Download presentation

Presentation is loading. Please wait.

Published byNico Tinsley Modified over 2 years ago

1
Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with Pavol Cerny

2
2 download programs online banking store health records Confidentiality 2 Data Leaks Abound And No One Is Safe (Feb 9 th ) Indian Foreign Ministry hit by spyware (Feb 15 th ) Cell Phones a Much Bigger Privacy Risk Than Facebook (Feb 20 th )

3
Confidentiality How do data leaks happen? Unauthorized application use: … the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. (Data leakage worldwide, …,Cisco, 2008) Focus of our case study: J2ME midlets for mobile devices can buy spyware (flexispy.com,..) A malicious signed application could read all the PIM data and send it to an attacker using the variety of transport mechanisms outlined in this document. (Symantec, 2007) 3

4
4 J2ME midlets void sendEvent(…) { … contactList = (ContactList) PIM.getInstance().openPIMlists( PIM.Contact_LIST, PIM.READ_ONLY, listname) … conn.send(message) … } Accesses phones native data Sends something How do we know that information does not leak? EventSharingMidlet:

5
5 How can information be leaked? public void sendEvent() { doUsefulWork(); … low = 0; if (phoneBook.contains(555-55)) { low = 1; } conn.send(low); } Information leaked due to malicious (or buggy) code. Confidentiality is not a property of a single trace. public void sendEvent(…) { doUsefulWork();... conn.send (secret_message); } Model: The attacker a)knows the program b)observes all external communication

6
Checking Confidentiality 6 createEvent Midlet //get the phone number number = phoneBook.elementAt(selected); //test if the number is valid if ((number==null)||(number==)) { //output error } else { String message = inputMessage(); //send a message to the receiver sendMessage(number,message); } Taint analysis too strict Language-based approaches would require annotations for downgrading

7
7 Software Model Checking Software model checker Yes / No (counterexample) Specification φ Program P (source code) Abstraction Successful and widely used, e.g. SLAM SDV. Is every acquired lock eventually released? Is the system deadlock free? Not applicable to specifying and verifying of confidentiality: 1.Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus). 2.Both over- and under- approximation needed. 3.Main strength of software model checking – Finding bugs in control-oriented programs. Not applicable to specifying and verifying of confidentiality: 1.Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus). 2.Both over- and under- approximation needed. 3.Main strength of software model checking – Finding bugs in control-oriented programs.

8
8 Goal program Confidentiality analysis tool Specification No Yes What we need: Specification framework Analysis method

9
Reachability 9 Temporal Specifications LTL, CTL, μ-calculus Finite-state systemsNL-complete Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability)

10
Talk Overview 10 ReachabilityConfidentiality ?? Temporal Specifications LTL, CTL, μ-calculus?? Finite-state systemsNL-complete?? Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability) ??

11
11 Defining Confidentiality Secret: Property to be kept confidential; typically a predicate over state variables Observation h of an execution: What can the attacker observe? Two executions with same observation are equivalent Examples: Outputs; Sequence of messages sent More generally, each state is labeled with observable propositions, and observation of an execution is a sequence of observable propositions of states Executions of interest specified by a condition cond Terminating executions Executions where input satisfies some constraint

12
12 Conditional Confidentiality Given a notion of observation, a property secret, and a condition cond of interesting executions, a program P satisfies conditional confidentiality iff For every execution r satisfying cond, there exists an execution r such that 1.r and r have the same observation 2.r and r differ on the value of secret

13
13 Temporal Logics for Confidentiality Motivation: In multi-agent systems and for protocols, how to specify requirements concerning order in which secrets are revealed Classical model of systems/programs: Trees Existing branching-time logics are not adequate Thm: Confidentiality cannot be expressed in -calculus Cannot capture equivalence of executions

14
Agent a observes proposition p, b observes q Labeled Trees p q

15
Agent a observes proposition p, b observes q a-labeled edge between nodes: a considers them equivalent a Labeled Trees with Equivalence Edges p q ba a

16
The logic CTL CTL f = p | ¬ f | f1 or f2 | EX f | f1 EU f2 | EG f | EI a f EI a f: f holds in some world considered plausible by a Confidentiality: AG (EI a α and EI a ¬α) Agent a does not reveal x before agent b reveals y A (EI a x and EI a ~x) U ( AI b y or AI b ~y) Analogous extension of -calculus: µ f EX f EI a g g a a

17
17 Model Checking Nesting-free fragments CTL :PSPACE complete μ -calculus: EXPTIME complete In general – nonelementary (resp. undecidable) Good news: Typical confidentiality properties captured in the nesting-free fragments Does a finite-state system satisfy a temporal logic formula?

18
Talk Overview 18 ReachabilityConditional Confidentiality Temporal logicsCTL, μ-calculus Finite-state systemsNL-completePSPACE-complete Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability) ??

19
19 Confidentiality for programs res = -1; i=0; while (i

20
Confidentiality for programs res = -1; i=0; while (i

21
21 Over- / under- approximation Computing reachable states exactly is impractical. Approximation: R + (an over-approximation (R R + )), R - (an under-approximation (R R - )) Lemma: The approximate formula implies confidentiality. Confidentiality: For all possible observations h, if h is valid (consistent with the condition cond), if there exists s: s in R + and cond(s) and s[res]=h then h leads to a state where secret holds, then there exists s: s in R - and secret(s) and s[res]=h and h leads to a state where the secret does not hold. and there exists s: s in R - and ¬secret(s) and s[res]=h R-R- R+R+ R

22
22 Over- / under- approximation Computing the over-approximation R + : invariants (user-supplied or computed): Example: res = -1; i=0; while (i

23
23 Over- / under- approximation Computing the under-approximation R - : (loop unrolling, bounding the data structure size) res = -1; i=0; while (i

24
24 Confidentiality as a logical formula for all h: if there exist pv: inv(pv) and cond(pv) and res=h implies there exist pv: WP(P,(secret and res=h)) and there exist pv: WP(P,(¬secret and res=h)) Invariant Program with unrolled loops Confidentiality holds only if: Program vars Weakest pre- condition

25
25 Deciding validity of confidentiality formula Problem: Quantifier alternation. Complexity of decision procedures (QBF, Pressburger) high, tools not well engineered. Question: Could we use SMT solvers? Idea: Restrict the expression language to contain only equality (order). Rationale: Many programs do not perform arithmetic on the data, only tasks like searching, inserting, deleting, (sorting). res = -1; i=0; while (i

26
26 Deciding validity of confidentiality formula Result: If universal quantifier is over a domain with only equality, we can replace it by checking the formula at a fixed number of specific values res = -1; i=0; while (i

27
27 ConAn (CONfidentiality ANalysis) Java Bytecode WALA ConAn Yices Valid Unsat Secret Cond Invariant N array N unroll Processes bytecode to produce an intermediate representation of SSA instructions organized in a control-flow graph. Performs SMT solving.

28
28 Applications Case study: J2ME Java methods third party programs, accessing PIM information (managing contacts, calendars, to-do lists) and sending messages Other Java methods: methods from other PIM managing programs (chat clients, calendars..). data structure accessing methods from Java standard library.

29
Experimental results 29 Project/ Class Method Name# of lines unrollrunning time (s) result 1Java.lang/ Vector elementAt610.18valid 2EventSharingsendEvent valid 3EventSharingsendEvent (bug) unsat 4find910.31unsat 5find920.34valid 6Funambol/ Contact getContact valid 7Blackchat/ ICQContact getContact- -ByReference valid 8passwordcheck920.22valid

30
30 Conclusions Algorithmic, specification-driven analysis is an effective way of establishing that programs do not leak confidential information.

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google