Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with Pavol Cerny

2 download programs online banking store health records Confidentiality 2 Data Leaks Abound And No One Is Safe (Feb 9 th ) Indian Foreign Ministry hit by spyware (Feb 15 th ) Cell Phones a Much Bigger Privacy Risk Than Facebook (Feb 20 th )

Confidentiality How do data leaks happen? Unauthorized application use: … the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. (Data leakage worldwide, …,Cisco, 2008) Focus of our case study: J2ME midlets for mobile devices can buy spyware (flexispy.com,..) A malicious signed application could read all the PIM data and send it to an attacker using the variety of transport mechanisms outlined in this document. (Symantec, 2007) 3

4 J2ME midlets void sendEvent(…) { … contactList = (ContactList) PIM.getInstance().openPIMlists( PIM.Contact_LIST, PIM.READ_ONLY, listname) … conn.send(message) … } Accesses phones native data Sends something How do we know that information does not leak? EventSharingMidlet:

5 How can information be leaked? public void sendEvent() { doUsefulWork(); … low = 0; if (phoneBook.contains(555-55)) { low = 1; } conn.send(low); } Information leaked due to malicious (or buggy) code. Confidentiality is not a property of a single trace. public void sendEvent(…) { doUsefulWork();... conn.send (secret_message); } Model: The attacker a)knows the program b)observes all external communication

Checking Confidentiality 6 createEvent Midlet //get the phone number number = phoneBook.elementAt(selected); //test if the number is valid if ((number==null)||(number==)) { //output error } else { String message = inputMessage(); //send a message to the receiver sendMessage(number,message); } Taint analysis too strict Language-based approaches would require annotations for downgrading

7 Software Model Checking Software model checker Yes / No (counterexample) Specification φ Program P (source code) Abstraction Successful and widely used, e.g. SLAM SDV. Is every acquired lock eventually released? Is the system deadlock free? Not applicable to specifying and verifying of confidentiality: 1.Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus). 2.Both over- and under- approximation needed. 3.Main strength of software model checking – Finding bugs in control-oriented programs. Not applicable to specifying and verifying of confidentiality: 1.Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus). 2.Both over- and under- approximation needed. 3.Main strength of software model checking – Finding bugs in control-oriented programs.

8 Goal program Confidentiality analysis tool Specification No Yes What we need: Specification framework Analysis method

Reachability 9 Temporal Specifications LTL, CTL, μ-calculus Finite-state systemsNL-complete Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability)

Talk Overview 10 ReachabilityConfidentiality ?? Temporal Specifications LTL, CTL, μ-calculus?? Finite-state systemsNL-complete?? Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability) ??

11 Defining Confidentiality Secret: Property to be kept confidential; typically a predicate over state variables Observation h of an execution: What can the attacker observe? Two executions with same observation are equivalent Examples: Outputs; Sequence of messages sent More generally, each state is labeled with observable propositions, and observation of an execution is a sequence of observable propositions of states Executions of interest specified by a condition cond Terminating executions Executions where input satisfies some constraint

12 Conditional Confidentiality Given a notion of observation, a property secret, and a condition cond of interesting executions, a program P satisfies conditional confidentiality iff For every execution r satisfying cond, there exists an execution r such that 1.r and r have the same observation 2.r and r differ on the value of secret

13 Temporal Logics for Confidentiality Motivation: In multi-agent systems and for protocols, how to specify requirements concerning order in which secrets are revealed Classical model of systems/programs: Trees Existing branching-time logics are not adequate Thm: Confidentiality cannot be expressed in -calculus Cannot capture equivalence of executions

Agent a observes proposition p, b observes q Labeled Trees p q

Agent a observes proposition p, b observes q a-labeled edge between nodes: a considers them equivalent a Labeled Trees with Equivalence Edges p q ba a

The logic CTL CTL f = p | ¬ f | f1 or f2 | EX f | f1 EU f2 | EG f | EI a f EI a f: f holds in some world considered plausible by a Confidentiality: AG (EI a α and EI a ¬α) Agent a does not reveal x before agent b reveals y A (EI a x and EI a ~x) U ( AI b y or AI b ~y) Analogous extension of -calculus: µ f EX f EI a g g a a

17 Model Checking Nesting-free fragments CTL :PSPACE complete μ -calculus: EXPTIME complete In general – nonelementary (resp. undecidable) Good news: Typical confidentiality properties captured in the nesting-free fragments Does a finite-state system satisfy a temporal logic formula?

Talk Overview 18 ReachabilityConditional Confidentiality Temporal logicsCTL, μ-calculus Finite-state systemsNL-completePSPACE-complete Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability) ??

19 Confidentiality for programs res = -1; i=0; while (i<n) { if (A[i]==key) { res=A[i]; } i++; } send res; For all observations h, if h is valid (consistent with the condition cond), then h leads to a state where secret holds, and h leads to a state where the secret does not hold. Example: suppose the observer sees 3 (that is, res = 3): There exists a state: A= [7,3]; key = 3 (observation valid) There exists a state: A= [7,3]; key = 3 (secret holds) There exists a state: A= [1,3]; key = 3 (secret does not hold) secret: Does A contain 7? Observer sees the value of res cond: key is not 7

Confidentiality for programs res = -1; i=0; while (i<n) { if (A[i]==key) { res =A[i]; } i++; } send res; secret: Does A contain 7? Observer sees the value of res. cond: key is not 7. Confidentiality: For all possible observations h, if h is valid (consistent with the condition cond), if there exists s: s in R and cond(s) and s[res]=h then h leads to a state where secret holds, then there exists s: s in R and secret(s) and s[res]=h and h leads to a state where the secret does not hold. and there exists s: s in R and ¬secret(s) and s[res]=h R - set of reachable states

21 Over- / under- approximation Computing reachable states exactly is impractical. Approximation: R + (an over-approximation (R R + )), R - (an under-approximation (R R - )) Lemma: The approximate formula implies confidentiality. Confidentiality: For all possible observations h, if h is valid (consistent with the condition cond), if there exists s: s in R + and cond(s) and s[res]=h then h leads to a state where secret holds, then there exists s: s in R - and secret(s) and s[res]=h and h leads to a state where the secret does not hold. and there exists s: s in R - and ¬secret(s) and s[res]=h R-R- R+R+ R

22 Over- / under- approximation Computing the over-approximation R + : invariants (user-supplied or computed): Example: res = -1; i=0; while (i<n) { if (A[i]==key) { res =A[i]; } i++; } send res; Invariant: (res ==key) or (res ==-1)

23 Over- / under- approximation Computing the under-approximation R - : (loop unrolling, bounding the data structure size) res = -1; i=0; while (i<n) { if (A[i]==key) { res =A[i]; } i++; } send res; res = -1; i=0; if (i<n) { if (A[i]==key) { res =A[i]; } i++; } if (i<n) { if (A[i]==key) { res =A[i]; } i++; } assume(i>=n); send res;

24 Confidentiality as a logical formula for all h: if there exist pv: inv(pv) and cond(pv) and res=h implies there exist pv: WP(P,(secret and res=h)) and there exist pv: WP(P,(¬secret and res=h)) Invariant Program with unrolled loops Confidentiality holds only if: Program vars Weakest pre- condition

25 Deciding validity of confidentiality formula Problem: Quantifier alternation. Complexity of decision procedures (QBF, Pressburger) high, tools not well engineered. Question: Could we use SMT solvers? Idea: Restrict the expression language to contain only equality (order). Rationale: Many programs do not perform arithmetic on the data, only tasks like searching, inserting, deleting, (sorting). res = -1; i=0; while (i<n) { if (A[i]=key) { res =A[i]; } i++; } send res;

26 Deciding validity of confidentiality formula Result: If universal quantifier is over a domain with only equality, we can replace it by checking the formula at a fixed number of specific values res = -1; i=0; while (i<n) { if (A[i]=key) { res =A[i]; } i++; } send result; Values 7, -1, and one other (e.g. 1) need to be checked. Thus, an SMT solver can be used (checking three formulas per constant).

27 ConAn (CONfidentiality ANalysis) Java Bytecode WALA ConAn Yices Valid Unsat Secret Cond Invariant N array N unroll Processes bytecode to produce an intermediate representation of SSA instructions organized in a control-flow graph. Performs SMT solving.

28 Applications Case study: J2ME Java methods third party programs, accessing PIM information (managing contacts, calendars, to-do lists) and sending messages Other Java methods: methods from other PIM managing programs (chat clients, calendars..). data structure accessing methods from Java standard library.

Experimental results 29 Project/ Class Method Name# of lines unrollrunning time (s) result 1Java.lang/ Vector elementAt610.18valid 2EventSharingsendEvent valid 3EventSharingsendEvent (bug) unsat 4find910.31unsat 5find920.34valid 6Funambol/ Contact getContact valid 7Blackchat/ ICQContact getContact- -ByReference valid 8passwordcheck920.22valid

30 Conclusions Algorithmic, specification-driven analysis is an effective way of establishing that programs do not leak confidential information.