what you lose is what you leak - profs area scienze ed...

Post on 27-Aug-2019


WHAT YOU LOSE IS WHAT YOU LEAK
INFORMATION LEAKAGE IN DECLASSIFICATION POLICIES

A. Banerjee, R. Giacobazzi and I. Mastroeni

Kansas State University, Manhattan (KS), USA
Università di Verona, Verona, Italy

MFPS 2007

What you lose is what you leak – p.1/19

Overview

By exploiting the strong relation between completeness and non-interference we can obtain the following results:

- Model declassification as a forward completeness problem for the weakest precondition semantics;
- Derive counterexamples to a given declassification policy;
- Refine a given declassification policy;

We can model declassification as a model checking problem (see the relation with robust declassification).

What you lose is what you leak – p.2/19

Standard Non-Interference

[diagram: Private Input and Public Input enter ⟦P⟧, which produces the Public Output]

∀l : L, ∀h1, h2 : H. ⟦P⟧(h1, l)L = ⟦P⟧(h2, l)L

What you lose is what you leak – p.3/19

NI: A completeness problem

Recall that [Joshi & Leino '00]

P is secure iff HH ; P ; HH ≐ P ; HH

Let X = ⟨XH, XL⟩ ⇒ H(X) ≝ ⟨⊤H, XL⟩ ∈ uco(℘(V))

HH ; P ; HH ≐ P ; HH
⇓
H ∘ ⟦P⟧ ∘ H = H ∘ ⟦P⟧

⇒ A COMPLETENESS PROBLEM [Giacobazzi & Mastroeni '05]

What you lose is what you leak – p.4/19

Declassified NI

[diagram: the Private Input passes through φ and enters ⟦P⟧ together with the Public Input, which produces the Public Output]

φ ∈ Abs(℘(VH)): φ(h1) = φ(h2) ⇒ ⟦P⟧(h1, l)L = ⟦P⟧(h2, l)L

[Mastroeni '05]

What you lose is what you leak – p.5/19

Modelling declassification: A running example

Let φ = Parity ≝ {⊤, Even, Odd, ∅},

P = h := |h|;
    while (h > 0) do (h := h − 1; l := h) endw

For the output l = 0:

{h ∈ Z}
h := |h|;
{(h = 0 ∧ l = 0) ∨ h > 0}
while (h > 0) do (h := h − 1; l := h) endw
{l = 0}

Z ∈ φ ⇒ φ is ok!

For the output l = a ≠ 0:

{h = 0}
h := |h|;
{h = 0 ∧ l = a}
while (h > 0) do (h := h − 1; l := h) endw
{l = a ≠ 0}

{0} ∉ φ ⇒ φ is not ok!

Let Ha = {⟨h, l⟩ | h ∈ Z, l = a} (a value observed in output). Then

Wlp : H0 ↦ {⟨h, l⟩ | h ≠ 0, l ∈ Z} ∪ {⟨0, 0⟩}
      Ha ↦ {⟨0, a⟩}   (a ≠ 0)

P secure with φ declassified ⇔ Hφ ∘ WlpP ∘ H = WlpP ∘ H

What you lose is what you leak – p.6/19

DNI: A completeness problem (1)

Let Hφ be the abstract domain declassifying the property φ of the private input:

H ∘ ⟦P⟧ ∘ Hφ = H ∘ ⟦P⟧ ⇔ Hφ ∘ WlpP ∘ H = WlpP ∘ H

⇓
To release φ means to distinguish between elements in φ!

[diagram: Input ⟨xH, xL⟩ is abstracted by H to the Output ⟨⊤, xL⟩; WlpP⟨XH, XL⟩ leads back to the Input side, where it is compared with ⟨φ(XH), XL⟩]

What you lose is what you leak – p.7/19

Deriving counterexamples: A running example

Consider again φ = Parity ≝ {⊤, Even, Odd, ∅},

P = h := |h|;
    while (h > 0) do (h := h − 1; l := h) endw

{h = 0}   ⇒ Even split in {0} and Even ∖ {0}
h := |h|;
{h = 0 ∧ l = a}
while (h > 0) do (h := h − 1; l := h) endw
{l = a ≠ 0}

Let l = 5, h1 = 0 ∈ Even and h2 = 2 ∈ Even:
⟦P⟧(⟨0, 5⟩) = ⟨0, 5⟩ ≠ ⟨0, 0⟩ = ⟦P⟧(⟨2, 5⟩)

What you lose is what you leak – p.8/19
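The policy check, the counterexample and the refinement of the running example, carried out by exhaustive enumeration; this is an added Python illustration, not code from the paper, and the finite window H_RANGE standing in for Z and the set L_RANGE of public inputs are its assumptions.

```python
"""Policy check, counterexample and refinement for the running example.

P = h := |h|; while (h > 0) do (h := h - 1; l := h) endw
phi = Parity = {T, Even, Odd, empty}

Z is replaced by the finite window H_RANGE so the enumeration is exhaustive
(an assumption of this illustration, as is the set L_RANGE of public inputs).
"""
from itertools import combinations

H_RANGE = range(-6, 7)   # finite stand-in for Z (assumption)
L_RANGE = range(0, 4)    # public inputs l we quantify over (assumption)


def run_p(h, l):
    """Concrete semantics of P on the state <h, l>; returns the final state."""
    h = abs(h)
    while h > 0:
        h -= 1
        l = h
    return (h, l)


def parity(h):
    """The policy phi = Parity, written as the class label of h."""
    return "Even" if h % 2 == 0 else "Odd"


def observation(h):
    """What the public output reveals about h: the final l for every public
    input. Two values of h with equal observations lie in the same
    h-projection of every Wlp(H_a) block; h = 0 is the only value that leaves
    l untouched, so it is observationally distinct from every other h."""
    return tuple(run_p(h, l)[1] for l in L_RANGE)


def check_policy(policy):
    """DNI check: policy(h1) == policy(h2) must imply equal public output for
    every l. Returns None when the policy is ok, otherwise the first
    counterexample (l, h1, h2) with h1, h2 in the same policy class."""
    for h1, h2 in combinations(H_RANGE, 2):
        if policy(h1) == policy(h2):
            for l in L_RANGE:
                if run_p(h1, l) != run_p(h2, l):
                    return (l, h1, h2)
    return None


def refine(policy):
    """phi' = phi meet {Wlp(H_a) | a}: every class of phi is split along the
    observation blocks, which for Parity splits Even into {0} and Even minus {0}."""
    return lambda h: (policy(h), observation(h))
```

Parity fails because 0 and 2 share a class but produce different public outputs; the refined policy has three classes ({0}, Even minus {0}, Odd) and passes the same check.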

DNI: A completeness problem (2)

Let Hφ be the abstract domain declassifying the property φ of the private input:

H ∘ ⟦P⟧ ∘ Hφ = H ∘ ⟦P⟧ ⇔ Hφ ∘ WlpP ∘ H = WlpP ∘ H

[diagram: Input ⟨xH, xL⟩ is abstracted by H to the Output ⟨⊤, xL⟩; WlpP⟨XH, XL⟩ leads back to the Input side and is compared with ⟨φ(XH), XL⟩; the part of WlpP⟨XH, XL⟩ not captured by ⟨φ(XH), XL⟩ is labelled Counterexample, and the information it exposes is labelled Leakage]

What you lose is what you leak – p.9/19

Refining policies: An example

Consider φ = { {⟨h1, h2, ..., hn⟩ | (h1 + h2 + ... + hn)/n = a} | a ∈ Z }

P = h1 := h1; h2 := h2; ...; hn := hn;
    avg := declassify((h1 + h2 + ... + hn)/n);

{h1 = a}
h1 := h1; h2 := h2; ...; hn := hn
{(h1 + h2 + ... + hn)/n = a}
avg := declassify((h1 + h2 + ... + hn)/n);
{avg = a}

{⟨h1, h2, ..., hn⟩ | (h1 + h2 + ... + hn)/n = a, h1 = a} ∉ φ ⇒ φ is not ok!

Let Ha = {⟨h1, ..., hn, avg⟩ | avg = a} (a value observed in output). Then

Wlp : Ha ↦ {⟨a, h2, ..., hn, a⟩ | avg = a}

P secure with φ′ declassified ⇔ φ′ = φ ⊓ {Wlp(Ha) | a ∈ Z}

What you lose is what you leak – p.10/19

DNI: A completeness problem (3)

Let Hφ be the abstract domain declassifying the property φ of the private input:

H ∘ ⟦P⟧ ∘ Hφ = H ∘ ⟦P⟧ ⇔ Hφ ∘ WlpP ∘ H = WlpP ∘ H

[diagram: Input ⟨xH, xL⟩ is abstracted by H to the Output ⟨⊤, xL⟩; WlpP⟨XH, XL⟩ leads back to the Input side and is compared with ⟨φ(XH), XL⟩; the uncovered part is labelled Counterexample, the information it exposes Leakage, and the policy φ′ = φ ⊓ {Wlp(Ha) | a} that closes the gap Refinement]

What you lose is what you leak – p.11/19

Example: Oblivious Transfer Protocol [C. Morgan]

Ted: Trusted party

        Alice                              Bob
Hid:    r; d; c ∈ {0, 1}; m                m0; m1; r0; r1
Vis:    m0; m1; r0; r1; f0; f1; e          c; m; d; r; f0; f1; e

P ≝ r0, r1 :∈ M; d :∈ {0, 1};
    r := rd;
    e := c ⊕ d;
    f0, f1 := m0 ⊕ re, m1 ⊕ r1⊕e;
    m := fc ⊕ r;

Bob's point of view: he must not see m1⊕c

r0, r1 :∈ M; d :∈ {0, 1};
r := rd;
{(c = d, f0 = m0 ⊕ r0, f1 = m1 ⊕ r1) ∨ (c ≠ d, f0 = m0 ⊕ r1, f1 = m1 ⊕ r0)}
e := c ⊕ d;
{f0 = m0 ⊕ re, f1 = m1 ⊕ r1⊕e}
f0, f1 := m0 ⊕ re, m1 ⊕ r1⊕e;
m := fc ⊕ r;
{f0; f1; m}

Soundness guarantees that Bob knows m = mc, fc, rd.
Wlp guarantees that Bob knows only fc = mc ⊕ rd and f1⊕c = m1⊕c ⊕ r1⊕d
⇓
f1⊕c reveals almost nothing about the secret m1⊕c

What you lose is what you leak – p.12/19
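The protocol run above, with Bob's view checked exhaustively against both claims (he recovers mc, and m1⊕c stays undetermined); this is an added Python illustration, not code from the paper or from Morgan, and it assumes the message and pad space M is the set of 2-bit strings so that every run can be enumerated.

```python
"""Morgan's oblivious-transfer protocol from the slide, simulated so the
claim "Bob learns m_c and nothing about m_(1 xor c)" can be checked exhaustively.
Messages and pads are 2-bit strings, M = {0, 1, 2, 3}, so that the whole
state space can be enumerated (an assumption: the slide leaves M abstract)."""
from itertools import product

M = range(4)   # message / pad space (assumption)


def bob_request(c, d):
    """Bob: e := c xor d, hiding his choice c behind Ted's bit d."""
    return c ^ d


def alice_respond(m0, m1, r0, r1, e):
    """Alice: f0, f1 := m0 xor r_e, m1 xor r_(1 xor e)."""
    r = (r0, r1)
    return m0 ^ r[e], m1 ^ r[1 ^ e]


def bob_recover(c, r, f0, f1):
    """Bob: m := f_c xor r, where r = r_d was handed to him by Ted."""
    return (f0, f1)[c] ^ r


def run_protocol(m0, m1, c, r0, r1, d):
    """One run with Ted's random choices (r0, r1, d) fixed; returns Bob's
    visible state (c, m, d, r, f0, f1, e), the slide's Vis column for Bob."""
    r = (r0, r1)[d]
    e = bob_request(c, d)
    f0, f1 = alice_respond(m0, m1, r0, r1, e)
    return (c, bob_recover(c, r, f0, f1), d, r, f0, f1, e)


def consistent_unchosen(view):
    """Bob's side of the declassification check: given his visible state,
    which values of the unchosen message m_(1 xor c) could Alice hold?
    f_(1 xor c) = m_(1 xor c) xor r_(1 xor d), and r_(1 xor d) never reaches
    Bob, so every value of M should remain possible."""
    c, m, d, r, f0, f1, e = view
    return {(m0, m1)[1 ^ c]
            for m0, m1, r0, r1 in product(M, repeat=4)
            if run_protocol(m0, m1, c, r0, r1, d) == view}


def check_all():
    """Soundness: Bob always recovers m_c. Secrecy: in every reachable view
    the unchosen message is fully undetermined. Returns (sound, secret)."""
    sound = secret = True
    for m0, m1, c, r0, r1, d in product(M, M, (0, 1), M, M, (0, 1)):
        view = run_protocol(m0, m1, c, r0, r1, d)
        sound = sound and view[1] == (m0, m1)[c]
        secret = secret and consistent_unchosen(view) == set(M)
    return sound, secret
```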

Declassified Abstract non-interference

P ≝ if (d ≤ x + y ≤ d + dx + dy ∧ −dy ≤ x − y ≤ dx) then
      if (x ≥ 0 ∧ x ≤ d) then xL := d;
      if (x > d ∧ x ≤ dx) then xL := x;
      if (x > dx ∧ x ≤ dx + d) then xL := dx;
      if (y ≥ 0 ∧ y ≤ d) then yL := d;
      if (y > d ∧ y ≤ dy) then yL := y;
      if (y > dy ∧ y ≤ dy + d) then yL := dy;

Hφη ∘ WlpP ∘ Hρ = WlpP ∘ Hρ

[diagram: the Private Input passes through φ and the Public Input through η before entering ⟦P⟧; the Public Output is observed through ρ]

ρ, η ∈ Abs(℘(VL)), φ ∈ Abs(℘(VH)): (η)P(φ ⇒ ρ):
η(l1) = η(l2) and φ(h1) = φ(h2) ⇒ ρ(⟦P⟧(h1, η(l1))L) = ρ(⟦P⟧(h2, η(l2))L)

[Giacobazzi & Mastroeni '04]

What you lose is what you leak – p.13/19

Abstract Model checking DNI

Robust declassification transforms the attacker observational capability [Zdancewic & Myers '01]:

∀σ, σ′ ∈ Σ. ⟨σ, σ′⟩ ∈ S[≈] ⇔ Obsσ(S, ≈) ≡ Obsσ′(S, ≈)

S[≈] = ≈ iff ≈ backward complete for post

Example: ⟨t, h, p, q, r⟩ ↦ ⟨t, h, p, q, r⟩
⟨0, h, q, q, 0⟩ ↦ ⟨1, h, q, q, 1⟩
⟨0, h, q, q, 1⟩ ↦ ⟨1, h, q, q, 0⟩
⟨0, h, p, q, 0⟩ ↦ ⟨1, h, p, q, 0⟩   p ≠ q
⟨0, h, p, q, 1⟩ ↦ ⟨1, h, p, q, 1⟩   p ≠ q

The public variables are t, q, r, hence the partition induced by H is:
⟨t, h, p, q, r⟩ ≡ ⟨t′, h′, p′, q′, r′⟩ iff t = t′ ∧ q = q′ ∧ r = r′

⟨0, h, p, q, 0⟩ ↦ { ⟨1, h, q, q, 1⟩ , ⟨1, h, p, q, 0⟩ }

fpreP : ⟨1, h, q, q, 1⟩ ↦ ⟨0, h, q, q, 0⟩
        ⟨1, h, p, q, 0⟩ ↦ ⟨0, h, p, q, 0⟩   p ≠ q

What you lose is what you leak – p.14/19

Discussion

What already exists: Several studies about declassification, derivation of counterexamples and refinements... nothing that combines all together.

- Several approaches for modelling and checking declassification policies: PER model [Sabelfeld and Sands], dynamic logic [Darvas et al.], robust declassification [Zdancewic and Myers], Delimited release [Sabelfeld and Myers], Relaxed non-interference [Li and Zdancewic], ...;
- Derivation of counterexamples of secure information flows (without declassification) [Unno et al.];
- Preservation of secrecy under refinement [Alur et al.];

What we have done: Modelling declassification as a completeness problem;

- We analyze the accuracy of a declassification policy;
- We associate with each public observation the corresponding information released;
- We can refine the accuracy of the policy;
- We create a connection with abstract model checking;

What we have to do: We are interested in...

- ...extending our approach to more complex systems;
- ...exploiting this connection for implementing our approach;

What you lose is what you leak – p.15/19

Abstract Interpretation

Consider the complete lattice ⟨C, ≤, ∧, ∨, ⊥, ⊤⟩, Ai ∈ uco(C)

Lattice of Abstract Domains ≡ Lattice uco; A ≡ ρ(C)

⟨uco(C), ⊑, ⊓, ⊔, λx. ⊤, λx. x⟩

A1 ⊑ A2 ⇔ A2 ⊆ A1
⊓i Ai = M(∪i Ai)
⊔i Ai = ∩i Ai

[diagram: the Top abstraction λx. ⊤ and the Bottom abstraction λx. x of C, each shown as the image A of a point x ∈ C]

What you lose is what you leak – p.16/19

Abstract domain backward completeness

Let ⟨A, α, γ, C⟩ be a Galois insertion [Cousot & Cousot '77, '79], f : C → C, f^a = α ∘ f ∘ γ : A → A (b.c.a. of f) and ρ = γ ∘ α.

[diagram: x ↦ f(x) in C and α(x) ↦ f^a(α(x)) in A, with ⊥ ↦ ⊥a and ⊤ ↦ ⊤a; ρ correct for f: α(f(x)) approximated by f^a(α(x)); ρ complete for f: α(f(x)) = f^a(α(x))]

ρ f ρ = ρ f

What you lose is what you leak – p.17/19

Making backward complete

[Giacobazzi et al. '00]

[diagram: f maps x from C1 to C2, with abstraction ρ1 on C1 and ρ2 on C2]

ρ2 f ρ1 = ρ2 f

What you lose is what you leak – p.18/19

Abstract domain forward completeness

Let ⟨A, α, γ, C⟩ be a Galois insertion [Cousot & Cousot '77, '79], f : C → C, f^a = α ∘ f ∘ γ : A → A (b.c.a. of f) and ρ = γ ∘ α.

[diagram: x ↦ f^a(x) in A and γ(x) ↦ f(γ(x)) in C, with ⊥ ↦ ⊥a and ⊤ ↦ ⊤a; ρ correct for f: γ(f^a(x)) approximates f(γ(x)); ρ complete for f: γ(f^a(x)) = f(γ(x))]

ρ f ρ = f ρ

What you lose is what you leak – p.19/19
