Trace Equivalence and Epistemic Logic to Express Security Properties

In process algebras, security properties are expressed as equivalences between processes, but which equivalence is suitable is not clear. This means that there is a gap between an intuitive security notion and the formulation. Appropriate formalization is essential for verification, and our purpose is bridging this gap. By chasing scope extrusions, we prove that trace equivalence is congruent. Moreover, we construct an epistemic logic for the applied pi calculus and show that its logical equivalence agrees with the trace equivalence. We use the epistemic logic to show that trace equivalence is pertinent in the presence of a non-adaptive attacker

A Spatial-Epistemic Logic for Reasoning about Security Protocols

Reasoning about security properties involves reasoning about where the information of a system is located, and how it evolves over time. While most security analysis techniques need to cope with some notions of information locality and knowledge propagation, usually they do not provide a general language for expressing arbitrary properties involving local knowledge and knowledge transfer. Building on this observation, we introduce a framework for security protocol analysis based on dynamic spatial logic specifications. Our computational model is a variant of existing pi-calculi, while specifications are expressed in a dynamic spatial logic extended with an epistemic operator. We present the syntax and semantics of the model and logic, and discuss the expressiveness of the approach, showing it complete for passive attackers. We also prove that generic Dolev-Yao attackers may be mechanically determined for any deterministic finite protocol, and discuss how this result may be used to reason about security properties of open systems. We also present a model-checking algorithm for our logic, which has been implemented as an extension to the SLMC system.Comment: In Proceedings SecCo 2010, arXiv:1102.516

A Temporal Logic for Hyperproperties

Hyperproperties, as introduced by Clarkson and Schneider, characterize the correctness of a computer program as a condition on its set of computation paths. Standard temporal logics can only refer to a single path at a time, and therefore cannot express many hyperproperties of interest, including noninterference and other important properties in security and coding theory. In this paper, we investigate an extension of temporal logic with explicit path variables. We show that the quantification over paths naturally subsumes other extensions of temporal logic with operators for information flow and knowledge. The model checking problem for temporal logic with path quantification is decidable. For alternation depth 1, the complexity is PSPACE in the length of the formula and NLOGSPACE in the size of the system, as for linear-time temporal logic

Statistical Epistemic Logic

We introduce a modal logic for describing statistical knowledge, which we call statistical epistemic logic. We propose a Kripke model dealing with probability distributions and stochastic assignments, and show a stochastic semantics for the logic. To our knowledge, this is the first semantics for modal logic that can express the statistical knowledge dependent on non-deterministic inputs and the statistical significance of observed results. By using statistical epistemic logic, we express a notion of statistical secrecy with a confidence level. We also show that this logic is useful to formalize statistical hypothesis testing and differential privacy in a simple and abstract manner

Reconciling operational and epistemic approaches to the formal analysis of crypto-based security protocols

We propose a unifying framework for formal specification and verification of both epistemic and behavioral aspects of security protocols. The main novelty of the proposed framework is the explicit support for cryptographic constructs, which is among the most essential ingredients of security protocols. Due to this feature, the indistinguishability relation for the epistemic constructs gets a dynamic semantics by taking the communicated keys and cryptographic terms in the operational specification into account

An Epistemic Approach to the Formal Specification of Statistical Machine Learning

We propose an epistemic approach to formalizing statistical properties of machine learning. Specifically, we introduce a formal model for supervised learning based on a Kripke model where each possible world corresponds to a possible dataset and modal operators are interpreted as transformation and testing on datasets. Then we formalize various notions of the classification performance, robustness, and fairness of statistical classifiers by using our extension of statistical epistemic logic (StatEL). In this formalization, we show relationships among properties of classifiers, and relevance between classification performance and robustness. As far as we know, this is the first work that uses epistemic models and logical formulas to express statistical properties of machine learning, and would be a starting point to develop theories of formal specification of machine learning.Comment: Accepted in Software and Systems Modeling https://rdcu.be/b7ssR This paper is the journal version of the SEFM'19 conference paper arxiv:1907.1032

Privacy by Design: a Formal Framework for the Analysis of Architectural Choices (extended version)

The privacy by design approach has already been put into practice in different application areas. We believe that the next challenge today is to go beyond individual cases and to provide methodologies to explore the design space in a systematic way. As a first step in this direction, we focus in this report on the data minimization principle and consider different options using decentralized architectures in which actors do not necessarily trust each other. We propose a framework to express the parameters to be taken into account (the service to be performed, the actors involved, their respective requirements, etc.) and an inference system to derive properties such as the possibility for an actor to detect potential errors (or frauds) in the computation of a variable. This inference system can be used in the design phase to check if an architecture meets the requirements of the parties or to point out conflicting requirements.La démarche de protection de la vie privée par conception (ou "privacy by design") a déjà été mise en pratique dans différents domaines d'applications. Le prochain défi en la matière est de dépasser le traitement au cas par cas pour fournir des méthodes de conception plus systématiques. Dans ce rapport, nous proposons à cet effet une méthode mettant en oeuvre le principe de minimisation des données. Elle permet d'analyser différents choix de conception reposant sur des architectures décentralisées dans lesquelles les acteurs ne s'accordent pas forcément une totale confiance. Le cadre proposé permet d'exprimer les paramètres à prendre en compte (service à assurer, acteurs impliqués, exigences en terme de protection des données ou d'accès aux informations, etc.) et d'analyser les choix d'architectures à l'aide d'un système d'inférence. Ce système peut être utilisé dans la phase de conception pour montrer qu'une architecture satisfait toutes les propriétés requises ou pour détecter des exigences inconciliables

A temporal logic approach to information-flow control

Information leaks and other violations of information security pose a severe threat to individuals, companies, and even countries. The mechanisms by which attackers threaten information security are diverse and to show their absence thus proved to be a challenging problem. Information-flow control is a principled approach to prevent security incidents in programs and other technical systems. In information-flow control we define information-flow properties, which are sufficient conditions for when the system is secure in a particular attack scenario. By defining the information-flow property only based on what parts of the executions of the system a potential attacker can observe or control, we obtain security guarantees that are independent of implementation details and thus easy to understand. There are several methods available to enforce (or verify) information-flow properties once defined. We focus on static enforcement methods, which automatically determine whether a given system satisfies a given information-flow property for all possible inputs to the system. Most enforcement approaches that are available today have one problem in common: they each only work for one particular programming language or information-flow property. In this thesis, we propose a temporal logic approach to information-flow control to provide a simple formal basis for the specification and enforcement of information-flow properties. We show that the approach can be used to enforce a wide range of information-flow properties with a single algorithm. The main challenge is that the standard temporal logics are unable to express information-flow properties. They lack the ability to relate multiple executions of a system, which is essential for information-flow properties. We thus extend the temporal logics LTL and CTL* by the ability to quantify over multiple executions and to relate them using boolean and temporal operators. The resulting temporal logics HyperLTL and HyperCTL* can express many information-flow properties of interest. The extension of temporal logics com- pels us to revisit the algorithmic problem to check whether a given system (model) satisfies a given specification in HyperLTL or HyperCTL*; also called the model checking problem. On the technical side, the main contribution is a model checking algorithm for HyperLTL and HyperCTL* and the detailed complexity analysis of the model checking problem: We give nonelementary lower and upper bounds for its computational complexity, both in the size of the system and the size of the specification. The complexity analysis also reveals a class of specification, which includes many of the commonly consid- ered information-flow properties and for which the algorithm is efficient (in NLOGSPACE in the size of the system). For this class of efficiently checkable properties, we provide an approach to reuse existing technology in hardware model checking for information-flow control. We demonstrate along a case study that the temporal logic approach to information-flow control is flexible and effective. We further provide two case studies that demonstrate the use of HyperLTL and HyperCTL* for proving properties of error resistant codes and distributed protocols that have so far only been considered in manual proofs.Informationssicherheit stellt eine immer größere Bedrohung für einzelne Personen, Firmen und selbst ganze Länder dar. Ein grundlegender Ansatz zur Vorbeugung von Sicherheitsproblemen in technischen Systemen, wie zum Beispiel Programmen, ist Informationsflusskontrolle. In der Informationsflusskontrolle definieren wir zunächst sogenannte Informationsflusseigenschaften, welche hinreichende Bedingungen für die Sicherheit des gegebenen Systems in einem Sicherheitsszenario darstellen. Indem wir Informationsflusseigenschaften nur auf Basis der möglichen Beobachtungen eines Angreifers über das System definieren, erhalten wir einfach zu verstehende Sicherheitsgarantien, die unabhängig von Implementierungsdetails sind. Nach der Definition von Eigenschaften muss sichergestellt werden, dass ein gegebenes System seine Informationsflusseigenschaft erfüllt, wofür es bereits verschiedene Methoden gibt. Wir fokussieren uns in dieser Arbeit auf statische Methoden, welche für ein gegebenes System und eine gegebene Informationsflusseigenschaft automatisch entscheiden, ob das System die Eigenschaft für alle möglichen Eingaben erfüllt, was wir auch das Modellprüfungsproblem nennen. Die meisten verfügbaren Methoden zum Sicherstellen der Einhaltung von Informationsflusseigenschaften teilen jedoch eine Schwäche: sie funktionieren nur für eine einzelne Programmiersprache oder eine einzelne Informationsflusseigenschaft. In dieser Arbeit verfolgen wir einen Ansatz basierend auf Temporallogiken, um eine einfache theoretische Basis für die Spezifikation von Informationsflusseigenschaften und deren Umsetzung zu erhalten. Wir analysieren den Zusammenhang von der Ausdrucksmächtigkeit von Spezifikationssprachen und dem algorithmischen Problem Spezifikationen für ein System zu überprüfen. Anhand einer Fallstudie im Bereich der Hardwaresicherheit zeigen wir, dass der Ansatz dazu geeignet ist eine breite Palette von bekannten und neuen Informationsflusseigenschaften mittels eines einzelnen Modellprüfungsalgorithmus zu beweisen. Das Kernproblem hierbei ist, dass wir in den üblichen Temporallogiken Informationsflusseigenschaften nicht ausdrücken können, es fehlt die Fähigkeit mehrere Ausführungen eines Systems miteinander zu vergleichen, was der gemeinsame Nenner von Informationsflusseigenschaften ist. Wir erweitern Temporallogiken daher um die Fähigkeit über mehrere Ausführungen zu quantifizieren und diese miteinander zu vergleichen. Der Hauptbeitrag auf der technischen Ebene ist ein Modellprüfungsalgorithmus und eine detaillierte Analyse der Komplexität des Modellprüfungsproblems. Wir geben einen Modellprüfungsalgorithmus an und beweisen, dass der Algorithmus asymptotisch optimal ist. Die Komplexitätsanalyse zeigt auch eine Klasse von Eigenschaften auf, welche viele der üblichen Informationsflusseigenschaften beinhaltet, und für welche der gegebene Algorithmus effizient ist (in NLOGSPACE in der Größe des Systems). Für diese Klasse von effizient überprüfbaren Eigenschaften diskutieren wir einen Ansatz bestehende Technologie zur Modellprüfung von Hardware für Informationsflusskontrolle wiederzuverwenden. Anhand einer Fallstudie zeigen wir, dass der Ansatz flexibel und effektiv eingesetzt werden kann. Desweiteren diskutieren wir zwei weitere Fallstudien, welche demonstrieren, dass die vorgeschlagene Erweiterung von Temporallogiken auch eingesetzt werden kann, um Eigenschaften für fehlerresistente Kodierungen und verteilte Protokolle zu beweisen, welche bisher nur Abstrakt betrachtet werden konnten