55 research outputs found
RHLE: Modular Deductive Verification of Relational Properties
Relational program logics are used to prove that a desired relationship holds
between the execution of multiple programs. Existing relational program logics
have focused on verifying that all runs of a collection of programs do not fall
outside a desired set of behaviors. Several important relational properties,
including refinement and noninterference, do not fit into this category, as
they require the existence of specific desirable executions. This paper
presents RHLE, a logic for verifying a class of relational properties which we
term properties. properties assert that for
all executions of a collection of programs, there exist executions of another
set of programs exhibiting some intended behavior. Importantly, RHLE can reason
modularly about programs which make library calls, ensuring that
properties are preserved when the programs are linked with any
valid implementation of the library. To achieve this, we develop a novel form
of function specification that requires the existence of certain behaviors in
valid implementations. We have built a tool based on RHLE which we use to
verify a diverse set of relational properties drawn from the literature,
including refinement and generalized noninterference
Deductive Controller Synthesis for Probabilistic Hyperproperties
Probabilistic hyperproperties specify quantitative relations between the
probabilities of reaching different target sets of states from different
initial sets of states. This class of behavioral properties is suitable for
capturing important security, privacy, and system-level requirements. We
propose a new approach to solve the controller synthesis problem for Markov
decision processes (MDPs) and probabilistic hyperproperties. Our specification
language builds on top of the logic HyperPCTL and enhances it with structural
constraints over the synthesized controllers. Our approach starts from a family
of controllers represented symbolically and defined over the same copy of an
MDP. We then introduce an abstraction refinement strategy that can relate
multiple computation trees and that we employ to prune the search space
deductively. The experimental evaluation demonstrates that the proposed
approach considerably outperforms HyperProb, a state-of-the-art SMT-based model
checking tool for HyperPCTL. Moreover, our approach is the first one that is
able to effectively combine probabilistic hyperproperties with additional
intra-controller constraints (e.g. partial observability) as well as
inter-controller constraints (e.g. agreements on a common action)
Introducing Asynchronicity to Probabilistic Hyperproperties
Probabilistic hyperproperties express probabilistic relations between
different executions of systems with uncertain behavior. HyperPCTL allows to
formalize such properties, where quantification over probabilistic schedulers
resolves potential non-determinism. In this paper we propose an extension named
AHyperPCTL to additionally introduce asynchronicity between the observed
executions by quantifying over stutter-schedulers, which may randomly decide to
delay scheduler decisions by idling. To our knowledge, this is the first
asynchronous extension of a probabilistic branching-time hyperlogic. We show
that AHyperPCTL can express interesting information-flow security policies, and
propose a model checking algorithm for a decidable fragment.Comment: to be published in the Proceedings of QEST 202
Journey Beyond Full Abstraction: Exploring Robust Property Preservation for Secure Compilation
âGood programming languages provide helpful abstractions for writing secure code, but the security properties of
the source language are generally not preserved when compiling a
program and linking it with adversarial code in a low-level target
language (e.g., a library or a legacy application). Linked target
code that is compromised or malicious may, for instance, read and
write the compiled programâs data and code, jump to arbitrary
memory locations, or smash the stack, blatantly violating any
source-level abstraction. By contrast, a fully abstract compilation
chain protects source-level abstractions all the way down, ensuring that linked adversarial target code cannot observe more about
the compiled program than what some linked source code could
about the source program. However, while research in this area
has so far focused on preserving observational equivalence, as
needed for achieving full abstraction, there is a much larger space
of security properties one can choose to preserve against linked
adversarial code. And the precise class of security properties one
chooses crucially impacts not only the supported security goals
and the strength of the attacker model, but also the kind of
protections a secure compilation chain has to introduce.
We are the first to thoroughly explore a large space of formal
secure compilation criteria based on robust property preservation, i.e., the preservation of properties satisfied against arbitrary
adversarial contexts. We study robustly preserving various classes
of trace properties such as safety, of hyperproperties such as
noninterference, and of relational hyperproperties such as trace
equivalence. This leads to many new secure compilation criteria,
some of which are easier to practically achieve and prove than
full abstraction, and some of which provide strictly stronger
security guarantees. For each of the studied criteria we propose an equivalent âproperty-freeâ characterization that clarifies
which proof techniques apply. For relational properties and
hyperproperties, which relate the behaviors of multiple programs,
our formal definitions of the property classes themselves are
novel. We order our criteria by their relative strength and show
several collapses and separation results. Finally, we adapt existing
proof techniques to show that even the strongest of our secure
compilation criteria, the robust preservation of all relational
hyperproperties, is achievable for a simple translation from a
statically typed to a dynamically typed language
Logical methods for the hierarchy of hyperlogics
In this thesis, we develop logical methods for reasoning about hyperproperties. Hyperproperties describe relations between multiple executions of a system. Unlike trace properties, hyperproperties comprise relational properties like noninterference, symmetry, and robustness. While trace properties have been studied extensively, hyperproperties form a relatively new concept that is far from fully understood. We study the expressiveness of various hyperlogics and develop algorithms for their satisfiability and synthesis problems. In the first part, we explore the landscape of hyperlogics based on temporal logics, first-order and second-order logics, and logics with team semantics. We establish that first-order/second-order and temporal hyperlogics span a hierarchy of expressiveness, whereas team logics constitute a radically different way of specifying hyperproperties. Furthermore, we introduce the notion of temporal safety and liveness, from which we obtain fragments of HyperLTL (the most prominent hyperlogic) with a simpler satisfiability problem. In the second part, we develop logics and algorithms for the synthesis of smart contracts. We introduce two extensions of temporal stream logic to express (hyper)properties of infinite-state systems. We study the realizability problem of these logics and define approximations of the problem in LTL and HyperLTL. Based on these approximations, we develop algorithms to construct smart contracts directly from their specifications.In dieser Arbeit beschreiben wir logische Methoden, um ĂŒber Hypereigenschaften zu argumentieren. Hypereigenschaften beschreiben Relationen zwischen mehreren AusfĂŒhrungen eines Systems. Anders als pfadbasierte Eigenschaften können Hypereigenschaften relationale Eigenschaften wie Symmetrie, Robustheit und die Abwesenheit von Informationsfluss ausdrĂŒcken. WĂ€hrend pfadbasierte Eigenschaften in den letzten Jahrzehnten ausfĂŒhrlich erforscht wurden, sind Hypereigenschaften ein relativ neues Konzept, das wir noch nicht vollstĂ€ndig verstehen. Wir untersuchen die AusdrucksmĂ€chtigkeit verschiedener Hyperlogiken und entwickeln ausfĂŒhrbare Algorithmen, um deren ErfĂŒllbarkeits- und Syntheseproblem zu lösen. Im ersten Teil erforschen wir die Landschaft der Hyperlogiken basierend auf temporalen Logiken, Logiken erster und zweiter Ordnung und Logiken mit Teamsemantik. Wir stellen fest, dass temporale Logiken und Logiken erster und zweiter Ordnung eine Hierarchie an AusdrucksmĂ€chtigkeit aufspannen. Teamlogiken hingegen spezifieren Hypereigenschaften auf eine radikal andere Art. Wir fĂŒhren auĂerdem das Konzept von temporalen Sicherheits- und Lebendigkeitseigenschaften ein, durch die Fragmente der bedeutensten Logik HyperLTL entstehen, fĂŒr die das ErfĂŒllbarkeitsproblem einfacher ist. Im zweiten Teil entwickeln wir Logiken und Algorithmen fĂŒr die Synthese digitaler VertrĂ€ge. Wir fĂŒhren zwei Erweiterungen temporaler Stromlogik ein, um (Hyper)eigenschaften in unendlichen Systemen auszudrĂŒcken. Wir untersuchen das Realisierungsproblem dieser Logiken und definieren Approximationen des Problems in LTL und HyperLTL. Basierend auf diesen Approximationen entwickeln wir Algorithmen, die digitale VertrĂ€ge direkt aus einer Spezifikation erstellen
Logics and Algorithms for Hyperproperties
System requirements related to concepts like information flow, knowledge, and robustness cannot be judged in terms of individual system executions, but rather require an analysis of the relationship between multiple executions. Such requirements belong to the class of hyperproperties, which generalize classic trace properties to properties of sets of traces. During the past decade, a range of new specification logics has been introduced with the goal of providing a unified theory for reasoning about hyperproperties. This paper gives an overview on the current landscape of logics for the specification of hyperproperties and on algorithms for satisfiability checking, model checking, monitoring, and synthesis
- âŠ