Model Checking on Trees with Path Equivalences

1
Model Checking on Trees with Path Equivalences

• Rajeev Alur, Pavol Cerný, Swarat Chaudhuri
• University of Pennsylvania

2
Outline.

• Motivation.
• Specifying information flow properties.
• Models Trees with path equivalences.
• Logics CTL, µ ..
• Verifying information flow properties.
• Model checking algorithm.
• Complexity results.

3
Information Flow Properties.
Application areas protocols, finite-state
systems, software e.g. J2ME midlets for cell
phones (future work)

• Confidentiality Is the first exchanged bit
  equal to 0?, Attack at dawn?
• Agent A does not reveal a secret unless agent B
  reveals a secret
• The sequence of valuations to public variables
  is the same along all execution paths

4
Case study SKA Isotropic Channels.
Secure Key Agreement via Isotropic Channels
I see M. But who has sent it?
Eve
Message M
We know more than Eve!
Alice
Bob
5
Secure Key Agreement.

• Exchange of one bit
• 1) Elect a sender S (randomly)
• Both A and B flip a coin. If one does
  not want to be a
• sender, he/she broadcasts 1. If one
  wants to be a sender and receives
• one, he/she is elected.
• 2) S broadcasts M
• 3) R receives M
• sets k to 1 if R is Alice
• 0 if R is Bob
• broadcasts ACK
• 4) S receives ACK and
• sets k to 0 if S is Alice
• 1 if S is Bob

In reality More participants, degree of
isotropism, active adversary.
Anand, Cronin, Sherr, Blaze, Kannan (2006)
6
How can information leak?
Two cases 1) Malicious code (e.g. downloaded
from internet). 2) Information leaks due to
bugs.
send (secret_message) .
low 0 if (myIdentity Alice) low
1 send(low)

• Information leak due to the control flow of the
  program of an agent.
• Confidentiality is not a property of a single
  trace, e.g. runtime monitoring would not work (if
  the false branch is taken).

7
Model-checking for confidentiality.

• Information-flow properties are not expressible
  in standard temporal logics. They cannot be
  checked by common tools.
• A remedy
• Enrich models and logics, develop
  model-checking algorithms.

8
Outline.

• Motivation.
• Specifying information flow properties.
• Models Trees with path equivalences.
• Logics CTL, µ ..
• Verifying information flow properties.
• Model checking algorithm
• Complexity results.

9
SKA Modeling.

• Properties
• At most one sender
• Consistency at the end of an iteration, bits
  agree
• Secrecy observer cannot infer the key

A.isSender1 B.isSender0
A.isSender0 B.isSender1
B 1
A 1
A M
B M
A ack As key 1
B ack Bs key 0
As key 0
Bs key 1
theEnd
theEnd
10
SKA Modeling.

• Properties
• At most one sender
• AG (neg (A.isSender B.isSender))
• Consistency at the end of an iteration, bits
  agree
• AG (theEnd gt (A.key ltgt B.key))
• Secrecy observer cannot infer the key
• ??

A.isSender1 B.isSender0
A.isSender0 B.isSender1
B 1
A 1
A M
B M
A ack As key 1
B ack Bs key 0
Moreover, the tree does not directly have the
needed information.
Not specifiable in µ-calculus.
As key 0 Bs key 0
As key 0 Bs key 1
theEnd
theEnd
11
Specifying Confidentiality.
B 1
A 1
Can the observer infer the value of the key ?
A M
B M
B ack Bs key 0
A ack As key 1
Confidentiality is a property of the execution
tree it depends on what is happening with
equivalent paths.
As key 0 Bs key 1
As key 0 Bs key 0
theEnd
theEnd
12
Specifying Confidentiality Leak.

• Information leak.
• If the observer sees 1, n, she does not know,
  which branch is taken.
• If the observer sees, 1, n, (A, ack), she knows
  the key will be 1.

B 1
A 1
A M
B M
A (A, ack) As key 1
B (B, ack) Bs key 0
As key 0
Bs key 1
theEnd
theEnd
13
Specifying Confidentiality Loops.
Init
Init
B 1
A 1
B 1
A 1
Tree unfolding of the system.
A M
B M
A M
B M
A ack As key 1
A ack As key 1
B ack Bs key 0
B ack Bs key 0
As key 0
Bs key 1
Bs key 1
As key 0
theEnd
theEnd
theEnd
Init
Init
theEnd




14
Model Trees with Path Equivalences.

• Model labeled tree set of observers.
• Nodes labeled with propositions in P.
• Observers defined by subsets of P.
• Equivalence edges between nodes that have
  equivalent paths w.r.t. an observer.

• Input to the checker
• Kripke structure
• Observers
• Formulas

15
The logic CTL.
Leak example

• CTL
• f p f f1 OR f2
• EX f f1 EU f2 EG f
• EIa f EIa f

a
B 1
A 1
a
A n
B n
A (A, ack) As key 1
B (B, ack) Bs key 0
a
AIa F F has been revealed EIa F and EIa F
F is secret
Bs key 1 theEnd
a
As key 0 theEnd
Example AG (theEnd -gt (EIa A.key) and (EIa
A.key))
16
The µ calculus.

• µ
• f p f f1 OR f2
• ltgt f ltagt f ltagt f
• µX. fX

a
b
b
b
a
a
b,p
b,p
b,p
b,p
Example Reachability in partial information
adaptive games
µX. (p or a(b and X) or
a(not b and X))
17
Properties.
cij

• Secrecy
• AG(askij or ((EIa cij) and (EIa
  cij)))
• Agent A does not reveal x before agent B reveals
  y
• AG ((EIa x) and (EIa x)) AW
  (AIb y))
• Partial-information adaptive games.
• Logics CTLw, µw for time insensitive
  equivalences.
• The sequence of valuations to public variables is
  the same along all observation paths
• AG AIa false

18
Outline.

• Motivation.
• Specifying information flow properties.
• Models Trees with path equivalences.
• Logics CTL, µ .
• Model-checking algorithm.
• Verifying information flow properties.
• Model checking algorithm
• Complexity results.

19
Model-checking problem.

• Given a Kripke structure K and a CTL formula F,
  is F true for K?
• Pb Semantics defined on an infinite structure.
• Idea The amount of information we need is finite
  just remember the set of states that are
  equivalent according to the observer.

20
Nesting-free fragment.

• Nesting-free formulas
• no nesting between operators EIa EIb for
  different agents
• Examples
• AG (askij or ((EIa cij) and (EIa cij)))
• AG ((EIa x) and (EIa x)) AW (AIb y))
• Not EIa EIb p

a
B 1
A 1
a
A M
B M


K
Information flow properties, partial information
games expressible in the nesting free fragment.
21
Model checking algorithm.
a
B 1
A 1
a
a
A M
B M
a




K
FMf(K)
(s,U) ? (t,V) can be defined locally (s,U)
?a (t,U) can be defined locally (t in U)
22
Model checking algorithm.
a
B 1
A 1
a
a
A M
B M
a




K
FMf(K)
Thm FMf(K) is adequate for evaluating f.
FMf(K) is finite-state we can apply CTL model
checking.
23
Complexity Results.

• Model-checking
• Nesting-free fragments
• CTL PSPACE complete
• µ-calculus EXPTIME complete
• In general nonelementary (resp. undecidable)
• Good news Information flow properties,
  partial-information reachability games captured
  in the nesting-free fragments

24
Related Work.

• Logic of Knowledge Halpern et al
• Logic of Knowledge with perfect recall semantics
  van der Meyden, Shilov
• Conceptually models knowledge of the observer,
  as opposed to what a participant has revealed
• We have identified useful fragments, for which
  model checking problem is in PSPACE

25
Related Work.

• Language-based security (noninterference).
  Overview in Sabelfeld and Myers.
• Information flow properties are ensured by type
  systems.
• - Build programs that are safe by
  construction (as opposed to introducing bugs and
  then catching them).
• Advantages of verification
• 1) Specification separate from program,
  more high-level and more flexible.
• 2) Practical reason existing code.
  Informationflow type systems are not (yet) used
  in practice.

26
Future Work.

• Information flow analysis for Java programs
• Main issue construction of a
  confidentiality-preserving abstraction. Other
  approach static analysis.
• Logic for noninterference integrity properties.
• Probabilistic confidentiality.
• Program and protocol transformations that
  preserve secrecy.

27
Summary.

• Defined a specification and verification
  framework for confidentiality and other
  information flow properties.
• New model trees with path equivalences.
• Branching time logics that go with it.

28
Questions?
29
Thanks