A new algorithm for low-deterministic security

Abstract

We present a new algorithm for checking probabilistic noninterference in concurrent programs. The algorithm, named RLSOD, is based on the Low-Security Observational Determinism criterion. It utilizes program dependence graphs for concurrent programs and is flow-sensitive, context-sensitive, object-sensitive, and optionally time-sensitive. Due to a new definition of low-equivalency for infinite traces, the algorithm avoids restrictions or soundness leaks of previous approaches. A soundness proof is provided. Flow sensitivity turns out to be the key to precision and avoids prohibition of useful nondeterminism. The algorithm has been implemented for full Java byte code with unlimited threads. Precision and scalability have been experimentally validated.

Appendix A: Proof Sketch for Theorem 1 and 2

In the following, we describe the central steps in the soundness proof. All details can be found in [8].

Theorem 1

A program is low-security observational deterministic if

1. 1.

   no low-observable operation \(o\) is potentially influenced by an operation reading high input,

2. 2.

   no low-observable operation \(o\) is potentially influenced by a data conflict, and

3. 3.

   there is no order conflict between any two low-observable operations.

Proof

Let two low-equivalent inputs be given. We have to demonstrate that, under conditions 1.–3., all possible traces resulting from these inputs are low equivalent. The proof proceeds in a sequence of steps.

1. 1.

   Definition. For a trace \(T\) and operation \(o\), the trace slice \(S(o,T)\) consists of all operations and dependences in \(T\) which form a path from \( start\) to \(o\) (see Fig. 4). \(S(o,T)\) is thus similar to a dynamic backward slice for \(o\). Similarly the data slice \(D(o,T)\) is the dynamic backward slice which considers only dynamic data dependencies, but not control dependencies. Trace and data slices are cycle free. Note that every operation in \(S(o,T)\) has exactly one predecessor on which it is control dependent, the \( start\) operation being the only exception. Note also that \(S(o,T)\) can be soundly approximated by a static slice on \(stmt(o)\), the source code statement containing \(o\).

2. 2.

   Lemma. Let \(q\) and \(r\) be two different operations of the same thread, and let \(T\) and \(U\) be two traces which both execute \(q\) and \(r\). Further, let \(T\) execute \(q\) before \(r\). Then \(U\) also executes \(q\) before \(r\). This is a consequence of the fact that any dynamic branching point \(b\) imposes a total execution order on all operations \(\in {DCD(b)}\), because according to 1., all operations have at most one control predecessor.

3. 3.

   Lemma. Let \(q\), \(r\) be operations which cannot happen in parallel, and let \(T\) and \(U\) be traces which both execute \(q\) and \(r\). Further, let \(T\) execute \(q\) before \(r\). Then \(U\) also executes \(q\) before \(r\). Indeed, if \(q,r\) are in the same thread, this is just the last lemma. Otherwise, MHP guarantees \(q\) executes before \(r\)’s thread is forked, or \(r\) executes after \(q\)’s thread has joined. Hence, \(U\) executes \(q\) before \(r\).

4. 4.

   Lemma. Let \((\overline{m}, o, m)\) be a configuration in trace \(T\). \(\overline{T_o} = \overline{m}|_{{use}(o)}\) denotes the part of memory \(\overline{m}\) that contains the variables used by \(o\), and \(T_o = m|_{{def}(o)}\) denotes the part of memory \(m\) that contains the variables defined by \(o\). Now let \(T\) and \(U\) be two traces with low-equivalent inputs. Let \(o\) be an operation. If \(D(o, T) = D(o, U)\) and no operation in these data slices reads high input, then \(\overline{T_o} = \overline{U_o}\) and \(T_o = U_o\). This lemma is proved by induction on the structure of \(D(o,T)\) (remember \(D(o,T)\) is acyclic).

5. 5.

   Corollary. Let \(T, U\) be two traces with low-equivalent inputs. Let \(o\) be an operation. If \(S(o, T) = S(o, U)\) and no operation in these trace-slices reads high values, then \(\overline{T_o} = \overline{U_o}\) and \(T_o = U_o\). That is, the low memory parts in both traces are identical for low-equivalent inputs, if all operations do not depend on high values.

6. 6.

   Lemma. Let \(T\) and \(U\) be two finite traces of \(p\) with low-equivalent inputs. \(T\) and \(U\) are low equivalent if for every low-observable operation \(o\), \(S(o, T) = S(o, U)\) holds and no operation in the trace-slices depends on high values, and \(T\) and \(U\) execute the same low-observable operations in the same relative order. This lemma, which seems quite natural, gives us an instrument for finite traces to prove the low equivalence of traces resulting from low-equivalent input, which is necessary for theorem 1. The infinite cases are treated in the next two lemmata.

7. 7.

   Lemma. Let \(T\) and \(U\) be two infinite traces of \(p\) with low-equivalent inputs such that \({obs}_{{low}}(T)\) is of equal length or longer than \({obs}_{{low}}(U)\) (switch the names if necessary). \(T\) and \(U\) are low equivalent if

   • they execute the shared low-observable operations in the same relative order,

   • for every low-observable operation \(o \in U\) \(S(o, T) = S(o, U)\) holds and no operation in the trace-slices reads high input

   • and for every low-observable operation \(o \in T\) and \(o \notin U\) \(U\) infinitely delays an operation \(b \in {\textit{DCD}}(o)\).

8. 8.

   Lemma. Let \(T\) and \(U\) be two traces of \(p\) with low-equivalent inputs, such that \(T\) is finite and \(U\) is infinite. \(T\) and \(U\) are low equivalent if

   • \({obs}_{{low}}(T)\) is of equal length or longer than \({obs}_{{low}}(U)\),

   • \(T\) and \(U\) execute the shared low-observable operations in the same relative order,

   • for every low-observable operation \(o \in U\) \(S(o, T) = S(o, U)\) holds and no operation in the trace-slices reads high input

   • and for every low-observable operation \(o \in T\) and \(o \notin U\) \(U\) infinitely delays an operation \(b \in {\textit{DCD}}(o)\).

9. 9.

   Corollary. Traces \(T,U\) are low equivalent if one of the last three lemmata can be applied. What remains to be shown is that the preconditions of the lemmata are a consequence of the conditions 1.–3. in theorem 1.

10. 10.

    Lemma. If operation \(o\) is not potentially influenced by a data conflict, then \(S(o, T) = S(o, U)\) holds for all traces \(T\) and \(U\) which execute \(o\). Note that only at this point, data or order conflicts are exploited. This lemma needs an induction over the length of \(T\). The base case is trivial, because both \(T,U\) consist only of the \( start\) operation, and trivially \(S({start},T)=S({start},U)\). For the induction step, let \(q\) be the next operation in \(T\). If \(o\not \in {DFS}(q)\), then \(q\not \in S(o,T)\), and the induction step trivially holds. Otherwise, one can show that every dynamic data or control dependence \(r \mathop {\dashrightarrow }\limits ^{v} q\) and \(r \mathop {\dashrightarrow }\limits ^{dcd} q\) in \(S(q, T)\) is also in \(S(q, U)\). Furthermore, \(q\) does not depend on additional operations in \(U\). Thus, \(q\) has the same incoming dependences in \(T\) and \(U\). By induction hypothesis, \(S(r,T)=S(r,U)\) for every \(r\) on which \(q\) is dependent in \(T\) and \(U\). Hence, \(S(q,T)=S(r,T)\).

11. 11.

    Lemma (see section 4.3, lemma 1). Let \(o\) be an operation that is not potentially influenced by a data conflict or an operation reading high input. Let \(T\) be a trace and \(\varTheta \) be the set of possible traces whose inputs are low equivalent to the one of \(T\). If \(o \in T\), then every \(U \in \varTheta \) either executes \(o\) or infinitely delays an operation in \({\textit{DCD}}(o)\).

12. 12.

    Lemma. Let \(T\) and \(U\) be two traces with low-equivalent inputs. If there are no order conflicts between any two low-observable operations, then all low-observable operations executed by both \(T\) and \(U\) are executed in the same relative order.

13. 13.

    Theorem 1 holds. Lemma 12 guarantees that \(T\) and \(U\) execute the shared low-observable operations in the same relative order. Lemma 11 can be applied to all low-observable operations \(o\) executed by both \(T\) and \(U\); hence, \(S(o, T) = S(o, U)\). Since the potential influence of a low-observable operation \(o\) does not contain operations reading high input, this also holds for the operations in \(S(o, T)\) and \(S(o, U)\). To prove low equivalence of \(T\) and \(U\), we apply one of the lemmata 6,7, or 8, depending whether \(T\) resp. \(U\) are finite or infinite. \(\square \)

Remember that the three conditions for theorem 1 can naturally be checked using PDGs and slicing. This fact justifies our definition of low-equivalent traces and our PDG-based approach.

Theorem 2

If a program is LSOD according to definition 6, it is probabilistically noninterferent.

Proof

We write \(\varTheta _i\) for the set of possible traces for input \(i\); for a trace \(r\in \varTheta _i\), \(P_i(r)\) is its execution probability. Now let two low-equivalent inputs \(t,u\) be given. Let \(\varTheta =\varTheta _t\cup \varTheta _u\). Let \(T\in \varTheta \). Let \(\mathfrak {T}=\{r\in \varTheta _t \mid r \sim _{{low}} T\}\), \(\mathfrak {U}=\{r\in \varTheta _u\mid r \sim _{{low}} T\}\). We have to show that \(\sum _{r\in \mathfrak {T}}P_t(r)=\sum _{r\in \mathfrak {U}}P_u(r)\) if LSOD holds.

Due to LSOD, all traces in \(\varTheta \) and thus in \(\mathfrak {T}\cup \mathfrak {U}\) are low equivalent, and \(\forall r\in \varTheta : T\sim _{{low}} r\). Therefore, under LSOD, \(\mathfrak {T}=\varTheta _t\), because the condition \(T\sim _{{low}} r\) in the definition of \(\mathfrak {T}\) always holds. That is, \(\mathfrak {T}\) contains all possible traces for inputs \(t,u\). Therefore, \(\sum _{r\in \mathfrak {T}}P_t(r)=1\). Similarly, \(\sum _{r\in \mathfrak {U}}P_u(r)=1\), and the required equality holds. \(\square \)