The domain is an instance of the hyperlevel (abstract) constants (Section6.2), and it checks whether a set of sets of values contains constant sets modulo ρ. Namely it contains only sets of values indistinguishable by ρ. In the following, all abstractions α are continuous (i.e. they preserve the least upper bound of chains), so their left adjoint α−always exists1.
The domain is an abstraction of ℘(℘(Z)). We have seen that a hyperdomain, i.e. a domain suitable for the verification of hyperproperties, can be decomposed in an inner abstraction, approximating traces, and in an outer abstraction, approximating properties of traces. Fol- lowing this idea, we use as inner abstraction just ρ. Instead, the outer abstraction checks whether the inner abstraction always returns (atomic) constant values, not necessarily the same. For instance, suppose ρ can distinguish values up-to their sign, then {{1}, {−1, −3}} contains only (atomic) constant sets, instead {{1}, {2, −3}} contains also a not-constant set (in this case ρ maps {2, −3} to Z).
1This is a sufficient condition in order to form a Galois connection.
114 114
Chapter 8. Application: Verification of Information Flows M. Pasqua
Given a upper closure operator ρ ∈ uco(℘(Z)), we denote with Atmρthe set of its atoms, namely the set Atmρ , {X ∈ ρ(℘(Z)) | ∀Y ∈ ρ(℘(Z)) . Y ⊆ X ⇒ (Y = ∅ ∨ Y = X)}2 of elements covering the bottom (∅ in this case). As explained in Section6.2, we assume that Atmρforms a partition of Z. In order to perform hyperlevel constants on ρ we consider the set of its atoms: these latter precisely identify the properties of concrete values observed in ρ. The hyperlevel (abstract) constants domain for ρ is ρhc , ℘(Atmρ) ∪ {ρ(℘(Z))}. The abstraction function αhc∈ ℘(℘(Z)) −→ ρhcis αhc(X ) , ∅ if X = ∅, αhc(X ) , {ρ(X) | X ∈ X } if {ρ(X) | X ∈ X } ⊆ Atmρ
and αhc(X ) , ρ(℘(Z)) otherwise. Its left adjoint is the identity function, namely γhc, α−hc= id. Then we have the Galois insertion:
h℘(℘(Z)), ⊆i −−−−→←−−−−−α−→
hc
γhc
hρhc, ⊆i
Example 22. Let ρ be the upper closure operator distinguishing the sign of integers, namely ρ = Sgndefined in Section 6.2. The set of its atoms is AtmSgn = {Z<0, Z=0, Z>0}. The
hyperlevel Sgn-constants domain is Sgnhc, ℘(Atm Sgn
) ∪ {Sgn(℘(Z))}, and αhc(X ) , X if, X = ∅ or ∀X ∈ X . Sgn(X) ∈ AtmSgn, and αhc(X ) = Sgn(℘(Z)) otherwise.
The set of sets X = {{−1, −2}, {3, 5, 4}} is abstracted in {Z<0, Z>0}, meaning that
the set is constant w.r.t. Sgn. Instead, Y = {{−1, 3}, {2, 4, 9}} is abstracted to Sgn(℘(Z)) since there are no atoms approximating Sgn({−1, 3}) = Z, meaning that Y is not con- stant. Suppose now that X , Y are the sets of possible sets of values a variable x may take; αhc(X ) ⊆ AtmSgnmeans that ∀X ∈ X and ∀n, n0∈ X . Sgn({n}) = Sgn({n0}), i.e. the vari- able x is constant w.r.t. Sgn. Conversely, αhc(Y) = Sgn(℘(Z)) means that ∃Y ∈ Y such that ∃n, n0∈ Y . Sgn({n}) 6= Sgn({n0}), i.e. the variable x is not constant w.r.t. Sgn.
This domain is sufficient for Abstract Non-Interference verification, as we will prove in Theorem23but it may be not machine-representable. We solve the problem approximating the domain with a finite version.
In the Case of Uncountable Domains. In the presentation of ρhcwe used an upper closure operator to describe the abstract domain. In an implementation of this latter one would use a machine-representable description of the domain, isomorphic to ρhc, defining all lattice operators accordingly. If Atmρis finite, no problems arise since ℘(Atmρ)is still finite (this is the case, for ρ = Sgn). If Atmρ is infinite, we have that ℘(Atmρ)is uncountable and hence we need to define a simpler domain, which is machine-representable but still able to verify Abstract Non-Interference (this is the case, for instance, when ρ is the domain for constants propagation: its set of atoms is isomorphic to Z). The solution we adopt is to abstract precisely the singletons of atoms and to lose precision on other elements of the poweset.
Let Atmρbe a set isomorphic to Atmρ, aiming at representing sets containing only one singleton, i.e. of the form {a}, given a ∈ Atmρ, which is the information we want to observe precisely, and let ¯ ∈ Atmρ−→ Atmρa bijection. Furthermore, we denote by Aρthe abstract
element representing the set of all atoms. Then we define Cρ
, {¯a | a ∈ Atmρ} ∪ {⊥, >, Aρ},
with the partial order E ⊆ Cρ × Cρ defined as c
1 E c2 , (c1 = ⊥ ∨ c1 = c2∨ (c1 = ¯a∧ 2We use the fact that an upper closure operator can be identified with the set of its fixpoints ρ(℘(Z)) = {X ∈ ℘(Z) | ρ(X) = X}.
M. Pasqua 8.1. Abstract Hypersemantics for Abstract Non-Interference
c2 = Aρ) ∨ c2 = >). Now consider the abstraction αCρ ∈ ρhc−→ Cρand the concretization
γCρ ∈ Cρ −→ ρhc: αCρ(X ) , ⊥ if X = ∅ ¯ a if X = {a} Aρ if X ⊆ Atmρ∧ |X | > 1 > otherwise γCρ(c) , ∅ if c = ⊥ {a} if c = ¯a Atmρ if c = Aρ ρ(℘(Z)) otherwise
Then we have the Galois insertion (ρhc, αCρ, γCρ, Cρ). The domain hCρ, E, Y, Z, ⊥,>i is a com-
plete lattice where Y, Z ∈ Cρ× Cρ−→ Cρare:
c1Y c2, > if c1= > ∨ c2= > ⊥ if c1= ⊥ ∧ c2= ⊥ ¯ a if (c1= ⊥ ∧ c2= ¯a) ∨ (c1= ¯a∧ c2= ⊥) ∨ (c1= ¯a∧ c2= ¯a) Aρ otherwise c1Z c2, > if c1= > ∧ c2= > ⊥ if c1= ⊥ ∨ c2= ⊥ ∨ (c1= ¯a16= ¯a2= c2) ¯ a if (c1= ¯a∧ c2∈ {Aρ, >}) ∨ (c2= ¯a∧ c1∈ {Aρ, >}) Aρ otherwise
By composition, αhρ , αCρ◦ αhcand γhρ , γhc◦ γCρ form the Galois insertion:
h℘(℘(Z)), ⊆i −−−−→←−−−−−α−→
hρ
γhρ
hCρ
, Ei
Example 23. The classic domain for constants propagation is given by the upper closure operator Cprp, defined as Cprp(X) , X if X ∈ {{n} | n ∈ Z} ∪ {∅} and Cprp(X) , Z otherwise. The set of its atoms is AtmCprp
= {{n} | n ∈ Z}, which is isomorphic to Z and hence it is (countably) infinite. In this case, we can define CCprp
as the set Z ∪ {⊥, >, ACprp}
and αCCprp ∈ Cprphc −→ CCprp as: αCCprp(X ) , ⊥ if X = ∅; αCCprp(X ) , n if X = {{n}};
αCCprp(X ) , ACprpif X ⊆ AtmCprp∧ |X | > 1; αCCprp(X ) = >otherwise. Note that, in this case,
AtmCprp= Z and the bijection ¯ maps sets {n} ∈ AtmCprpto integers n ∈ Z.
Memories Point-Wise Lift. Once we define the abstract domain for (sets of sets of) values, as usual in static analysis we need to extend it to (sets of sets of) memories. From now on, for simplicity, we use hCρ
, E, Y, Z, ⊥,>i as the values-domain for ANI. Note that the construction given in the previous paragraph can be applied also to domains ρhcalready machine-representable.
First of all, consider a “double” non-relational abstraction for sets of sets of memories, since we do not need to track relations between different variables. In classic static analysis, a non-relational abstraction for memories abstracts each program variable independently, thus forgetting any relation between variables. We can apply this concept to any functional space, meaning that given a set of functions we are not interested in the relations between objects and their images through the functions, as we do in the Non-Relational Abstraction
116 116
Chapter 8. Application: Verification of Information Flows M. Pasqua
of Chapter2.3. The Non-Relational Abstraction of a set of memories is an abstract domain of ℘(Mem). We can can lift this abstraction to sets of sets, as shown in Section6.2. The inner abstraction is αnr ∈ ℘(Mem) −→Mem, where we recall that˙ Mem , Var −˙ → ℘(Z). Then, we lift this latter to sets obtaining the Galois insertion:
h℘(℘(Mem)), ⊆i −−−−−−→←−−−−−−−−→ L(αnr)
G(αnr)
h℘( ˙Mem), ⊆i
Now we can apply again the Non-Relational Abstraction of Section2.3to ℘( ˙Mem), namely we have the Galois insertion, whereMem , Var −¨ → ℘(℘(Z)):
h℘( ˙Mem), ⊆i −−−−→←−−−−−−→ ˙ αnr ˙ γnr h ¨Mem, ¨⊆i ˙ αnr(X) , λx . { ˙m(x) | ˙m ∈ X} ˙γnr( ¨m) , { ˙m | ∀x ∈ Var . ˙m(x) ∈ ¨m(x)}
By composition, we have the abstraction between ℘(℘(Mem)) andMem¨ , formalized by the Galois insertion: h℘(℘(Mem)), ⊆i −−−−−→←−−−−−−α −→ nnr γnnr h ¨Mem, ˙⊆i αnnr(X ) , ˙αnr◦ L(αnr)(X ) = λx . {{m(x) | m ∈ X} | X ∈ X } γnnr( ¨m) , G(αnr) ◦ ˙γnr( ¨m) = {X | ∀x ∈ Var . {m(x) | m ∈ X} ∈ ¨m(x)}
Applying the Pointwise Construction introduced in Section2.3, we obtain the complete lattice hVar −→ Cρ, ˙
E, ˙Y, ˙Z, λx . ⊥, λx . >i. Then, applying the Pointwise Abstraction of Sec- tion2.3, we have the following Galois connection:
h ¨Mem, ˙⊆i −−−−→←−−−− ˙ αhρ ˙ γhρ hVar −→ Cρ, ˙ Ei ˙ αhρ( ¨m) , λx . αhρ◦ ¨m(x) γh˙ρ(m) , λx . γhρ◦ m(x)
Finally, by composition, we obtain the Galois connection (℘(℘(Mem)), αm, γm, Var −→ Cρ) where αm, ˙αhρ◦ αnnrand γm, γnnr◦ ˙γhρ. We denote with Memρthe set Var −→ Cρand we
call its elements m abstract memories. In order to simplify the notation, we let v , ˙E, t , ˙Y, u , ˙Z, m⊥, λx . ⊥ and m>, λx . >.
Example 24. Let us show how this abstraction works. Let ma = [x 7→ 0 y 7→ 0], mb = [x 7→ 0 y 7→ 1], mc = [x 7→ 1 y 7→ 0], md = [x 7→ 1 y 7→ 1]programs memories. Then we have: αm({{ma, mb}, {mc, md}}) = [x 7→ αhρ({{0}, {1}}) y 7→ αhρ({{0, 1}})] = [x 7→ Aρ y 7→ >].
Indeed ma, mbboth assign 0 to x and mc, mdboth provide 1 to x, while ma, mbprovide both 0and 1 to y and mc, mdprovide both 0 and 1 to y.
It is worth noting that, given X ⊆ equivρL, then every set in X contains L-equivalent mem-
ories, modulo ρ. This implies αm(X )(x) E Aρ, for each L variable x. So, the Abstract Non- Interference checkL P M I
2
ρ,φ ⊆ equiv
ρ
L becomes equivalent to checking, for each L variable
x, whether αm(L P M I
2
ρ,φ)(x) E A
ρholds or not.
Finally, we can show how the abstract domain Memρ can be used for Abstract Non- Interference verification, with the following theorem.
Theorem 23. Let mρ ∈ Memρ
be the abstract memory defined as mρ
(x) , Aρ if Γ(x) = L and
mρ
(x) , > otherwise. Then P |= ANIρφif and only if αm(L P M I
2 ρ,φ) v m
M. Pasqua 8.1. Abstract Hypersemantics for Abstract Non-Interference
Proof. By definition of Galois connection: αm(L P M I
2 ρ,φ) v m ρ if and only if L P M I 2 ρ,φ ⊆
γm(mρ). It is clear that γm(mρ) ⊆ equivρL, since the concretization of m
ρcontains L-equivalent memories, modulo ρ, by construction. Hence, due to Prop.14, the theorem is proved.
Theorem23does not dispense us from computing the concrete hypersemantics hence, as usual in abstract interpretation, we define an abstract semantics computing on the abstract domain, i.e. a function in Memρ−→ Memρ. Unfortunately, the constraint to have the same do- main in input and output (of the abstract semantics) and the fact that our abstract domain maps to τ every H variable, do not allow us to verify ANI with declassification. The abstract semantics presented in the next subsection cannot keep in consideration the declassification φ. Indeed, it verifies the hyperproperty ANIρτ(without declassification), which implies any- way ANIρφ, for any possible φ [Giacobazzi and Mastroeni,2018]. Clearly this is a limitation, we planned to extend the presented approach, in order to deal with declassification, as a future work.