159 research outputs found
Democratising migration governance : temporary labour migration and the responsibility to represent
Defence date: 20 January 2020Examining Board: Professor Rainer Bauböck, European University Institute (Supervisor); Professor Richard Bellamy, European University Institute Professor; Iseult Honohan, University College Dublin; Professor Valeria Ottonelli, Università degli Studi di GenovaThis thesis explores the possibility of democratic citizenship of temporary migrants. The main problem I investigate is the persistent and systemic vulnerability of temporary migrants to domination. I argue temporary migrants’ vulnerability to domination stems primarily from the fact that responsibilities towards them and their political membership are divided between their country of residence and of origin. While their lives are conditioned by both countries, they are democratically isolated from both. Are they merely partial citizens detached from any democratic politics? If not, what responsibility should each country bear towards temporary migrants within and beyond their jurisdictions? Should our commitments to democracy lead us to endorse a radical conception of migrant citizenship through which migrants represent their interests and perspectives in-between their country of residence and origin? This thesis addresses these normative issues surrounding temporary labour migration. It develops a democratic theory applicable to this phenomenon, explores the moral and political basis of migrants’ freedom, and explains how the current arrangements might be changed to produce a more democratically just outcome. Its main contribution lies in establishing a new account of democratic citizenship and responsibility that coherently accommodates the political agencies of temporary migrants. The thesis introduces, in particular, a new normative concept and political agenda – the Responsibility to Represent (R2R). Under a system of R2R, both sending and receiving countries bear a shared obligation to stage migrants’ contestatory voices in their public policy-making process for creating a society where everyone is free from domination. In summary, I argue that temporary migration programmes are just and legitimate, if and only if both sending and receiving states (1) recognise temporary migrants as bearers of a distinct life plan deserving equal treatment and non-domination, (2) provide them with necessary protections and sufficient resources for carrying out their plans while accommodating their possible changes, and (3) institutionalise contestatory channels for them to (de)legitimise the current structure of responsibility in-between two states
CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity
Information flow security ensures that the secret data manipulated by a
program does not influence its observable output. Proving information flow
security is especially challenging for concurrent programs, where operations on
secret data may influence the execution time of a thread and, thereby, the
interleaving between different threads. Such internal timing channels may
affect the observable outcome of a program even if an attacker does not observe
execution times. Existing verification techniques for information flow security
in concurrent programs attempt to prove that secret data does not influence the
relative timing of threads. However, these techniques are often restrictive
(for instance because they disallow branching on secret data) and make strong
assumptions about the execution platform (ignoring caching, processor
instructions with data-dependent runtime, and other common features that affect
execution time). In this paper, we present a novel verification technique for
secure information flow in concurrent programs that lifts these restrictions
and does not make any assumptions about timing behavior. The key idea is to
prove that all mutating operations performed on shared data commute, such that
different thread interleavings do not influence its final value. Crucially,
commutativity is required only for an abstraction of the shared data that
contains the information that will be leaked to a public output. Abstract
commutativity is satisfied by many more operations than standard commutativity,
which makes our technique widely applicable. We formalize our technique in
CommCSL, a relational concurrent separation logic with support for
commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We
implemented CommCSL in HyperViper, an automated verifier based on the Viper
verification infrastructure, and demonstrate its ability to verify challenging
examples
Formal Methods for Trustworthy Voting Systems : From Trusted Components to Reliable Software
Voting is prominently an important part of democratic societies, and its outcome may have a dramatic and broad impact on societal progress. Therefore, it is paramount that such a society has extensive trust in the electoral process, such that the system’s functioning is reliable and stable with respect to the expectations within society. Yet, with or without the use of modern technology, voting is full of algorithmic and security challenges, and the failure to address these challenges in a controlled manner may produce fundamental flaws in the voting system and potentially undermine critical societal aspects.
In this thesis, we argue for a development process of voting systems that is rooted in and assisted by formal methods that produce transparently checkable evidence for the guarantees that the final system should provide so that it can be deemed trustworthy. The goal of this thesis is to advance the state of the art in formal methods that allow to systematically develop trustworthy voting systems that can be provenly verified. In the literature, voting systems are modeled in the following four comparatively separable and distinguishable layers: (1) the physical layer, (2) the computational layer, (3) the election layer, and (4) the human layer. Current research usually either mostly stays within one of those layers or lacks machine-checkable evidence, and consequently, trusted and understandable criteria often lack formally proven and checkable guarantees on software-level and vice versa.
The contributions in this work are formal methods that fill in the trust gap between the principal election layer and the computational layer by a reliable translation of trusted and understandable criteria into trustworthy software. Thereby, we enable that executable procedures can be formally traced back and understood by election experts without the need for inspection on code level, and trust can be preserved to the trustworthy system.
The works in this thesis all contribute to this end and consist in five distinct contributions, which are the following:
(I) a method for the generation of secure card-based communication schemes,
(II) a method for the synthesis of reliable tallying procedures,
(III) a method for the efficient verification of reliable tallying procedures,
(IV) a method for the computation of dependable election margins for reliable audits,
(V) a case study about the security verification of the GI voter-anonymization software.
These contributions span formal methods on illustrative examples for each of the three principal components, (1) voter-ballot box communication, (2) election method, and (3) election management, between the election layer and the computational layer.
Within the first component, the voter-ballot box communication channel, we build a bridge from the communication channel to the cryptography scheme by automatically generating secure card-based schemes from a small formal model with a parameterization of the desired security requirements. For the second component, the election method, we build a bridge from the election method to the tallying procedure by (1) automatically synthesizing a runnable tallying procedure from the desired requirements given as properties that capture the desired intuitions or regulations of fairness considerations, (2) automatically generating either comprehensible arguments or bounded proofs to compare tallying procedures based on user-definable fairness properties, and (3) automatically computing concrete election margins for a given tallying procedure, the collected ballots, and the computed election result, that enable efficient election audits. Finally, for the third and final component, the election management system, we perform a case study and apply state-of-the-art verification technology to a real-world e-voting system that has been used for the annual elections of the German Informatics Society (GI – “Gesellschaft für Informatik”) in 2019. The case study consists in the formal implementation-level security verification that the voter identities are securely anonymized and the voters’ passwords cannot be leaked.
The presented methods assist the systematic development and verification of provenly trustworthy voting systems across traditional layers, i.e., from the election layer to the computational layer. They all pursue the goal of making voting systems trustworthy by reliable and explainable formal requirements. We evaluate the devised methods on minimal card-based protocols that compute a secure AND function for two different decks of cards, a classical knock-out tournament and several Condorcet rules, various plurality, scoring, and Condorcet rules from the literature, the Danish national parliamentary elections in 2015, and a state-of-the-art electronic voting system that is used for the German Informatics Society’s annual elections in 2019 and following
Information Flow Control in Spring Web Applications
Companies rely extensively on frameworks and APIs when developing their systems,
as these mechanisms are quite advantageous. Two of the most conspicuous benefits
are their ease of use and workload reduction, allowing for shorter and more responsive
development cycles. However, most frameworks do not provide security properties such
as data confidentiality as other tools do. A prime example is a Spring. It is the most
heavily used Java web development framework, hosting a vast array of functionalities,
ranging from data layer functionalities (c.f. hibernate and JPA), security providers, and
metrics providers to provide statistical data on the application itself as well as a layer for
REST communication. However, to achieve such advanced functionalities, Spring resorts
to bytecode manipulation and generation during its startup period, hindering the use of
other formal analysis tools that use similar processes in their execution.
In a broader sense, we provide a comprehensive approach for the static analysis of
spring-based web applications. We introduce hooks in the Spring pipeline, making
feasible the formal analysis and manipulation of the complete, run-time-generated appli-
cation bytecode through a well-defined interface. The hooks provide not only access to
the entire web application’s bytecode but also allow for the replacement of the applica-
tion’s component, enabling more complex analysis requiring the instrumentation of the
application.
To address data confidentiality-related issues in web applications developed with this
framework, we propose integrating information flow control tools in the framework’s
pipeline. Namely, we combine Spring with Snitch, a tool for hybrid information flow
control in Java bytecode that will be used as a case-study.As empresas apoiam-se cada vez mais em frameworks e APIs quando desenvolvem
os seus sistemas, pois estas ferramentas fornecem grandes vantagens. Duas das maiores
vantages destes sistemas são a sua fácil utilização/integração nos sistemas bem como a
quantidade de trabalho que reduzem ao desenvolvedor, permitindo assim perĂodos de
desenvolvimento mais curtos e responsivos. Ainda assim, a mrioria das frameworks nĂŁo
têm como lidar com propriedades de segurança fundamentais como confidencialidade dos
dados. Um dos exemplos mais conhecidos é o Spring. É a framework mais usada em Java
para desenvolvimento web, oferecendo um vasto leque de funcionalidades, variando entre
uma camada que lida com dados (eg: hibernate e JPA), uma camada gestora de segurança
nas aplicações, uma camada estatĂstica que permite analisar a performance do sistema e
também uma camada para comunicação REST. Para alcançar estas funcionalidades, que
não são triviais, o Spring recorre a mecanismos de manipulação de bytecode e geração
de cĂłdigo durante o seu perĂodo de inicialização, perturbando o uso de ferramentas de
análise formais que recorrem a processos semelhantes na sua execução.
Em geral, nós fornecemos uma nova forma de lidar com análise formal em aplicações
web Spring. Aqui introduzimos hooks no processo de inicialização do Spring, tornando
possĂvel que a análise formal e a manipulação de todo o bytecode gerado da aplicação a
partir duma interface cuidadosamente definida. Os hooks fornecidos fornecem acesso ao
bytecode da aplicação na sua totalidade bem como permitem a substituição do componente
da aplicação, permitindo assim a análise complexa e formal por parte da ferramenta que
pode requerer instrumentação da aplicação.
Para lidar com problemas relacionados com confidencialidade dos dados em aplicações
web desenvolvidas com a framework, propomos a integração de ferramentas de controlo
do fluxo de informação na prórpia framework. Assim, juntamos Spring e Snitch, uma
ferramenta que analisa bytecode para verificar a segurança do fluxo de informação hĂbrida
Expressiveness and Decidability of Temporal Logics for Asynchronous Hyperproperties
Hyperproperties are properties of systems that relate different executions traces, with many applications from security to symmetry, consistency models of concurrency, etc. In recent years, different linear-time logics for specifying asynchronous hyperproperties have been investigated. Though model checking of these logics is undecidable, useful decidable fragments have been identified with applications e.g. for asynchronous security analysis. In this paper, we address expressiveness and decidability issues of temporal logics for asynchronous hyperproperties. We compare the expressiveness of these logics together with the extension S1S[E] of S1S with the equal-level predicate by obtaining an almost complete expressiveness picture. We also study the expressive power of these logics when interpreted on singleton sets of traces. We show that for two asynchronous extensions of HyperLTL, checking the existence of a singleton model is already undecidable, and for one of them, namely Context HyperLTL (HyperLTLC), we establish a characterization of the singleton models in terms of the extension of standard FO[<] over traces with addition. This last result generalizes the well-known equivalence between FO[<] and LTL. Finally, we identify new boundaries on the decidability of model checking HyperLTL
Expressiveness and Decidability of Temporal Logics for Asynchronous Hyperproperties
Hyperproperties are properties of systems that relate different executions traces, with many applications from security to symmetry, consistency models of concurrency, etc. In recent years, different linear-time logics for specifying asynchronous hyperproperties have been investigated. Though model checking of these logics is undecidable, useful decidable fragments have been identified with applications e.g. for asynchronous security analysis. In this paper, we address expressiveness and decidability issues of temporal logics for asynchronous hyperproperties. We compare the expressiveness of these logics together with the extension S1S[E] of S1S with the equal-level predicate by obtaining an almost complete expressiveness picture. We also study the expressive power of these logics when interpreted on singleton sets of traces. We show that for two asynchronous extensions of HyperLTL, checking the existence of a singleton model is already undecidable, and for one of them, namely Context HyperLTL (HyperLTL_C), we establish a characterization of the singleton models in terms of the extension of standard FO[<] over traces with addition. This last result generalizes the well-known equivalence between FO[<] and LTL. Finally, we identify new boundaries on the decidability of model checking HyperLTL_C
Programming Languages and Systems
This open access book constitutes the proceedings of the 29th European Symposium on Programming, ESOP 2020, which was planned to take place in Dublin, Ireland, in April 2020, as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2020. The actual ETAPS 2020 meeting was postponed due to the Corona pandemic. The papers deal with fundamental issues in the specification, design, analysis, and implementation of programming languages and systems
On Compositional Information Flow Aware Refinement
The concepts of information flow security and refinement are known to have had a troubled relationship ever since the seminal work of McLean. In this work we study refinements that
support changes in data representation and semantics, including the addition of state variables that may induce new observational power or side channels. We propose a new epistemic approach to ignorance-preserving refinement where an abstract model is used as a specification of a system’s permitted information flows, that may include the declassification of secret information. The core idea is to require that refinement steps must not induce observer knowledge that is not already available in the abstract model.
Our study is set in the context of a class of shared variable multi-agent models similar to interpreted systems in epistemic logic. We demonstrate the expressiveness of our framework through a series of small examples and compare our approach to existing, stricter notions of information-flow secure refinement based on bisimulations and noninterference preservation. Interestingly, noninterference preservation is not supported “out of the box” in our setting, because refinement steps may introduce new secrets that are independent of secrets already present at abstract level. To support verification, we first introduce a “cube-shaped” unwinding condition related to conditions recently studied in the context of value-dependent noninterference, kernel verification, and secure compilation. A fundamental problem with ignorance-preserving refinement, caused by the support for general data and observation refinement, is that sequential composability is lost. We propose a solution based on relational pre- and post-conditions and illustrate its use together with unwinding on the oblivious RAM construction of Chung and Pass
Timing Sensitive Dependency Analysis and its Application to Software Security
Ich präsentiere neue Verfahren zur statischen Analyse von
AusfĂĽhrungszeit-sensitiver Informationsflusskontrolle in Softwaresystemen.
Ich wende diese Verfahren an zur Analyse nebenläufiger Java
Programme, sowie zur Analyse von Ausführungszeit-Seitenkanälen in
Implementierungen kryptographischer Primitive.
Methoden der Informationsflusskontrolle zielen darauf ab, Fluss von
Informationen (z.B.: zwischen verschiedenen externen Schnittstellen
einer Software-Komponente) anhand expliziter Richtlinien einzuschränken.
Solche Methoden können daher zur Einhaltung sowohl
von Vertraulichkeit als auch Integrität eingesetzt werden. Der Ziel korrekter
statischer Programmanalysen in diesem Umfeld ist der Nachweis,
dass in allen Ausführungen eines gegebenen Programms die zugehörigen
Richtlinien eingehalten werden. Ein solcher Nachweis erfordert
ein Sicherheitskriterium, welches formalisiert, unter welchen
Bedingungen dies der Fall ist.
Jedem formalen Sicherheitskriterium entspricht implizit ein
Programm- und Angreifermodell. Einfachste Nichtinterferenz-Kriterien
beschreiben beispielsweise nur nicht-interaktive Programme. Dies
sind Programme die nur bei Beginn und Ende der AusfĂĽhrung Ein- und
Ausgaben erlauben. Im zugehörigen Angreifer-Modell kennt der
Angreifer das Programm, aber beobachtet nur bestimmte (öffentliche)
Aus- und Eingaben oder stellt diese bereit. Ein Programm ist nichtinterferent,
wenn der Angreifer aus seinen Beobachtungen keinerlei
RĂĽckschlĂĽsse auf geheime Aus- und Eingaben terminierender AusfĂĽhrungen
machen kann. Aus nicht-terminierenden AusfĂĽhrungen
hingegen sind dem Angreifer in diesem Modell Schlussfolgerungen
auf geheime Eingaben erlaubt.
Seitenkanäle entstehen, wenn einem Angreifer aus Beobachtungen realer
Systeme RĂĽckschlĂĽsse auf vertrauliche Informationen ziehen kann,
welche im formalen Modell unmöglich sind. Typische Seitenkanäle
(also: in vielen formalen Sicherheitskriterien unmodelliert) sind neben
Nichttermination beispielsweise auch Energieverbrauch und die AusfĂĽhrungszeit
von Programmen. Hängt diese von geheimen Eingaben
ab, so kann ein Angreifer aus der beobachteten AusfĂĽhrungszeit auf
die Eingabe (z.B.: auf den Wert einzelner geheimer Parameter) schlieĂźen.
In meiner Dissertation präsentiere ich neue Abhängigkeitsanalysen,
die auch Nichtterminations- und Ausführungszeitkanäle berücksichtigen.
In Hinblick auf Nichtterminationskanäle stelle ich neue Verfahren
zur Berechnung von Programm-Abhängigkeiten vor. Hierzu entwickle
ich ein vereinheitlichendes Rahmenwerk, in welchem sowohl
Nichttermination-sensitive als auch Nichttermination-insensitive Abhängigkeiten
aus zueinander dualen Postdominanz-Begriffen resultieren.
Für Ausführungszeitkanäle entwickle ich neue Abhängigkeitsbegriffe
und dazugehörige Verfahren zu deren Berechnung. In zwei Anwendungen
untermauere ich die These:
Ausführungszeit-sensitive Abhängigkeiten ermöglichen korrekte statische
Informationsfluss-Analyse unter Berücksichtigung von Ausführungszeitkanälen.
Basierend auf Ausführungszeit-sensitiven Abhängigkeiten entwerfe
ich hierfür neue Analysen für nebenläufige Programme.
Ausführungszeit-sensitive Abhängigkeiten sind dort selbst für
AusfĂĽhrungszeit-insensitive Angreifermodelle relevant, da dort interne
Ausführungszeitkanäle zwischen unterschiedlichen Ausführungsfäden
extern beobachtbar sein können. Meine Implementierung für
nebenläufige Java Programme basiert auf auf dem Programmanalyse-
System JOANA.
Außerdem präsentiere ich neue Analysen für Ausführungszeitkanäle
aufgrund mikro-architektureller Abhängigkeiten. Exemplarisch untersuche
ich Implementierungen von AES256 BlockverschlĂĽsselung. Bei einigen
Implementierungen fĂĽhren Daten-Caches dazu, dass die AusfĂĽhrungszeit
abhängt von Schlüssel und Geheimtext, wodurch diese
aus der AusfĂĽhrungszeit inferierbar sind. FĂĽr andere Implementierungen
weist meine automatische statische Analyse (unter Annahme
einer einfachen konkreten Cache-Mikroarchitektur) die Abwesenheit
solcher Kanäle nach
- …