Observational determinism has been proposed in the literature as a way to ensure condentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal denitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed denitions. A program that is secure under one kind of scheduler might not be secure when executed with a dierent scheduler. The existing definitions do not ensure that an accepted program behaves securely under the scheduler that is used to deploy the program. Therefore, this paper proposes a new formalization of scheduler-specic observational determinism. It accepts programs that are secure when executed under a specic scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. We discuss the properties of our denition and argue why it better approximates the intuitive understanding of observational determinism. In addition, we discuss how compliance with our denition can be veried, using model checking. We use the idea of self-composition and we rephrase the observational determinism property for a single program $C$ as a temporal logic formula over the program $C$ executed in parallel with an independent copy of itself. Thus two states reachable during the execution of $C$ are combined into a reachable program state of the selfcomposed program. This allows to compare two program executions in a single temporal logic formula. The actual characterization is done in two steps. First we discuss how stuttering equivalence can be characterized as a temporal logic formula. Observational determinism is then expressed in terms of the stuttering equivalence characterization. This results in a conjunction of n LTL and a CTL formula, that are amenable to model checking.
展开▼
机译:文献中已经提出了观察确定性,以确保多线程程序的保密性。直观地,如果公共变量的行为是确定性的,即独立于私有变量和调度策略,则程序在观察上是确定性的。存在观察确定性的几种形式上的定义,但是它们都有缺点。例如,他们接受不安全的程序,或者拒绝太多无害的程序。此外,在所有提议的定义中都忽略了调度程序的作用。用不同的调度程序执行时,在一种调度程序下安全的程序可能不安全。现有定义不能确保在用于部署程序的调度程序下安全地接受程序。因此,本文提出了一种新的形式化调度程序专用观察确定性。它接受在特定调度程序下执行的安全程序。而且,它在特定的调度策略下对无害程序的限制较小。我们讨论了定义的性质,并争论了为什么它更好地近似了观察性确定论的直觉理解。此外,我们讨论了如何使用模型检查来验证对我们的约束的遵守情况。我们使用自我构成的思想,并改写了单个程序$ C $的观察性确定性,作为与独立副本并行执行的程序$ C $的时间逻辑公式。因此,在$ C $执行期间可到达的两个状态被合并为自编程序的可到达程序状态。这允许在单个时间逻辑公式中比较两个程序执行。实际表征分两个步骤进行。首先,我们讨论如何将口吃等效性描述为时间逻辑公式。然后,根据口吃等效性表征来表达观察确定性。这导致n LTL和CTL公式相结合,可用于模型检查。
展开▼
