Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with Pavol Cerny.

Published byNico Tinsley Modified over 10 years ago

Similar presentations

Presentation on theme: "Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with Pavol Cerny."— Presentation transcript:

1 Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with Pavol Cerny

2 2 email download programs online banking store health records Confidentiality 2 Data Leaks Abound And No One Is Safe (Feb 9 th ) Indian Foreign Ministry hit by spyware (Feb 15 th ) Cell Phones a Much Bigger Privacy Risk Than Facebook (Feb 20 th )

3 Confidentiality How do data leaks happen? Unauthorized application use: … the use of unauthorized programs resulted in as many as half of their companies' data loss incidents. (Data leakage worldwide, …,Cisco, 2008) Focus of our case study: J2ME midlets for mobile devices can buy spyware (flexispy.com,..) A malicious signed application could read all the PIM data and send it to an attacker using the variety of transport mechanisms outlined in this document. (Symantec, 2007) 3

4 4 J2ME midlets void sendEvent(…) { … contactList = (ContactList) PIM.getInstance().openPIMlists( PIM.Contact_LIST, PIM.READ_ONLY, listname) … conn.send(message) … } Accesses phones native data Sends something How do we know that information does not leak? EventSharingMidlet:

5 5 How can information be leaked? public void sendEvent() { doUsefulWork(); … low = 0; if (phoneBook.contains(555-55)) { low = 1; } conn.send(low); } Information leaked due to malicious (or buggy) code. Confidentiality is not a property of a single trace. public void sendEvent(…) { doUsefulWork();... conn.send (secret_message); } Model: The attacker a)knows the program b)observes all external communication

6 Checking Confidentiality 6 createEvent Midlet //get the phone number number = phoneBook.elementAt(selected); //test if the number is valid if ((number==null)||(number==)) { //output error } else { String message = inputMessage(); //send a message to the receiver sendMessage(number,message); } Taint analysis too strict Language-based approaches would require annotations for downgrading

7 7 Software Model Checking Software model checker Yes / No (counterexample) Specification φ Program P (source code) Abstraction Successful and widely used, e.g. SLAM SDV. Is every acquired lock eventually released? Is the system deadlock free? Not applicable to specifying and verifying of confidentiality: 1.Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus). 2.Both over- and under- approximation needed. 3.Main strength of software model checking – Finding bugs in control-oriented programs. Not applicable to specifying and verifying of confidentiality: 1.Confidentiality is not a property of a single execution (thus not specifiable in LTL and in fact is not specifiable in μ-calculus). 2.Both over- and under- approximation needed. 3.Main strength of software model checking – Finding bugs in control-oriented programs.

8 8 Goal program Confidentiality analysis tool Specification No Yes What we need: Specification framework Analysis method

9 Reachability 9 Temporal Specifications LTL, CTL, μ-calculus Finite-state systemsNL-complete Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability)

10 Talk Overview 10 ReachabilityConfidentiality ?? Temporal Specifications LTL, CTL, μ-calculus?? Finite-state systemsNL-complete?? Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability) ??

11 11 Defining Confidentiality Secret: Property to be kept confidential; typically a predicate over state variables Observation h of an execution: What can the attacker observe? Two executions with same observation are equivalent Examples: Outputs; Sequence of messages sent More generally, each state is labeled with observable propositions, and observation of an execution is a sequence of observable propositions of states Executions of interest specified by a condition cond Terminating executions Executions where input satisfies some constraint

12 12 Conditional Confidentiality Given a notion of observation, a property secret, and a condition cond of interesting executions, a program P satisfies conditional confidentiality iff For every execution r satisfying cond, there exists an execution r such that 1.r and r have the same observation 2.r and r differ on the value of secret

13 13 Temporal Logics for Confidentiality Motivation: In multi-agent systems and for protocols, how to specify requirements concerning order in which secrets are revealed Classical model of systems/programs: Trees Existing branching-time logics are not adequate Thm: Confidentiality cannot be expressed in -calculus Cannot capture equivalence of executions

14 Agent a observes proposition p, b observes q Labeled Trees p q

15 Agent a observes proposition p, b observes q a-labeled edge between nodes: a considers them equivalent a Labeled Trees with Equivalence Edges p q ba a

16 The logic CTL CTL f = p | ¬ f | f1 or f2 | EX f | f1 EU f2 | EG f | EI a f EI a f: f holds in some world considered plausible by a Confidentiality: AG (EI a α and EI a ¬α) Agent a does not reveal x before agent b reveals y A (EI a x and EI a ~x) U ( AI b y or AI b ~y) Analogous extension of -calculus: µ f EX f EI a g g a a

17 17 Model Checking Nesting-free fragments CTL :PSPACE complete μ -calculus: EXPTIME complete In general – nonelementary (resp. undecidable) Good news: Typical confidentiality properties captured in the nesting-free fragments Does a finite-state system satisfy a temporal logic formula?

18 Talk Overview 18 ReachabilityConditional Confidentiality Temporal logicsCTL, μ-calculus Finite-state systemsNL-completePSPACE-complete Programs (Java methods) Undecidable. Over-approximation for sound analysis (of unreachability) ??

19 19 Confidentiality for programs res = -1; i=0; while (i<n) { if (A[i]==key) { res=A[i]; } i++; } send res; For all observations h, if h is valid (consistent with the condition cond), then h leads to a state where secret holds, and h leads to a state where the secret does not hold. Example: suppose the observer sees 3 (that is, res = 3): There exists a state: A= [7,3]; key = 3 (observation valid) There exists a state: A= [7,3]; key = 3 (secret holds) There exists a state: A= [1,3]; key = 3 (secret does not hold) secret: Does A contain 7? Observer sees the value of res cond: key is not 7

20 Confidentiality for programs res = -1; i=0; while (i<n) { if (A[i]==key) { res =A[i]; } i++; } send res; secret: Does A contain 7? Observer sees the value of res. cond: key is not 7. Confidentiality: For all possible observations h, if h is valid (consistent with the condition cond), if there exists s: s in R and cond(s) and s[res]=h then h leads to a state where secret holds, then there exists s: s in R and secret(s) and s[res]=h and h leads to a state where the secret does not hold. and there exists s: s in R and ¬secret(s) and s[res]=h R - set of reachable states

21 21 Over- / under- approximation Computing reachable states exactly is impractical. Approximation: R + (an over-approximation (R R + )), R - (an under-approximation (R R - )) Lemma: The approximate formula implies confidentiality. Confidentiality: For all possible observations h, if h is valid (consistent with the condition cond), if there exists s: s in R + and cond(s) and s[res]=h then h leads to a state where secret holds, then there exists s: s in R - and secret(s) and s[res]=h and h leads to a state where the secret does not hold. and there exists s: s in R - and ¬secret(s) and s[res]=h R-R- R+R+ R

22 22 Over- / under- approximation Computing the over-approximation R + : invariants (user-supplied or computed): Example: res = -1; i=0; while (i<n) { if (A[i]==key) { res =A[i]; } i++; } send res; Invariant: (res ==key) or (res ==-1)

23 23 Over- / under- approximation Computing the under-approximation R - : (loop unrolling, bounding the data structure size) res = -1; i=0; while (i<n) { if (A[i]==key) { res =A[i]; } i++; } send res; res = -1; i=0; if (i<n) { if (A[i]==key) { res =A[i]; } i++; } if (i<n) { if (A[i]==key) { res =A[i]; } i++; } assume(i>=n); send res;

24 24 Confidentiality as a logical formula for all h: if there exist pv: inv(pv) and cond(pv) and res=h implies there exist pv: WP(P,(secret and res=h)) and there exist pv: WP(P,(¬secret and res=h)) Invariant Program with unrolled loops Confidentiality holds only if: Program vars Weakest pre- condition

25 25 Deciding validity of confidentiality formula Problem: Quantifier alternation. Complexity of decision procedures (QBF, Pressburger) high, tools not well engineered. Question: Could we use SMT solvers? Idea: Restrict the expression language to contain only equality (order). Rationale: Many programs do not perform arithmetic on the data, only tasks like searching, inserting, deleting, (sorting). res = -1; i=0; while (i<n) { if (A[i]=key) { res =A[i]; } i++; } send res;

26 26 Deciding validity of confidentiality formula Result: If universal quantifier is over a domain with only equality, we can replace it by checking the formula at a fixed number of specific values res = -1; i=0; while (i<n) { if (A[i]=key) { res =A[i]; } i++; } send result; Values 7, -1, and one other (e.g. 1) need to be checked. Thus, an SMT solver can be used (checking three formulas per constant).

27 27 ConAn (CONfidentiality ANalysis) Java Bytecode WALA ConAn Yices Valid Unsat Secret Cond Invariant N array N unroll Processes bytecode to produce an intermediate representation of SSA instructions organized in a control-flow graph. Performs SMT solving.

28 28 Applications Case study: J2ME Java methods third party programs, accessing PIM information (managing contacts, calendars, to-do lists) and sending messages Other Java methods: methods from other PIM managing programs (chat clients, calendars..). data structure accessing methods from Java standard library.

29 Experimental results 29 Project/ Class Method Name# of lines unrollrunning time (s) result 1Java.lang/ Vector elementAt610.18valid 2EventSharingsendEvent12221.83valid 3EventSharingsendEvent (bug) 12621.80unsat 4find910.31unsat 5find920.34valid 6Funambol/ Contact getContact1320.32valid 7Blackchat/ ICQContact getContact- -ByReference 2320.24valid 8passwordcheck920.22valid

30 30 Conclusions Algorithmic, specification-driven analysis is an effective way of establishing that programs do not leak confidential information.

Download ppt "Software Model Checking for Confidentiality Rajeev Alur University of Pennsylvania Joint work with Pavol Cerny."

Similar presentations

Model Checking From Tools to Theory University of Pennsylvania

Model Checking From Tools to Theory University of Pennsylvania
1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,

1 Lecture 5 Towards a Verifying Compiler: Multithreading Wolfram Schulte Microsoft Research Formal Methods 2006 Race Conditions, Locks, Deadlocks, Invariants,
Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,

Path-Sensitive Analysis for Linear Arithmetic and Uninterpreted Functions SAS 2004 Sumit Gulwani George Necula EECS Department University of California,
Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.

Bounded Model Checking of Concurrent Data Types on Relaxed Memory Models: A Case Study Sebastian Burckhardt Rajeev Alur Milo M. K. Martin Department of.
Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.

ADDING INTEGERS 1. POS. + POS. = POS. 2. NEG. + NEG. = NEG. 3. POS. + NEG. OR NEG. + POS. SUBTRACT TAKE SIGN OF BIGGER ABSOLUTE VALUE.
MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.
Addition Facts 1 - 20.

Addition Facts
1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.

1 Reasoning with Promela Safety properties bad things do not happen can check by inspecting finite behaviours Liveness properties good things do eventually.
Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.

Modeling issues Book: chapters 4.12, 5.4, 8.4, 10.1.
1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.

1 Abstraction (Cont’d) Defining an Abstract Domain variable elimination, data abstraction, predicate abstraction Abstraction for Universal/Existential.
Chapter 14 Software Testing Techniques - Testing fundamentals - White-box testing - Black-box testing - Object-oriented testing methods (Source: Pressman,

Chapter 14 Software Testing Techniques - Testing fundamentals - White-box testing - Black-box testing - Object-oriented testing methods (Source: Pressman,
Copyright Critical Software S.A. 1998-2008 All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.

Copyright Critical Software S.A All Rights Reserved. COTS based approach for the Multilevel Security Problem Bernardo Patrão.
Modal Logic with Variable Modalities & its Applications to Querying Knowledge Bases Evgeny Zolin The University of Manchester

Modal Logic with Variable Modalities & its Applications to Querying Knowledge Bases Evgeny Zolin The University of Manchester
MOdel-based GENeration of Tests for Embedded Systems #216679 FP7-ICT-2007-1-3.3 Embedded Systems Design Institute for Software Technology – Graz University.

MOdel-based GENeration of Tests for Embedded Systems # FP7-ICT Embedded Systems Design Institute for Software Technology – Graz University.
Addition 1’s to 20.

Addition 1’s to 20.
Week 1.

Week 1.
Modeling Main issues: What do we want to build How do we write this down.

Modeling Main issues: What do we want to build How do we write this down.
© Imperial College LondonPage 1 Model checking and refinement checking for modal transition systems and their cousins MTS meeting 2007 Adam Antonik & Michael.

© Imperial College LondonPage 1 Model checking and refinement checking for modal transition systems and their cousins MTS meeting 2007 Adam Antonik & Michael.

Similar presentations

Ads by Google