Abstract
Declassification refers to the controlled release of sensitive information by a program. It is well recognised that security analyses, formal or otherwise, need to take declassification into account to be practically usable. This paper introduces the concept of declassification predicates which enable a programmer to define precisely what can be declassified in a given program, and where in the program it can be released. We show how declassification predicates can be added to an existing information flow logic, and how the extended logic can be implemented within the Dafny program verifier.
Notes
1. When concurrency is not a consideration, this definition (as well as the others in this section) can be weakened to only consider the point where the program terminates.
2. For capturing concurrent algorithms, the simple language also supports atomic compare-and-swap (CAS) instructions which are not considered in this paper.
Acknowledgements
Thanks to Kirsten Winter for her feedback on this paper.
A Soundness
Theorem 1
Given a program c with variables \(v_1,\ldots ,v_n\) and set of initial states \(S_0\), if \(S_0 \Rightarrow \textit{wpif}(v^0_1 := v_1; \ldots ; v^0_n := v_n; c, true)\), where \(v^0_1,\ldots ,v^0_n\) are fresh, then qualified release (Definition 4) holds for all initial states \(i_1, i_2 \in S_0\).
Proof
Let \(m_1\) and \(m_2\) be two program states such that \(m_1 =_\ell m_2\). Following Definition 4, we need to prove that there exists a relation \(R_{m_1,m_2}\) such that \(\langle c, m_1\rangle R_{m_1,m_2} \langle c, m_2\rangle \) for each program c considered secure under wpif. The proof is by induction over the instructions of the simple programming language whose operational semantics with respect to an initial state i is given below.
Let stop denote the program with no instructions, and \(\varepsilon _i(\textsf{stop},m) = \varnothing \).
skip According to the operational semantics, the skip instruction neither changes the state m nor introduces escape-hatch expressions, and results in the program stop. Therefore, choosing \(R_{m_1,m_2} = \{(\langle \textsf{skip}, m_1\rangle , \langle \textsf{skip}, m_2\rangle ), (\langle \textsf{stop}, m_1\rangle , \langle \textsf{stop}, m_2\rangle )\}\) will satisfy Definition 4. For both configuration pairs, requirement 1 of Definition 4 holds trivially and requirement 2(i) holds due to \(m_1=_\ell m_2\) holding in the starting state. Requirement 2(ii) holds for the second pair due to there being no further program steps and, since it holds for the second pair, also holds for the first pair.
\(x := e\) An assignment updates the state m and results in the program stop. If the assignment has a declassification annotation then (according to the wpif rule) the program will only be secure when the associated predicate is true in any state that may hold immediately before the assignment. Assume this is the case, and hence the declassification predicate is true in \(m_1\) and \(m_2\). Given this, any escape hatches introduced only depend on e and the level of declassification d (see the operational semantics). Hence, requirement 1 of Definition 4 trivially holds. Consider the relation \(R_{m_1,m_2} = \{(\langle x:=e, m_1\rangle , \langle x:=e, m_2\rangle ), (\langle \textsf{stop}, m_1'\rangle , \langle \textsf{stop}, m_2'\rangle )\}\), where \(m_1'\) and \(m_2'\) are derived from \(m_1\) and \(m_2\), respectively, by updating the value of x.
For the first configuration pair, if the released expressions are distinguishable on \(m_1\) and \(m_2\) then there is nothing further to prove. If they are indistinguishable then, since the assignments will replace x by an expression which is in the released expressions and at a level \(d\sqsubseteq \ell \) (as required by the wpif rule), requirement 2(i) (which holds for the first pair) is preserved. Requirement 2(ii) also holds for the second pair (as argued for skip) and hence holds for the first pair.
If the assignment does not have a declassification annotation then no escape hatches will be introduced and requirement 1 trivially holds. The value of x will be replaced by e for both initial states. The wpif rule for assignment only holds when \(\varGamma _E(e) \sqsubseteq \mathcal{L}(x)\). Hence, if x is low so is e, and low equivalence of states (requirement 2(i)) is preserved. Requirement 2(ii) is also satisfied by the first pair due to the second pair satisfying all requirements.
\(c_1;c_2\) By the induction hypothesis, there exists a relation \(R_{m_1,m_2}^1\) such that \(\langle c_1, m_1\rangle R^1_{m_1,m_2} \langle c_1,m_2\rangle \) and \(R^1_{m_1,m_2}\) satisfies Definition 4. Let \(\langle c_1, m_1\rangle \rightarrow ^n \langle c_1',m_1'\rangle \) and \(\langle c_1, m_2\rangle \rightarrow ^n \langle c_1',m_2'\rangle \), for some n. Note that both ending configurations have the same program, \(c_1'\), since the logic does not allow branching on high data.
If \(\lnot (m_1' \,I(\varepsilon _i(c_1',m_1'))\, m_2')\) then there are no further requirements to prove and the following relation satisfies Definition 4 for \(c_1;c_2\).
If \(m_1' \,I(\varepsilon _i(c_1',m_1'))\, m_2'\) and \(\langle c_1', m_1'\rangle \rightarrow \langle \textsf{stop}, m_1''\rangle \) and \(\langle c_1', m_2'\rangle \rightarrow \langle \textsf{stop}, m_2''\rangle \), i.e., \(c_1'\) terminates after its next instruction, then \(m_1''=_\ell m_2''\) by Definition 4. By the induction hypothesis, there exists a relation \(R_{m_1'',m_2''}^2\) satisfying Definition 4 where \(\langle c_2, m_1''\rangle R^2_{m_1'',m_2''} \langle c_2,m_2''\rangle \). Consider then the following relation.
This clearly relates \(\langle c_1;c_2,m_1\rangle \) and \(\langle c_1;c_2,m_2\rangle \). We now show that it also satisfies Definition 4 by considering two cases: a sequence of steps in program \(c_1\), and a sequence of steps in program \(c_2\).
First case: \(\langle c_1, m_1\rangle \longrightarrow ^n \langle c_1^1, m_1'\rangle \) and \(\langle c_1, m_2\rangle \longrightarrow ^n \langle c_1^2, m_2'\rangle \) such that \(\langle c_1^1, m_1'\rangle R^1_{m_1,m_2} \langle c_1^2, m_2'\rangle \). The latter implies requirements 1 and 2(i) for \(R_{m_1,m_2}\). If \(c_1^1\) has not terminated then requirement 2(ii) follows from requirement 2(ii) of \(R^1_{m_1,m_2}\). If \(c^1_1\) has terminated, i.e., \(m_1'=m_1''\) and \(m_2'=m_2''\) (since the absence of branching on high data means the runs will terminate together), then from the operational semantics for sequential composition we know that \(\langle c_1; c_2, m_1\rangle \longrightarrow ^{n} \langle c_2, m_1''\rangle \) and \(\langle c_1;c_2, m_2\rangle \longrightarrow ^{n} \langle c_2, m_2''\rangle \). And since \(\langle c_2, m_1''\rangle \) and \(\langle c_2, m_2''\rangle \) are related by \(R^2_{m_1'',m_2''}\), they are also related by \(R_{m_1,m_2}\) and we have requirement 2(ii).
Second case: \(\langle c_2, m_1''\rangle \longrightarrow ^n \langle c_2^1, m_1'''\rangle \) and \(\langle c_2, m_2''\rangle \longrightarrow ^n \langle c_2^2, m_2'''\rangle \) such that \(\langle c_2^1, m_1'''\rangle R^2_{m_1'',m_2''} \langle c_2^2, m_2'''\rangle \). As before, the latter implies requirements 1 and 2(i) for \(R_{m_1,m_2}\). In this case, requirement 2(ii) of \(R_{m_1,m_2}\) also follows from requirement 2(ii) of \(R^2_{m_1'',m_2''}\).
\(\mathsf{if~} b \mathsf{~then~} c_1 \mathsf{~else~} c_2\) By the induction hypothesis, there exist relations \(R^1_{m_1,m_2}\) and \(R^2_{m_1,m_2}\) satisfying Definition 4 such that \(\langle c_1,m_1\rangle R^1_{m_1,m_2} \langle c_1,m_2\rangle \), and \(\langle c_2,m_1\rangle R^2_{m_1,m_2}\langle c_2,m_2\rangle \). Consider the first configuration pair of the following relation.
If the guard has a declassification annotation then, following the proof for assignment, requirements 1 and 2(i) trivially hold, and requirement 2(ii) follows from the requirements holding for subsequent configurations. These hold due to the fact that the wpif rule for conditionals requires \(\varGamma _E(b) \sqsubseteq \ell \) or, when b is declassified to security level d, \(d \sqsubseteq \ell \). Hence, when any released expressions are indistinguishable on \(m_1\) and \(m_2\), the choice of branch \(c_1\) or \(c_2\) will be the same for the low-equivalent states \(m_1\) and \(m_2\) (according to the operational semantics). Therefore, all resulting configurations will be related by either \(R^1_{m_1,m_2}\) or \(R^2_{m_1,m_2}\).
\(\textsf{while}(b)\,c\) The wpif rule for loops requires a loop invariant which holds in both \(m_1\) and \(m_2\) to be provided. Let M be the set of all memories satisfying the loop invariant and consider the following relation. By the induction hypothesis, for each \(m_1',m_2'\in M\) such that \(m_1'=_\ell m_2'\) there exists a relation \(R^1_{m_1',m_2'}\) such that \(\langle c, m_1'\rangle R^1_{m_1',m_2'} \langle c,m_2'\rangle \) and \(R^1_{m_1',m_2'}\) satisfies Definition 4.
Given \(m_1,m_2\in M\), the proof follows the proof for conditionals with the following changes based on the operational semantics: (i) when b is false, the subsequent program is stop and the state is unchanged, and (ii) when b is true, the subsequent program is \(c; \textsf{while}(b)\, c\). Note that in the latter case, since the loop invariant will be true after c terminates, requirement 2(ii) will hold due to the distributed union over all states satisfying the invariant in the definition of \(R_{m_1,m_2}\). \(\square \)
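The side conditions the assignment case relies on can be exercised on concrete states. The following is an added illustration, not the paper's wpif or its Dafny encoding: it enumerates a finite set of initial states instead of computing a weakest precondition, and the two-point lattice, the variable names, the `tries < 3` predicate and the requirement that d be at most \(\mathcal{L}(x)\) are all assumptions made for the example.

```python
# Added illustration (not the paper's wpif or its Dafny encoding).
# Two-point lattice and all variable names below are constructed.
LOW, HIGH = 0, 1
LEVEL = {"secret": HIGH, "tries": LOW, "guess": LOW, "out": LOW}  # the map L

def gamma(reads):
    """Gamma_E(e): join of the levels of the variables e reads."""
    return max((LEVEL[v] for v in reads), default=LOW)

def check(program, initial_states):
    """Run each statement from every initial state and report violations.

    A statement is (x, reads, e, declass); declass is None or (P, d), where P
    is the declassification predicate and d the level e is released at.
    """
    violations = []
    for m0 in initial_states:
        m = dict(m0)
        for x, reads, e, declass in program:
            if declass is None:
                if gamma(reads) > LEVEL[x]:      # needs Gamma_E(e) <= L(x)
                    violations.append((x, "flow"))
            else:
                pred, d = declass
                if d > LEVEL[x]:                 # assumed here: d <= L(x)
                    violations.append((x, "level"))
                if not pred(m):                  # P must hold just before
                    violations.append((x, "predicate"))
            m[x] = e(m)
    return sorted(set(violations))

def run(program, m0):
    """Execute the straight-line program and return the final state."""
    m = dict(m0)
    for x, _, e, _ in program:
        m[x] = e(m)
    return m

def low_view(m):
    """The part of a state an observer at level LOW can see."""
    return {v: m[v] for v in m if LEVEL[v] == LOW}

match = lambda m: m["guess"] == m["secret"]
# Release only the comparison result, and only while tries < 3.
GUARDED = [("out", {"guess", "secret"}, match, (lambda m: m["tries"] < 3, LOW))]
LEAKY = [("out", {"secret"}, lambda m: m["secret"], None)]
STATES = [{"secret": s, "tries": t, "guess": 7, "out": 0}
          for s in (7, 8, 9) for t in (0, 2)]
```

Two low-equivalent states that also agree on the released expression `guess == secret` end with the same low view under `GUARDED`; states that differ on it may diverge, which is exactly the release the annotation permits.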
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Smith, G. (2022). Declassification Predicates for Controlled Information Release. In: Riesco, A., Zhang, M. (eds) Formal Methods and Software Engineering. ICFEM 2022. Lecture Notes in Computer Science, vol 13478. Springer, Cham. https://doi.org/10.1007/978-3-031-17244-1_18
DOI: https://doi.org/10.1007/978-3-031-17244-1_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17243-4
Online ISBN: 978-3-031-17244-1
eBook Packages: Computer Science, Computer Science (R0)