Monitoring Hyperproperties - PDF Free Download

none.png Monitoring Hyperproperties Bernd Finkbeiner, Christopher Hahn, Marvin Stenger, and Leander Tentrup Reactive Systems Group, Saarland University, Germany The 17th International Conference on Runtime Verification Seattle, USA, 2017 0

Hyperproperties Definition A Hyperproperty H 2 TR is a set of sets of execution traces [Clarkson, Schneider, 10]. Example trace equality: All traces agree on a proposition p. observational determinism: A program appears deterministic to low security users. noninterference, generalized noninterference, noninference, declassification,... 1

A Logical Approach to Information-Flow Control HyperLTL [Clarkson, Finkbeiner, Koleini, Micinski, Rabe, Sánchez, 14] HyperLTL LTL + explicit trace quantification: π. π. on π on π satisfiable by {{on} ω, {off} ω } on off on trace equality: π. π. (on π on π ) on off on on off on on off on on off on observational determinism: π. π. (O π = O π ) W (I π = I π ) 2

Monitoring Hyperproperties we sequentially observe traces of a system when a new trace comes in, we check whether a given hyperproperty still holds 3

Overview 1. monitor construction 2. two techniques to make monitoring of hyperproperties feasible in practice: Trace Analysis: exploits a dominance relation between traces Specification Analysis: exploits symmetry, transitivity, and reflexivity in the specification 4

Monitor Construction conference management system with author and pc traces no paper submission is lost: every submission (s) is visible (v) to every pc member when comparing two pc traces, they have to agree on v π. π. ( pc π pc π ) (s π v π ) (1) (pc π pc π ) (v π v π ) (2) 5

Monitor Construction π. π. ( pc π pc π ) (s π v π ) (pc π pc π ) (v π v π ) q 0 v π pc π pc π pc π pc π pc π v π s π q 4 q 1 s π q 3 q 2 s π v π v π 6

Monitor Construction Deterministic monitor template = (, Q, δ, q 0 ): finite alphabet = 2 AP The automaton runs in parallel over n-ary tuple N ((2 AP ) ) n of finite traces: n δ q i, {(a, π j )} = q i+1. j=1 a N(j)(i) 7

Memory Explosion The naive approach always stores every trace seen so far! 9

Memory Explosion The naive approach always stores every trace seen so far! Trace Analysis: discard traces that are dominated by other traces 9

Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper 10

Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers 11

Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers 12

Trace Analysis - Example {} {s} {} {} {} an author submits a paper {} {} {s} {} {} another author submits a paper {} {} {s} {s} {} an author submits two papers {} {pc} {v} {v} {v} a pc observes 3 submissions 13

Trace Analysis - Example {} {pc} {v} {v} {v} a pc member observes three submissions 15

Trace Analysis - Example {} {pc} {v} {v} {v} a pc member observes three submissions {} {pc} {v} {v} {} a pc member observes two submissions 16

Trace Analysis Definition (Trace Redundancy) HyperLTL formula φ trace set T a trace t is (T, φ)-redundant if T is a model of φ if and only if T {t} is a model of φ 17

Dominance Checking HyperLTL formula φ traces t and t monitor template φ t dominates t if and only if π ( φ [t /π]) ( φ [t/π]) 18

Storage Minimization Algorithm input :HyperLTL formula φ, redundancy free trace set T, trace t output :redundancy free set of traces T min T {t} φ = build_template(φ) foreach t T do if t dominates t then return T end end foreach t T do if t dominates t then T := T \ {t } end end return T {t} 19

Specification Analysis Basic Idea: We use the HyperLTL-Sat solver EAHyper [Finkbeiner, H., Stenger, 17] to check whether HyperLTL formulas are symmetric, transitive or reflexive. Symmetry: we omit at least half of the monitor instantiations Transitivity: we reduce the instantiations to two Reflexivity: we omit the reflexive monitor instantiation 20

Symmetry - Example For observational determinism π. π. (O π = O π ) W (I π = I π ) we check whether the following formula is valid: π. π. (O π = O π ) W (I π = I π ) (O π = O π ) W (I π = I π ) we can omit the symmetric monitor instantiations 21

Transitivity - Example For output-equality π. π. O π = O π we check whether the following formula is valid: π. π. π. (O π = O π ) (O π = O π ) (O π = O π ) it is sufficient to store one reference trace 22

Reflexivity - Example For observational determinism π. π. (O π = O π ) W (I π = I π ) we check whether the following formula is valid: π. (O π = O π ) W (I π = I π ) we can omit the reflexive monitor 23

Experiments 10 5 π. π. (O π = O π ) W (I π = I π ) naive monitoring approach trace analysis specification analysis combination of both runtime on randomly generated traces runtime in msec. 8 6 4 2 0 0 500 1,000 1,500 2,000 # of instances 24

Experiments: Trace Analysis π. π. <n(i π = I π ) <n+c (O π = O π ) n = 16 n = 14 n = 12 10 5 10 5 10 5 10 4 10 3 10 2 10 1 10 0 10 4 10 3 10 2 10 1 10 0 10 4 10 3 10 2 10 1 10 0 0 0.25 0.5 0.75 1 0 0.25 0.5 0.75 1 0 0.25 0.5 0.75 1 10 5 absolute numbers of violations number of instances stored number of instances pruned 10 5 randomly generated traces of length 100000 25 10 5 10 5

Experiments: Specification Analysis symm trans refl ObsDet1 π. π. (I π = I π ) (O π = O π ) ObsDet2 π. π. (I π = I π ) (O π = O π ) ObsDet3 π. π.(o π = O ) (I π π = I ) π QuantNoninf π 0... π c. (( i I πi = I π0 ) i =j O πi = O πj ) EQ π. π (. (a π a π ) π π. ( pc π pc π ) (s π v π ) ) ConfMan ( (pc π pc π ) (v π v π ) ) preprocessing can be done in a couple of seconds with EAHyper saves tremendous amount of time during the monitoring process 26

Summary monitoring hyperproperties in theory: Monitor Template Memory Explosion monitoring hyperproperties in practice: Trace Analysis: exploits a dominance relation between traces Specification Analysis: exploits symmetry, transitivity, and reflexivity in the specification 27

Bibliography [Clarkson, Schneider, 10] Clarkson, M. R., and F. B. Schneider. "Hyperproperties." Journal of Computer Security 18.6 (2010): 1157-1210. [Clarkson, Finkbeiner, Koleini, Micinski, Rabe, Sánchez, 14] Clarkson, M. R., Finkbeiner, B., Koleini, M., Micinski, K. K., Rabe, M. N., & Sánchez, C. (2014, April). Temporal logics for hyperproperties. In International Conference on Principles of Security and Trust (pp. 265-284). [Finkbeiner, H., 16] Finkbeiner, Bernd, Hahn, Christopher. Deciding hyperproperties. 27th International Conference on Concurrency Theory, CONCUR 2016 [Finkbeiner, H., Stenger, 17] Bernd Finkbeiner, Christopher Hahn, and Marvin Stenger. EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties. International Conference on Computer Aided Verification (2017). Pictures: http://russia-insider.com/sites/insider/files/20110226_bbd001_0.jpg 28

Monitorability Theorem Given a HyperLTL formula φ = π 1... π k.ψ, where ψ true is an LTL formula. φ is monitorable if, and only if, u. v.uv bad( (ψ)). Theorem Given an alternation-free HyperLTL formula φ. Deciding whether φ is monitorable is PSpace-complete. 29

Finite Trace Semantics t[i, j] = { ε if i t t[ i, min(j, t 1)], otherwise fin = T a π if a fin (π)[0] fin = T φ if fin = T φ fin = T φ ψ if fin = T φ or fin = T ψ fin = T φ if fin [1,...] = T φ fin = T φ U ψ if i 0. fin [i,...] = T ψ 0 j < i. fin [j,...] = T φ fin = T π.φ if there is some t T such that fin [π t] = T φ 30

Alternation An offline monitor for a n m HyperLTL and m n HyperLTL formula has to perform the checks N T n check if φ accepts N M, and M T m check if φ accepts M N, respectively. N T n M T m 31