DERIVING AND PROVING ABSTRACT NON-INTERFERENCE

Size: px

Start display at page:

Download "DERIVING AND PROVING ABSTRACT NON-INTERFERENCE"

Dwayne Wilkerson
6 years ago
Views:

1 DERIVING AND PROVING ABSTRACT NON-INTERFERENCE Roberto Giacobazzi and Isabella Mastroeni Dipartimento di Informatica Università di Verona Italy Paris, February 20th, 2004 Deriving and Proving Abstract Non-interference p.1/34

2 The Problem The problem: Protect data confidentiality from erroneous/malicious attacks while data are processed Attack = disclosing properties of confidential data Access control by declaring data privileges! Deriving and Proving Abstract Non-interference p.2/34

3 The Problem The problem: Protect data confidentiality from erroneous/malicious attacks while data are processed Access control methods do not put constraints on how the information is propagated! Deriving and Proving Abstract Non-interference p.2/34

4 The Problem The problem: Protect data confidentiality from erroneous/malicious attacks while data are processed Description of the problem: Typing of data (and variables) in private (H) and public (L); Non-Interference: to prevent the results of the computation from leaking even partial information about private inputs! Explicit flow: caused by directly passing private data to a public variable: l := 2 h; Implicit flow: arise from control structure of the program: while h do l := l + 1; h := h 1. We consider only terminating computations! Deriving and Proving Abstract Non-interference p.2/34

5 The Goal IT IS ESSENTIAL TO KNOW HOW MUCH AN ATTACKER MAY LEARN FROM A PROGRAM! Goal: Automatically generate certificates about secure information flows Design of accurate security polices Static program analysis & verification techniques (types,cfa,dfa,...) Deriving and Proving Abstract Non-interference p.3/34

6 The Goal IT IS ESSENTIAL TO KNOW HOW MUCH AN ATTACKER MAY LEARN FROM A PROGRAM! Goal: Automatically generate certificates about secure information flows State of the art: Standard non-interference is far too restrictive No sensitive information can be disclosed Any change upon confidential data has not to be revealed by public ones Rigid security policy: L can flow into H but H cannot flow into L [Denning and Denning 77] Deriving and Proving Abstract Non-interference p.3/34

7 The Goal IT IS ESSENTIAL TO KNOW HOW MUCH AN ATTACKER MAY LEARN FROM A PROGRAM! Goal: Automatically generate certificates about secure information flows State of the art: Standard non-interference is far too restrictive Question: Is there a way to characterize what kind of information flows? Characterize the secrecy degree of a program H can flow into L unless a given property of H is disclosed Weakening standard non-interference (a challenge in language-based security [Sabelfeld & Myers 03]) Deriving and Proving Abstract Non-interference p.3/34

8 IDEA: Attackers as Abstract Interpretations while h do (l := l + 2; h := h 1) Deriving and Proving Abstract Non-interference p.4/34

9 IDEA: Attackers as Abstract Interpretations while h do (l := l + 2; h := h 1) There is an (implicit/absolute) flow from h into l The parity of l is not affected by any change of h... no information flow for parity! Deriving and Proving Abstract Non-interference p.4/34

10 IDEA: Attackers as Abstract Interpretations while h do (l := l + 2; h := h 1) The idea: Abstract non-interference Attackers as program analyzers Attackers can analyze I/O behaviour of public data Attackers perform static program analyses Abstract interpretation is a general method for specifying approximate semantics of programs [Cousot & Cousot 77] Attackers are abstract interpretations of program semantics Deriving and Proving Abstract Non-interference p.4/34

11 IDEA: Attackers as Abstract Interpretations The idea: Abstract non-interference Main results: Generalizing non-interference relatively to the attacker s power Making non-interference parametric on the attacker s point of view Checking abstract non-interference by abstract interpretation Systematic method for deriving attackers for programs by modifying abstractions Abstract Robust Declassification Deriving and Proving Abstract Non-interference p.4/34

12 Related works Refining security policies by constraining attackers Characterizing released information Deriving and Proving Abstract Non-interference p.5/34

13 Complexity: Refining security policies by constraining attackers Related works Security levels corresponding to how complex is attacking the program [Lowe 02] Deriving and Proving Abstract Non-interference p.5/34

14 Related works Refining security policies by constraining attackers Complexity: Security levels corresponding to how complex is attacking the program [Lowe 02] Quantitative measure: An absolute (approximate) quantitative evaluation of information leakage (number of statistical tests to disclose properties) [Di Pierro et al. 02] Deriving and Proving Abstract Non-interference p.5/34

15 Related works Characterizing released information Quantitative measure: Quantification of the information flowed by information theory [D. Clark et al. 03] Deriving and Proving Abstract Non-interference p.5/34

16 Related works Characterizing released information Quantitative measure: Quantification of the information flowed by information theory [D. Clark et al. 03] Robust declassification: The observational capability of the attacker is characterized by equivalence relations, then the information released is identified and declassified. [Zdancewic and Myers 01] Deriving and Proving Abstract Non-interference p.5/34

17 Standard non-interference One group of users [...] is noninterfering with another group of users if what the first group does [...] has no effect on what the second group of users can see [Goguen & Meseguer 82] Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Deriving and Proving Abstract Non-interference p.6/34

18 Standard non-interference Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L EXAMPLE: while h do (l := l + 2; h := h 1). Deriving and Proving Abstract Non-interference p.6/34

19 Standard non-interference Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L EXAMPLE: while h do (l := l + 2; h := h 1). h = 0, l = 1 l = 1 h = 1, l = 1 l = 3 h = n, l = 1 l = 1 + 2n Deriving and Proving Abstract Non-interference p.6/34

20 Standard non-interference Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L EXAMPLE: while h do (l := l + 2; h := h 1). h = 0, l = 1 l = 1 h = 1, l = 1 l = 3 h = n, l = 1 l = 1 + 2n If l is unchanged then h is 0! There is an information flow from h into l. Deriving and Proving Abstract Non-interference p.6/34

21 Standard non-interference Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L EXAMPLE: while h do (l := l + 2; h := h 1). h = 0, l = 1 l = 1 h = 1, l = 1 l = 3 h = n, l = 1 l = 1 + 2n If l is unchanged then h is 0! There is an information flow from h into l. Note that if the input l is even/odd then the output l is even/odd! Deriving and Proving Abstract Non-interference p.6/34

22 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Deriving and Proving Abstract Non-interference p.7/34

23 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) No change of H values and η-equivalent L values may affect the α abstraction of L outputs. Possible deceptive interference due to η-undistinguished L values! The more η is precise the less deceptive interference appears Deriving and Proving Abstract Non-interference p.7/34

24 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) EXAMPLE: [id]p(par) P= while h do (l := l + 2; h := h 1). h = 0, l = 1 Par(l) = odd h = 1, l = 1 Par(l) = odd h = n, l = 1 Par(l) = odd Deriving and Proving Abstract Non-interference p.7/34

25 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) EXAMPLE: [id]p(par) P= while h do (l := l + 2; h := h 1). h = 0, l = 1 Par(l) = odd h = 1, l = 1 Par(l) = odd h = n, l = 1 Par(l) = odd If l is odd/even then, independently from h, after the execution l is odd/even! There is not an information flow from h into the parity of l. Deriving and Proving Abstract Non-interference p.7/34

26 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) EXAMPLE II: [Par]P(Sign) P = l := 2 l h 2. h = 3, l = 2 (Par( 2) = even) Sign(l) = h = 1, l = 4 (Par( 4) = even) Sign(l) = Deriving and Proving Abstract Non-interference p.7/34

27 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) EXAMPLE II: [Par]P(Sign) P = l := 2 l h 2. h = 1, l = 4 (Par(4) = even) Sign(l) = + h = 1, l = 4 (Par( 4) = even) Sign(l) = The sign of the output l depends on the sign of the input l! There is a DECEPTIVE FLOW! Deriving and Proving Abstract Non-interference p.7/34

28 Consider α, η Abs( (V L )): Abstracting non-interference I Standard non-interference l : L, h 1, h 2 : H. P (h 1, l) L = P (h 2, l) L Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) EXAMPLE II: [Par]P(Sign) P = l := 2 l h 2. h = 1, l = 4 (Par(4) = even) Sign(l) = + h = 1, l = 4 (Par( 4) = even) Sign(l) = The sign of the output l depends on the sign of the input l! There is a DECEPTIVE FLOW! We compute the semantics on the concrete value of the input l! Deriving and Proving Abstract Non-interference p.7/34

29 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Deriving and Proving Abstract Non-interference p.8/34

30 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) No change of H values may affect the α abstraction of L outputs. No deceptive interference due to L data Deriving and Proving Abstract Non-interference p.8/34

31 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) EXAMPLE: (Par)P(Sign) P = l := 2 l h 2. h = 3, Par(l) = even Sign(l) = I don t know h = 1, Par(l) = even Sign(l) = I don t know Deriving and Proving Abstract Non-interference p.8/34

32 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) EXAMPLE: (Par)P(Sign) P = l := 2 l h 2. h = 3, Par(l) = even Sign(l) = I don t know h = 1, Par(l) = even Sign(l) = I don t know There is not an information flow from h into the sign of l. Deriving and Proving Abstract Non-interference p.8/34

33 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) EXAMPLE II: (id)p(par) P = l := l h 2. h = 2, l = 1 Par(l) = even h = 3, l = 1 Par(l) = odd h = n, l = 1 Par(l) = Par(n) Deriving and Proving Abstract Non-interference p.8/34

34 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) EXAMPLE II: (id)p(par) P = l := l h 2. h = 2, l = 1 Par(l) = even h = 3, l = 1 Par(l) = odd h = n, l = 1 Par(l) = Par(n) The parity of h is flowing into l! Deriving and Proving Abstract Non-interference p.8/34

35 Abstracting non-interference II Consider α, η Abs( (V L )): Narrow (abstract) non-interference [η]p(α): η(l 1 ) = η(l 2 ) α( P (h 1, l 1 ) L ) = α( P (h 2, l 2 ) L ) Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) EXAMPLE II: (id)p(par) P = l := l h 2. h = 2, l = 1 Par(l) = even h = 3, l = 1 Par(l) = odd h = n, l = 1 Par(l) = Par(n) The parity of h is flowing into l! We are looking for flows from any possible property of h into l! Deriving and Proving Abstract Non-interference p.8/34

36 Consider α, η Abs( (V L )) and φ Abs( (V H )): Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) Abstracting non-interference III Deriving and Proving Abstract Non-interference p.9/34

37 Consider α, η Abs( (V L )) and φ Abs( (V H )): Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) Abstracting non-interference III Abstract non-interference (η)p(φ []α): η(l 1 )=η(l 2 ) α( P (φ(h 1 ), η(l 1 )) L )=α( P (φ(h 2 ), η(l 2 )) L ) No change of φ-equivalent H values may affect the α abstraction of L outputs. No deceptive interference due to L data;...φ does not flow into what α can see on the output Deriving and Proving Abstract Non-interference p.9/34

38 Consider α, η Abs( (V L )) and φ Abs( (V H )): Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) Abstracting non-interference III Abstract non-interference (η)p(φ []α): η(l 1 )=η(l 2 ) α( P (φ(h 1 ), η(l 1 )) L )=α( P (φ(h 2 ), η(l 2 )) L ) EXAMPLE: (id)p(sign []Par) P = l := l h 2. Sign(h) = +, l = 1 Par(l) = I don t know Sign(h) =, l = 1 Par(l) = I don t know Deriving and Proving Abstract Non-interference p.9/34

39 Consider α, η Abs( (V L )) and φ Abs( (V H )): Abstracting non-interference (η)p(α): η(l 1 )=η(l 2 ) α( P (h 1, η(l 1 )) L )=α( P (h 2, η(l 2 )) L ) Abstracting non-interference III Abstract non-interference (η)p(φ []α): η(l 1 )=η(l 2 ) α( P (φ(h 1 ), η(l 1 )) L )=α( P (φ(h 2 ), η(l 2 )) L ) EXAMPLE: (id)p(sign []Par) P = l := l h 2. Sign(h) = +, l = 1 Par(l) = I don t know Sign(h) =, l = 1 Par(l) = I don t know There is not an information flow from the sign of h into the parity of l. Deriving and Proving Abstract Non-interference p.9/34

40 Basic properties [η]p( ) [η]p(α) β η. [β]p(α) [η]p(α) β α. [η]p(β) i. [η]p(α i ) [η]p( α i ) i I Deriving and Proving Abstract Non-interference p.10/34

41 Basic properties [η]p( ) [η]p(α) β η. [β]p(α) [η]p(α) β α. [η]p(β) i. [η]p(α i ) [η]p( α i ) i I (η)p(φ [] ) (η)p(φ []α) β α. (η)p(φ []β) i. (η)p(φ []α i ) (η)p(φ [] i I α i ) Deriving and Proving Abstract Non-interference p.10/34

42 Basic properties [η]p( ) [η]p(α) β η. [β]p(α) [η]p(α) β α. [η]p(β) i. [η]p(α i ) [η]p( α i ) i I (η)p(φ [] ) (η)p(φ []α) β α. (η)p(φ []β) i. (η)p(φ []α i ) (η)p(φ [] i I α i ) Standard non-interference: [id]p(id) = (id)p(id []id) Deriving and Proving Abstract Non-interference p.10/34

43 Basic properties [η]p( ) [η]p(α) β η. [β]p(α) [η]p(α) β α. [η]p(β) i. [η]p(α i ) [η]p( α i ) i I (η)p(φ [] ) (η)p(φ []α) β α. (η)p(φ []β) i. (η)p(φ []α i ) (η)p(φ [] i I α i ) [id]p(id) (η)p(id []α) (η)p(φ []α) Deriving and Proving Abstract Non-interference p.10/34

44 Basic properties [η]p( ) [η]p(α) β η. [β]p(α) [η]p(α) β α. [η]p(β) i. [η]p(α i ) [η]p( α i ) i I (η)p(φ [] ) (η)p(φ []α) β α. (η)p(φ []β) i. (η)p(φ []α i ) (η)p(φ [] i I α i ) [η]p(α) (η)p(id []α) (η)p(φ []α) Deriving and Proving Abstract Non-interference p.10/34

45 Basic properties [η]p( ) [η]p(α) β η. [β]p(α) [η]p(α) β α. [η]p(β) i. [η]p(α i ) [η]p( α i ) i I (η)p(φ [] ) (η)p(φ []α) β α. (η)p(φ []β) i. (η)p(φ []α i ) (η)p(φ [] i I α i ) [id]p(id) [η]p(α) due to deceptive flows Deriving and Proving Abstract Non-interference p.10/34

46 Deriving output attackers Abstract interpretation provides advanced methods for designing abstractions (refinement, simplification, compression...) [Giacobazzi & Ranzato 97] Designing abstractions = designing attackers Deriving and Proving Abstract Non-interference p.11/34

47 Deriving output attackers Abstract interpretation provides advanced methods for designing abstractions (refinement, simplification, compression...) [Giacobazzi & Ranzato 97] Designing abstractions = designing attackers Characterize the most concrete α such that (η)p(φ []α) [The most powerful output attacker] Deriving and Proving Abstract Non-interference p.11/34

48 Deriving output attackers The following theorems hold: Consider η Abs( (V L )): We characterize the function λη. [η] P (id) whose result is { } β [η]p(β). Deriving and Proving Abstract Non-interference p.11/34

49 Deriving output attackers The following theorems hold: Consider η Abs( (V L )): We characterize the function λη. [η] P (id) whose result is { } β [η]p(β). Consider η Abs( (V L )) and φ Abs( (V H )): We characterize the function λη. (η) P (φ []id) whose result is { } β (η)p(φ []β). Deriving and Proving Abstract Non-interference p.11/34

50 Deriving output attackers The following theorems hold: Consider η Abs( (V L )): We characterize the function λη. [η] P (id) whose result is { } β [η]p(β). Consider η Abs( (V L )) and φ Abs( (V H )): We characterize the function λη. (η) P (φ []id) whose result is { } β (η)p(φ []β). This would provide a certificate for security with a fixed input observation. Skip details Deriving and Proving Abstract Non-interference p.11/34

51 Characterizing Attackers Let η uco( (V L )), φ uco( (V H )): WHICH POINTS GUARANTEE NON-INTERFERENCE? Deriving and Proving Abstract Non-interference p.12/34

52 Characterizing Attackers Let η uco( (V L )), φ uco( (V H )): WHICH POINTS GUARANTEE NON-INTERFERENCE? Indistinguishable elements: Υ η { def } (l) = P (h, y) L P η(y) = η(l), h V H ; Υ η, φ { def } (l) = P (φ(h), η(l)) L P h V H Deriving and Proving Abstract Non-interference p.12/34

53 Characterizing Attackers Let η uco( (V L )), φ uco( (V H )): WHICH POINTS GUARANTEE NON-INTERFERENCE? Indistinguishable elements: Υ η { def } (l) = P (h, y) L P η(y) = η(l), h V H ; Υ η, φ { def } (l) = P (φ(h), η(l)) L P h V H Secret elements: Secr ε P (X) iff l V L. ( Z Υ ε P (l). Z X W Υε P (l). W X) Deriving and Proving Abstract Non-interference p.12/34

54 Graphically Consider X, Y (V L ), and Secr ε P of both: X Y Υ ε P (l 1) Υ ε P (l 3) Deriving and Proving Abstract Non-interference p.13/34

55 Graphically Consider X, Y (V L ), and Secr ε P of both: X Y Υ ε P (l 1) Υ ε P (l 3) Deriving and Proving Abstract Non-interference p.13/34

56 Graphically Consider X, Y (V L ), and Secr ε P of both: X Y Υ ε P (l 1) Υ ε P (l 3) Secr ε P (X) and Secrε P (Y) Deriving and Proving Abstract Non-interference p.13/34

57 Characterizing Attackers II Consider a program P, η uco( (V L )) and φ uco( (V H )) S η P ( (VL )) = { X (V L ) Secr η P (X) } is the most concrete domain K such that [η]p(k) Deriving and Proving Abstract Non-interference p.14/34

58 Characterizing Attackers II Consider a program P, η uco( (V L )) and φ uco( (V H )) S η P ( (VL )) = { X (V L ) Secr η P (X) } is the most concrete domain K such that [η]p(k) S η, φ { P ( (V L )) = X (V L ) Secr η,φ } P (X) is the most concrete domain K such that (η)p(φ []K) Deriving and Proving Abstract Non-interference p.14/34

59 Characterizing Attackers II Consider a program P, η uco( (V L )) and φ uco( (V H )) S η P ( (VL )) = { X (V L ) Secr η P (X) } is the most concrete domain K such that [η]p(k) S η, φ { P ( (V L )) = X (V L ) Secr η,φ } P (X) is the most concrete domain K such that (η)p(φ []K) The canonical attacker is obtained by a fix-point process! Deriving and Proving Abstract Non-interference p.14/34

60 Deriving Attackers I Let η uco( (V L )), φ uco( (V H )), P a program and η(l 1 ) = η(l 2 ): D P (η) WHICH ELEMENTS ARE ALWAYS NOT SECRET? Narrow (abstract) Non-Interference P (V H, η(l 1 )) P (h 1, l 1 ) P (h 2, l 2 ) Deriving and Proving Abstract Non-interference p.15/34

61 Deriving Attackers I Let η uco( (V L )), φ uco( (V H )), P a program and η(l 1 ) = η(l 2 ): WHICH ELEMENTS ARE ALWAYS NOT SECRET? D P (η) Narrow (abstract) Non-Interference P (V H, η(l 1 )) ρ( P (h 1, l 1 )) = ρ( P (h 2, l 2 )) ρ( P (h 1, l 1 )) ρ( P (h 2, l 2 )) X P (h 1, l 1 ) P (h 2, l 2 ) Deriving and Proving Abstract Non-interference p.15/34

62 Deriving Attackers I Let η uco( (V L )), φ uco( (V H )), P a program and η(l 1 ) = η(l 2 ): WHICH ELEMENTS ARE ALWAYS NOT SECRET? D P (η). Narrow (abstract) Non-Interference P (V H, η(l 1 )) ρ( P (h 1, l 1 )) = ρ( P (h 2, l 2 )) ρ( P (h 1, l 1 )) ρ( P (h 2, l 2 )) X P (h 1, l 1 ) P (h 2, l 2 ) Deriving and Proving Abstract Non-interference p.15/34

63 Deriving Attackers I Let η uco( (V L )), φ uco( (V H )), P a program and η(l 1 ) = η(l 2 ): WHICH ELEMENTS ARE ALWAYS NOT SECRET? D P (η). Abstract Non-Interference P (V H, η(l 1 )) ρ( P (φ(h 1 ), η(l 1 ))) ρ( P (φ(h 2 ), η(l 2 ))) ρ( P (φ(h 1 ), η(l 1 ))) = ρ( P (φ(h 2 ), η(l 2 ))) X P (φ(h 1 ), η(l 1 )) P (φ(h 2 ), η(l 2 )) P (h 1, η(l 1 )) P (h 2, η(l 2 )) P (h 1, l 1 ) P (h 2, l 2 ) Deriving and Proving Abstract Non-interference p.15/34

64 Deriving Attackers II Let η uco( (V L )), φ uco( (V H )), P a program and η(l 1 ) = η(l 2 ): FOR WHICH ELEMENTS WE HAVE TO VERIFY SECRECY? D P (η). Deriving and Proving Abstract Non-interference p.16/34

65 Deriving Attackers II Let η uco( (V L )), φ uco( (V H )), P a program and η(l 1 ) = η(l 2 ): FOR WHICH ELEMENTS WE HAVE TO VERIFY SECRECY? D P (η). P (V H, η(l 1 )) P (V H, η(l 2 )) P (φ(h 1 ), η(l 1 )) P (φ(h 2 ), η(l 1 )) P (φ(h 1 ), η(l 2 )) Deriving and Proving Abstract Non-interference p.16/34

66 Graphically Let η uco( (V L )), η(l 1 ) η(l 2 ): S ε P ( )D P (η). d 1 d 3 d 4 D P (η) d 2 Υ ε P (l 1) Υ ε P (l 2) Υ ε P (l 3) Υ ε P (l 4) Deriving and Proving Abstract Non-interference p.17/34

67 Graphically Let η uco( (V L )), η(l 1 ) η(l 2 ): S ε P () D P (η). d 1 d 3 d 4 D P (η) d 2 Υ ε P (l 1) Υ ε P (l 2) Υ ε P (l 3) Υ ε P (l 4) Deriving and Proving Abstract Non-interference p.17/34

68 Graphically Let η uco( (V L )), η(l 1 ) η(l 2 ): S ε P () D P (η). d 1 d 3 d 4 D P (η) d 2 Υ ε P (l 1) Υ ε P (l 2) Υ ε P (l 3) Υ ε P (l 4) Deriving and Proving Abstract Non-interference p.17/34

69 Graphically Let η uco( (V L )), η(l 1 ) η(l 2 ): S ε P ( D P (η)). d 1 d 3 d 4 D P (η) d 2 Υ ε P (l 1) Υ ε P (l 2) Υ ε P (l 3) Υ ε P (l 4) Deriving and Proving Abstract Non-interference p.17/34

70 Deriving Attackers III Let η uco( (V L )), φ uco( (V H )), φ(h 1 ) φ(h 2 ) and η(l 1 ) η(l 2 ): WHICH ELEMENTS ARE ALWAYS SECRET? Irr P (φ, η). Secr P (V H, η(l 1 )) P (V H, η(l 1 )) P (φ(h 2 ), η(l 1 )) P (φ(h 1 ), η(l 1 )) P (φ(h 1 ), η(l 2 )) Deriving and Proving Abstract Non-interference p.18/34

71 Deriving canonical attackers Abstract interpretation provides advanced methods for designing abstractions (refinement, simplification, compression...) [Giacobazzi & Ranzato 97] Transforming abstractions = transforming attackers Deriving and Proving Abstract Non-interference p.19/34

72 Deriving canonical attackers Abstract interpretation provides advanced methods for designing abstractions (refinement, simplification, compression...) [Giacobazzi & Ranzato 97] Transforming abstractions = transforming attackers Characterize the most concrete δ such that (δ)p(φ []δ) [The most powerful canonical attacker] This would provide a certificate for security. Deriving and Proving Abstract Non-interference p.19/34

73 Deriving canonical attackers λx. [X] P (id) is monotone on Abs( (V L )). [α]p(α) α = [α] P (id). lfp(λx. [X] P (id)) is the most concrete secure attacker for P for narrow abstract non-interference. Deriving and Proving Abstract Non-interference p.19/34

74 Deriving canonical attackers λx. [X] P (id) is monotone on Abs( (V L )). [α]p(α) α = [α] P (id). lfp(λx. [X] P (id)) is the most concrete secure attacker for P for narrow abstract non-interference. (α)p(φ []α) α = (α) P (φ []id) λx. (X) P (φ []id) X is extensive on Abs( (V L )). fix(λx. (X) P (φ []id) X) is a secure attacker for P for abstract non-interference. Deriving and Proving Abstract Non-interference p.19/34

75 Deriving canonical attackers EXAMPLE: P = while h do (l := l 2; h := h 1)... we derive a secure attacker π = { } ( n{2} N n 2N + 1 {{0}}): (π) P (id []π) h = 0, π(l) = 3{2} N h = 2, π(l) = 3{2} N π(l) = 3{2} N π(l) = 3{2} N In the program l is always multiplied by 2! Deriving and Proving Abstract Non-interference p.19/34

76 Consider a program P and its finite computations. Abstract robust declassification A passive attacker may be able to learn some information by observing the system but, by assumption, that information leakage is allowed by the security policy. [Zdancewic and Myers 2001] Deriving and Proving Abstract Non-interference p.20/34

77 Consider a program P and its finite computations. Abstract robust declassification A passive attacker may be able to learn some information by observing the system but, by assumption, that information leakage is allowed by the security policy. [Zdancewic and Myers 2001] We want to characterize the most concrete flow-irredundant property such that (η)p(φ α) [The maximal amount of information disclosed] This would provide a certificate for disclosed secrets. Deriving and Proving Abstract Non-interference p.20/34

78 Abstract robust declassification Consider the program P = l := l + (h mod 3) The transition system is such that < h, l > < h, l + (h mod 3) >. Consider η( (Z)) = {Z, [2, 4], [5, 8], {5}, } and α = id. Deriving and Proving Abstract Non-interference p.20/34

79 Abstract robust declassification Consider the program P = l := l + (h mod 3) The transition system is such that < h, l > < h, l + (h mod 3) >. Consider η( (Z)) = {Z, [2, 4], [5, 8], {5}, } and α = id. The flow is revealed when h 1 and h 2 differs in the values h 1 mod 3 and h 2 mod 3 φ = ({3Z, 3Z + 1, 3Z + 2}) is the maximal amount of information disclosed! Deriving and Proving Abstract Non-interference p.20/34

80 Proving Abstract Non-Interference We introduce a compositional proof-system for certifying abstract non-interference; Deriving and Proving Abstract Non-interference p.21/34

81 Proving Abstract Non-Interference We introduce a compositional proof-system for certifying abstract non-interference; PROOF-SYSTEM OF INVARIANTS I: {ρ} L c {ρ} L means that c is ρ-observably equivalent to the statement nil: {ρ} L c {ρ} L iff ρ( c (h, l) L ) = ρ(l) Deriving and Proving Abstract Non-interference p.21/34

82 Proving Abstract Non-Interference We introduce a compositional proof-system for certifying abstract non-interference; PROOF-SYSTEM OF INVARIANTS I: {ρ} L c {ρ} L means that c is ρ-observably equivalent to the statement nil: {ρ} L c {ρ} L iff ρ( c (h, l) L ) = ρ(l) PROOF-SYSTEM FOR DETERMINISTIC NARROW NON-INTERFERENCE N det : Syntax-driven certification of narrow non-interference for deterministic languages; PROOF-SYSTEM FOR NON-DETERMINISTIC NARROW NON-INTERFERENCE N Deriving and Proving Abstract Non-interference p.21/34

83 Proving Abstract Non-Interference We introduce a compositional proof-system for certifying abstract non-interference; PROOF-SYSTEM OF INVARIANTS I: {ρ} L c {ρ} L means that c is ρ-observably equivalent to the statement nil: {ρ} L c {ρ} L iff ρ( c (h, l) L ) = ρ(l) PROOF-SYSTEM FOR DETERMINISTIC NARROW NON-INTERFERENCE N det : Syntax-driven certification of narrow non-interference for deterministic languages; PROOF-SYSTEM FOR NON-DETERMINISTIC NARROW NON-INTERFERENCE N PROOF-SYSTEM FOR NON-DETERMINISTIC ABSTRACT NON-INTERFERENCE A: Syntax-driven certification of abstract non-interference for non-deterministic languages. Deriving and Proving Abstract Non-interference p.21/34

84 The invariants proof-system I I1: { } L c { } L I2: {ρ} L nil {ρ} L I3: x : H {ρ} L x := e {ρ} L I4: {ρ} e, x {ρ}, x : L {ρ} L x := e {ρ} L I5: {ρ} L c 1 {ρ} L, {ρ} L c 2 {ρ} L {ρ} L c 1 ; c 2 {ρ} L I6: {ρ} L c {ρ} L {ρ} L while x do c endw {ρ} L I7: {ρ } L c {ρ } L, ρ ρ {ρ} L c {ρ} L I8: i I. {ρ i } L c i {ρ i } L { i I ρ i} L i c i { i I ρ i} L Next Table Deriving and Proving Abstract Non-interference p.22/34

85 The assignment {ρ} e, x {ρ}, x : L {ρ} L x := e {ρ} L where {ρ} e, x {ρ} iff ρ(e [e](h, l)) = ρ(l x ). Deriving and Proving Abstract Non-interference p.23/34

86 The assignment {ρ} e, x {ρ}, x : L {ρ} L x := e {ρ} L where {ρ} e, x {ρ} iff ρ(e [e](h, l)) = ρ(l x ). EXAMPLE: Let e = l + 2. Then = {Sign} e, l {Sign} since if l = 1 Sign(l + 2) = Sign(1) = + Sign(l) = Deriving and Proving Abstract Non-interference p.23/34

87 The assignment {ρ} e, x {ρ}, x : L {ρ} L x := e {ρ} L where {ρ} e, x {ρ} iff ρ(e [e](h, l)) = ρ(l x ). EXAMPLE: Let e = l + 2. We have = {Par} e, l {Par}. Consider c = l := l + 2, we obtain that {Par} L l := l + 2 {Par} L Return Deriving and Proving Abstract Non-interference p.23/34

88 The sequential composition {ρ} L c 1 {ρ} L, {ρ} L c 2 {ρ} L {ρ} L c 1 ; c 2 {ρ} L Deriving and Proving Abstract Non-interference p.24/34

89 The sequential composition {ρ} L c 1 {ρ} L, {ρ} L c 2 {ρ} L {ρ} L c 1 ; c 2 {ρ} L EXAMPLE: Let c = l := l + 2; h := h + 1. { = {Par} L l := l + 2 {Par} L by Rule I4 = {Par} L h := h + 1 {Par} L by Rule I3 Deriving and Proving Abstract Non-interference p.24/34

90 The sequential composition {ρ} L c 1 {ρ} L, {ρ} L c 2 {ρ} L {ρ} L c 1 ; c 2 {ρ} L EXAMPLE: Let c = l := l + 2; h := h + 1. { = {Par} L l := l + 2 {Par} L by Rule I4 = {Par} L h := h + 1 {Par} L by Rule I3 = {Par} L l := l + 2; h := h + 1 {Par} L Return Deriving and Proving Abstract Non-interference p.24/34

91 The proof-system N det N1: [η] c (id) ρ [η]c(ρ) N2: [η]c( ) N3: [η]nil(ρ) N4: [η]e(ρ), [Π(η) Π(ρ)], x : L [η]x := e(ρ) N5: x : H, Π(η) Π(ρ) [η]x := e(ρ) N6: [η]c 1 (ρ), [ρ]c 2 (β) [η]c 1 ; c 2 (β) N7: {ρ} L c {ρ} L [ρ]while x do c endw(ρ) N8: i I. [η]c(ρ i ) [η]c( i I ρ i) N9: i I. [η]c(ρ i ) [η]c( i I ρ i) N10: [η ]c(ρ ), η η, ρ ρ [η]c(ρ) Next Table Deriving and Proving Abstract Non-interference p.25/34

92 The low assignment [η]e(ρ), [Π(η) Π(ρ)], x : L [η]x := e(ρ) where [η]e(ρ) iff ρ(e [e](h 1, l 1 )) = ρ(e [e](h 2, l 2 )). Deriving and Proving Abstract Non-interference p.26/34

93 The low assignment [η]e(ρ), [Π(η) Π(ρ)], x : L [η]x := e(ρ) where [η]e(ρ) iff ρ(e [e](h 1, l 1 )) = ρ(e [e](h 2, l 2 )). EXAMPLE: Let c = l 1 := 2 h l 2. Then = [ ]l 1 := 2 h l 2 (Par) since Par( l 1 := 2 h l 2 (h, l 1, 3 ) L ) = even, odd Par( l 1 := 2 h l 2 (h, l 1, 2 ) L ) = even, even This because (2) = (3) but Par(2) Par(3). Deriving and Proving Abstract Non-interference p.26/34

94 The low assignment [η]e(ρ), [Π(η) Π(ρ)], x : L [η]x := e(ρ) where [η]e(ρ) iff ρ(e [e](h 1, l 1 )) = ρ(e [e](h 2, l 2 )). NOTE: If there s only one low variable the condition Π(η) Π(ρ) is not necessary. EXAMPLE: Consider c = l := 2 h [ ]2 h(par) [ ]l := 2 h(par) Return Deriving and Proving Abstract Non-interference p.26/34

95 The high assignment x : H, Π(η) Π(ρ) [η]x := e(ρ) Deriving and Proving Abstract Non-interference p.27/34

96 The high assignment x : H, Π(η) Π(ρ) [η]x := e(ρ) EXAMPLE: Let c = h := h + 1. Then ρ( h := h + 1 (h 1, l 1 ) L ) = ρ(l 1 ) ρ( h := h + 1 (h 2, l 2 ) L ) = ρ(l 2 ) Therefore [η]h := h + 1(ρ) (η(l 1 ) = η(l 2 ) ρ(l 1 ) = ρ(l 2 )) Π(η) Π(ρ) Return Deriving and Proving Abstract Non-interference p.27/34

97 The proof-system N N1: [η] c (id) ρ [η]c(ρ) N2: [η]c( ) N3: [η]nil(ρ) N4: [η]e(ρ), [Π(η) Π(ρ)], x : L [η]x := e(ρ) N5: x : H, Π(η) Π(ρ) [η]x := e(ρ) N6: [η]c 1 ( (ρ)), [ρ]c 2 ( (β)) [η]c 1 ; c 2 ( (β)) N7: {ρ} L c {ρ} L [ρ]while x do c endw(ρ) N8: i I. [η]c(ρ i ) [η]c( i I ρ i) N9: i I. [η]c(ρ i ) [η]c( i I ρ i) N10: [η ]c(ρ ), η η, ρ ρ [η]c(ρ) N11: i I. [η i ]c i (ρ i ) [ i I η i] i c i ( i I ρ i) Next Table Deriving and Proving Abstract Non-interference p.28/34

98 The non-deterministic concatenation [η]c 1 ( (ρ)), [ρ]c 2 ( (β)) [η]c 1 ; c 2 ( (β)) Deriving and Proving Abstract Non-interference p.29/34

99 The non-deterministic concatenation [η]c 1 ( (ρ)), [ρ]c 2 ( (β)) [η]c 1 ; c 2 ( (β)) EXAMPLE: Let ρ = {Z, 4Z, 4Z + 1, 4Z + 2, 4Z + 3, } and c = c 1 ; c 2 = [ l := 1 (h mod 2) l := 2 (h mod 2) + 2 (1 (h mod 2)); l := (l mod 2) 4h + (1 (l mod 2)) (4h + 1) then h 2Z ρ( c 1 (h, l) L ) = ρ({1, 2}) = Z h 2Z + 1 ρ( c 1 (h, l) L ) = ρ({0, 2}) = Z [ ]c 1 (ρ) Deriving and Proving Abstract Non-interference p.29/34

100 The non-deterministic concatenation [η]c 1 ( (ρ)), [ρ]c 2 ( (β)) [η]c 1 ; c 2 ( (β)) EXAMPLE: Let ρ = {Z, 4Z, 4Z + 1, 4Z + 2, 4Z + 3, } and c = c 1 ; c 2 = [ [ ]c 1 (ρ) and l := 1 (h mod 2) l := 2 (h mod 2) + 2 (1 (h mod 2)); l := (l mod 2) 4h + (1 (l mod 2)) (4h + 1) l 2Z ρ( c 2 (h, l) L ) = ρ({4h + 1}) = 4Z + 1 l 2Z + 1 ρ( c 2 (h, l) L ) = ρ({4h}) = 4Z [ρ]c 2 (ρ) Deriving and Proving Abstract Non-interference p.29/34

101 The non-deterministic concatenation [η]c 1 ( (ρ)), [ρ]c 2 ( (β)) [η]c 1 ; c 2 ( (β)) EXAMPLE: Let ρ = {Z, 4Z, 4Z + 1, 4Z + 2, 4Z + 3, } and c = c 1 ; c 2 = [ [ ]c 1 (ρ) and [ρ]c 2 (ρ), but l := 1 (h mod 2) l := 2 (h mod 2) + 2 (1 (h mod 2)); l := (l mod 2) 4h + (1 (l mod 2)) (4h + 1) h 2Z ρ( c 1 ; c 2 (h, l) L ) = ρ({4h, 4h + 1}) = Z h 2Z + 1 ρ( c 1 ; c 2 (h, l) L ) = ρ({4h + 1}) = 4Z + 1 Return = [ ]c(ρ) Deriving and Proving Abstract Non-interference p.29/34

102 The proof-system A A1: (η) c (id) ρ (η)c(ρ) A2: (η)c( ) A3: (η)nil(ρ) A4: (η)e(ρ), x : L (η)x := e(ρ) A5: x : H (η)x := e(ρ) A6: (η)c 1 ( (ρ)), [ρ]c 2 ( (β)) (η)c 1 ; c 2 ( (β)) A7: {ρ} L c {ρ} L, x : H (ρ)while x do c endw(ρ) A8: (ρ)c(ρ), x : L (ρ)while x do c endw(ρ) A9: i I. (η)c i (ρ i ) (η) i c i ( i I ρ i) A10: (η)c(ρ ), ρ ρ (η)c(ρ) A11: i I. (η)c(ρ i ) (η)c( i I ρ i) A12: i I. (η)c(ρ i ) (η)c( i I ρ i) Theorems Deriving and Proving Abstract Non-interference p.30/34

103 The high assignment x : H (η)x := e(ρ) Deriving and Proving Abstract Non-interference p.31/34

104 The high assignment x : H (η)x := e(ρ) EXAMPLE: Let c = h := h + 1. Then Therefore ρ( h := h + 1 (h 1, η(l 1 )) L ) = ρ(η(l 1 )) ρ( h := h + 1 (h 2, η(l 2 )) L ) = ρ(η(l 2 )) [η]h := h + 1(ρ) (η(l 1 ) = η(l 2 ) ρ(η(l 1 )) = ρ(η(l 2 ))) Return Deriving and Proving Abstract Non-interference p.31/34

105 The concatenation (η)c 1 ( (ρ)), [ρ]c 2 ( (β)) (η)c 1 ; c 2 ( (β)) Deriving and Proving Abstract Non-interference p.32/34

106 The concatenation (η)c 1 ( (ρ)), [ρ]c 2 ( (β)) (η)c 1 ; c 2 ( (β)) EXAMPLE: Let ρ = {Z, 4Z, 4Z + 1, 4Z + 2, 4Z + 3, } and c = c 1 ; c 2 = [ l := (h mod 2)(2l mod 4) + (1 (h mod 2))(l mod 2 + 1); l := (l mod 2) 4h + (1 (l mod 2)) (4h + 1) then h 2Z ρ( c 1 (h, Z) L ) = ρ({1, 2}) = Z h 2Z + 1 ρ( c 1 (h, Z) L ) = ρ({0, 2}) = Z ( )c 1 (ρ) Deriving and Proving Abstract Non-interference p.32/34

107 The concatenation (η)c 1 ( (ρ)), [ρ]c 2 ( (β)) (η)c 1 ; c 2 ( (β)) EXAMPLE: Let ρ = {Z, 4Z, 4Z + 1, 4Z + 2, 4Z + 3, } and c = c 1 ; c 2 = ( )c 1 (ρ) and [ l := (h mod 2)(2l mod 4) + (1 (h mod 2))(l mod 2 + 1); l := (l mod 2) 4h + (1 (l mod 2)) (4h + 1) l 2Z ρ( c 2 (h, l) L ) = ρ({4h + 1}) = 4Z + 1 l 2Z + 1 ρ( c 2 (h, l) L ) = ρ({4h}) = 4Z [ρ]c 2 (ρ) Deriving and Proving Abstract Non-interference p.32/34

108 The concatenation (η)c 1 ( (ρ)), [ρ]c 2 ( (β)) (η)c 1 ; c 2 ( (β)) EXAMPLE: Let ρ = {Z, 4Z, 4Z + 1, 4Z + 2, 4Z + 3, } and c = c 1 ; c 2 = [ ( )c 1 (ρ) and [ρ]c 2 (ρ), but l := (h mod 2)(2l mod 4) + (1 (h mod 2))(l mod 2 + 1); l := (l mod 2) 4h + (1 (l mod 2)) (4h + 1) h 2Z ρ( c 1 ; c 2 (h, Z) L ) = ρ({4h, 4h + 1}) = Z h 2Z + 1 ρ( c 1 ; c 2 (h, Z) L ) = ρ({4h + 1}) = 4Z + 1 Return = ( )c(ρ) Deriving and Proving Abstract Non-interference p.32/34

109 Theorems T 1) The system I is correct. Deriving and Proving Abstract Non-interference p.33/34

110 Theorems T 1) The system I is correct. T 2) The system N det is complete but N det {N1} is correct. EXAMPLE: Let ρ = {2Z} { {n} n 2Z + 1 } and P = l := 4 h 2 + 4; c where c = while h do l := l mod 4; h := 0 endw. We have [ ]l := 4 h 2 + 4(ρ) and [ ]P(ρ) But = [ρ]while h do l := l mod 4; h := 0 endw(ρ): ρ( c (0, 5) L ) = 5 ρ( c (1, 5) L ) = 1 Deriving and Proving Abstract Non-interference p.33/34

111 Theorems T 1) The system I is correct. T 2) The system N det is complete but N det {N1} is correct. T 3) The system N is complete but N {N1} is correct. Deriving and Proving Abstract Non-interference p.33/34

112 Theorems T 1) The system I is correct. T 2) The system N det is complete but N det {N1} is correct. T 3) The system N is complete but N {N1} is correct. T 4) The system A is complete but A {A1} is correct. EXAMPLE: Let ρ = {Z, 2Z, 4Z, } and P = while h do l := (l mod 4) (l 4); h := 0 endw Then (ρ)p(ρ): But = {ρ} L P {ρ} L : ρ( P (h, 2Z) L ) = 2Z ρ( c (1, 2) L ) = ρ(0) = 4Z ρ(2) = 2Z Deriving and Proving Abstract Non-interference p.33/34

113 Theorems T 1) The system I is correct. T 2) The system N det is complete but N det {N1} is correct. T 3) The system N is complete but N {N1} is correct. T 4) The system A is complete but A {A1} is correct. T 5) The system N is stronger than A. EXAMPLE: Then = [Sign]P(Par) but N [Sign]P(Par) : P = h := h + 1; l := 2 h Sign(2) = Sign(3) and Par( h := h + 1 (h, 3) L ) = Par(3) = odd Par( h := h + 1 (h, 2) L ) = Par(2) = even Deriving and Proving Abstract Non-interference p.33/34

114 Theorems T 1) The system I is correct. T 2) The system N det is complete but N det {N1} is correct. T 3) The system N is complete but N {N1} is correct. T 4) The system A is complete but A {A1} is correct. T 5) The system N is stronger than A. EXAMPLE: P = h := h + 1; l := 2 h Then = [Sign]P(Par) but N [Sign]P(Par) while A (Sign)P(Par) Deriving and Proving Abstract Non-interference p.33/34

115 Discussion We map security of programs into the lattice of abstract interpretations: systematic methods for designing attackers and certificates security degrees compared in the lattice checking abstract non-interference by static program analysis Deriving and Proving Abstract Non-interference p.34/34

116 Discussion We map security of programs into the lattice of abstract interpretations: systematic methods for designing attackers and certificates security degrees compared in the lattice checking abstract non-interference by static program analysis Abstract non-interference is a semantics property the method is language independent (as any abstract interpretation) refined semantics may refine security: covert channels (termination, non-determinism, synchronization, probabilistic, etc...) is a matter of semantics! Deriving and Proving Abstract Non-interference p.34/34

117 Discussion We map security of programs into the lattice of abstract interpretations: systematic methods for designing attackers and certificates security degrees compared in the lattice checking abstract non-interference by static program analysis Abstract non-interference is a semantics property the method is language independent (as any abstract interpretation) refined semantics may refine security: covert channels (termination, non-determinism, synchronization, probabilistic, etc...) is a matter of semantics! How far is any practical application? program slicing may help in checking program secrecy! Construction of a PCC architecture. Deriving and Proving Abstract Non-interference p.34/34

Abstract Non-Interference - An Abstract Interpretation-based approach to Secure Information Flow

Isabella Mastroeni Abstract Non-Interference - An Abstract Interpretation-based approach to Secure Information Flow Ph.D. Thesis 31 Marzo 2005 Università degli Studi di Verona Dipartimento di Informatica