]; [l h]

51 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel

52 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel

53 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel

54 Adding quantities Early work on language-based security precluded the use of high security variables to affect control flow. Specifically, conditions were restricted to using only low security information. If this restriction is weakened, high security data may be leaked through the different timing behaviour of alternative control paths. This kind of leakage of information is said to form a covert timing channel

55 The Language: Syntax op ::= + =! = < <= e ::= v x e op e C, D ::= x := e skipasn x e if (e) then C else D skipif e C while (e) do C C; D [choose] p C or D v ::= n TRUE FALSE J.Agat: Transforming Out Timing Leaks, POPL 2000.

56 The Language: Syntax op ::= + =! = < <= e ::= v x e op e C, D ::= x := e skipasn x e if (e) then C else D skipif e C while (e) do C C; D [choose] p C or D v ::= n TRUE FALSE J.Agat: Transforming Out Timing Leaks, POPL 2000.

57 The Language: Syntax op ::= + =! = < <= e ::= v x e op e C, D ::= x := e skipasn x e if (e) then C else D skipif e C while (e) do C C; D [choose] p C or D v ::= n TRUE FALSE J.Agat: Transforming Out Timing Leaks, POPL 2000.

58 Operational Semantics (Choose) E [choose] p C or D p:t ch E C E [choose] p C or D (1 p):t ch E D (If) E e TRUE E if (e) then C else D 1:t e t br E C E e FALSE E if (e) then C else D 1:t e t br E D

59 Security Types Security levels Base types Security types s ::= L H τ ::= Int Bool τ ::= τ s Sub-typing s 1 s 2 τ s1 τ s2

60 Low Equivalence We associate to every variable x a security level Γ(x) τ {L,H} Identify environments which agree on the low variables: E 1 = L E 2 iff l with Γ(l) = τ L : E 1 (l) = E 2 (l)

61 Low Equivalence We associate to every variable x a security level Γ(x) τ {L,H} Identify environments which agree on the low variables: E 1 = L E 2 iff l with Γ(l) = τ L : E 1 (l) = E 2 (l)

62 Γ-Bisimilarity (Agat) Γ-Bisimilarity Γ is the largest symmetric relation on commands that satisfies: C 1 Γ C 2 if for all E 1, E 2 such that E 1 = L E 2 we have E 1 C 1 as E 1 D 1 implies E 2 C 2 and E 1 = L E 2 and D 1 Γ D 2 E 1 C 1 E 1 = L E 2. ts E 1 implies E 2 C 2 ts as E 2 D 2 E 2 and

63 Lifted Bisimilarity We have to deal for probabilistic programs we need to consider distributions Dist(Conf). An equivalence relation S S on S can be lifted to an (equivalence) relation Dist(S) Dist(S) on distributions on S via µ ν iff [s] S/ : µ([s] ) = ν([s] ).

64 Lifted Bisimilarity We have to deal for probabilistic programs we need to consider distributions Dist(Conf). An equivalence relation S S on S can be lifted to an (equivalence) relation Dist(S) Dist(S) on distributions on S via µ ν iff [s] S/ : µ([s] ) = ν([s] ).

65 Probabilistic Time Bisimilarity A probabilistic time bisimilarity PT = is the largest symmetric relation on configurations such that whenever c 1 c 2, then c 1 = χ 1 implies χ 2 such that c 2 = χ 2 and χ 1 L χ 2 with E 1 C L E 2 C iff l with Γ(l) = τ L : E 1 (l) = E 2 (l)

66 Note: L = ( L) ( ) L s : :2 4 :1 4 :2 s 1 1 s 1 2 s 1 3 s 1 4 s : :2 4 1 :1 4 :1 s 2 1 s 2 2 s 2 3 s 2 4 χ 1 (t, l) χ 2 (t, l)

67 Note: L = ( L) ( ) L s : :2 4 :1 4 :2 s 1 1 s 1 2 s 1 3 s 1 4 s : :2 4 1 :1 4 :1 s 2 1 s 2 2 s 2 3 s 2 4 χ 1 (t, l) χ 2 (t, l)

68 Security Typing I (Assign H ) Γ e : τ s Γ = x : τ H s H Γ x := e : skipasn x e (Assign L ) Γ e : τ L Γ = x : τ L Γ x := e : x := e (Seq) Γ C : C L Γ D : D L Γ C; D : C L ; D L

69 Security Typing II (If H ) Γ e : Bool H Γ C : C L Γ D : D L Γ if (e) then C else D : skipif e C L C L D L (If L ) Γ e : Bool L Γ C : C L Γ D : D L Γ if (e) then C else D : if (e) then C L else D L (While) Γ e : Bool L Γ C : C L Γ while (e) do C : while (e) do C L

70 Security Typing III (Choose) Γ C : C L Γ D : D L Γ [choose] p C or D : [choose] p C L or D L (SkipAsn) Γ skipasn x e : skipasn x e (SkipIf) Γ C : C L Γ skipif e C : skipif e C L

71 Transformation I Γ C D D L (Assign H ) Γ e : τ s Γ = x : τ H s H Γ x := e x := e skipasn x e (Assign L ) Γ e : τ L Γ = x : τ L Γ x := e x := e x := e (Seq) Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ C 1 ; C 2 D 1 ; D 2 D 1L ; D 2L

72 Transformation I Γ C D D L (Assign H ) Γ e : τ s Γ = x : τ H s H Γ x := e x := e skipasn x e (Assign L ) Γ e : τ L Γ = x : τ L Γ x := e x := e x := e (Seq) Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ C 1 ; C 2 D 1 ; D 2 D 1L ; D 2L

73 Transformation II (Deterministic) (If H ) Γ e : Bool H ge(d 1L ) = ge(d 2L ) = Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then D 1 ; D 2L else D 1L ; D 2 skipif e (D 1L ; D 2L ) (If L ) Γ e : Bool L Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then D 1 else D 2 if (e) then D 1L else D 2L

74 Transformation II (Probabilistic) (If H ) Γ e : Bool H ge(d 1L ) = ge(d 2L ) = Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then ([choose] p D 1 or D 1 ; D 2L ) else ([choose] p D 2 or D 1L ; D 2 ) skipif e (D 1L ; D 2L ) (If L ) Γ e : Bool L Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ if (e) then C 1 else C 2 if (e) then D 1 else D 2 if (e) then D 1L else D 2L

75 Transformation III (While) Γ e : Bool L Γ C D D L Γ while (e) do C while (e) do D while (e) do D L (Choose) Γ C 1 D 1 D 1L Γ C 2 D 2 D 2L Γ [choose] p C 1 or C 2 [choose] p D 1 or D 2 [choose] p D 1L or D 2L

76 Transformation IV (SkipAsn) Γ skipasn x e skipasn x e skipasn x e (SkipIf) Γ C D D L Γ skipif e C skipif e D skipif e D L

77 Global Effects ge(x := e) = {x} ge(c 1 ; C 2 ) = ge(c 1 ) ge(c 2 ) ge(if (e) then C 1 else C 2 ) = ge(c 1 ) ge(c 2 ) ge(while (e) do C) = ge(c) ge([choose] p C 1 or C 2 ) = ge(c 1 ) ge(c 2 ) ge(skipasn x e) = ge(skipif e C) = ge(c)

78 Probabilistic Program Transformation i := 1; while i<=3 do if k[i]==1 then s := s; else skip; fi; i := i+1; od;

79 Probabilistic Program Transformation i := 1; while i<=3 do if k[i]==1 then s := s; else skip; fi; i := i+1; od; i := 1; while i<=3 do if k[i]==1 then s := s; [skip] else [s := s]; skip fi; i := i+1; od;

80 Probabilistic Program Transformation i := 1; while i<=3 do if k[i]==1 then choose p: s := s; [skip] or 1-p: ro else choose p: or 1-p: ro fi; i := i+1; od; s := s skip [s := s]; skip

81 Application: Security Tradeoffs c(p) δ (p) t(p)

82 Commercial Applications AbsInt tools used by major car and electronic goods manufacturers such as BMW, Daimler and Bosch. Another example is the work of Polyspace (recently taken over by The MathWorks) work with Airbus on the verification of fly-by-wire software.

83 Embedded Systems Henzinger and Sifakis make an eloquent case for the reappraisal of the foundations of computing. They call for a new scientific foundation which... will systematically and even-handedly integrate computation and physicality... ". They identify the a list of issues that must be dealt with which include: computation and physical constraints nondeterminism and probabilities functional and performance requirements qualitative and quantitative analysis, and Boolean and real values

84 Concluding Remarks Clark, Hunt and Malacaria use information theoretic ideas as a basis for studying information flow. General theme of incorporating quantitative and probabilistic techniques into program analysis and reasoning is certain to expand. It remains to be seen which approach will eventually prevail but, whichever does, there is no doubt that the arsenal of techniques will be enrichened and program analysis probably will count! Thank you

85 Concluding Remarks Clark, Hunt and Malacaria use information theoretic ideas as a basis for studying information flow. General theme of incorporating quantitative and probabilistic techniques into program analysis and reasoning is certain to expand. It remains to be seen which approach will eventually prevail but, whichever does, there is no doubt that the arsenal of techniques will be enrichened and program analysis probably will count! Thank you