Reasoning about Privacy Properties of Biometric Systems Architectures in the Presence of Information Leakage

Abstract

Motivated by the need for precise definitions of privacy requirements, foundations for formal reasoning, and tools for justifying privacy-preserving design choices, a recent work introduces a formal model for the description of system architectures and the formal verification of their privacy properties. A subsequent work uses this framework to reason about privacy properties of biometric system architectures. In these studies, the description of an architecture specifies each component, their computations and the communications between them. This static approach makes it possible to reason about design choices at the very architectural level, leaving aside the implementation details. Although it is important to express privacy properties at this level, this approach fails to catch some leakage which may result from the system runtime. In particular, in the case of biometric systems, known attacks allow to recover some biometric information following a black-box approach, without breaking any part of the system. In this paper, we extend the existing formal model in order to deal with such side-channel attacks and we apply the extended model to analyse biometric information leakage in several variants of a biometric system architecture.

A Sketch of Proof for Completeness and Correctness

A trace is said to be a covering trace if it contains an event corresponding to each primitive specified in an architecture \(\mathcal {A}\) (except trust relations) and if for each primitive it contains as much events as the multiplicity \(^{(n)}\) of the primitive. As a first step to prove soundness, it is shown that for all consistent architecture \(\mathcal {A}\), there exists a consistent trace \(\theta \in T (\mathcal {A})\) that covers \(\mathcal {A}\).

Then the soundness is shown by induction on the depth of the tree \(\mathcal {A} \vdash \phi \).

• Let us assume that \(\mathcal {A} \vdash Has_i (X^{(n)})\), and that the derivation tree is of depth 1. By definition of \(\mathcal {D}\), such a proof is obtained by application of (H1), (H2) or (H3). In each case, it is shown (thanks to the existence of covering traces) that an appropriate trace can be found in the semantics of \(\mathcal {A}\), hence \(\mathcal {A} \in S (Has_i (X^{(n)}))\). The case of \(\mathcal {A} \vdash Has_i (c)\) is very similar.

• Let us assume that \(\mathcal {A} \vdash K_i (Eq)\), and that the derivation tree is of depth 1. By definition of \(\mathcal {D}\), such a proof is obtained by application of (K1), (K2), (K3), (K4) or (K5). In each case, starting from a state \(\sigma ' \in S_i (\mathcal {A})\) such that \(\mathsf {s} (\sigma ') \ge n\), it is first shown that there exists a covering trace \(\theta \ge \theta '\) that extends \(\theta '\) and that contains \(n\) corresponding events \(Compute_G (X = T^\epsilon ) \in \theta \) in \(n\) distinct sessions (for the K1 case, and other events for the other rules). Then by the properties of the deductive algorithmic knowledge, it is shown that the semantics of the property \(\mathcal {A} \in S (K_i (X = T))\) holds.

• Let us assume that \(\mathcal {A} \vdash Has_i (X^{(n)})\), and that the derivation tree is of depth strictly greater than 1. By definition of \(\mathcal {D}\), such a proof is obtained by application of (H4) or (H5).

  In the first case, by the induction hypothesis and the semantics of properties, there exists a reachable state \(\sigma \in S (\mathcal {A})\) and \(n\) indices \(i_1, \dots , i_n\) such that \(\sigma _i^v (X) [i_l]\) is fully defined for all \(l \in [1, n]\). This gives, a fortiori, \(\mathcal {A} \in S (Has_i (X^{(m)}))\) for all \(m\) such that \(1 \le m \le n\).

  In the second case, we have that \((Y, \{X_1^{(n_1)}, \dots , X_m^{(n_m)}, c_1, \dots , c_q\}) \in Dep_i\), that \(\forall l \in [1, m]:\) \(\mathcal {A} \vdash Has_i (X_l^{(n_l)})\) and \(\forall l \in [1, q]:\) \(\mathcal {A} \vdash Has_i (c_l)\). of a covering trace that contains an event \(Compute_G\) (\(Y\) \(=\) \(T\)) (where \(i \in G\)), allowing to conclude that \(\mathcal {A} \in S (Has_i (Y^{(1)}))\).

  Again, the corresponding cases for constant are very similar.

• A derivation for \(Has^{none}\) is obtained by application of (HN). The proof assume, towards a contradiction, that \(A \not \in S (Has^{none}_i (X))\). It is shown, by the architecture semantics, that there exists a compatible trace that enable to derive \(\mathcal {A} \vdash Has^{(1)}_i (X)\). However, since (HN) was applied, we have \(\mathcal {A} \nvdash Has^{(1)}_i (X)\), hence a contradiction.

• The last case (the conjunction \(\wedge \)) is fairly straightforward.

The completeness is proved by induction over the definition of \(\phi \).

• Let us assume that \(\mathcal {A} \in S (Has_i (X^{(n)}))\). By the architecture semantics and the semantics of traces, it is shown that the corresponding traces either contain events where \(X\) is computed, received or measured, or that some dependence relation on \(X\) exists. In the first case, we have \(\mathcal {A} \vdash Has_i (X^{(n)})\) by applying (respectively) (H1), (H2), or (H3) (after an eventual application of (H4)). In the last case, the proof shows how to exhibit a derivation tree to obtain \(\mathcal {A} \vdash Has_i (X^{(n)})\) (the (H5) rule is used).

• Let us assume that \(\mathcal {A} \in S (Has^{none}_i (X))\). By the semantics of properties, this means that in all reachable states, \(X\) does not receive any value. The proof shows that \(\mathcal {A} \nvdash S (Has_i (X^{(1)}))\), otherwise \(\mathcal {A} \in S (Has^{none}_i (X))\) would be contradicted. So as a conclusion, \(\mathcal {A} \vdash Has^{none}_i (X)\) by applying (HN).

• The constant cases \(\mathcal {A} \in S (Has_i (c)\) and \(\mathcal {A} \in S (Has^{none}_i (c))\) case are similar to the variable cases.

• Let us assume that \(\mathcal {A} \in S (K_i (Eq))\). By the semantics of properties this means that for all reachable states, there exists a later state in the same session where the knowledge state enables to derive \(Eq\). By the semantics of architecture, we can exhibit a compatible trace that reaches a state where \(Eq\) can be derived. By the semantics of compatible traces, the proof shows, by reasoning on the events on the traces, that \(\mathcal {A} \vdash K_i (Eq)\) by applying either (K1), (K2), (K3), (K4) or (K5).

• Finally the conjunctive case is straightforward.