[36] Andrei Popescu, Johannes Hölzl and Tobias Nipkow. Noninterfering Schedulers: When Possibilistic Noninterference Im
Security Type Systems and Deduction∗ Project Renewal Proposal Prof. Tobias Nipkow, Ph.D.
Andrei Popescu, Ph.D.
Technische Universität München
1
State of the art and preliminary work
This section reports on the work performed and the results achieved in phase II of our project. We start with an overview. In this project, we design reasoning methods and tools for information-flow security, including language-based and system security. We are concerned with both fundamental research and the practical realization of our results. We believe that the best environment to represent a complex system for precisely formulating and fully verifying its security properties is an interactive theorem prover, in our case Isabelle/HOL (developed at TU München among other places). This belief defines the first major theme of the project: mechanically verified security, including verification frameworks and verified concrete systems (§1.1). It is well-known that interactive verification involves a lot of work. Yet, with judicious automation support, the tedious details of the proof development could in principle be delegated to the machine, with the human only “intervening” in the critical/interesting aspects of the verification. To achieve this, Isabelle teams up with the automatic theorem prover SPASS (developed at MPI-INF Saarbrücken), having Isabelle’s Sledgehammer tool as a mediator. This yields our second major theme: integration of Isabelle with SPASS and other automatic theorem provers (§1.2). Our focus in phase II followed a selection of the directions put forward at the end of phase I (§1.3). An unforeseen development was our project’s central involvement in a new RS3 reference scenario.
1.1
Mechanically verified security
In phase I, we focused on noninterference for language-based security. Then part of our efforts in phase II were dedicated to improving, consolidating and publishing these results (§1.1.1). Additionally, we extended the scope of our research by studying system security and by switching from toy examples to realistic systems (§1.1.2). These extensions naturally called for a conceptual widening—the consideration of notions of information flow that are more flexible than noninterference. ∗ As participants in the first two phases of the project, Daniel Wand and Prof. Christoph Weidenbach have also contributed text in the “State of the art and preliminary work” section.
1
Possibilistic Noninterference
Noninterfering Schedulers
Probabilistic Noninterference
Figure 1: Summary of our projects’s language-based security topics 1.1.1
Language-based information-flow security
In phase I, we considered a while-language with parallel composition, for which we systematized security type systems proposed in the literature over the years, known under the umbrella term ”Volpano-Smith systems”. Such systems provide syntactic conditions ensuring that programs satisfy one or another variant of noninterference: information does not leak from confidential sources (e.g., designated variables or inputs) to public sinks (e.g., other designated variables or outputs). We showed that many security type systems from the literature and their soundness theorems emerge from the interplay and iteration of two simple principles operating on semantic notions of noninterference: ordering and compositionality. We also studied compositionality and type systems for probabilistic noninterference and a concept of noninterfering scheduler that mediates between possibilistic and probabilistic noninterference. The end product of phase I was a series of technical reports containing a lot of material and of some initial developments in Isabelle—however, no actual publication. In the first part of phase II, we focused on improving, structuring, generalizing and better explaining these results on language-based security. The results are now published [33–36], and the associated formalizations are completed and made available in Isabelle’s Archive of Formal Proof [30, 31]. 1.1.1.1 Possibilistic Noninterference The conference paper [33] presents a framework for inferring type-system-like syntactic criteria for possibilistic noninterference, and its journal version [34] additionally explains the main proof ideas underlying this framework for the non theorem-proving expert. In these papers, we identify several semantic resumption-based notions of noninterference: self-isomorphism (siso), discreetness (discr), strong self-bisimilarity (≈S ), weak self-bisimilarity (≈W ), 01-self-bisimilarity (≈01 ), and their termination-sensitive variants (≈WT , ≈01T ). These notions correspond to different degrees of information exposure during a command’s execution. For example, a command is deemed: selfisomorphic, if any two of its executions starting in attacker-indistinguishable states proceed identically w.r.t. both the program counter and the updates on the attackerobservable part of the state; discreet (often also called “high”), if it never modifies the attacker-observable part of the state; strongly self-bisimilar, if any two of its executions starting in attacker-indistinguishable states proceed lock-step synchronously, performing the same updates to the attacker-indistinguishable parts of the state. The 01- and weak- self-bisimilarities relax the synchronization requirement for executions by allowing to match one step against zero-or-one and zero-or-more steps, respectively. We analyze the ordering (i.e., relative strength) and compositionality of all these
2
c ≈W c c p 3; KS p p p p atm pp ppp p p p c ≈KS 01 cck N c ≈AI WT KS c NNN � � Seq c1 c2 NNNN ��� NNNN����� ��N ���� c ≈ c � � 01T KS ���� � � � If tst c1 c2 � ���� � � �� ���� c ≈KS S c discr c � � KS While tst d ���� � � �� � � �� ���� c1 k c2 discr c ∧ mayT c siso c
mayT c
discr c
True
pres atm
ϕc cpt atm
mayT c1 mayT c2
discr c1 discr c2
ϕ c1 ϕ c2
mayT c1 mayT c2
discr c1 discr c2
False
discr d
mayT c1 mayT c2
discr c1 discr c2
ϕ ∈ {siso, ≈S, ≈01T, ≈WT} ψ ∈ {≈01, ≈W} ψT ≡
�
cpt tst
ϕ c1 ϕ c2 cpt tst ϕd ϕ c1 ϕ c2
ψc cpt atm ψT c1 ψ c2 ψ c1 discr c2 cpt tst ψ c1 ψ c2 False
ψ c1 ψ c2
≈01T , if ψ = ≈01 ≈WT , if ψ = ≈W
Figure 2: Ordering and compositionality for possibilistic noninterference notions, yielding the situation in Figure 2. In the graph from the left, the arrows represent inclusions and mayT states that the command “may terminate”. The table from the right contains compositionality properties of these notions w.r.t. the language constructs. The first column lists the possible forms of a command c (c may be an atomic command atm, or a sequential composition Seq c1 c2 , etc.). The next columns list conditions under which the predicates stated on the first row hold for c. For example, row 3 column 3 says: if discr c1 and discr c2 then discr (Seq c1 c2 ). The conditions on the atomic commands refer to the effect these commands have on the attacker-observable part of the state: preservation (pres atm) means this part is not changed, and compatibility (cpt atm) means that it is only changed in a non-leaking way. The horizontal line in row 3 column 5 represents an “or”. Figure 2’s graph and table yield a simple method for proving that a program satisfies one or another notion of noninterference: To show that c is secure according to some notion N, first try to reduce the goal to proving N for the components of c; if this is not feasible due to the failure of the required compositionality of N w.r.t. the language construct Cns located at the top of c (e.g., Cns can be an If , or a While, etc.), try to identify a stronger notion M that is (more) compositional w.r.t. Cns, and so on, recursively. This method can be used to extract a syntactic criterion χ per each semantic notion χ, by simply turning the above analysis into recursive function definitions. Remarkably, these automatically synthesized syntactic criteria yield type systems from the literature and immediately produce their proofs of soundness. For example, ≈WT , ≈01 and ≈WT correspond to type systems proposed by Smith and Volpano [47], by Boudol and Castellani [8], and by Boudol in [7], respectively.1 In these works, the soundness theorems for the proposed type systems are given rather elaborate proofs, defining global bisimulation relations that involve multiple language constructs com1 Our
technical report [28] depicts these correspondences in detail.
3
bined in ingenious and ad hoc ways. These proofs are often hard to understand and mechanize. By contrast, our proof methodology is entirely local and uniform: for each language construct and each notion of security, we essentially do our best at proving (partial) compositionality. Using this approach, we also discovered optimized combinations of these principles, leading to novel type systems with better tradeoffs between requirements and guarantees. We were not the first to emphasize the strong connection between compositionality and security type systems—indeed, already Sabelfeld and Sands [43] explicitly note such a connection. However, our work studies it systematically and presents a general technique for exploiting it. 1.1.1.2 Probabilistic Noninterference The above analysis assumes a purely “possibilistic”, i.e., nondeterministic semantics of the programming language. In [35], we extend it to a probabilistic while-language. With the graph and the table in place, we can play the same game as in the possibilistic case obtaining uniformly type-system results from the literature [44–46, 52]. A strength of our results is the consideration of probabilistic behavior issuing from both the scheduler and the individual threads (via probabilistic choice), whereas previous works only consider sequential deterministic threads. On the downside, our compositionality-based technique does not cover important aspects such as dynamic thread creation and non-uniform schedulers. 1.1.1.3 Noninterfering Schedulers Whereas possibilistic noninterference is vulnerable to scheduling-refinement attacks, the above-studied probabilistic noninterference only applies to a fixed probabilistic scheduler—the uniform one. In [36], we focus on extending the scope of noninterference criteria to a wide class of schedulers, at the expense of renouncing the previous high compositionality standards. We describe a framework for analyzing scheduler security in isolation from thread-pool security, in such a manner that combining them yields overall secure behavior. We introduce a notion of noninterfering scheduler obtained by a novel reading, in a probabilistic key, of Goguen-Meseguer noninterference [13, p.11]: “One group of users is noninterfering with another group of users if what the first group does has no effect on what the second group of users can see.” In our interpretation, the users are the threads, the actions are thread execution steps, and the observations are the exit probabilities for the observable steps after taking zero or more unobservable steps. Roughly speaking, any scheduler that is “politically correct”, treating its threads unbiasedly, can be proved to be noninterfering—including the uniform, round-robin, and priority schedulers, as well as hybrids between these— [32] gives many examples. Our main result states that, if the individual threads are possibilistically noninterfering, then they are also probabilistically noninterfering if run under a noninterfering scheduler. A class of programs likely to be captured by our analysis (in conjunction with a powerful enough possibilistic type systems, e.g., [26, 45]) but not by previous scheduler-independent criteria from the literature [8, 26, 41, 41–43, 47] are nonterminating multi-threaded programs providing a form of service, which are widely encountered in web computing and operating systems.
4
1.1.2
System-based information-flow security
A main research direction put forward in our previous proposal was the verification of realistic systems, of which we listed as possible candidates the POSIX thread model and a simplified model of a web-based conference management system. We decided for the second candidate mainly because a more ambitious/holistic variant of this verification idea gained support as a new RS3 reference scenario at the beginning of phase II [16]. We ended up verifying not a simplified model, but a faithful representation of the system’s kernel implementation (§1.1.2.1). As a side-effect of this verification effort, we formalized a general framework for expressing and verifying information-flow properties (§1.1.2.2). Both the framework and the concrete system verification are described in our submitted paper [19], and the formalizations are made available [37,38]. 1.1.2.1 Verified implementation of a conference management system Recent years have seen the thriving of a wide variety of web-based systems aimed at sharing information between multiple users in a convenient, but controlled fashion. Examples include enterprise systems, social networks, e-commerce sites and cloud services. Unfortunately, most of these systems offer no guarantees concerning the prevention of undesired flows of information. All too often one reads in the news of an unintended disclosure of private information due to some design problem in such a system. The above motivation was the starting point of a new RS3 reference scenario, where we implement and throughly verify a realistic web-based workflow management system—namely, a conference system offering much of the functionality of widely used systems such as EasyChair [12] and HotCRP [11]. Within this scenario, our project took over the central task of implementing the system and verifying its kernel. Functionality Our implemented system, which we call CoCon (as in ConfidentialityChecked Conference System), functions similarly to EasyChair—it is available for testing online [18]. CoCon hosts multiple users and conferences, allowing the creation of new users and conferences at any time. Each conference is driven by its chairs through several successive phases: Setup, when the chairs appoint other users as chairs or PC members; Submission, when the authors register papers, submit new versions and declare conflict with PC members; Bidding, when the PC members select preferences for paper reviewing and declare conflicts with papers; Reviewing, when chairs appoint the reviewers from among PC members and the reviewers download the papers and edit their reviews; Discussion, when all the non-conflict PC members read the others’ reviews, post comments and transparently update their own reviews if necessary; Notification, when the authors read the decisions and reviews for their papers. Architecture The overall architecture of the system, shown in Figure 3, follows the paradigm of security by design: • The system’s kernel is formalized and verified in Isabelle • The formalization is automatically translated in a functional language • The translated program is wrapped in a web application
5
Isabelle Specification
code generation
Functional Program
Web Application
Figure 3: System Architecture We specify CoCon’s kernel in Isabelle as an input–output automaton (where the inputs are called “actions”). The automaton’s state holds information about users, conferences, and papers, and its actions represent user requests for manipulating documents and rights in the system: upload/download papers, edit reviews, assign reviewers, etc. The actions are parameterized by user IDs and passwords. The automaton’s step (transition) function takes a state and an action and returns a new state and an output. The specification was designed to fall within the executable fragment of Isabelle. This allows us to automatically synthesize, using Isabelle’s code generator [15], a program in the functional fragment of Scala isomorphic to the specification. Finally, the Scala program is wrapped in a web application, offering a menu-based interface. Upon login, a user sees his conferences and his roles for each of them; the menus offer rolesensitive choices, e.g., assign reviewers (for chairs) or upload papers (for authors). Verification So far, we focused on the information-flow verification of CoCon’s kernel. More specifically, we verified properties restricting the information flow from the various documents maintained by the system (papers, reviews, comments, decisions, reviewer assignments) towards the users of the system. The restrictions refer to certain conditions (e.g., authorship, PC membership) as well as to upper bounds (e.g., at most the last submitted version) for information release. Figure 4 summarizes our main verified properties. We aimed at a full coverage, both of the important information-sensitive documents of the system and of the situations under which information is allowed to be released—we call the latter declassification triggers; they refer to the roles of the users and the phases of the conference. Even when the declassification triggers fail, we cannot request the complete absence of information release, but can only state declassification (upper) bounds. For example, properties 1 and 2 in the table state paper confidentiality covering the two relevant roles: author and reviewer. 1. A user learns nothing about a paper beyond its last uploaded version unless he becomes an author of the paper 2. A user learns nothing about a paper beyond the absence of any upload unless he becomes an author of the paper or [he becomes a PC member in the paper’s conference and the conference moves to the bidding phase] The “unless” part indicates the declassification trigger, while the “beyond” part indicates the declassification bound. For the review documents (properties 3–5), the situation is more diverse than for papers, given that three roles are relevant here: author of 6
1 2
Source Declassification Trigger Paper Content Paper Authorship Paper Authorship or PC MembershipB
3
Review
4 5 6 7
Discussion Decision
8 9 10
Reviewer Assignment
Review Authorship
Declassification Bound Last Uploaded Version Absence of Any Upload Last Edited Version Before Discussion and All the Later Versions Last Edited Version Before Notification
Review Authorship or Non-Conflict PC MembershipD Review Authorship or Non-Conflict PC MembershipD or Absence of Any Edit PC MembershipN or Paper AuthorshipN Non-Conflict PC Membership Absence of Any Edit Non-Conflict PC Membership Last Edited Version Non-Conflict PC Membership or Absence of Any Edit PC MembershipN or Paper AuthorshipN Non-Conflict PC Membership Non-Conflict PC MembershipR of Reviewers and Number of Reviews Non-Conflict PC MembershipR or Non-Conflict PC Membership of Reviewers Paper AuthorshipN Phase Stamps: B = Bidding, D = Discussion, N = Notification, R = Review
Figure 4: Confidentiality properties the review, author of the reviewed paper, and (arbitrary) PC member. Properties 9 and 10 do not refer to standard documents, but to information connecting documents and users. 9 says that, unless a user becomes a non-conflict PC member and the conference moves to the reviewing phase, he will not learn anything about the assignment of reviewers to a paper beyond the following two pieces of information: the public information that reviewers are recruited among non-conflict PC members and the number of assigned reviewers—according to property 10, the latter information may only become available to the paper authors, and only in the notification phase. Note that Property 9, in conjunction with the safety property that an author is always in conflict with his own paper, ensures that an author does not learn the identity of his reviewers. We also verified safety properties as above, which were needed as either complements or auxiliaries to the more complex information-flow properties. Another interesting class of complementary properties arises from the following concern: we have proved that one does not learn such and such unless one acquires a certain role, e.g., authorship; but how can we know that only “legal” (or “intended”) users acquire that role, in particular, how can we know that an arbitrary user cannot acquire that role? For this, we track back all possible chains of events leading to certain roles in the valid traces of the system—the result is a form of integrity properties that we call forensics. E.g., we prove that, if a user is an author at some point on a system trace, this must have happened only by legal means—here, it must have been the case that either the user registered the paper himself or there exists a chain of coauthorship appointments leading back to a user who registered the paper. 1.1.2.2 General Framework for Information-Flow We found the existing frameworks from the literature not flexible enough to account for the above declassification bounds and triggers. Consequently, we designed our own security model where these 7
aspects are first-class citizens, and our own unwinding method that copes with them. Security Model The model applies to any system specified as an input–output automaton, and is further parameterized by an indication of the following data: a specification of the secrets of interest; a specification of the possible observations by the attacker; a declassification trigger; a declassification bound. Both the secrets and the observations are specified by selecting aspects of the automaton trace. E.g., for the secrets, one can select from a trace only the paper-upload actions, and from these actions further select the uploaded content (ignoring other aspects such as the user and conference IDs); for the observations, one can select from a trace only the actions performed by a user or a group of users. The declassification trigger is a safety property, e.g., “never becomes an author”. The declassification bound is a relation B between sequences of secrets ss and ss1 , with B ss ss1 stating that ss can be confused with ss1 . For instance, B requiring the sequences to have the same last element means the attacker should not find anything beyond this last element (which indicates, e.g., the last paper upload). Given these parameters, our security property says: If the trigger never holds (i.e., unless it eventually holds, i.e., until it holds), the attacker can learn nothing about the secrets beyond the declassification bound. We call this bounded-deducibility security (BD security), since it relaxes Sutherland’s early notion of nondeducibility [50] to restricted deducibility within specified bounds. It captures all our confidentiality properties from §1.1.2.1 by suitable instantiations of the parameters. Unwinding Proof Method To streamline reasoning about BD security we define a notion of incremental unwinding. It is inspired by the tradition of unwinding relations [14, 40], but departs from this tradition in several respects due to the need to adapt to BD-security’s wide flexibility: • It factors in not only states, but also sequences of secrets to account for arbitrary declassification bounds • It includes an exit option allowing one to rule out unreachable situations • It includes a fairness condition, which avoids indefinite postponement of the production of secrets (which would render the unwinding unsound) To further simplify the concrete proof development, we refine the notion of unwinding to a compositional variant, where we consider not a single monolithic relation that unwinds into itself, but rather several mutually recursive components that unwind into each other. This last compositional notion has been successfully employed in the verification of all the confidentiality properties from §1.1.2.1. In each case, the proof undergoes several stages, which are closely connected to the phases of the conference and role-acquiring events (e.g., being assigned a reviewer) and are formally represented as unwinding components; there are one or more critical stages, usually the ones where secrets are produced. The current abstract unwinding conditions of our framework were obtained after several rounds of trial and error in the process of completing these concrete proofs. In fact, the whole experience of modeling and verifying CoCon has shown us that considering realistic systems may provide insight into the design of a general and flexible verification infrastructure. 8
1.2
Integration of Isabelle with SPASS
Isabelle is integrated with SPASS through the Sledgehammer tool [27], which translates back and forth between Isabelle’s polymorphic higher-order logic and SPASS’s first-order logic. The integration’s success depends crucially on the quality of Sledgehammer’s translations and on the ability of (future versions of) SPASS to natively support some Isabelle features. In phase II of this project we worked on both these aspects. 1.2.1
Improvements on Sledgehammer
Sledgehammer works as follows: An Isabelle proof goal, together with a few hundred other facts (lemmas, definitions, etc.) deemed relevant for proving the goal, is encoded in the language of SPASS; if SPASS finds a proof, it is reconstructed and replayed through Isabelle’s kernel. A main challenge here is encoding polymorphic higher-order logic (Isabelle/HOL’s logic) into first-order logic (the SPASS’s logic) soundly and completely, yet efficiently. It turns out that the answer is not a single, optimal encoding, but a combination of encodings that follow different strategies [5]. We used Isabelle itself to formally certify the soundness and completeness of some of these encodings [6]. (Outside this project, there was also progress on the complementary challenge of proof reconstruction [48].) 1.2.2
Higher flexibility for SPASS
We extended SPASS’s superposition calculus with support for type systems, including polymorphic types and type classes in the style of Isabelle/HOL. We proved that this extended calculus is refutationally complete. Accordingly, SPASS’s input syntax was extended to support these features, as well as Isabelle-style datatype constructors. These extensions bring SPASS closer to Isabelle and facilitate translation—e.g., the previous monomorphization step, a source of incompleteness and noncompositionality, is no longer needed thanks to SPASS’s polymorphism. Concerning more security-specific enhancements, we developed macro inference rules for simulation proofs of process algebras based on incremental pattern-based coinduction [29]. The prototype implementation can automatically perform simple bisimilarity proofs such as associativity and commutativity of process parallel composition and equivalence of “similar programs” [49]. This forms a step towards automating parts of the security proofs based on (bi)simulation (as in §1.1.1.1 and §1.1.2.2).
1.3
Initial plans versus achievements
In the previous proposal, we listed four possible directions for mechanically verified security: (1) a framework for security of rich concurrent systems, (2) supporting rich data structures, (3) formalizing security of realistic systems, and (4) shallow embedding in Isabelle/HOL and parametricity. Moreover, a reviewer’s main suggestion was to study notions of information-flow security richer than noninterference. In phase II, having a new RS3 scenario as main trigger, direction 3 and the reviewers’ suggestion were amply developed, well beyond the original plan. Directions 1 9
and 2 were followed in the spirit, but not in the letter of the original plan: our systemsecurity framework covers concurrent multi-user systems, involves rich data structures, and studies proof methods and compositionality (albeit not in a language-based setting). Finally, direction 4 (already marked in the proposal as a “high-risk research endeavor”) was not pursued mainly due to the focus on direction 3. As for the Isabelle-SPASS integration, we successfully applied general-purpose enhancements which also helped security proofs. However, even though we have an initial prototype of an automatic bisimilarity prover, we were not yet equally successful with the security-directed improvements. Therefore the Isabelle-SPASS integration will be continued at the MPI-INF in Saarbrücken with local funding. Within RS3 we will concentrate on automation based on program analysis tools and model checkers. Consequently, Prof. Weidenbach is no longer involved in this proposal.
1.4
Project-related publications
[33] Andrei Popescu, Johannes Hölzl and Tobias Nipkow. Proving Concurrent Noninterference. In C. Hawblitzel and D. Miller (eds.) Certified Programs and Proofs (CPP 2012), LNCS 7679, pages 109–125, 2012. Receiver of the RS3 best paper award for 2012–2013. [34] Andrei Popescu, Johannes Hölzl and Tobias Nipkow. Formal Verification of Language-Based Concurrent Noninterference. Journal of Formalized Reasoning 6(1), pages 1–30, 2013. [35] Andrei Popescu, Johannes Hölzl and Tobias Nipkow. Formalizing Probabilistic Noninterference. In G. Gonthier and M. Norrish (eds.) Certified Programs and Proofs (CPP 2013), LNCS 8307, pages 259–275, 2013. [36] Andrei Popescu, Johannes Hölzl and Tobias Nipkow. Noninterfering Schedulers: When Possibilistic Noninterference Implies Probabilistic Noninterference. In R. Heckel and S. Milius (eds.) Algebra and Coalgebra in Computer Science (CALCO 2013), LNCS 8089, pages 236–252, 2013. [5] Jasmin Christian Blanchette, Sascha Böhme, Andrei Popescu and Nicholas Smallbone. Encoding Monomorphic and Polymorphic Types. In N. Piterman and S. A. Smolka (eds.) Tools and Algorithms for the Construction and Analysis of Systems (TACAS 2013), LNCS 7795, pages 493–507, 2013. [6] Jasmin Christian Blanchette and Andrei Popescu. Mechanizing the Metatheory of Sledgehammer. In P. Fontaine, C. Ringeissen and R. A. Schmidt (eds.) Frontiers of Combining Systems (FroCoS 2013), LNCS 8152, pages 245–260, 2013. Please note that according to DFG regulations we are only permitted to list three publications per year of the funding period. (Three rather than two because there were two applicants in the funding period.) This fits precisely the number of our relevant peer-reviewed publications, but prevents us from listing drafts, technical reports and public Isabelle formalizations—the latter are listed in the bibliography and cited from the report. 10
2
Objectives and work program
2.1
Anticipated total duration of the project
Twenty-four (24) months.
2.2
Objectives
The first three years of this project were mainly dedicated to fundamental research. In the fourth year, we started blending fundamental and applied research. For the final two years, we plan to continue this blend within the feedback loop of our verified conference management system CoCon. We plan to focus both on sharpening the usability and trustworthiness of CoCon and on harnessing the gained insight towards a reusable framework for the secure construction of web-based workflow management systems. The concrete objectives are as follows: • Holistic security guarantees for CoCon Although we verified the kernel and the thin interface gives us confidence in the security of the overall system, we now also want to address security of the interface formally: we will employ program analysis to ensure there is no leakage through the interface bypassing the kernel. • Usability of CoCon The system is not very efficient and lacks some user conveniences to render it truly usable and competitive. We will address this, for making the case that security verifiability needs not impair usability. • Stronger security guarantees for CoCon’s kernel The statement of the security properties for CoCon leaves some room for refinement attacks, where an unauthorized user may take advantage of knowledge from outside the system to learn secrets. While in principle this is an inherent problem of all security models, in our case the situation can be sensibly ameliorated by factoring in outside probabilistic knowledge and user strategies. • Reusable verification infrastructure An important end product of CoCon’s verification effort is an infrastructure that is reusable for web-based systems whose security is of wider interest, such as enterprise systems and online social networks. This infrastructure will consist of an integrated suite of compositional formal concepts and automated methods for information-flow security.
2.3 2.3.1
Work program including proposed research methods Holistic security guarantees for CoCon
Figure 5 refines Figure 3’s description of our system architecture—besides the kernel specified in Isabelle and extracted as Scala code, we have the outer part further stratified in two layers: a REST web service, itself written in Scala, and a user-interface application communicating with the service. So far we have verified that the kernel does not release information inappropriately (as described in §1.1.2.1). Moreover, the only function that the kernel exports is the system’s step function, taking a kernel action and the current state of the system and 11
Isabelle Specification
code generation
Scala Program REST Web Service Web Application
Figure 5: CoCon’s Architecture in More Detail returning an output and producing a new state. Each user request via the web application triggers several kernel actions—hence no more information can leak through the kernel by using the outer layers than by using the kernel directly. However, for now the outer layers still have to be trusted not to perform side leakages. We will remove (or, more precisely, greatly reduce) this trusted aspect by extending the scope of verification. We need to ensure that the two outer layers act as clean back and forth forwarders between well-defined sources and sinks: the web service forwards the requests to the kernel and forwards back the responses, and similarly for the web application w.r.t. the end user on one side and the service on the other. In both cases, the verification task is conceptually much simpler than the one for the kernel—it deals with single generic properties (not multitudes of document-specific and role-specific properties) which do not involve declassification. However, the code for which these properties need to be verified lies outside the scope of Isabelle’s code generator. Consequently, constructing and verifying in Isabelle a faithful model of this code is overkill, especially since there are automatic analysis tools for the rather simple information flow properties required of this code. Therefore, we reach outside of the theorem prover to ensure these properties, and then only come back to the prover for the wrap-up: a high-level proof showing that putting together the kernel properties with an abstract version of these outer-layer properties yields overall secure behavior. 2.3.1.1 Verification of the web service The main part of the web service consists of Scala methods that dispatch requests (corresponding to user actions) as sequences of calls to the kernel—this is where nontrivial information flow occurs. We will use the Joana tool [1] developed in the IFC4MC project to verify that sensitive information only flows between the kernel and the official outputs of these methods. (Note that Joana analyzes Java bytecode, which Scala also compiles to.) 2.3.1.2 Verification of the web application The application layer is simpler than the service layer in that no further one-to-many dispatch is necessary—there is a oneto-one correspondence between the application methods handling user requests and the calls to the service. On the other hand, unlike the service, the application is not entirely stateless—e.g., it stores passwords in the session. Yet, a similar information-flow property as for the service should hold here too, and this will be ensured by using a com-
12
bination between Joana and the Javascript monitoring tool developed in the IFC4BC project [4, 17]. 2.3.1.3 Putting the pieces together Abstractly, the whole architecture can be modeled as three nested IO automata. Each of the two outer automata is essentially a “controller” whose each action invokes one or more actions of its inner neighbor automaton; the web-application controller also stores a “session” state of its own. We model in Isabelle the essence of what we have verified/monitored outside the system—that the controllers are secure—as a noninterference property which we take as an assumption. Then we prove that the overall nested-automata system also satisfies the properties we proved for the kernel automaton. 2.3.1.4 Summary Our project’s main focus is the formalization of security in Isabelle. However, for the verification of CoCon, we found good reasons for integrating the Isabelle formalization in a larger verification and analysis environment. Isabelle will still be responsible for verifying the system’s critical core, whose complex properties fundamentally require an interactive theorem prover. On the other hand, the complementary verification of the system’s outer layers will be handled by automatic language-based tools. Our envisioned combination of tools will bring an unprecedented level of precision and pervasiveness for the verification of web-based systems. Moreover, RS3 is a perfect environment for exploring such a combination—we will rely on support from other RS3 projects in employing these tools (§5.4.1.1). Following the above cost-effectiveness principle—separate and verify interactively only what cannot be verified automatically—also improves reusability and scalability. 2.3.2
Usability of CoCon
CoCon is already a rich system, supporting many of the features present in EasyChair. It includes a facility for optimal reviewer assignment from the preferences and other parameters. However, it misses some functionality/convenience features, such as: (1) password recovery, (2) email notifications, (3) warnings issued to the chairs for preventing deadlocks (e.g., the impossibility of reviewer assignment due to the chair’s conflicts), (4) the possibility for the chair to roll back the conference to a previous phase and to remove conflicts after the bidding phase. Some of these (e.g., 1–3) can be implemented completely outside the kernel, whereas others (e.g., 4) require some careful design to avoid conflicts between security and the desired functionality. Despite systematic testing, there are surely functionality issues of which we are not even aware. The only way we can identify them is by deploying the system for real conferences or workshops. We will start by using CoCon for this year’s Isabelle workshop in conjunction with EasyChair—namely, the authors will be asked to submit on both systems, explaining them that CoCon is a child of Isabelle. For future Isabelle workshops we plan to switch to CoCon entirely. Moreover, as we make progress with the usability and efficiency of the system, we will encourage other verification-friendly events to use CoCon.
13
Another important usability aspect is efficiency. In general, it is straightforward to streamline the implementation of a system such as CoCon: one simply needs to pick up from the programming-language library more efficient representations of the data structures. However, what we have verified for security is the current (inefficient) representation, and we would like to avoid major proof rewriting and loss of automation due to the more sophisticated data types. Therefore we opt for a different solution. Instead of redoing the proofs for an efficient modification of the system, we will transfer the security results from the original system. This can be achieved semi-automatically employing Isabelle’s refinement framework developed by Peter Lammich [22]. 2.3.3
Stronger security guarantees for CoCon’s kernel
As explained in §1.1.2.2, the confidentiality properties we proved for the kernel are instances of our highly parameterized notion of BD security. In [19], we argue that BD security is a reasonable notion for indicating bounds and triggers for the information flowing from the system to designated observers. Essentially, it says that, for what the attacker knows from his observations, the sequence of secrets could have been not only what it is, but also any other sequence within the indicated declassification bound. But what if the attacker has extra information (beyond his own observations and knowledge of CoCon) such as, e.g., patterns of behaviors of other users in the system? To a certain extent, such extra power for the attacker can be modeled by the appropriate choice of the observation parameter in BD security. For example, we can declare as attacker observation not only the view of a particular attacker user, but also those of the attacker’s allies or spied users—and this is precisely what we currently do in our BD security instances of interest: we speak of groups of attackers, not of single attackers. However, BD security is not flexible enough to face all the nuances of the above question. E.g., we prove using BD security that an author (our attacker in this scenario) will learn nothing about the identity of his reviewers—but this implicitly makes the idealistic assumption that an author knows nothing about the way the chairs assign reviewers. At the other extreme, if we consider the chairs to be allies of the attacker, then the whole information is actually disclosed. A realistic modeling of the situation lies in between these extremes, assuming that an author has some knowledge about the behavior patterns of the chairs and proving that he will not learn anything beyond that—such patterns are best expressed as probability distributions, in our example stating the likelihood of the chairs assigning certain papers to certain PC members. To capture this, and hence be able to verify more realistic properties for CoCon, we plan to extend BD security with an explicit mechanism (possibilistic and/or probabilistic) for indicating knowledge from outside the system. We will aim at isolating the probabilistic component from the bulk of the proof development, so that the amount of (typically complex) probabilistic reasoning does not depend on the size of the system— Cock’s work [10] in the context of verifying probabilistic noninterference for the seL4 operating system kernel is an excellent example of such successful isolation. Another planned strengthening targets BD-security’s somewhat optimistic reliance on the user-behavior nondeterminism. We would ideally like to prove not only that
14
from the attacker’s point of view the secret sequence could have been anything within the declassification bound, but also that this is the case without the assumption that the other users (neutral to the attacker) may randomly change their behavior. This would address more accurately the notion of Trojan horses, which are secret-knowing users whose views are not immediately delivered to the attacker, but who try to cooperate with the attacker for releasing information through the system—such aspects are currently only partially regulated by BD-security’s declassification triggers, and deserve a first-class status in a more realistic security notion. 2.3.4
Reusable verification infrastructure
All the previous points in the work program were directly related to CoCon, and rightly so since a major topic in our plans is delivering a throughly verified, usable web-based system. However, there is an even more important topic that lies in the background, namely a reusable verification framework. Indeed, we are not content with completing CoCon’s verification, but wish to make a strong case for the feasibility of our methodology—here, notions such as automation and compositionality play key roles. We were already inspired by CoCon’s development to design BD security—namely, the need to express CoCon’s properties of interest led to a very flexible notion, and the need to manage their proofs’ complexity led to an unwinding method that copes with this flexibility. We plan to work at the following extensions and improvements of our BD security framework—also inspired by, and testable on, CoCon. 2.3.4.1 Refinement/abstraction mechanisms §2.3.2 already discusses a notion of security-preserving refinement in the context of improving CoCon’s efficiency. A related situation calling for transferring security statements is the following. Whereas CoCon’s kernel is an infinite system (storing infinite data such as strings and employing an unbounded number of users), its properties of interest (formulated as instances of BD security) appear to belong to a class enjoying a small model property: If the property holds for a version of the system with a fixed finite number of users exhibiting a good coverage of the roles (e.g., one conference, two authors, one chair, and one non-chair PC member) and having data from a small finite domain, then they hold for the original system as well. In other words, these properties are amenable to a form of security-reflecting abstraction. We will capture both these situations, namely security-preserving refinement and security-reflecting abstraction, as instances of a general theorem concerning the preservation of BD security under a suitable notion of (bi)simulation. The notion will allow matching one step of one system by multiple steps of the other system and will be subject to requirements of compatibility with the BD security parameters. 2.3.4.2 Automation The above opens the door for a promising automation- (hence scalability-) improving approach: BD security verification by sound abstraction in conjunction with fully automatic verification of finite-state systems. The abstraction will invoke the aforementioned preservation theorem to reduce the problem to a finite-state system—the process will not be completely automatic (as it will invoke the verification 15
of some conditions on the instances of the BD security parameters), but will be much lighter than what we currently do, namely interactive proofs of the properties. Concerning the finite-state system automatic verification, we first need to settle the decidability problem for BD security or a suitable sound approximation of it. We have some initial progress with encoding ∀∀ approximations of BD security (which is a ∀∃ statement) in SpAGAT’s HyperCTL∗ logic [9], whose model-checking problem is decidable. As for the actual tool to be used here, we will explore several candidates, including a HyperCTL∗ checker under development within SpAGAT and the MCK checker [2] for epistemic logic (a setting bearing similarities with BD security). This approach will require a suitable encoding of BD security and an automatic translation from Isabelle format to the specific input of such tools—for the scope of this project we will be content with trusting the external tool (as opposed to verifying its output in Isabelle in the style of Sledgehammer). For streamlining the whole abstractionplus-verification process, we will look into the abstract interpretation approach for document-management systems [21] also developed in SpAGAT. (See also §5.4.1.2.) 2.3.4.3 Compositionality The need for compositionality mechanisms for managing large-system verification is well established. So far, we studied compositionality for BD security only w.r.t. to decomposing proofs, without looking into the interaction between proof (de)composition and system composition from smaller coupled pieces. This last aspect has been successfully pursued in system-based security frameworks such as MAKS [24], which focus on (non)occurrence of events. Here, it poses interesting challenges for our more general notion which speaks about the declassification of certain aspects/values of the secrets—one such challenge is the controlled composition of declassification bounds, conceptually lying at the intersection of symbolic and quantitative reasoning. We will study such compositionality aspects, as well as the possibility to decompose BD security properties so that parts of them can be handled in simpler formalisms with lighter proof methods. (See also §5.4.1.3.) 2.3.4.4 Enhanced flexibility Although motivated by examples from CoCon, §2.3.3 makes plans that reach beyond this particular system, namely an extension of BD security with user strategies and probabilistic information. The literature contains useful pointers here. For instance, [53] proposes nondeducibility on strategies (including possibilistic and probabilistic notions), then [51] proves that, for asynchronous systems (such as ours), the possibilitic version of this notion is equivalent to the more standard notion of nondeducibility on inputs. Here, we plan to employ the strategies in a different manner, closer to the spirit of game theory (e.g., [23]): we do not try to guarantee their nondeducibility, but assume that Trojan-horse strategies are known to the attacker and still prove that deducibility is suitably bounded, perhaps provided some “high” users employ (counter-)strategies documented in a user manual. 2.3.4.5 Language-based security We will use the insights gained from developing system-security verification infrastructure to revisit a few problems unresolved by our previous work on language-based security. One such problem is a truly easy-to-check
16
(yet flexible) criterion for scheduler noninterference, perhaps via a probabilistic operational semantics for schedulers. BD security and its envisioned probabilistic extension could inspire a solution here, through its detailed bookkeeping of the information declassified by individual users (also viewable as threads in a multi-threaded program). 2.3.5
Timetable
We request funding for 1 researcher (Andrei Popescu) and 1 student assistant for 2 years (see §4.1). The planned work is distributed over time (in months) as follows: 01 03 05 07 09 11 13 15 17 19 21 23 P1 + P2 + P3 P2 + P4 P1: P2: P3: P4:
Holistic security guarantees for CoCon Usability of CoCon Stronger security guarantees for CoCon’s kernel Reusable verification framework
§2.3.1 §2.3.2 §2.3.3 §2.3.4
On packages P1 and P2, Popescu will be helped by a student assistant (Hiwi) with knowledge in web programming. On packages P3 and P4, Popescu will cooperate with Dr. Peter Lammich, an expert in verified refinement—although financed from a different source, Lammich is interested in the RS3 security work and has participated in the annual and staff meetings of RS3 ’s phase II. On the probabilistic matters concerning package P3, Popescu will continue his cooperation with Dr. Johannes Hölzl.
2.4
Data handling
Apart from publications, the main outcome of our work are Isabelle theories and program source code. The Isabelle theories are either incorporated in the official distribution or submitted to the Archive of Formal Proofs [20].
3
Bibliography
[1] The Joana website. http://pp.ipd.kit.edu/projects/joana. [2] Model-checking knowledge (MCK), 2014. http://cgi.cse.unsw.edu.au/~mck/pmck. [3] T. Bauereiß, C. Feller, P. Lammich, S. Lortz, M. Kovács, M. Ochoa, A. Popescu, and M. N. Rabe. Formal verification of information flow properties of web-based workflow management systems – topic workshop report. Available at http://www21.in.tum.de/~popescua/topic-workshop.pdf. [4] A. Bichhawat, V. Rajani, D. Garg, and C. Hammer. Information flow control in webkit’s javascript bytecode. To be presented at POST 2014. [5] J. C. Blanchette, S. Böhme, A. Popescu, and N. Smallbone. Encoding monomorphic and polymorphic types. In TACAS, pages 493–507, 2013. [6] J. C. Blanchette and A. Popescu. Mechanizing the metatheory of Sledgehammer. In FroCoS, pages 245–260, 2013. [7] G. Boudol. On typing information flow. In ICTAC, pages 366–380, 2005.
17
[8] G. Boudol and I. Castellani. Noninterference for concurrent programs and thread systems. Theoretical Computer Science, 281(1-2):109–130, 2002. [9] M. R. Clarkson, B. Finkbeiner, M. Koleini, K. K. Micinski, M. N. Rabe, and C. Sánchez. Temporal logics for hyperproperties. In POST, pages 265–284, 2014. [10] D. Cock. Practical probability: Applying pGCL to lattice scheduling. In ITP, pages 311–327, 2013. [11] The HotCRP conference system. http://read.seas.harvard.edu/~kohler/hotcrp. [12] The EasyChair conference system, 2014. http://easychair.org. [13] J. A. Goguen and J. Meseguer. Security policies and security models. In IEEE Symposium on Security and Privacy, pages 11–20, 1982. [14] J. A. Goguen and J. Meseguer. Unwinding and inference control. In IEEE Symposium on Security and Privacy, pages 75–87, 1984. [15] F. Haftmann and T. Nipkow. Code generation via higher-order rewrite systems. In FLOPS 2010, pages 103–117. Springer, 2010. [16] IFC4BC, IFC4MC, MORES, SecDed, and SpAGAT. Security in web-based workflow management systems – RS3 reference scenario report. Available at http://www21.in.tum.de/~popescua/rs3/ref-scen-2014.pdf. [17] S. Just, A. Cleary, B. Shirley, and C. Hammer. Information flow analysis for Javascript. In PLASTIC ’11, pages 9–18, 2011. [18] S. Kanav, P. Lammich, and A. Popescu. The CoCon website. http://www21.in.tum.de/~popescua/rs3/GNE.html. [19] S. Kanav, P. Lammich, and A. Popescu. A conference management system with verified document confidentiality. http://www21.in.tum.de/~popescua/pdf/confsys.pdf. [20] G. Klein, T. Nipkow, and L. Paulson, editors. The Archive of Formal Proofs. http://afp.sf.net/. [21] M. Kovács, H. Seidl, and B. Finkbeiner. Relational abstract interpretation for the verification of 2-hypersafety properties. In CCS, pages 211–222, 2013. [22] P. Lammich. Automatic data refinement. In ITP, pages 84–99, 2013. [23] M. H. Manshaei, Q. Zhu, T. Alpcan, T. Bac¸sar, and J.-P. Hubaux. Game theory meets network security and privacy. ACM Comput. Surv., 45(3):25:1–25:39, 2013. [24] H. Mantel. Possibilistic definitions of security - an assembly kit. In CSFW, pages 185–199, 2000. [25] H. Mantel and A. Sabelfeld. A generic approach to the security of multi-threaded programs. In CSFW, pages 200–214, 2001. [26] H. Mantel and H. Sudbrock. Flexible scheduler-independent security. In ESORICS, pages 116–133, 2010. [27] L. C. Paulson and J. C. Blanchette. Three years of experience with Sledgehammer, a practical link between automatic and interactive theorem provers. In IWIL 2010. [28] A. Popescu. Security type systems as recursive predicates. CoRR, abs/1308.3472, 2013. [29] A. Popescu and E. L. Gunter. Incremental pattern-based coinduction for process algebra and its Isabelle formalization. In FOSSACS, pages 109–127, 2010.
18
[30] A. Popescu and J. Hölzl. Possibilistic noninterference. Archive of Formal Proofs, 2012. [31] A. Popescu and J. Hölzl. Probabilistic noninterference. Archive of Formal Proofs, 2014. [32] A. Popescu, J. Hölzl, and T. Nipkow. Noninterfering schedulers - when possibilistic noninterference implies probabilistic noninterference. Technical Report, TU München, 2013. Available at http://mediatum.ub.tum.de/?id=1159789. [33] A. Popescu, J. Hölzl, and T. Nipkow. Proving concurrent noninterference. In CPP, pages 109–125, 2012. [34] A. Popescu, J. Hölzl, and T. Nipkow. Formal verification of language-based concurrent noninterference. Journal of Formalized Reasoning, 6(1), 2013. [35] A. Popescu, J. Hölzl, and T. Nipkow. Formalizing probabilistic noninterference. In CPP, pages 259–275, 2013. [36] A. Popescu, J. Hölzl, and T. Nipkow. Noninterfering schedulers - when possibilistic noninterference implies probabilistic noninterference. In CALCO, pages 236–252, 2013. [37] A. Popescu and P. Lammich. Verification of CoCon—formal Isabelle development. http://www21.in.tum.de/~popescua/rs3/cocon-form-2014.zip, 2013. [38] A. Popescu and P. Lammich. Bounded-deducibility security. Archive of Formal Proofs, 2014. [39] M. N. Rabe, P. Lammich, and A. Popescu. A shallow embedding of HyperCTL∗ . Archive of Formal Proofs, 2014. [40] J. Rushby. Noninterference, transitivity, and channel-control security policies. Technical report, dec 1992. [41] A. Russo and A. Sabelfeld. Securing interaction between threads and the scheduler. In IEEE Computer Security Foundations Workshop, pages 177–189, 2006. [42] A. Sabelfeld and A. C. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications, 21(1):5–19, 2003. [43] A. Sabelfeld and D. Sands. Probabilistic noninterference for multi-threaded programs. In IEEE Computer Security Foundations Workshop, pages 200–214, 1999. [44] G. Smith. A new type system for secure information flow. In CSFW, pages 115–125, 2001. [45] G. Smith. Probabilistic noninterference through weak probabilistic bisimulation. In IEEE Computer Security Foundations Workshop, pages 3–13, 2003. [46] G. Smith. Improved typings for probabilistic noninterference in a multi-threaded language. Journal of Computer Security, 14(6):591–623, 2006. [47] G. Smith and D. Volpano. Secure information flow in a multi-threaded imperative language. In POPL, pages 355–364, 1998. [48] S. J. Smolka and J. C. Blanchette. Robust, semi-intelligible Isabelle proofs from ATP proofs. In PxTP@CADE, pages 117–132, 2013. [49] O. Strichman. Regression verification: Proving the equivalence of similar programs. In CAV, page 63, 2009. [50] D. Sutherland. A model of information. In 9th National Security Conference, pages 175–183, 1986.
19
[51] R. van der Meyden and C. Zhang. A comparison of semantic models for noninterference. In Formal Aspects in Security and Trust, pages 235–249, 2006. [52] D. Volpano and G. Smith. Probabilistic noninterference in a concurrent language. Journal of Computer Security, 7(2,3):231–253, 1999. [53] J. T. Wittbold and D. M. Johnson. Information flow in nondeterministic systems. In IEEE Symposium on Security and Privacy, pages 144–161, 1990.
4
Requested modules/funds
4.1 4.1.1
Staff costs Postdoctoral staff
We request funding for 1 full-time (100%) postdoctoral researcher on salary scale TVL E14 for 24 months. We intend to continue the employment of Dr. Popescu, who has held this position in phases 1 and 2. Because of his previous 4 years on this project he has become an irreplaceable expert and we request that he is now paid according to salary scale E14 as a postdoctoral researcher of at least 3 years experience. 4.1.2
Student assistants
We request EUR 28000 (Arbeitgeber-Gesamtkosten) for 1 student assistant (Hiwi) for 20 hours per week over 24 months. The student’s main task will be to maintain CoCon and to integrate the changes necessary for employing the program analysis tools. Thus the student’s work is essential not just for the usability of CoCon but also for the verifiability of the interface part of CoCon and thus for the success of the project.
4.2 4.2.1
Funding for direct project costs Equipment up to EUR 10,000, software and consumables
We request EUR 2500 for a high-end laptop to run the Isabelle system which is very resource-hungry. 4.2.2
Travel
We request EUR 12000 for travel over 2 years as follows: 1. Travel to the meetings within RS3 : Over two years, there are 2 main meetings (2 participants from TUM), 2 staff meetings (1 participant from TUM) and 1 tutorial meeting (1 participant from TUM). Budgeting EUR 500 per person per meeting, we require EUR 4000 for 2 years. 2. Travel to 2 international conferences per year: EUR 3000 per year. 3. Travel within Germany to visit the teams of other RS3 projects (IFC4BC, IFC4MC, Mores, SpAGAT) for working on the joint plans concerning the reference scenario: EUR 1000 per year (2 meetings per year). 20
5
Project requirements
5.1
Employment status information
Applicants: Tobias Nipkow, professor, tenured Andrei Popescu, postdoctoral researcher, employed until Sept. 2014 on the DFG project we are seeking to renew We list Dr. Popescu as a co-applicant because the project proposal has been written jointly with him. He will be employed by the project.
5.2
First-time proposal data—Not applicable
5.3
Composition of the project group
In addition to the applicants and the aforementioned staff, the following researchers will also contribute to the project: Peter Lammich, Ph.D., researcher, funded by TUM Johannes Hölzl, Ph.D., researcher, funded by DFG project NI 491/15-1
5.4 5.4.1
Cooperation with other researchers Researchers with whom you have agreed to cooperate on this project
5.4.1.1 Cooperation with IFC4MC (Information Flow Control for Mobile Components Based on Precise Analysis for Parallel Programs) and IFC4BC (Information Flow Control for Browser Clients) Joana, IFC4MC’s fully automatic tool for analyzing information flow in Java bytecode, is a key component of our holistic verification plans (§2.3.1), covering the web service and part of the web application verification. Preliminary discussions with the IFC4MC team revealed that deploying Joana for the task will be relatively easy. For guaranteeing security of the user interface to the service, we will employ a combination of Joana (for the server) and the IFC4BC Javascript monitoring tool (for the client). We will dedicate a few bilateral and/or trilateral meetings to performing and documenting this planned integration. 5.4.1.2 Cooperation with SpAGAT (Secrecy and Information Flow in Shared Document Bases) SpAGAT is a main driving force behind our “Verification of WebBased Workflow Management System” reference scenario [16]. In fact, the incentive to focus on the verification of a conference management systems came from SpAGAT. Moreover, all throughout phase II, the SpAGAT members were active designers and promoters of the scenario. Due to the infiniteness of the model and the desire to connect it as tightly as possibly to the actual code, the initial implementation and verification tasks were taken over by our project which centers around a proof assistant with code generation facilities. On the other hand, SpAGAT is developing automatic methods targeting the security analysis of a large class of finite (or finitely representable) systems. Their techniques
21
include security model checking [9] and relational abstract interpretation [21] and their motivating examples are often document-management systems in the style of CoCon. Now that CoCon’s security properties are fairly well understood and formally represented, it is time to take automation more seriously. During a scenario topic workshop [3] and a follow-up bilateral meeting with SpAGAT, we analyzed the connection between BD security and HyperCTL∗ [9], SpAGAT’s expressive temporallogic formalism—a first step we took was a shallow embedding of HyperCTL∗ in Isabelle [39]. We also experimented with running SpAGAT’s automatic analysis for tree-like structures [21] on a toy version of CoCon’s step function. Whereas our experiments with automatic verification of finite variations of CoCon are encouraging, a missing link is a provably correct method for reducing verification of infinite to finite systems as planned in §2.3.4—this work, triggered by CoCon but applicable to a whole class of IO–automata, will be pursued in close collaboration with SpAGAT, with feedback from their automation possibilities and limitations. 5.4.1.3 Cooperation with MORES (Modeling and Refinement of Security Requirements on Data and Processes) and Prof. Mantel’s group Several projects that are members of, or associated to, RS3 (including FMSecEng, MORES and MoVeSPAcI) make heavy use of IMAKS, an Isabelle formalization of MAKS developed at Prof. Mantel’s Chair. MAKS [24] is a mature assembly kit of possibilistic information flow notions specialized in (non)occurrence of events. On the other hand, we developed a different framework (BD security), taking inspiration from the challenges posed by our conference system: secret values related by arbitrary declassification bounds. In a workshop dedicated to the reference scenario [3], we analyzed together the relative strengths of both frameworks and the possibility to fruitfully combine them. In brief, BD security is more expressive, whereas MAKS is more compositional and provides lighter (hence easier to use) unwinding conditions. Together with MORES and with support from the IMAKS team, we are currently formalizing an embedding of the MAKS basic security predicates in the BD security framework and exploring possibilities for decomposing goals into two categories of components: those that really need BD-security’s expressiveness and those that can be formulated in MAKS. We believe that the combination of the two frameworks will improve compositionality and scalability (and hence reusability) of the reference-scenario formalization work, as envisioned in §2.3.4. 5.4.1.4 Cooperation with RSCP (Reliable Security for Concurrent Programs) Prof. Mantel’s RSCP project has results on scheduler-independent noninterference [26] and experience with bridging system and language-based security [25], relevant for our plans from §2.3.4.5. We will continue our collaboration with RSCP based on receiving support with security expertize and offering support with verification expertize. 5.4.2
Researchers with whom you have collaborated within the past three years
Javier Esparza, Orna Grumberg, Gerwin Klein, Lawrence Paulson, Helmut Seidl, Jan-Georg Smaus 22
