
Latest publications: 2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

Symbolic Methods in Computational Cryptography Proofs
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00017
G. Barthe, B. Grégoire, Charlie Jacomme, S. Kremer, Pierre-Yves Strub
Code-based game-playing is a popular methodology for proving security of cryptographic constructions and side-channel countermeasures. This methodology relies on treating cryptographic proofs as an instance of relational program verification (between probabilistic programs), and decomposing the latter into a series of elementary relational program verification steps. In this paper, we develop principled methods for proving such elementary steps for probabilistic programs that operate over finite fields and related algebraic structures. We focus on three essential properties: program equivalence, information flow, and uniformity. We give characterizations of these properties based on deducibility and other notions from symbolic cryptography. We use (sometimes improve) tools from symbolic cryptography to obtain decision procedures or sound proof methods for program equivalence, information flow, and uniformity. Finally, we evaluate our approach using examples drawn from provable security and from side-channel analysis - for the latter, we focus on the masking countermeasure against differential power analysis. A partial implementation of our approach is integrated in EasyCrypt, a proof assistant for provable security, and in MaskVerif, a fully automated prover for masked implementations.
Citations: 5
Prime, Order Please! Revisiting Small Subgroup and Invalid Curve Attacks on Protocols using Diffie-Hellman
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00013
C. Cremers, Dennis Jackson
Diffie-Hellman groups are a widely used component in cryptographic protocols in which a shared secret is needed. These protocols are typically proven to be secure under the assumption they are implemented with prime order Diffie Hellman groups. However, in practice, many implementations either choose to use non-prime order groups for reasons of efficiency, or can be manipulated into operating in non-prime order groups. This leaves a gap between the proofs of protocol security, which assume prime order groups, and the real world implementations. This is not merely a theoretical possibility: many attacks exploiting small subgroups or invalid curve points have been found in the real world. While many advances have been made in automated protocol analysis, modern tools such as Tamarin and ProVerif represent DH groups using an abstraction of prime order groups. This means they, like many cryptographic proofs, may miss practical attacks on real world protocols. In this work we develop a novel extension of the symbolic model of Diffie-Hellman groups. By more accurately modelling internal group structure, our approach captures many more differences between prime order groups and their actual implementations. The additional behaviours that our models capture are surprisingly diverse, and include not only attacks using small subgroups and invalid curve points, but also a range of proposed mitigation techniques, such as excluding low order elements, single coordinate ladders, and checking the elliptic curve equation. Our models thereby capture a large family of attacks that were previously outside the symbolic model. We implement our improved models in the Tamarin Prover. We find a new attack on the Secure Scuttlebutt Gossip protocol, independently discover a recent attack on the Tendermint protocol, and show how our analysis finds previous Bluetooth attacks and evaluate the effectiveness of the proposed countermeasures.
Citations: 26
Information Flow Control for Distributed Trusted Execution Environments
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00028
Anitha Gollamudi, Stephen Chong, Owen Arden
Distributed applications cannot assume that their security policies will be enforced on untrusted hosts. Trusted execution environments (TEEs) combined with cryptographic mechanisms enable execution of known code on an untrusted host and the exchange of confidential and authenticated messages with it. TEEs do not, however, establish the trustworthiness of code executing in a TEE. Thus, developing secure applications using TEEs requires specialized expertise and careful auditing. This paper presents DFLATE, a core security calculus for distributed applications with TEEs. DFLATE offers high-level abstractions that reflect both the guarantees and limitations of the underlying security mechanisms they are based on. The accuracy of these abstractions is exhibited by asymmetry between confidentiality and integrity in our formal results: DFLATE enforces a strong form of noninterference for confidentiality, but only a weak form for integrity. This reflects the asymmetry of the security guarantees of a TEE: a malicious host cannot access secrets in the TEE or modify its contents, but they can suppress or manipulate the sequence of its inputs and outputs. Therefore DFLATE cannot protect against the suppression of high-integrity messages, but when these messages are delivered, their contents cannot have been influenced by an attacker.
Citations: 13
Comparing Systems: Max-Case Refinement Orders and Application to Differential Privacy
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00037
K. Chatzikokolakis, Natasha Fernandes, C. Palamidessi
Quantitative Information Flow (QIF) and Differential Privacy (DP) are both concerned with the protection of sensitive information, but they are rather different approaches. In particular, QIF considers the expected probability of a successful attack, while DP (in both its standard and local versions) is a max-case measure, in the sense that it is compromised by the existence of a possible attack, regardless of its probability. Comparing systems is a fundamental task in these areas: one wishes to guarantee that replacing a system A by a system B is a safe operation, that is, the privacy of B is no worse than that of A. In QIF, a refinement order provides strong such guarantees, while in DP, mechanisms are typically compared (w.r.t. privacy) based on the ε privacy parameter that they provide. In this paper we explore a variety of refinement orders, inspired by the one of QIF, providing precise guarantees for max-case leakage. We study simple structural ways of characterising them, the relation between them, efficient methods for verifying them and their lattice properties. Moreover, we apply these orders in the task of comparing DP mechanisms, raising the question of whether the order based on ε provides strong privacy guarantees. We show that, while it is often the case for mechanisms of the same "family" (geometric, randomised response, etc.), it rarely holds across different families.
Citations: 14
Efficient Attack-Defense Tree Analysis using Pareto Attribute Domains
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00021
Barbara Kordy, Wojciech Wideł
The cheapest attacks are often time-consuming, and those requiring a high level of technical skills might occur rarely but result in disastrous consequences. Therefore, analysis focusing on a single parameter at a time, e.g., only cost or time, is insufficient for the successful selection of the appropriate measures increasing a system's security. In practice, security engineers are thus confronted with the problem of multi-parameter analysis. The objective of this work is to address this problem and propose a sound, general framework for multi-parameter analysis of security. In order to ensure the usability of our solution for real-life applications, our proposal relies on the attack–defense tree model that security experts from industry are already familiar with. We present mathematical foundations of our framework and characterize the class of parameters it is suitable for. We identify conditions under which the proposed method applies to attack–defense trees where several nodes represent the same action. We discuss the complexity of our approach and implement the underlying algorithms in a proof of concept tool. We analyze its performance on a number of trees of varying complexity, and validate our proposal on a case study borrowed from industry.
Citations: 14
Using Information Flow to Design an ISA that Controls Timing Channels
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00026
Drew Zagieboylo, Edward Suh, A. Myers
Information-flow control (IFC) enforcing languages can provide high assurance that software does not leak information or allow an attacker to influence critical systems. IFC hardware description languages have also been used to design secure circuits that eliminate timing channels. However, there remains a gap between IFC hardware and software; these two components are built independently with no abstraction for how to compose their security guarantees. This paper presents a proposal for an instruction set architecture (ISA) that can provide the appropriate abstraction for joining hardware and software IFC mechanisms. Our ISA describes a RISC-V processor that tracks information-flow labels at run time and uses these labels to eliminate or mitigate timing channels. To make the ISA more practical, it allows constrained downgrading of information; it permits trading off security for performance; and still offers control primitives such as system calls. We prove timing-sensitive noninterference modulo downgrading and nonmalleability for programs executing our ISA. This involves novel restrictions on the mutability of labels beyond previous dynamic IFC systems. Furthermore, we define specific security conditions which correct hardware can implement to provide software-level security and sketch how such hardware may be designed and verified.
Citations: 21
Time-Dependent Decision-Making and Decentralization in Proof-of-Work Cryptocurrencies
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00015
Y. Zolotavkin, Julián García, Joseph K. Liu
Pool mining is a common way to reduce income variance for miners in Proof of Work Cryptocurrencies. A vast majority of mining does happen in pools, where a popular scheme to distribute rewards is Pay per last N Shares (PPLNS). In PPLNS and related schemes, miners are frequently making decisions whose rewards are not immediate and will only manifest in the future. This implies that models of inter-temporal utility are relevant when considering the incentives of miners. We show that when including these features of human behaviour in models of rational pool miners, the conditions that lead to decentralisation are hampered because larger pools may be more attractive to miners. We present a new game theoretical model of PPLNS where rational miners have time preferences. In this setup, the incentives of miners to work for a pool depend on the initial distribution of power between mining pools, as well as the specific details of how time is discounted. Agents jumping to larger pools face a trade-off between reducing the expected payoff from their shares in their current pool, or getting faster rewards in the future by joining a larger pool. We consider a case where pools of different mining power have the same size of reward window N. According to our study, in equilibrium larger pools have a tendency to accumulate a disproportionate share of the network power at the expense of smaller pools. This outcome is prevalent over a large range of realistic model parameters. Our model shows that PPLNS may be harmful to the decentralised governance of cryptocurrencies. A way to ameliorate these negative effects is to encourage pools to have diverse window sizes, or use different reward mechanisms. Doing this in a decentralised fashion is an open challenge.
Citations: 1
Formalizing Constructive Cryptography using CryptHOL
Pub Date : 2019-06-25 DOI: 10.1109/CSF.2019.00018
A. Lochbihler, S. Reza Sefidgar, D. Basin, U. Maurer
Computer-aided cryptography increases the rigour of cryptographic proofs by mechanizing their verification. Existing tools focus mainly on game-based proofs, and efforts to formalize composable frameworks such as Universal Composability have met with limited success. In this paper, we formalize an instance of Constructive Cryptography, a generic theory allowing for clean, composable cryptographic security statements. Namely, we extend CryptHOL, a framework for game-based proofs, with an abstract model of Random Systems and provide proof rules for their equality and composition. We formalize security as a special kind of system construction in which a complex system is built from simpler ones. As a simple case study, we formalize the construction of an information-theoretically secure channel from a key, a random function, and an insecure channel.
Citations: 22
Games for Security Under Adaptive Adversaries
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00022
Timos Antonopoulos, Tachio Terauchi
This work explores methods for proving and disproving security of systems under adaptive adversaries. Adaptive adversaries are ones which make their next move based on the previous observations. Our first contribution is a new game-based characterization of security. We show that the game accurately captures security of deterministic and probabilistic systems against adaptive (probabilistic) adversaries. In addition, we build on top of the game characterization and present techniques that expedite proving the existence of attacker and defender strategies, and consequently proving security or vulnerability of systems. The first is what we call attack (and defense) slopes, which give simple sufficient criteria for the existence of winning strategies (for attacker and defender). The second is reductions of one game to another, achieved by mapping a strategy of one to that of the other. We show that such reductions can prove or disprove security by reducing from a game of a secure system or reducing to that of a non-secure system.
Citations: 1
Canonical Representations of k-Safety Hyperproperties
Pub Date : 2019-06-01 DOI: 10.1109/CSF.2019.00009
B. Finkbeiner, Lennart J. Haas, Hazem Torfah
Hyperproperties elevate the traditional view of trace properties from sets of traces to sets of sets of traces and provide a formalism for expressing information-flow policies. For trace properties, algorithms for verification, monitoring, and synthesis are typically based on a representation of the properties as omega-automata. For hyperproperties, a similar, canonical automata-theoretic representation is, so far, missing. This is a serious obstacle for the development of algorithms, because basic constructions, such as learning algorithms, cannot be applied. In this paper, we present a canonical representation for the widely used class of regular k-safety hyperproperties, which includes important policies such as noninterference. We show that a regular k-safety hyperproperty S can be represented by a finite automaton, where each word accepted by the automaton represents a violation of S. The representation provides an automata-theoretic approach to regular k-safety hyperproperties and allows us to compare regular k-safety hyperproperties, simplify them, and learn such hyperproperties. We investigate the problem of constructing automata for regular k-safety hyperproperties in general and from formulas in HyperLTL, and provide complexity bounds for the different translations. We also present a learning algorithm for regular k-safety hyperproperties based on the L* learning algorithm for deterministic finite automata.
Citations: 15