Secrecy-preserving Refinement¶
Description of the Case Study¶
Relating programs at different levels (e.g., high vs. low, abstract vs. concrete) is often involved in system design. For example, secure compilation specifies that when the compiler transforms the code (e.g., for optimization purposes), the compiled code should still satisfy the intended security property. For instance, to preserve the classic \(\forall \exists\) non-interference property during compilation, an \(\exists \forall \forall \exists \exists\) formula must be verified. That is, there exists a mapping \(M\) that preserves NI from code \(A\) to code \(B\), as follows:
\[\Phi_{\text{NI--ABM}} =
\exists \pi_M .
\forall \pi_{A_1} . \forall \pi_{B_1} .
\exists \pi_{A_2} . \exists \pi_{B_2} .
\left( \varphi_{\mathit{map}_1} \rightarrow
\left( \varphi_{\mathit{map}_2} \land \psi_{\text{NI}} \right) \right)\]
HyperQB is able to correctly synthesize a correct mapping (i.e., the leading \(\exists\)) if one exists. Such a formula with multiple quantifier alternations bumps up the complexity of model checking by one step in the polynomial hierarchy compared to the original non-interference formula.
Benchmarks¶
The Model(s)
--MAPSYNTH
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
atom_p: boolean;
atom_q: boolean;
PC: 0..3;
ASSIGN
-- Initial Conditions
init(atom_p):= FALSE;
init(atom_q):= FALSE;
init(PC) := 0;
-- Transition Relations
next(atom_p) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): {TRUE, FALSE};
(PC=2): FALSE;
TRUE: atom_p;
esac;
next(atom_q) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): {TRUE, FALSE};
(PC=2): FALSE;
TRUE: atom_q;
esac;
next(PC) :=
case
(PC=3): 3;
TRUE: PC+1;
esac;
DEFINE
fAIL := (atom_p & atom_q);
--MAPSYNTH
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
atom_r: boolean;
atom_s: boolean;
PC: 0..3;
ASSIGN
-- Initial Conditions
init(atom_r):= FALSE;
init(atom_s):= FALSE;
init(PC) := 0;
-- Transition Relations
next(atom_r) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): FALSE;
(PC=2): FALSE;
TRUE: atom_r;
esac;
next(atom_s) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): TRUE;
(PC=2): FALSE;
TRUE: atom_s;
esac;
next(PC) :=
case
(PC=3): 3;
TRUE: PC+1;
esac;
DEFINE
fAIL := (atom_r & atom_s);
--MAPSYNTH
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
pr: boolean;
ps: boolean;
qr: boolean;
qs: boolean;
ASSIGN
-- Initial Conditions is arbitrary in mapping synth
init(pr) := {TRUE, FALSE};
init(ps) := {TRUE, FALSE};
init(qr) := {TRUE, FALSE};
init(qs) := {TRUE, FALSE};
-- Transition Relations
next(pr) := pr;
next(ps) := ps;
next(qr) := qr;
next(qs) := qs;
DEFINE
Formula
Exists A . Forall B . Forall C . Exists D . Exists E .
G
(
(pr[A]&~ps[A] & ~qr[A]&qs[A])
|
(~pr[A]&ps[A] & qr[A]&~qs[A])
)
&
(
G (
((pr[A]) -> ((atom_p[B]) -> (atom_r[C]))) &
((ps[A]) -> ((atom_p[B]) -> (atom_s[C]))) &
((qr[A]) -> ((atom_q[B]) -> (atom_r[C]))) &
((qs[A]) -> ((atom_q[B]) -> (atom_s[C]))) &
(~fAIL[B] & ~fAIL[C])
)
->
(
G (
((pr[A]) -> ((atom_p[D]) -> (atom_r[E]))) &
((ps[A]) -> ((atom_p[D]) -> (atom_s[E]))) &
((qr[A]) -> ((atom_q[D]) -> (atom_r[E]))) &
((qs[A]) -> ((atom_q[D]) -> (atom_s[E]))) &
(~fAIL[D] & ~fAIL[E])
)
&
G (
(atom_p[B]) -> (~atom_p[D])
)
)
)
The Model(s)
--MAPSYNTH
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
secret: 0..1;
Alice_Bob_sec: boolean;
Bob_Eve_pub: boolean;
Bob_sec: boolean;
Eve_secisnotempty: boolean;
STATE: 0..6;
ASSIGN
-- Initial Conditions
init(secret) := {0,1};
init(Alice_Bob_sec):= FALSE;
init(Bob_Eve_pub):= FALSE;
init(Bob_sec):= FALSE;
init(Eve_secisnotempty):= FALSE;
init(STATE):= 0;
-- Transition Relations
next(secret) := secret;
next(Alice_Bob_sec) := {TRUE, FALSE};
next(Bob_Eve_pub) := {TRUE, FALSE};
next(Bob_sec):= {TRUE, FALSE};
next(Eve_secisnotempty) := {TRUE, FALSE};
next(STATE) :=
case
(STATE=0) : {1, 2};
(STATE=1) : {3, 4};
(STATE=2) : {2, 1};
(STATE=3) : {3, 4};
(STATE=4) : {5, 6};
TRUE: STATE;
esac;
DEFINE
VALID := ((STATE=0) -> (!Alice_Bob_sec& !Bob_Eve_pub & !Bob_sec & !Eve_secisnotempty))
& ((STATE=1) -> (Alice_Bob_sec & !Bob_Eve_pub & !Bob_sec & !Eve_secisnotempty))
& ((STATE=2) -> (!Alice_Bob_sec & Bob_Eve_pub & !Bob_sec & !Eve_secisnotempty))
& ((STATE=3) -> (Alice_Bob_sec & !Bob_Eve_pub & Bob_sec & !Eve_secisnotempty))
& ((STATE=4) -> (!Alice_Bob_sec & Bob_Eve_pub & Bob_sec & !Eve_secisnotempty))
& ((STATE=5) -> (!Alice_Bob_sec & Bob_Eve_pub & Bob_sec & !Eve_secisnotempty & (secret=0)))
& ((STATE=6) -> (!Alice_Bob_sec & Bob_Eve_pub & Bob_sec & Eve_secisnotempty & (secret=1)));
--MAPSYNTH
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
S_R_sec: boolean;
S_R_pub: boolean;
R_pub: boolean;
R_sec: boolean;
STATE: 0..3;
ASSIGN
-- Initial Conditions
init(S_R_sec):= FALSE;
init(S_R_pub):= FALSE;
init(R_pub):= FALSE;
init(R_sec):= FALSE;
init(STATE):= 0;
-- Transition Relations
next(S_R_sec) := {TRUE, FALSE};
next(S_R_pub) := {TRUE, FALSE};
next(R_pub) := {TRUE, FALSE};
next(R_sec) := {TRUE, FALSE};
next(STATE) :=
case
(STATE=0) : {1, 2};
(STATE=1) : {1, 3};
(STATE=2) : {2};
(STATE=3) : {3};
TRUE: STATE;
esac;
DEFINE
VALID := ((STATE=0) -> (!S_R_sec & !S_R_pub & !R_pub & !R_sec ))
& ((STATE=1) -> (!S_R_sec & S_R_pub & R_pub & !R_sec ))
& ((STATE=2) -> ( S_R_sec & !S_R_pub & !R_pub & R_sec ))
& ((STATE=3) -> ( S_R_sec & !S_R_pub & R_pub & R_sec ));
--MAPSYNTH
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
ABs_SRs: boolean;
ABs_SRp: boolean;
BEp_SRs: boolean;
BEp_SRp: boolean;
Bs_Rp: boolean;
Bs_Rs: boolean;
Es_Rp: boolean;
Es_Rs: boolean;
ASSIGN
-- Initial Conditions is arbitrary in mapping synth
init(ABs_SRs) := {TRUE, FALSE};
init(ABs_SRp) := {TRUE, FALSE};
init(BEp_SRs) := {TRUE, FALSE};
init(BEp_SRp) := {TRUE, FALSE};
init(Bs_Rp) := {TRUE, FALSE};
init(Bs_Rs) := {TRUE, FALSE};
init(Es_Rp) := {TRUE, FALSE};
init(Es_Rs) := {TRUE, FALSE};
-- Transition Relations
next(ABs_SRs) := ABs_SRs;
next(ABs_SRp) := ABs_SRp;
next(BEp_SRs) := BEp_SRs;
next(BEp_SRp) := BEp_SRp;
next(Bs_Rp) := Bs_Rp;
next(Bs_Rs) := Bs_Rs;
next(Es_Rp) := Es_Rp;
next(Es_Rs) := Es_Rs;
DEFINE
Formula
Exists A . Forall B . Forall C . Exists D . Exists E .
(G (
((ABs_SRs[A]) -> ((Alice_Bob_sec[B]) -> (S_R_sec[C]))) &
((ABs_SRp[A]) -> ((Alice_Bob_sec[B]) -> (S_R_pub[C]))) &
((BEp_SRs[A]) -> ((Bob_Eve_pub[B]) -> (S_R_sec[C]))) &
((BEp_SRp[A]) -> ((Bob_Eve_pub[B]) -> (S_R_pub[C]))) &
((Bs_Rp[A]) -> ((Bob_sec[B]) -> (R_pub[C]))) &
((Bs_Rs[A]) -> ((Bob_sec[B]) -> (R_sec[C]))) &
((Es_Rp[A]) -> ((Eve_secisnotempty[B]) -> (R_pub[C]))) &
((Es_Rs[A]) -> ((Eve_secisnotempty[B]) -> (R_sec[C])))
)
->
(
G (
((ABs_SRs[A]) -> ((Alice_Bob_sec[D]) -> (S_R_sec[E]))) &
((ABs_SRp[A]) -> ((Alice_Bob_sec[D]) -> (S_R_pub[E]))) &
((BEp_SRs[A]) -> ((Bob_Eve_pub[D]) -> (S_R_sec[E]))) &
((BEp_SRp[A]) -> ((Bob_Eve_pub[D]) -> (S_R_pub[E]))) &
((Bs_Rp[A]) -> ((Bob_sec[D]) -> (R_pub[E]))) &
((Bs_Rs[A]) -> ((Bob_sec[D]) -> (R_sec[E]))) &
((Es_Rp[A]) -> ((Eve_secisnotempty[D]) -> (R_pub[E]))) &
((Es_Rs[A]) -> ((Eve_secisnotempty[D]) -> (R_sec[E])))
)
&
G ( ~(secret[B] = secret[D]) & (Eve_secisnotempty[B] = Eve_secisnotempty[D]))
)
)