Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal definitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed definitions. A program that is secure under one kind of scheduler might not be secure when executed with a different scheduler. The existing definitions do not ensure that an accepted program behaves securely under the scheduler that is used to deploy the program. Therefore, this paper proposes a new formalization of scheduler-specific observational determinism. It accepts programs that are secure when executed under a specific scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. In addition, we discuss how compliance with our definition can be verified, using model checking. We use the idea of self-composition and we rephrase the observational determinism property for a single program $C$ as a temporal logic formula over the program $C$ executed in parallel with an independent copy of itself. Thus two states reachable during the execution of $C$ are combined into a reachable program state of the self-composed program. This allows to compare two program executions in a single temporal logic formula. The actual characterization is done in two steps. First we discuss how stuttering equivalence can be characterized as a temporal logic formula. Observational determinism is then expressed in terms of the stuttering equivalence characterization. This results in a conjunction of an LTL and a CTL formula, that are amenable to model checking.
展开▼
机译:文献中提出了观察性确定性,以确保多线程程序的机密性。直观地,如果公共变量的行为是确定性的,即独立于私有变量和调度策略,则程序在观察上是确定性的。存在观察确定性的几种正式定义,但是它们都有缺点。例如,他们接受不安全的程序,或者拒绝太多无害的程序。此外,在所有提出的定义中都忽略了调度程序的作用。用另一种调度程序执行时,在一种调度程序下安全的程序可能不安全。现有定义不能确保在用于部署程序的调度程序下安全地接受程序。因此,本文提出了一种新的形式化的特定于调度程序的观测确定性形式。它接受在特定调度程序下执行的安全程序。而且,它在特定的调度策略下对无害程序的限制较小。此外,我们讨论了如何使用模型检查来验证是否符合我们的定义。我们使用自我构成的思想,并改写了单个程序$ C $的观察性确定性,作为与独立副本并行执行的程序$ C $的时间逻辑公式。因此,在$ C $执行期间可到达的两个状态被合并为自编写程序的可到达程序状态。这允许在单个时间逻辑公式中比较两个程序执行。实际表征分两个步骤进行。首先,我们讨论如何将口吃等效性描述为时间逻辑公式。然后,根据口吃等效性表征来表达观察确定性。这导致了LTL和CTL公式的结合,可以进行模型检查。
展开▼
