Declassification Predicates for Controlled Information Release

  • Conference paper
Formal Methods and Software Engineering (ICFEM 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13478)

Abstract

Declassification refers to the controlled release of sensitive information by a program. It is well recognised that security analyses, formal or otherwise, need to take declassification into account to be practically usable. This paper introduces the concept of declassification predicates which enable a programmer to define precisely what can be declassified in a given program, and where in the program it can be released. We show how declassification predicates can be added to an existing information flow logic, and how the extended logic can be implemented within the Dafny program verifier.

Notes

  1. When concurrency is not a consideration, this definition (as well as the others in this section) can be weakened to only consider the point where the program terminates.

  2. For capturing concurrent algorithms, the simple language also supports atomic compare-and-swap (CAS) instructions which are not considered in this paper.

Acknowledgements

Thanks to Kirsten Winter for her feedback on this paper.

Author information

Corresponding author

Correspondence to Graeme Smith.

A Soundness

Theorem 1

Given a program c with variables \(v_1,\ldots ,v_n\) and set of initial states \(S_0\), if \(S_0 \Rightarrow \textit{wpif}(v^0_1 := v_1; \ldots ; v^0_n := v_n; c, true)\), where \(v^0_1,\ldots ,v^0_n\) are fresh, then qualified release (Definition 4) holds for all initial states \(i_1, i_2 \in S_0\).

Proof

Let \(m_1\) and \(m_2\) be two program states such that \(m_1 =_\ell m_2\). Following Definition 4, we need to prove that there exists a relation \(R_{m_1,m_2}\) such that \(\langle c, m_1\rangle \, R_{m_1,m_2} \, \langle c, m_2\rangle \) for each program c considered secure under wpif. The proof is by induction over the instructions of the simple programming language whose operational semantics with respect to an initial state i is given below.

Let stop denote the program with no instructions, and \(\varepsilon _i(\textsf{stop},m) = \varnothing \).

[Figure d: operational semantics of the simple programming language]

skip According to the operational semantics, the skip instruction neither changes the state m nor introduces escape-hatch expressions, and results in the program stop. Therefore, choosing \(R_{m_1,m_2} = \{(\langle \textsf{skip}, m_1\rangle , \langle \textsf{skip}, m_2\rangle ), (\langle \textsf{stop}, m_1\rangle , \langle \textsf{stop}, m_2\rangle )\}\) will satisfy Definition 4. For both configuration pairs, requirement 1 of Definition 4 holds trivially and requirement 2(i) holds due to \(m_1=_\ell m_2\) holding in the starting state. Requirement 2(ii) holds for the second pair due to there being no further program steps and, since it holds for the second pair, also holds for the first pair.

\(x := e\) An assignment updates the state m and results in the program stop. If the assignment has a declassification annotation then (according to the wpif rule) the program will only be secure when the associated predicate is true in any state that may hold immediately before the assignment. Assume this is the case, and hence the declassification predicate is true in \(m_1\) and \(m_2\). Given this, any escape hatches introduced only depend on e and the level of declassification d (see the operational semantics). Hence, requirement 1 of Definition 4 trivially holds. Consider the relation \(R_{m_1,m_2} = \{(\langle x:=e, m_1\rangle , \langle x:=e, m_2\rangle ), (\langle \textsf{stop}, m_1'\rangle , \langle \textsf{stop}, m_2'\rangle )\}\), where \(m_1'\) and \(m_2'\) are derived from \(m_1\) and \(m_2\), respectively, by updating the value of x.

For the first configuration pair, if the released expressions are distinguishable on \(m_1\) and \(m_2\) then there is nothing further to prove. If they are indistinguishable then, since the assignments will replace x by an expression which is in the released expressions and at a level \(d\sqsubseteq \ell \) (as required by the wpif rule), requirement 2(i) (which holds for the first pair) is preserved. Requirement 2(ii) also holds for the second pair (as argued for skip) and hence holds for the first pair.

If the assignment does not have a declassification annotation then no escape hatches will be introduced and requirement 1 trivially holds. The value of x will be replaced by e for both initial states. The wpif rule for assignment only holds when \(\varGamma _E(e) \sqsubseteq \mathcal{L}(x)\). Hence, if x is low so is e, and low equivalence of states (requirement 2(i)) is preserved. Requirement 2(ii) is also satisfied by the first pair due to the second pair satisfying all requirements.

\(c_1;c_2\) By the induction hypothesis, there exists a relation \(R_{m_1,m_2}^1\) such that \(\langle c_1, m_1\rangle R^1_{m_1,m_2} \langle c_1,m_2\rangle \) and \(R^1_{m_1,m_2}\) satisfies Definition 4. Let \(\langle c_1, m_1\rangle \rightarrow ^n \langle c_1',m_1'\rangle \) and \(\langle c_1, m_2\rangle \rightarrow ^n \langle c_1',m_2'\rangle \), for some n. Note that both ending configurations have the same program, \(c_1'\), since the logic does not allow branching on high data.

If \(\lnot (m_1' \,I(\varepsilon _i(c_1',m_1'))\, m_2')\) then there are no further requirements to prove and the following relation satisfies Definition 4 for \(c_1;c_2\).

$$\begin{aligned} R_{m_1,m_2}= \,&\{(\langle c_1^1; c_2, m_1'\rangle , \langle c_1^2; c_2, m_2'\rangle ) |\\&\ \qquad {\exists }n\cdot \langle c_1,m_1\rangle \longrightarrow ^n \langle c_1^1, m_1'\rangle \wedge \langle c_1,m_2\rangle \longrightarrow ^n \langle c_1^2, m_2'\rangle \wedge \\&\ \qquad \langle c_1^1, m_1'\rangle R^1_{m_1,m_2} \langle c_1^2, m_2'\rangle \} \end{aligned}$$

If \(m_1' \,I(\varepsilon _i(c_1',m_1'))\, m_2'\) and \(\langle c_1', m_1'\rangle \rightarrow \langle \textsf{stop}, m_1''\rangle \) and \(\langle c_1', m_2'\rangle \rightarrow \langle \textsf{stop}, m_2''\rangle \), i.e., \(c_1'\) terminates after its next instruction, then \(m_1''=_\ell m_2''\) by Definition 4. By the induction hypothesis, there exists a relation \(R_{m_1'',m_2''}^2\) satisfying Definition 4 where \(\langle c_2, m_1''\rangle R^2_{m_1'',m_2''} \langle c_2,m_2''\rangle \). Consider then the following relation.

$$\begin{aligned} R_{m_1,m_2}= \,&\{(\langle c_1^1; c_2, m_1'\rangle , \langle c_1^2; c_2, m_2'\rangle ) |\\&\ \qquad {\exists }n\cdot \langle c_1,m_1\rangle \longrightarrow ^n \langle c_1^1, m_1'\rangle \wedge \langle c_1,m_2\rangle \longrightarrow ^n \langle c_1^2, m_2'\rangle \wedge \\&\ \qquad \langle c_1^1, m_1'\rangle R^1_{m_1,m_2} \langle c_1^2, m_2'\rangle \} \\&\ {{\cup }}\, \{(\langle c_2^1, m_1'''\rangle , \langle c_2^2, m_2'''\rangle ) |\\&\ \qquad {\exists }n\cdot \langle c_2,m_1''\rangle \longrightarrow ^n \langle c_2^1, m_1'''\rangle \wedge \langle c_2,m_2''\rangle \longrightarrow ^n \langle c_2^2, m_2'''\rangle \wedge \\&\ \qquad \langle c_2^1, m_1'''\rangle R^2_{m_1'',m_2''} \langle c_2^2, m_2'''\rangle \} \end{aligned}$$

This clearly relates \(\langle c_1;c_2,m_1\rangle \) and \(\langle c_1;c_2,m_2\rangle \). We now show that it also satisfies Definition 4 by considering two cases: a sequence of steps in program \(c_1\), and a sequence of steps in program \(c_2\).

First case: \(\langle c_1, m_1\rangle \longrightarrow ^n \langle c_1^1, m_1'\rangle \) and \(\langle c_1, m_2\rangle \longrightarrow ^n \langle c_1^2, m_2'\rangle \) such that \(\langle c_1^1, m_1'\rangle R^1_{m_1,m_2} \langle c_1^2, m_2'\rangle \). The latter implies requirements 1 and 2(i) for \(R_{m_1,m_2}\). If \(c_1^1\) has not terminated then requirement 2(ii) follows from requirement 2(ii) of \(R^1_{m_1,m_2}\). If \(c^1_1\) has terminated, i.e., \(m_1'=m_1''\) and \(m_2'=m_2''\) (since the absence of branching on high data means the runs will terminate together), then from the operational semantics for sequential composition we know that \(\langle c_1; c_2, m_1\rangle \longrightarrow ^{n} \langle c_2, m_1''\rangle \) and \(\langle c_1;c_2, m_2\rangle \longrightarrow ^{n} \langle c_2, m_2''\rangle \). And since \(\langle c_2, m_1''\rangle \) and \(\langle c_2, m_2''\rangle \) are related by \(R^2_{m_1'',m_2''}\), they are also related by \(R_{m_1,m_2}\) and we have requirement 2(ii).

Second case: \(\langle c_2, m_1''\rangle \longrightarrow ^n \langle c_2^1, m_1'''\rangle \) and \(\langle c_2, m_2''\rangle \longrightarrow ^n \langle c_2^2, m_2'''\rangle \) such that \(\langle c_2^1, m_1'''\rangle R^2_{m_1'',m_2''} \langle c_2^2, m_2'''\rangle \). As before, the latter implies requirements 1 and 2(i) for \(R_{m_1,m_2}\). In this case, requirement 2(ii) of \(R_{m_1,m_2}\) also follows from requirement 2(ii) of \(R^2_{m_1'',m_2''}\).

\(\mathsf{if~} b \mathsf{~then~} c_1 \mathsf{~else~} c_2\) By the induction hypothesis, there exist relations \(R^1_{m_1,m_2}\) and \(R_{m_1,m_2}^2\) satisfying Definition 4 such that \(\langle c_1,m_1\rangle R^1_{m_1,m_2} \langle c_1,m_2\rangle \), and \(\langle c_2,m_1\rangle R^2_{m_1,m_2}\langle c_2,m_2\rangle \). Consider the first configuration pair of the following relation.

$$\begin{aligned} R_{m_1,m_2} = \,&\{(\langle \mathsf{if~}b \mathsf{~then~} c_1 \mathsf{~else~} c_2, m_1\rangle ,\langle \mathsf{if~}b \mathsf{~then~} c_1 \mathsf{~else~} c_2, m_2\rangle )\}\\&{{\cup }}\, R_{m_1,m_2}^1 {{\cup }}\, R_{m_1,m_2}^2 \end{aligned}$$

If the guard has a declassification annotation then, following the proof for assignment, requirements 1 and 2(i) trivially hold, and requirement 2(ii) follows from the requirements holding for subsequent configurations. These hold due to the fact that the wpif rule for conditionals requires \(\varGamma _E(b) \sqsubseteq \ell \) or, when b is declassified to security level d, \(d \sqsubseteq \ell \). Hence, when any released expressions are indistinguishable on \(m_1\) and \(m_2\), the choice of branch \(c_1\) or \(c_2\) will be the same for the low-equivalent states \(m_1\) and \(m_2\) (according to the operational semantics). Therefore, all resulting configurations will be related by either \(R^1_{m_1,m_2}\) or \(R^2_{m_1,m_2}\).

\(\textsf{while}(b)\,c\) The wpif rule for loops requires a loop invariant which holds in both \(m_1\) and \(m_2\) to be provided. Let M be the set of all memories satisfying the loop invariant and consider the following relation. By the induction hypothesis, for each \(m_1',m_2'\in M\) such that \(m_1'=_\ell m_2'\) there exists a relation \(R^1_{m_1',m_2'}\) such that \(\langle c, m_1'\rangle R^1_{m_1',m_2'} \langle c,m_2'\rangle \) and \(R^1_{m_1',m_2'}\) satisfies Definition 4.

[Figure e: definition of the relation \(R_{m_1,m_2}\) for loops]

Given \(m_1,m_2\in M\), the proof follows the proof for conditionals with the following changes based on the operational semantics: (i) when b is false, the subsequent program is stop and the state is unchanged, and (ii) when b is true, the subsequent program is \(c; \textsf{while}(b)\, c\). Note that in the latter case, since the loop invariant will be true after c terminates, requirement 2(ii) will hold due to the distributed union over all states satisfying the invariant in the definition of \(R_{m_1,m_2}\).    \(\square \)
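The side conditions used in the assignment case can be exercised on a small program. This is an added example, not code from the paper or its Dafny implementation: it enumerates a finite set of initial states instead of computing wpif, and it reads the "level \(d \sqsubseteq \ell\)" requirement as \(d \sqsubseteq \mathcal{L}(x)\). The two-point lattice, the PIN-check program and the names `LEVEL`, `gamma`, `check`, `bump`, `leak`, `release` and `states` are all assumptions made for illustration.

```python
LOW, HIGH = 0, 1  # two-point lattice, LOW below HIGH (assumed)
LEVEL = {"pin": HIGH, "guess": LOW, "tries": LOW, "ok": LOW}  # L(x), constructed

def gamma(reads):
    """Level of an expression: join of the levels of the variables it reads."""
    return max((LEVEL[v] for v in reads), default=LOW)

def check(program, initial_states):
    """Run the program from every initial state; return (step, reason) violations.

    Each step is (x, reads, fn, declass); declass is None or (d, predicate).
    """
    bad = set()
    for init in initial_states:
        m = dict(init)
        for i, (x, reads, fn, declass) in enumerate(program):
            if declass is None:
                # Unannotated x := e needs level(e) to flow to L(x).
                if gamma(reads) > LEVEL[x]:
                    bad.add((i, "flow"))
            else:
                d, pred = declass
                if d > LEVEL[x]:          # declassified level must flow to L(x)
                    bad.add((i, "level"))
                if not pred(m):           # predicate must hold just before the step
                    bad.add((i, "predicate"))
            m[x] = fn(m)
    return bad

# Constructed program: count an attempt, then report whether the guess matched.
bump = ("tries", ["tries"], lambda m: m["tries"] + 1, None)
leak = ("ok", ["pin", "guess"], lambda m: m["pin"] == m["guess"], None)
release = ("ok", ["pin", "guess"], lambda m: m["pin"] == m["guess"],
           (LOW, lambda m: m["tries"] <= 3))  # release only within 3 attempts

def states(max_tries):
    """Constructed S_0: small PIN/guess domain, tries in 0..max_tries."""
    return [{"pin": p, "guess": g, "tries": t, "ok": False}
            for p in range(3) for g in range(3) for t in range(max_tries + 1)]
```

The same `release` step is accepted for `states(2)` and rejected for `states(5)`, which mirrors the theorem's dependence on the set of initial states \(S_0\).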

Copyright information

© 2022 Springer Nature Switzerland AG

Cite this paper

Smith, G. (2022). Declassification Predicates for Controlled Information Release. In: Riesco, A., Zhang, M. (eds) Formal Methods and Software Engineering. ICFEM 2022. Lecture Notes in Computer Science, vol 13478. Springer, Cham. https://doi.org/10.1007/978-3-031-17244-1_18

  • DOI: https://doi.org/10.1007/978-3-031-17244-1_18

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17243-4

  • Online ISBN: 978-3-031-17244-1

  • eBook Packages: Computer Science, Computer Science (R0)
