2000-07-20 Secrecy and Group Creation (MFCSIT Cork).A4

8/14/2019 2000-07-20 Secrecy and Group Creation (MFCSIT Cork).A4

1/18

Talk August 11, 2000 10:54 am 1

Secrecy and Group CreationLuca Cardelli

Microsoft Research

with Giorgio Ghelli (University of Pisa)

and Andrew Gordon (Microsoft Research)Cork, 2000-07-20


2/18

Talk August 11, 2000 10:54 am 2

Introduction

Group creation is a new general construct that can be added to vir-

tually any language of formalism.

In its simplest form, it is a natural extension of the sort-based type

systems developed for the -calculus:

(G) (n:G) (m:G) ...

create a new group (i.e., unstructured type or collection) G,

and populate it with new elements n, m, ...

While studying it for other purposes (control of mobility), we no-

ticed an interesting and subtle connection with secrecy. A secret

like n can never escape from the initial scope ofG, as a simple mat-ter of typechecking.


3/18

Talk August 11, 2000 10:54 am 3

Leaking Secrets

Consider a configuration, with aplayerP and an opponentO:

O | P

P wants to create a fresh secretx not shared by the opponent. In the

-calculus this is obtained by letting P evolve into a configuration:

O | (x)P

which means: create a newx to be used in the scope ofP; with the

intent thatx should remain forever private to P.

Such a privacy policy is violated if the system then evolves into a

situation such as this, for a public channelp:

p(y)O | (x)(pjxk | P)

wherepjxk may happen accidentally or maliciously.


4/18

Talk August 11, 2000 10:54 am 4

For the actual communication, and leakage, to happen, the -calcu-

lus provides extrusion rules for (x), so that the system automati-

cally becomes:

(x) (p(y)O | pjxk | P)

After which, the opponents obtains the secret:

(x) (O{yx} | P)


5/18

Talk August 11, 2000 10:54 am 5

Preventing Leakage

The secret x has been leaked by a combination of an output pjxk

(possibly a bug) and extrusion of (x). Can leakage be prevented?

Restricting output: it is not easy to say thatpjxk should not hap-

pen becausep could be obtained dynamically. (Flow analysis...)

Restricting extrusion: technically difficult, because extrusion is

needed for legitimate communication.

One can look for solutions based on typed -calculi: Declarex to be Private. Unfortunately, in standard sorting sys-

tems all sorts are global, so the opponent can be typechecked:

p(y:Private).O | (x:Private) (pjxk| P)

Hint: we want the secretx to belong to a sort G which is itself

secret...


6/18

Talk August 11, 2000 10:54 am 6

Group Creation

In general, we want the ability to create fresh groups (sorts) on de-

mand, and then to create fresh elements of those groups.

Creating arbitrary new groups does not restrict us to a rigid dis-

tinction between public and private groups, which works only

between two parties.

We extend the sorted -calculus with an operator, (G)P, to dy-

namically create new a new group G in a scope P. This is a dynamic

operator; it can be used to create a fresh group after an input:

q(z:T).(G)P.

Still, the group information can be tracked statically to ensure thatnames of different groups are not confused.

N.B.: (G) extrudes very much like (x:T), for the same reasons.


7/18

Talk August 11, 2000 10:54 am 7

Leakage to a well-typed opponent is now prevented simply lexical

scoping and typing rules (where G[] is the type of channels of group

G that carry no values):

p(y:T).O | (

G) (x:G[]) (p

jx

k| P)

This term cannot be typed: the type Twould have to mention G,

which is out of scope.


8/18

Talk August 11, 2000 10:54 am 8

Untyped Opponents

Problem: opponents cheat. Suppose the opponent is untyped, or not

well-typed (e.g.: running on an untrusted machine):

(p:U) (p(y).O | (G) (x:G[]) (pjxk | P))untrusted | untrusted | trusted locally typechecked

name server | opponent | player

Will an untyped opponent, by cheating on the type of the public

channelp, be able to acquire secret information?

Fortunately, no. The fact that the player is well-typed is sufficient

to ensure secrecy, even in presence of untyped opponents. Essen-

tially becausepjxk must be locally well-typed.

We do not even need to trust the type of the public channelp, ob-

tained from a potentially untrusted name server.


9/18

Talk August 11, 2000 10:54 am 9

Secrecy

Summary: a player creating a fresh group G cannot communicate

channels of group G to an opponent outside of the initial scope ofG:

either because a (well-typed) opponent cannot name G to receive

the message,

or because a well-typed player cannot use public channels to

communicate G information to an (untyped) opponent.

Programmers reference manual:Channels of group G remain secret, forever,

outside the initial scope of (G).


10/18

Talk August 11, 2000 10:54 am 10

Thus, secrecy is reduced to scoping and typing restrictions. But the

situation is still fairly subtle because of

the extrusion rules associated with scoping,

the fact that scoping restrictions in the ordinary -calculus do notprevent leakage,

and the possibility of untyped opponents.

The only essential requirement is that the player must be

typechecked with respect to a global (untrusted) environment with-

in a trusted context. This seems reasonable. This is all our secrecy

theorem needs to assume.


11/18

Talk August 11, 2000 10:54 am 11

A Typed Pi-Calculus with Groups

Good Environments

Good Types

Good Messages

E T xdom(E) E / Gdom(E)

/ E,x:T/ E, G /

Gdom(E) E T1 ... E Tk

EG[T1, ..., Tk]

E,x:T,E /

E,x:T,E x : T


12/18

Talk August 11, 2000 10:54 am 12

Good Processes

E, G P E, x:TP

E (G)P E (x:T)P

E/ EP EQ EP

E0 EP | Q E !P

Ex : G[T1, ..., Tk] E, y1:T1, ..., yk:TkP

Ex(y1:T1, ...,yk:Tk).P

Ex : G[T1, ..., Tk] Ey1:T1 ... E yk:Tk

Exjy1, ...,ykk


13/18

Talk August 11, 2000 10:54 am 13

Structural Congruence and Reduction

PP

PQ QP

PQ, QR PR

(Struct Refl)

(Struct Symm)

(Struct Trans)

PQ (G)P (G)Q

PQ (x:T)P (x:T)Q

PQ P |RQ |R

PQ !P !Q

PQ

x(y1:T1, ..., yk:Tk).Px(y1:T1, ..., yk:Tk).Q

(Struct GRes)

(Struct Res)

(Struct Par)

(Struct Repl)

(Struct Input)

P | 0P

P | QQ | P

(P | Q) |RP | (Q |R)

!PP | !P

(Struct Par Zero)

(Struct Par Comm)

(Struct Par Assoc)

(Struct Repl Par)


14/18

Talk August 11, 2000 10:54 am 14

(x:T)(x:T)P (x:T)(x:T)P ifx!x

(x:T)(P | Q) P | (x:T)Q ifxfn(P)

(Struct Res Res)

(Struct Res Par)

(G)(G)P (G)(G)P(G)(x:T)P (x:T)(G)P ifGfn(T)

(G)(P | Q) P | (G)Q ifGfn(P)

(Struct GRes GRes)(Struct GRes Res)

(Struct GRes Par)

xjz1, ..., zkk |x(y1:T1, ..., yk:Tk).PxyyzP{y1z1, ..., ykzk}

PxyyzQ P |RxyyzQ |R

PxyyzQ (G)Pxyyz (G)Q

PxyyzQ (x:T)Pxyyz (x:T)Q

PP, PxyyzQ, QQ PxyyzQ


15/18

Talk August 11, 2000 10:54 am 15

Secrecy by Subject Reduction

For well-typed opponents, subject reduction already has secrecy

implications.

Theorem (Subject Reduction)

IfEP and PQ thenEQ.

IfEP and PxyyzQ thenEQ.

Corollary (No Leakage)Let P = (G)(x:G[T1, ..., Tk])P. IfEP for someEthen

there is no Q, Q", C{-} such that P (G)(x:G[T1, ...,

Tk])Q and QxyyzQ" and Q"C{pjxk} wherep andx are notbound by C{-}.

But we need to consider also untyped opponents.

A S Th


16/18

Talk August 11, 2000 10:54 am 16

A Secrecy Theorem

Theorem (Secrecy):

Suppose thatE (G)(x:T)P where Gfg(T). Let S be the names

occurring in dom(E). Then the type erasure (x)erase(P) of

(G)(x:T)P preserves the secrecy of the restricted namex from S.

Where preserves the secrecy ofx from the environment S is defined

in terms of a relation that traces the execution of the process, keepingtrack of the names that the process exchanges with the environment.

(Similar to Abadis definition.) The opponent process here is idealized

as a set of names known to the environment. See paper for details.

I t d A li ti


17/18

Talk August 11, 2000 10:54 am 17

Instances and Applications

The notion of group creation has surfaced in many places. We think

we have identified a particularly pure version of this notion. Many

connections are still vague:

type generativity in languages such as SML.

newlockin Flanagan and Abadis types for safe locking.

runSTin Lauchbury and Peyton Jones state threads.

At least a couple of applications have been worked out in detail:

Groups model Tofte and Talpins regions. Andy Gordon and Sil-

vano Dal-Zilio offer an embedding of a typed -calculus with re-

gions into a typed -calculus with groups and effects.

Groups are used in a type system for the Ambient Calculus to

statically restrict mobility (L.Cardelli, G.Ghelli, A.D.Gordon).

C l i


18/18

Talk August 11, 2000 10:54 am 18

Conclusions

A new programming construct that allows programmers to easily

state some secrecy intentions, as well as other intentions of the kind

this will not escape (e.g.: pointers).

Most suitable for groups of unstructured entities with little more

than equality on them: channels, keys, nonces, pointers.

While groups are similar to the sorts used in typed versions of the

-calculus, a new sortoperator does not seem to have been consid-

ered in the -calculus literature.

The basic idea can be adapted to any language: concurrent, func-

tional or imperative.

Easily statically checkable by routine typechecking (no flow anal-

ysis, information flow, etc.).

Documents

2000-07-20 Secrecy and Group Creation (MFCSIT Cork).A4