EliminatingCovertFlowswithMinimumTypingsyDennisVolpanoComputerScienceD - PDF document

EliminatingCovertFlowswithMinimumTypingsyDennisVolpanoComputerScienceDepartmentNavalPostgraduateSchoolMonterey,CA93943,USAE-mail:volpano@cs.nps.navy.milGeoffreySmithSchoolofComputerScienceFloridaInternationalUniversityMiami,FL33199,USAE-mail:smithg@cs.fiu.eduAbstractAtypesystemisgiventhateliminatestwokindsofcovertowsinanimperativeprogramminglanguage.Therstkindarisesfromnonterminationandtheotherfrompartialoperationsthatcanraiseexceptions.Thekeyideaistolimitthesourceofnonterminationinthelanguagetoconstructswithminimumtypings,andtoevaluatepartialoperationswithinexpressionsoftrycommandswhichalsohavemini-mumtypings.Amutualprogresstheoremisprovedthatba-sicallystatesthatnotwoexecutionsofawell-typedprogramcanbedistinguishedonthebasisofnonterminationversusabnormalterminationduetoapartialoperation.Theproofusesanewstyleofprogramminglanguagesemanticswhichwecallanaturaltransitionsemantics.1.IntroductionIn[9],wegaveatypesystemforsecureinformationowinacoreimperativelanguage.Thetypesystemiscomposedofasetoftypesandtypingrulesfordeducingthetypesofexpressionsandcommands.Typescorrespondtopartially-orderedsecurityclasseslikelow(L)andhigh(H),whereLH.Theorderingisthebasisforasubtyperelationwhichallowsupwardinformationows.Weprovedaformofnoninterferenceforthetypesystem.However,thesystemdoesnotaddresscovertowsinprogramsthatarisefromnonterminationandpartialoperations.Toillustratethesekindsofows,wegivepartofthethreadbodiesoftwoJavaappletsthatmerelypromptaclientforapasswordviaatexteld.Therstappletcre-atesaninspectorthreadforeachcharacterinthepassword.PartoftheinspectorthreadbodyisgiveninFigure1.Itloopsindenitelywhenitdiscoversthecharacterstoredat yThismaterialisbaseduponactivitiessupportedbyDARPAundercon-tractBEA96-1125andbytheNationalScienceFoundationundergrantCCR-9612176.while(p:charAt(i)==0a0);ps:println(i+"nota");while(p:charAt(i)==0b0);ps:println(i+"notb");Figure1.CovertFlowfromNonterminationpositioni.Untilthen,itrecordsthecharactersithasexam-inedbyopeningasocketconnectionbacktoanotherportontheserverfromwhichtheappletoriginated.Thisconnec-tionispermittedunderthecurrent“sandbox”modelofJavasecurity.Asimilarinspectorthreadbodycanbedesignedtorevealapasswordusingapartialoperation.PartofsuchabodyisgiveninFigure2.Itusesdivisionandfailstocatchif(1=(p:charAt(i)0a0)==0);ps:println(i+"nota");if(1=(p:charAt(i)0b0)==0);ps:println(i+"notb");Figure2.CovertFlowfromaPartialOperationthearithmeticexception.Thethreadbodiesofthepreced-ingexamplesarewelltypedinouroriginalsecure-owtypesystem.Weshowhowthesekindsofcovertowscanbehandledwithjustasimplemodicationtoouroriginaltypesystembasedonthenotionofaminimumtype.Wesaythatatypeisminimumif0foreverytype0.Tohandlethecovertowarisingfromnontermination,wemerelychange thetypingruleforwhileedoctorequirethatehavemini-mumtype.Similarly,weintroduceatrycommandforeachpartialoperationandtypethecommandminimally.Now,thevariablec,intheexamplesabove,wouldnothavemin-imumtype,sothethreadbodieswouldnotbewelltypedsinceneithercouldbetypedminimally.Thenewtypingrulesallowustoprovetheoremsaboutcovertows.Ourrstcovert-owtheoremestablishesthepropertyofterminationagreementforwell-typedprograms.Itisprovedwithrespecttoanatural,or“big-step”,seman-tics.Terminationagreementisasomewhatweakerstate-mentaboutcovertowthanwedesire.Thiswillleadustoasecondtheoremthatestablishesastrongerpropertyforwell-typedprograms,namelymutualprogress.Toprovemutualprogress,weneedatransitional,or“small-step”,styleofsemanticsinordertomakestatementsaboutpartialexecutions.Weuseaformoftransitionse-manticsforthispurposewhichwecallanaturaltransitionsemantics(NTS)[7].Itisderivabledirectlyfromournatu-ralsemantics.SoundnessandcompletenessoftheNTS,withrespecttothenaturalsemantics,allowsustoswitchfromoneseman-ticstyletotheotherwhereappropriate.Theproofofmu-tualprogress,forinstance,dependsonterminationagree-mentwhichcanbeprovedmoreeasilyinthenaturalse-manticsthanintheNTSsinceanaturalsemanticsiswellsuitedforreasoningaboutcompleteevaluationderivations.Sowejumpoutoftheprogressproof,byNTSsoundness,togetterminationagreement,whichisprovedinthenaturalsemantics,andthenre-enter,byNTScompleteness,tocarryouttheprogressproof.Finally,weconsideramorerestrictivetypesystemthatalsorequiresconditionalstobetypedminimally.Thenwegetanevenstrongercovert-owresultthatbasicallyrulesoutcoverttimingchannelsinprograms.Thatis,notwoexecutionsofawell-typedprogramcanbedistinguishedbytimingdifferences.2.TheTypeSystemThecorelanguageweconsiderconsistsofphrases,eachofwhichiseitheranexpressionoracommand.Weletmetavariableprangeoverphrases,eoverexpressions,andcovercommands:p::=ejce::=xjljnje+e0jee0je=e0jee0c::=e:=e0jc;c0jifethencelsec0jwhileedocjletvarx:=eincjtryx=ee0incMetavariablexrangesoveridentiers,loverlocations,andnoverintegerliterals.Integersaretheonlyvalues.Weuse0forfalseand1fortrue,andassumethatlocationsarewellordered.AllprogramI/Oisdonethroughfreelocationsinaprogram.Thecorelanguageincludesatrycommandforonepartialoperation,namely,integerdivision.Thescopeofxinatrycommandisc.Otherpartialoperationscanbeintroducedinthesamefashion.Wewanttoconsideronlythoseprogrammingconstructsthatarefundamentaltoatreatmentofcovertowsinanimperativelanguage.Forthisreason,proceduresandanassortmentofotherlanguagefeatures,suchasarrays,arenotincluded.Noticethattrycommandsdonothavecatchclausesforexceptionhandling.Acommandliketryx=ee0inccatchc0introducesanimplicitowfromeande0toc0thatcanbehandledwithatypingrulelikethoseforanyguardedcom-mands.Here,wefocusonthecasewhereexceptionsarenotcaughtandthereforedonotconsidertry-catchcommands.Asinourearliertypesystem,thetypesofthecorelan-guagearestratied:::=s::=jvarjcmdMetavariablesrangesoversecurityclasses,whichweas-sumearepartiallyorderedby.Typevaristhetypeofavariableandcmdisthetypeofacommand.ThetypingrulesforthecoreimperativelanguagearegiveninFigure3.Theyformadeductiveproofsystemforassigningtypestoexpressionsandcommands.Theyaregiveninasyntax-directedformandareequivalenttoamoreexiblesystemwherecoercionscanbeappliedmorefreely.Typingrulesforsomeexpressionsareomittedsincetheyaresimilartorule(ARITH).Typingjudgementshavetheform;\r`p:whereisalocationtypingand\risanidentiertyping.Thejudgementmeansthatphrasephastype,assumingprescribestypesforlocationsinpand\rprescribestypesforanyfreeidentiersinp.Anidentiertypingisanitefunctionmappingidentierstotypes;\r(x)isthetypeassignedtoxby\rand\r[x:]assignstypetoxandtovariablex0=x,type\r(x0).If\risdroppedfromajudge-ment,asin`p:,thenitisassumedtobeempty.Alocationtypingisalsoanitefunction,butitmapsloca-tionstotypes.Thenotationalconventionsforlocationtypingsaresimilar.Onecanunderstandtheintuitionbehindourtypesystemasfollows:inaguardedcommandlikewhileedoc,when-evercisexecuted,itisknownthatewastrue.Hence,if (INT);\r`n:(VAR);\r`x:var\r(x)=var(VARLOC);\r`l:var(l)=(ARITH);\r`e:;;\r`e0: ;\r`e+e0:(R-VAL);\r`e:var;0 ;\r`e:0(ASSIGN);\r`e:var;;\r`e0:;0 ;\r`e:=e0:0cmd(COMPOSE);\r`c:cmd;;\r`c0:cmd ;\r`c;c0:cmd(IF);\r`e:;;\r`c:cmd;;\r`c0:cmd;0 ;\r`ifethencelsec0:0cmd(TRY);\r`e:;;\r`e0:;;\r[x:]`c:cmd;isminimum ;\r`tryx=ee0inc:cmd(WHILE);\r`e:;;\r`c:cmd;isminimum ;\r`whileedoc:cmd(LETVAR);\r`e:;;\r[x:var]`c:0cmd ;\r`letvarx:=einc:0cmdFigure3.TypingRulesforEliminatingCovertFlows e:H,thencmustnotassigntoanyvariablesofclassL,forsuchassignmentswouldconstituteanillegaldownwardow.ThetypingrulethereforerequiresthatcinthiscasehavetypeHcmd,whichmeansthatitonlyassignstovari-ablesofclassH.However,assigningtovariablesisnottheonlywayforacommandtotransmitinformation—acom-mandcanalsotransmitinformationbyfailingtoterminateorbyaborting.Suchfailedexecutionstransmitinformation(covertly)toanoutsideobserveroftheprogram'sexecu-tion,whomustberegardedasL.Topreventsuchdownwardcovertows,werequirethatthesourcesoffailedexecutions(i.e.theguardofawhileloopandthedenominatorofadi-visioninatrycommand)haveminimumtype.1Thenewrestrictionsonwhileandtryensurethatexecutingacom-mandoftypeHcmddoesnottransmitcovertinformationtoanoutsideobserver,becausethecommandisguaranteedtoterminatesuccessfully.Ofcourse,thisdoesnotruleouttimingchannels,whichuseprogramexecutiontimetotransmitinformationtotheoutsideobserver.Inournalcovert-owtheoreminSec-tion5,weconsidereliminatingtimingchannelsbyalsore-quiringtheguardofconditionalcommandstohavemini-mumtype.Butthismaymakethetypesystemtoorestric-tivetobepractical.Moreexperienceisneededtobesure.3.OurFirstCovert-FlowTheoremOurrstcovert-owtheoremisexpressedwithrespecttoanaturalsemanticsforclosedphrasesinthecorelanguage.Aclosedphraseisevaluatedrelativetoamemory,whichisanitefunctionfromlocationstovalues.Thecontentsofalocationl2dom()isthevalue(l),andwewrite[l:=n]forthememorythatassignsvaluentolocationl,andvalue(l0)toalocationl0=l;[l:=n]isanupdateofifl2dom()andanextensionofotherwise.TheevaluationrulesaregiveninFigure4.Theyallowustoderivejudgementsoftheform`e)nforexpressionsand`c)0forcommands.Evaluatingaclosedexpres-sioneinamemoryresultsinanintegern.Expressionsarepureinthattheydonotaltermemorywhenevaluated.Evaluatingaclosedcommandcinamemoryresultsinanewmemory0.Commandsdonotyieldvalues.Wewrite[e=x]ctodenotethesubstitutionofeforallfreeoccurrencesofxinc,andletlbememorywithloca-tionldeletedfromitsdomain.Notetheuseofsubstitutioninrules(DIV)and(BINDVAR).Itallowsustoavoidusingenvironmentsinthesemantics.3.1.TerminationAgreementNowwecanstateourrstcovert-owtheorem: 1Forsimplicity,wealsorequirethenumeratorofadivisiontohaveminimumtype.Thisrestrictioncanberelaxed.Theorem3.1(TerminationAgreement)Suppose(a)`c:,(b)`c)0,(c)isamemorysuchthatdom()=dom()=dom(),and(d)(l)=(l)foralllsuchthat(l).Thenthereisamemory0suchthat`c)0and0(l)=0(l)foralllsuchthat(l).Analternativestatementofthetheoremisifacommandciswelltyped,andandarememoriessuchthat(c)and(d)aretrue,theneither1.cfailstoterminatesuccessfullyunderand,or2.cterminatessuccessfullyunderandandtheresult-ingmemoriesagreeonalllocationswhosetypesareboundedby.Thetheoremdepartsfromthenoninterferencetheoremof[9]inthatitdoesnotrequirectoterminatesuccessfullyun-derbothand.Thereisahypothesisaboutthesuccessfulterminationofcunderonly.Withtheremaininghypothe-ses,itisenoughtoensurethatcalsoterminatessuccessfullyunder.Beforeprovingthetheorem,weneedanumberoflem-mas.Therstfourlemmasaretakenfromourearlierwork[9].TheycanbeprovedforthetypingrulesinFigure3aswell.Lemma3.2(SimpleSecurity)If`e:,thenforeveryline,(l).Lemma3.3(Connement)If;\r`c:cmd,thenforeverylassignedtoinc,(l).Lemma3.4(ExpressionSubstitution)If;\r[x:]`p:,then;\r`[n=x]p:,andif;\r`l:and;\r[x:]`p:0,then;\r`[l=x]p:0.Lemma3.5If`c)0,thendom()=dom(0).Weintroducethefollowinglemmas,eachofwhichcanbeprovedbyinductiononphrasestructure.Lemma3.6(Determinism)Suppose(l)=(l),forev-eryline,`e)n,and`e)n0.Thenn=n0.Lemma3.7Suppose`e:andisamemorysuchthatdom()=dom().Thenthereisanintegernsuchthat`e)n. (VAL)`n)n(CONTENTS)`l)(l)l2dom()(ADD)`e)n;`e0)n0 `e+e0)n+n0(UPDATE)`e)n `l:=e)[l:=n]l2dom()(SEQUENCE)`c)0;0`c0)00 `c;c0)00(BRANCH)`e)n;(nnonzero)`c)0 `ifethencelsec0)0`e)0;`c0)0 `ifethencelsec0)0(DIV)`e)n;`e0)n0;(n0nonzero)`[(nn0)=x]c)0 `tryx=ee0inc)0(LOOP)`e)0 `whileedoc)`e)n;(nnonzero)`c)0;0`whileedoc)00 `whileedoc)00(BINDVAR)`e)n;listheleastlocationnotindom();[l:=n]`[l=x]c)0 `letvarx:=einc)0lFigure4.CoreLanguageNaturalSemantics Lemma3.8If;\r`c:cmdandccontainsanoccur-renceofwhileortry,thenisminimum.Lemma3.9Suppose`c:cmdandcdoesnotcontainaninstanceofwhileortry,andisamemorysuchthatdom()=dom().Thenthereisamemory0suchthat`c)0.Noticethepurelysyntactichypothesesunderwhichter-minationisguaranteedinLemma3.9.Limitingpartialre-cursiontotypedcommandsinalanguage(e.g.whileorle-trec)makesiteasiertogetasoundandpracticaltypesys-temtocontrolcovertows.Someprogramminglanguagefeaturesmakeitmuchhardertoachievesuchasystem.Forexample,somepeoplehaveproposedextendingJavawithhigher-orderfunctions.Inthecontextofanimperativelan-guage,suchasJava,higher-orderfunctionsmakerecursionpossiblethroughcircularityinmemory:onecanbindavari-abletoafunctioncontainingafreeoccurrenceofthatvari-able[8].Suchanextensionmakesitharderforthetypesystemtobeawareofpotentiallynonterminatingprograms,andyetbeexible.Typingthewhileandtrycommandsminimallypreventsthemfromtakingdifferentexecutionpathsundertwomem-oriesthatagreeonlocationswithminimumtype.Acondi-tional,however,isstillfreetotakedifferentexecutionpathsundertwosuchmemories.Theproofoftheterminationagreementtheoremresem-blestheproofofnoninterferencein[9].Itproceedsbyin-ductiononthestructureof`c)0.Wegivetheproofforoneofthemoreinterestingcases,namely,evaluationrule(BRANCH).Theremainingevaluationrulesaretreatedsimilarly.(BRANCH).Suppose`ifethencelsec0)0andthetypingderivationendswithanapplicationofrule(IF):`e:0;`c:0cmd;`c0:0cmd;000 `ifethencelsec0:00cmdTherearetwocases:1.0.Thensupposetheevaluationunderendswiththesecondrulefor(BRANCH):`e)0`c0)0 `ifethencelsec0)0Bythesimplesecuritylemma,(l)0foreverylineandso(l)foreveryline.Byhypothesis(d)then,(l)=(l)foreveryline,andthus`e)0byLemmas3.6and3.7.Byinductionthereisamemory0suchthat`c0)0and0(l)=0(l)foralllsuchthat(l).Then`ifethencelsec0)0bythesecondrulefor(BRANCH).Evaluationunderendingwiththerstrulefor(BRANCH)ishandledsimilarly.2.06.Then0isnotminimum,andthusbyLemma3.8,neithercnorc0containsanoccurrenceofwhileortry.Sothereisamemory0suchthat`ifethencelsec0)0byLemma3.9.BytheConnementLemma,(l)0foreverylassignedtoincorc0.Thusforeverylassignedtoincorc0,(l)6sinceotherwise0.Soifl2dom()and(l),thenlisnotassignedtoincorc0.So0(l)=(l)and0(l)=(l)foralllsuchthat(l),andwe'redoneby(d).4.OurSecondCovert-FlowTheoremTerminationagreementisstillasomewhatweakerstate-mentthanwewantaboutwhatthetypesystemactuallyguaranteesintermsofprotectionagainstcovertows.Itsaysthatifcdoesnotterminatesuccessfullyunderonememorythenitdoesn'tterminatesuccessfullyundertheothermemoryeither.Sothetwoexecutionscannotbedis-tinguishedbyoneofthemterminatingsuccessfullyandtheotherfailingtodoso.Butwhataboutdistinguishingnon-terminationfromabnormaltermination?Thetheoremdoesnotruleoutthepossibilitythatcfailstoterminateunderonememoryandgetsstuck(aborts)undertheother.Forexample,supposelocationlrangesover0and1andthatl2dom()andl2dom().Nowifandagreeonalllocationsofminimumtype,thentryz=2linwhile(l�0)do;maygetstuckunderyetfailtoterminateunderifldoesnothaveminimumtype.Thesetwoexecutionscanbedis-tinguished.Whatwewanttoshowyetisthatifacommandciswelltypedanditfailstoterminatesuccessfullyinsomewayunder,thenitalsofailstoterminatesuccessfullyinthesamewayunder.Statedinanotherway,executionofcundermakesprogressiffitsexecutionunderdoes.Thisbringsustooursecondcovert-owtheorem:themu-tualprogresstheorem.However,beforewecanstateandprovethetheorem,weneedanotherformofsemantics.Anaturalsemanticsallowsustostatepropertiesaboutsuccessfulorcompleteprogramexecutions,notpartialones.Soitisnotsuitedforprovingpropertiesaboutin-termediatestepsofacomputationlikeprogresstheorems.Forthis,weuseanewformofsemanticswhichwecallanaturaltransitionsemantics(NTS)becauseitisderiveddi-rectlyfromthenaturalsemantics[7].Unlikethetreatment ofNTSin[7],hereitisformulatedasasetoftransitionrules.Theserulesadmitproofsofpropertiesaboutasingletransitionbyinductiononthestructureofitsderivation.4.1.NaturalTransitionSemanticsAtraditionaltransitionsemanticsforanimperativepro-gramminglanguagedenestransitionsbetweencongura-tionsthatinvolvememoriesandtermsofthelanguage[3].Herewedenetransitionsbetweenpartialderivationtreeswhichrepresentpartialderivationsinthenaturalsemantics.Partialderivationtreesaredenedasfollows.First,weaddtothecompletejudgments`e)nand`c)0,anewkindofjudgmentcalledapendingjudgmentwhichhastheform`p)?wherepisaphrase.Thenpartialderivationtreesaredenedinductively:1.[`e)n],[`c)0]and[`p)?]arepartialderivationtrees.2.ifPisapredicate,then[P]isapartialderivationtree.3.ifT1;:::;Tnarepartialderivationtrees,then[`e)n](T1;:::;Tn),[`c)0](T1;:::;Tn),and[`p)?](T1;:::;Tn)arepartialderivationtrees.Forexample,[`l)(l)]([l2dom()])isapartialderivationtree.Wesaythatapartialderivationiscompleteifithasnosubtreerootedat[`p)?].Everycompletederivationtreeisapartialderivationtree.WeletI,J,andKrangeovercompletederivationtreesandToverpartialderivationtrees.Rulesofthenaturaltransitionsemanticsforexpressionsandthewhileandtrycommands,aregiveninFigures5,6,and7.Weusem,j,andkintherulesasindicesthatstartatzero.Transitionruleshavebeenomittedfortheothercom-mandssincetheirformulationfromthenaturalsemanticsissimilar.Let!bethereexiveandtransitiveclosureof!,thatis,T0!T,foranyT,Tk+1!T0ifthereexistsT00suchthatTk!T00andT00!T0,andT!T0ifTk!T0forsomek0.Thetransitionrulesalsoincludearule(CONGRUENCE)whichallowsexecutionofcompoundphrases:T!T0 [`p)?](J1;:::;Jn;T)Itallowsthesemanticsto“scaleup”:Lemma4.1SupposethatTandT0arepartialderivationtrees,n0,andk0.ThenTk!T0iff[`p)?](J1;:::;Jn;T)kProof.Bothdirectionscanbeprovedbyinductiononk,usingrule(CONGRUENCE).The(if)directionrequiresob-servingthatifT!T0thenthenumberofchildrenoftherootofT0isatleastthatoftherootofT,andifTform0,thenTisrootedat[`p)?]. Itshouldbenotedthatcontrollingthelifetimeoflo-cationsinatraditionaltransitionsemanticsistrickysinceoneislimitedtotransitionsbetweencongurationsinvolv-inglanguageterms.Butwithtransitionsbetweenpartialderivationtrees,wecanexploitdifferenttreestructureandavoidintroducingextrainformationintocongurationslikethenumberof“live”locations[6].Thetransitionrulethatallocatesalocationforaninstanceofletvarisatransitionfromatreewhoseroothasexactlyonechildtoonewhoseroothasexactlythreechildren.Thisdifferenttreestructurecanbeexploitedintherulestospecifyinamorenaturalwaywhenlocationsshouldbedeallocated.WesaythatapartialderivationtreeTissoundifforeverynodeinToftheform[`c)0],wehave`c)0,foreverynodeoftheform[`e)n],wehave`e)n,andforeverynodeoftheform[P],Pistrue.Lemma4.2IfTandT0arepartialderivationtreessuchthatTissoundandT!T0,thenT0issound.Proof.InductiononthestructureofthederivationofT!T0. Byaneasyinductiononthenumberoftransitions,wehavethatifT!T0andTissound,thensoisT0.Thisleadstothefollowingcorollary:Proposition4.3(NTSSoundness)If[`e)?]then`e)n.Further,ifwehave[`c)?],then`c)0.CompletenessofthetransitionsemanticsisgivenbyProposition4.4(NTSCompleteness)Supposethat`e)nandthatthejudgmenthasacompletederivationtreeJ.Then[`e)?]!J.Further,if`c)0andthisjudgmenthasacompletederivationtreeJ,then[`c)?]!J.Proof.Inductiononthestructureofthederivationof`e)nandof`c)0,usingLemma4.1. (T-VAL)[`n)?]l2dom() [`l)?]])(T-ADD)[`e+e0)?]?])(1)[`e+e0)?]([`e)n](J1;:::;Jk))n](J1;:::;Jk);[`e0)?])(2)[`e+e0)?]([`e)n](J1;:::;Jk);[`e0)n0](K1;:::;Km))n](J1;:::;Jk);[`e0)n0](K1;:::;Km))Figure5.NaturalTransitionSemanticsforExpressions4.2.MutualProgressNextweestablishthemutualprogresspropertyforthetypesystem.Theorem4.5(MutualProgress)Suppose(a)`c:,(b)andarememoriessuchthatdom()=dom()=dom(),(c)(l)=(l)foralllsuchthat(l),(d)[`c)?]!T,and(e)Thasaleafoftheform[0`c0)?]wherec0isatrycommand.Thenthereisalocationtyping0andpartialderivationtreeT0suchthatT0hasaleafoftheform[0`c0)?],[`c)?]!T0,0,dom(0)=dom(0)=dom(0),and0(l)=0(l),foralllsuchthat0(l).Proof.Inductiononthenumberoftransitionsin[`c)?]!T.Asidefromthebasis,weshowonlyonecase,namely(T-LOOP).Itisagoodrepresentativecasebecauseitillustratesthekeystepsoneneedsinordertoprovethetheoremforallotherrulesofthetransitionsemantics.Forzerotransitions,wehave[`c)?]![`c)?]wherecisatrycommand.Let0=andwe'redonebyhypotheses(b)and(c).Nowsupposeciswhileedoc00.Therearetwosubcasestoconsiderhere.Theycorrespondtowhethertheleafofhypothesis(e)arisesbeforeorafterchasmadeatransitionaccordingtorule(T-LOOP)(3).Firstweconsiderthecasewhenitarisesbefore.Sincecommandsarenotexpressions,wehave,byhypotheses(d)and(e),thatc00containsatrycommandc0,[`c)?]?])whereJ1isacompletederivationtreerootedat[`e)n]andnisnonzero,andnallythat[`c)?](J1)?])whereTcontainsaleafoftheform[0`c0)?].Byrule(T-LOOP),wehave[`c)?]?]) (T-DIV)[`tryx=ee0inc)?]?])(1)[`tryx=ee0inc)?]([`e)n](K1;:::;Km))n](K1;:::;Km);[`e0)?])(2)n0nonzero [`tryx=ee0inc)?]([`e)n](K1;:::;Km);[`e0)n0](J1;:::;Jk))n](K1;:::;Km);[`e0)n0](J1;:::;Jk)[n0nonzero];[`[(nn0)=x]c)?])(3)[`tryx=ee0inc)?]([`e)n](K1;:::;Km);[`e0)n0](J1;:::;Jk);[n0nonzero];[`[(nn0)=x]c)0](I1;:::;Ij))n](K1;:::;Km);[`e0)n0](J1;:::;Jk);[n0nonzero];[`[(nn0)=x]c)0](I1;:::;Ij))Figure6.NaturalTransitionSemanticsfortry (T-LOOP)[`whileedoc)?]?])(1)[`whileedoc)?]([`e)0](J1;:::;Jk))0](J1;:::;Jk))(2)nnonzero [`whileedoc)?]([`e)n](J1;:::;Jk))n](J1;:::;Jk);[nnonzero];[`c)?])(3)[`whileedoc)?]([`e)n](J1;:::;Jk);[nnonzero];[`c)0](K1;:::;Km))n](J1;:::;Jk);[nnonzero];[`c)0](K1;:::;Km);[0`whileedoc)?])(4)[`whileedoc)?]([`e)n](J1;:::;Jk);[nnonzero];[`c)0](K1;:::;Kj);[0`whileedoc)00](I1;:::;Im))n](J1;:::;Jk);[nnonzero];[`c)0](K1;:::;Kj);[0`whileedoc)00](I1;:::;Im))Figure7.NaturalTransitionSemanticsforwhile Nowwehave`e:0anddom()=dom(),sothereisanintegern0suchthat`e)n0,byLemma3.7.SupposethisjudgmenthasacompletederivationtreeJ01rootedat[`e)n0].Bycompletenessofthetransitionsemantics,[`e)?]!J01Atthispoint,weneedtoshowthatexecutionofcdoesnotproceedwithatransitionbyrule(T-LOOP)(1)sincethisrulecannotleadtoaderivationtreewiththedesiredleaf.Wehave`e:0and0isminimumbythetypingrule(WHILE).So(l)0foreverylinebythesimplesecuritylemma.Also,0since0isminimum.So(l)foreveryline,andthus(l)=(l)foreveryline,byhypothesis(c).Further,bysoundnessofthetransitionsemantics,`e)n.Thus,n0=nbyLemma3.6.Son0isnonzeroandwethenhavebyrule(T-LOOP)(2)andLemma4.1,that[`c)?]([`e)?])?])NowbyLemma4.1,[`c00)?]!Tandsobyinduction,[`c00)?]!T0T0hasaleafoftheform[0`c0)?]andthereisaloca-tiontyping0suchthat0,dom(0)=dom(0)=dom(0),and0(l)=0(l)foralllsuchthat0(l).Finally,byLemma4.1again,[`c)?](J01;[n0nonzero];[`c00)?])Nowconsiderthecasewhentheleafarisesafterthewhilecommandhasmadeatransitionaccordingtorule(T-LOOP)(3).Supposethat[`c)?]?])whereJ1isacompletederivationtreerootedat[`e)n],suchthatnisnonzero,J2isacompletederivationtreerootedat[`c00)0],andThasaleafoftheform[00`c0)?].ByLemma3.7,`e)n0.SupposethisjudgmenthasacompletederivationtreeJ01rootedat[`e)n0].Wealsohave`e:0where0isminimumbytypingrule(WHILE).Sobythesimplesecuritylemmaandhypothe-sis(c),(l)=(l)foreveryline.Thus,n0=n,byLemma3.6,andson0isnonzero.Bythesoundnessofthetransitionsemantics,wehave`c00)0.Sobytheterminationagreementtheorem,thereisa0suchthat`c00)0and0(l)=0(l)foralllsuchthat(l).SupposethisjudgmenthascompletederivationtreeJ02rootedat[`c00)0].Bythecompletenessofthetransitionsemantics,Lemma4.1,andrules(T-LOOP),(T-LOOP)(2)and(T-LOOP)(3),wehave[`c)?]?])NowbyLemma4.1,[0`c)?]!TByLemma3.5,andsincedom()=dom()=dom(),wehavedom(0)=dom(0)=dom().Thus,byinduction,[0`c)?]!T0T0hasaleafoftheform[00`c0)?]andthereisaloca-tiontyping0suchthat0,dom(00)=dom(00)=dom(0)and00(l)=00(l)foralllsuchthat0(l).Finally,byLemma4.1,[`c)?](J01;[n0nonzero];J02;[0`c)?])andwe'redone. Noticeintheproofthatwehavetheguardofawhilecommandevaluatingtothesamevalueunderandsincethecommandistypedminimallybyrule(WHILE).Theproofalsoneedstheguardofaconditionaltoevaluatetothesamevalueunderand,yetrule(IF)doesnotrequireaconditionaltobeminimallytyped.Nevertheless,itwillbeminimallytypedduetohypotheses(a)and(e)ofthetheorem,andLemma3.8.Themutualprogresstheoremtellsusthatifexecutionofacommandcinamemorydependsonexecutingtryx=ee0inc0insomememory0,thenc'sexecutioninalsodependsonexecutingthetrycommandinsomememory0.Fur-thermore,wehavethat;\r`e0:,forminimumtype,sinceciswelltyped.Thetheoremgivesusatyping0thatcontains,andhence0;\r`e0:.Thetheoremalsotellsusthat0and0agreeonalllocationsinthedomainof0withminimumtype.Thuseitherbothexecutionsproceed(e0evaluatestothesamenonzerointegerin0and0)orbothgetstuck(e0evaluatestozeroin0and0).5.OurThirdCovert-FlowTheoremLookingatthemutualprogresstheoremmoreclosely,ifexecutionofacommandcgetsstuckunderamemory, thenitsexecutionalsogetsstuckunderanyothermemorythatagreeswithonlocationsofminimumtype.Thissaysthatexecutionsofcundermemoriesthatdifferonlyonlocationsofnonminimumtypecannotbedistinguishedonthebasisofabnormalterminationversusnontermination.Butthenumberofstepsctakesunderandmaydiffer.Considerawell-typedcompositionc;c0whereccontainsaconditional,withanonminimumguard,andonlyc0con-tainsatrycommand.Thenalthoughc0maygetstuckunderand,morestepsmaybeneededtodosounderonemem-orythanundertheotherduetodifferentexecutionpathstakenbytheconditionalinc.(Rememberthatcondition-alswithnonminimumguardscanstillbetypedminimallybysubtyping.)Aslongasconditionalsarenottypedmini-mally,wecannotsaythatifexecutionofawell-typedcom-mandcgetsstuckafterkstepsunder,thenitdoessoafterkstepsunderaswell.Asournalcovert-owtheorem,weproveatimingagreementtheoremforamorerestrictedtypesystem.Therestrictedsystemistheoriginaltypesystemwithrule(IF)changedsothatisrequiredtobeminimum.Assume,here-after,that`nowreferstothemorerestrictedsystem.Firstweneedtwolemmas:Lemma5.1Ifandarememories,dom()=dom()and[`e)?]k,then[`e)?]kProof.Straightforwardinductiononk,usingLemma4.1. Thenextlemmaisastrongerformofterminationagree-ment(Theorem3.1)forthemorerestrictedtypesystem.Itdoesnotholdifconditionalsarenotminimallytyped.Lemma5.2Suppose`c:,andarememoriessuchthatdom()=dom()=dom(),(l)=(l)foralllsuchthat(l),and[`c)?]kThenwehave[`c)?]kand0(l)=0(l)foralllsuchthat(l).Proof.Inductiononk,usingLemmas4.1and5.1. Theorem5.3(TimingAgreement)Suppose(a)`p:,(b)andarememoriessuchthatdom()=dom()=dom(),(c)(l)=(l)foralllsuchthat(l),classTimingChannelimplementsRunnable{booleanval=false;TimingChannel()throwsInterruptedException{newTimeSlicer(5);newThread(this).start();tryThread.sleep(2);finally;System.out.println("val=true");}publicvoidrun(){doublex;if(val)for(inti=0;i64;i++)x=Math.exp(Math.PI)+i;System.out.println("val=false");}publicstaticvoidmain(Stringargs[])throwsInterruptedException{trynewTimingChannel();finally;}}Figure8.TimingChannelwithJavaThreads(d)[`p)?]k!T,fork0,and(e)Thasaleafoftheform[0`p0)?].Thenthereisalocationtyping0andpartialderivationtreeT0suchthatT0hasaleafoftheform[0`p0)?],[`p)?]k!T0,0,dom(0)=dom(0)=dom(0),and0(l)=0(l),foralllsuchthat0(l).Proof.Inductiononk,usingLemmas4.1and5.2. Clearlytimingagreementisastrongerpropertythanei-therterminationagreementormutualprogress.Butthecostforthisaddedstrengthisamuchmorerestrictivetypingruleforconditionals.Thoughitmightbearguedtheruleisim-practicalforwritingsystemssoftwareorTCBsourcecode,itmaybethekindofrulethatshouldbeusedinwriting“Webprograms”likeJavaApplets.Thereasonisthatwiththreads,timingdifferencesbecomequiteeasytoobservefromwithinprograms.Forexample,taketheJavaprograminFigure8.Theideaisthatwewanttodeterminethecontentsofthebooleanvariablevalbysettinguptwocompetingthreads.Themainthreadcreatesanotherthread,theTimingChannelthread,whoserunmethodcheckswhethervalistrue,doingsomecomputationifitisandnothingotherwise,exceptprintastring.NoticethattherunmethoddoesnothaveanyillegalimplicitowsinthesenseofDen-ning'sprogramcertication[2,9].Thereisathirdthread, calledtheTimeSlicer,whichisadaemonthreadrun-ningatahigherpriority.Itre-awakenseveryvemillisec-ondsandimmediatelygoesbacktosleepwhichguaranteesround-robinschedulingamongtheothertwothreads.2Af-tercreatingtheTimingChannelthread,themainthreadsleepsfortwomilliseconds.IfitawakensbeforetheTimingChannelthreadcompletes,thentherststringoutputwillbeval=true,otherwiseitwillbeval=false.Therststringusuallyreectsthevariable'scon-tentsaccurately.Thisisnotacompletelyreliablewayofgettingthecontentsduetothreadschedulingvariations,butitworksoftenenough.Soitseemsthatconditionalsshouldalsobetypedmin-imally.Butthismaynotbethebestwaytodealwiththem.Afterall,unliketheearlierJavaexamples,threadshereseemtohaveacriticalrole.Perhapswithapropertreatmentofthreads,conditionalswon'tneedtobetypedsorestrictively.6.ConclusionTheideaofanalyzingsourcecodeforcovertinforma-tionowisnotnew.HeandGligor,forexample,infor-mallydescribeanalyzingTCBsourcecodeforsuchows[4].OthershaverecognizedtheneedtoaugmentDenning'soriginalsecure-owcerticationwithrulesthatdealwithglobalowsarisingfromloopsandpossiblynonterminat-ingprograms[1,5].Buttheseeffortsprovidenoformalspecicationnorproofofthepropertiesthatareguaranteedtoholdforprogramsthatpasstheanalyses.Incontrast,wehavegivenarigorousaccountofvariouspropertiesthataprogramhasifitistypeableinourcovert-owtypesystem.References[1]G.AndrewsandR.Reitman.AnAxiomaticApproachtoIn-formationFlowinPrograms.ACMTrans.onProg.Lang.andSystems,2(1):56–76,1980.[2]D.DenningandP.Denning.CerticationofProgramsforSecureInformationFlow.Commun.ACM,20(7):504–513,1977.[3]C.Gunter.SemanticsofProgrammingLanguages.TheMITPress,1992.[4]J.HeandV.Gligor.FormalMethodsandAutomatedToolforTiming-ChannelIdenticationinTCBSourceCode.InPro-ceedings2ndEuropeanSymposiumonResearchinComputerSecurity,pages57–75,November1992.[5]M.MizunoandA.Oldehoeft.InformationFlowControlinaDistributedObject-OrientedSystemwithStatically-BoundObjectVariables.InProceedings10thNationalComputerSecurityConference,pages56–67,1987. 2Thetimeslicerwasneededbecauseourexamplewasdevelopedus-ingSolarisJDK1.02which,unliketheJDKforWindowsNT,doesnotschedulethreadsinaround-robinfashion.[6]M.Ozgen.ATypeInferenceAlgorithmandTransitionSe-manticsforPolymorphicC.Master'sthesis,NavalPostgrad-uateSchool,1996.[7]G.SmithandD.Volpano.ASoundPolymorphicTypeSystemforaDialectofC.ScienceofComputerProgramming,1997.Toappear.[8]D.VolpanoandG.Smith.ATypeSoundnessProofforVari-ablesinLCFML.InformationProcessingLetters,56(3):141–146,1995.[9]D.Volpano,G.Smith,andC.Irvine.ASoundTypeSys-temforSecureFlowAnalysis.JournalofComputerSecurity,4(3):167–187,1996.