Secrecy-preserving Refinement (NuSMV)¶
Description of the Case Study¶
Relating programs at different levels (e.g., high vs. low, abstract vs. concrete) is often involved in system design. For example, secure compilation specifies that when the compiler transforms the code (e.g., for optimization purposes), the compiled code should still satisfy the intended security property. For instance, to preserve the classic \(\forall \exists\) non-interference property during compilation, an \(\exists \forall \forall \exists \exists\) formula must be verified. That is, there exists a mapping \(M\) that preserves NI from code \(A\) to code \(B\).
The NuSMV model(s)¶
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
atom_p: boolean;
atom_q: boolean;
PC: 0..3;
ASSIGN
-- Initial Conditions
init(atom_p):= FALSE;
init(atom_q):= FALSE;
init(PC) := 0;
-- Transition Relations
next(atom_p) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): {TRUE, FALSE};
(PC=2): FALSE;
TRUE: atom_p;
esac;
next(atom_q) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): {TRUE, FALSE};
(PC=2): FALSE;
TRUE: atom_q;
esac;
next(PC) :=
case
(PC=3): 3;
TRUE: PC+1;
esac;
DEFINE
fAIL := (atom_p & atom_q);
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
atom_r: boolean;
atom_s: boolean;
PC: 0..3;
ASSIGN
-- Initial Conditions
init(atom_r):= FALSE;
init(atom_s):= FALSE;
init(PC) := 0;
-- Transition Relations
next(atom_r) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): FALSE;
(PC=2): FALSE;
TRUE: atom_r;
esac;
next(atom_s) :=
case
(PC=0): {TRUE, FALSE};
(PC=1): TRUE;
(PC=2): FALSE;
TRUE: atom_s;
esac;
next(PC) :=
case
(PC=3): 3;
TRUE: PC+1;
esac;
DEFINE
fAIL := (atom_r & atom_s);
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
pr: boolean;
ps: boolean;
qr: boolean;
qs: boolean;
ASSIGN
-- Initial Conditions is arbitrary in mapping synth
init(pr) := {TRUE, FALSE};
init(ps) := {TRUE, FALSE};
init(qr) := {TRUE, FALSE};
init(qs) := {TRUE, FALSE};
-- Transition Relations
next(pr) := pr;
next(ps) := ps;
next(qr) := qr;
next(qs) := qs;
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
secret: 0..1;
Alice_Bob_sec: boolean;
Bob_Eve_pub: boolean;
Bob_sec: boolean;
Eve_secisnotempty: boolean;
STATE: 0..6;
ASSIGN
-- Initial Conditions
init(secret) := {0,1};
init(Alice_Bob_sec):= FALSE;
init(Bob_Eve_pub):= FALSE;
init(Bob_sec):= FALSE;
init(Eve_secisnotempty):= FALSE;
init(STATE):= 0;
-- Transition Relations
next(secret) := secret;
next(Alice_Bob_sec) := {TRUE, FALSE};
next(Bob_Eve_pub) := {TRUE, FALSE};
next(Bob_sec):= {TRUE, FALSE};
next(Eve_secisnotempty) := {TRUE, FALSE};
next(STATE) :=
case
(STATE=0) : {1, 2};
(STATE=1) : {3, 4};
(STATE=2) : {2, 1};
(STATE=3) : {3, 4};
(STATE=4) : {5, 6};
TRUE: STATE;
esac;
DEFINE
VALID := ((STATE=0) -> (!Alice_Bob_sec& !Bob_Eve_pub & !Bob_sec & !Eve_secisnotempty))
& ((STATE=1) -> (Alice_Bob_sec & !Bob_Eve_pub & !Bob_sec & !Eve_secisnotempty))
& ((STATE=2) -> (!Alice_Bob_sec & Bob_Eve_pub & !Bob_sec & !Eve_secisnotempty))
& ((STATE=3) -> (Alice_Bob_sec & !Bob_Eve_pub & Bob_sec & !Eve_secisnotempty))
& ((STATE=4) -> (!Alice_Bob_sec & Bob_Eve_pub & Bob_sec & !Eve_secisnotempty))
& ((STATE=5) -> (!Alice_Bob_sec & Bob_Eve_pub & Bob_sec & !Eve_secisnotempty & (secret=0)))
& ((STATE=6) -> (!Alice_Bob_sec & Bob_Eve_pub & Bob_sec & Eve_secisnotempty & (secret=1)));
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
S_R_sec: boolean;
S_R_pub: boolean;
R_pub: boolean;
R_sec: boolean;
STATE: 0..3;
ASSIGN
-- Initial Conditions
init(S_R_sec):= FALSE;
init(S_R_pub):= FALSE;
init(R_pub):= FALSE;
init(R_sec):= FALSE;
init(STATE):= 0;
-- Transition Relations
next(S_R_sec) := {TRUE, FALSE};
next(S_R_pub) := {TRUE, FALSE};
next(R_pub) := {TRUE, FALSE};
next(R_sec) := {TRUE, FALSE};
next(STATE) :=
case
(STATE=0) : {1, 2};
(STATE=1) : {1, 3};
(STATE=2) : {2};
(STATE=3) : {3};
TRUE: STATE;
esac;
DEFINE
VALID := ((STATE=0) -> (!S_R_sec & !S_R_pub & !R_pub & !R_sec ))
& ((STATE=1) -> (!S_R_sec & S_R_pub & R_pub & !R_sec ))
& ((STATE=2) -> ( S_R_sec & !S_R_pub & !R_pub & R_sec ))
& ((STATE=3) -> ( S_R_sec & !S_R_pub & R_pub & R_sec ));
--(adopted from: Tzu-Han Hsu, Borzoo Bonakdarpour, Eunsuk Kang, and Stavros Tripakis. Mapping synthesis for hyperproperties. In 2022 IEEE 35th Computer Security Foundations Symposium (CSF))
MODULE main
VAR
ABs_SRs: boolean;
ABs_SRp: boolean;
BEp_SRs: boolean;
BEp_SRp: boolean;
Bs_Rp: boolean;
Bs_Rs: boolean;
Es_Rp: boolean;
Es_Rs: boolean;
ASSIGN
-- Initial Conditions is arbitrary in mapping synth
init(ABs_SRs) := {TRUE, FALSE};
init(ABs_SRp) := {TRUE, FALSE};
init(BEp_SRs) := {TRUE, FALSE};
init(BEp_SRp) := {TRUE, FALSE};
init(Bs_Rp) := {TRUE, FALSE};
init(Bs_Rs) := {TRUE, FALSE};
init(Es_Rp) := {TRUE, FALSE};
init(Es_Rs) := {TRUE, FALSE};
-- Transition Relations
next(ABs_SRs) := ABs_SRs;
next(ABs_SRp) := ABs_SRp;
next(BEp_SRs) := BEp_SRs;
next(BEp_SRp) := BEp_SRp;
next(Bs_Rp) := Bs_Rp;
next(Bs_Rs) := Bs_Rs;
next(Es_Rp) := Es_Rp;
next(Es_Rs) := Es_Rs;
DEFINE
The HyperLTL formula(s)¶
The synthesis specification nests quantifiers to ensure that every abstract/concrete execution pair can be related by some mapping trace \(\pi_M\) that preserves non-interference. HyperQB searches for a witness mapping, increasing complexity by one alternation over the underlying security requirement.
\[\Phi_{\text{NI--ABM}} =
\exists \pi_M .
\forall \pi_{A_1} . \forall \pi_{B_1} .
\exists \pi_{A_2} . \exists \pi_{B_2} .
\left( \varphi_{\mathit{map}_1} \rightarrow
\left( \varphi_{\mathit{map}_2} \land \psi_{\text{NI}} \right) \right)\]
Exists A . Forall B . Forall C . Exists D . Exists E .
G
(
(pr[A]&~ps[A] & ~qr[A]&qs[A])
|
(~pr[A]&ps[A] & qr[A]&~qs[A])
)
&
(
G (
((pr[A]) -> ((atom_p[B]) -> (atom_r[C]))) &
((ps[A]) -> ((atom_p[B]) -> (atom_s[C]))) &
((qr[A]) -> ((atom_q[B]) -> (atom_r[C]))) &
((qs[A]) -> ((atom_q[B]) -> (atom_s[C]))) &
(~fAIL[B] & ~fAIL[C])
)
->
(
G (
((pr[A]) -> ((atom_p[D]) -> (atom_r[E]))) &
((ps[A]) -> ((atom_p[D]) -> (atom_s[E]))) &
((qr[A]) -> ((atom_q[D]) -> (atom_r[E]))) &
((qs[A]) -> ((atom_q[D]) -> (atom_s[E]))) &
(~fAIL[D] & ~fAIL[E])
)
&
G (
(atom_p[B]) -> (~atom_p[D])
)
)
)
Exists A . Forall B . Forall C . Exists D . Exists E .
(G (
((ABs_SRs[A]) -> ((Alice_Bob_sec[B]) -> (S_R_sec[C]))) &
((ABs_SRp[A]) -> ((Alice_Bob_sec[B]) -> (S_R_pub[C]))) &
((BEp_SRs[A]) -> ((Bob_Eve_pub[B]) -> (S_R_sec[C]))) &
((BEp_SRp[A]) -> ((Bob_Eve_pub[B]) -> (S_R_pub[C]))) &
((Bs_Rp[A]) -> ((Bob_sec[B]) -> (R_pub[C]))) &
((Bs_Rs[A]) -> ((Bob_sec[B]) -> (R_sec[C]))) &
((Es_Rp[A]) -> ((Eve_secisnotempty[B]) -> (R_pub[C]))) &
((Es_Rs[A]) -> ((Eve_secisnotempty[B]) -> (R_sec[C])))
)
->
(
G (
((ABs_SRs[A]) -> ((Alice_Bob_sec[D]) -> (S_R_sec[E]))) &
((ABs_SRp[A]) -> ((Alice_Bob_sec[D]) -> (S_R_pub[E]))) &
((BEp_SRs[A]) -> ((Bob_Eve_pub[D]) -> (S_R_sec[E]))) &
((BEp_SRp[A]) -> ((Bob_Eve_pub[D]) -> (S_R_pub[E]))) &
((Bs_Rp[A]) -> ((Bob_sec[D]) -> (R_pub[E]))) &
((Bs_Rs[A]) -> ((Bob_sec[D]) -> (R_sec[E]))) &
((Es_Rp[A]) -> ((Eve_secisnotempty[D]) -> (R_pub[E]))) &
((Es_Rs[A]) -> ((Eve_secisnotempty[D]) -> (R_sec[E])))
)
&
G ( ~(secret[B] = secret[D]) & (Eve_secisnotempty[B] = Eve_secisnotempty[D]))
)
)