A Temporal Logic Approach to Information-flow Control

Markus N. Rabe

Information leaks and other violations of information security pose a severe threat to individuals, companies, and even countries. The mechanisms by which attackers threaten information security are diverse and to show their absence thus proved to be a challenging problem. Information-flow control is a principled approach to prevent security incidents in programs and other technical systems. In information-flow control we define information-flow properties, which are sufficient conditions for when the system is secure in a particular attack scenario. By defining the information-flow property only based on what parts of the executions of the system a potential attacker can observe or control, we obtain security guarantees that are independent of implementation details and thus easy to understand. There are several methods available to enforce (or verify) information-flow properties once defined. We focus on static enforcement methods, which automatically determine whether a given system satisfies a given information-flow property for all possible inputs to the system. Most enforcement approaches that are available today have one problem in common: they each only work for one particular programming language or information-flow property.

In this thesis, we propose a temporal logic approach to information-flow control to provide a simple formal basis for the specification and enforcement of information-flow properties. We show that the approach can be used to enforce a wide range of information-flow properties with a single algorithm.

The main challenge is that the standard temporal logics are unable to express information-flow properties. They lack the ability to relate multiple executions of a system, which is essential for information-flow properties. We thus extend the temporal logics LTL and CTL* by the ability to quantify over multiple executions and to relate them using boolean and temporal operators. The resulting temporal logics HyperLTL and HyperCTL* can express many information-flow properties of interest. The extension of temporal logics compels us to revisit the algorithmic problem to check whether a given system (model) satisfies a given specification in HyperLTL or HyperCTL*; also called the model checking problem. On the technical side, the main contribution is a model checking algorithm for HyperLTL and HyperCTL* and the detailed complexity analysis of the model checking problem: We give nonelementary lower and upper bounds for its computational complexity, both in the size of the system and the size of the specification. The complexity analysis also reveals a class of specification, which includes many of the commonly considered information-flow properties and for which the algorithm is efficient (in NLOGSPACE in the size of the system). For this class of efficiently checkable properties, we provide an approach to reuse existing technology in hardware model checking for information-flow control. We demonstrate along a case study that the temporal logic approach to information-flow control is flexible and effective. We further provide two case studies that demonstrate the use of HyperLTL and HyperCTL* for proving properties of error resistant codes and distributed protocols that have so far only been considered in manual proofs.

PhD Thesis.