Scheduler-Specific Confidentiality for Multi-Threaded Programs and Its Logic-Based Verification

Marieke Huisman, Minh Tri Ngo

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    10 Citations (Scopus)
    31 Downloads (Pure)


    Observational determinism has been proposed in the literature as a way to ensure condentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal denitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed denitions. A program that is secure under one kind of scheduler might not be secure when executed with a dierent scheduler. The existing definitions do not ensure that an accepted program behaves securely under the scheduler that is used to deploy the program. Therefore, this paper proposes a new formalization of scheduler-specic observational determinism. It accepts programs that are secure when executed under a specic scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. We discuss the properties of our denition and argue why it better approximates the intuitive understanding of observational determinism. In addition, we discuss how compliance with our denition can be veried, using model checking. We use the idea of self-composition and we rephrase the observational determinism property for a single program $C$ as a temporal logic formula over the program $C$ executed in parallel with an independent copy of itself. Thus two states reachable during the execution of $C$ are combined into a reachable program state of the selfcomposed program. This allows to compare two program executions in a single temporal logic formula. The actual characterization is done in two steps. First we discuss how stuttering equivalence can be characterized as a temporal logic formula. Observational determinism is then expressed in terms of the stuttering equivalence characterization. This results in a conjunction of n LTL and a CTL formula, that are amenable to model checking.
    Original languageUndefined
    Title of host publication2nd International Conference on Formal Verification of Object-Oriented Software (FoVeOOS 2011), Revised Selected Papers
    EditorsB. Beckert, F. Damiani, D. Gurov
    Place of PublicationBerlin
    Number of pages18
    ISBN (Print)978-3-642-31761-3
    Publication statusPublished - 2012
    Event2nd International Conference on Formal Verification of Object-Oriented Software, FoVeOOS 2011 - Turin, Italy
    Duration: 5 Oct 20117 Oct 2011

    Publication series

    NameLecture Notes in Computer Science
    PublisherSpringer Verlag
    ISSN (Print)0302-9743


    Conference2nd International Conference on Formal Verification of Object-Oriented Software, FoVeOOS 2011
    OtherOctober 5-7, 2011


    • METIS-285035
    • Confidentiality
    • IR-79437
    • Multi-threaded programs
    • EWI-21337
    • Security
    • Observational determinism
    • Temporal Logic
    • noninterference
    • Verification

    Cite this