Observational determinism has been proposed in the literature as a way to ensure condentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal denitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed denitions. A program that is secure under one kind of scheduler might not be secure when executed with a dierent scheduler. The existing definitions do not ensure that an accepted program behaves securely under the scheduler that is used to deploy the program. Therefore, this paper proposes a new formalization of scheduler-specic observational determinism. It accepts programs that are secure when executed under a specic scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. We discuss the properties of our denition and argue why it better approximates the intuitive understanding of observational determinism. In addition, we discuss how compliance with our denition can be veried, using model checking. We use the idea of self-composition and we rephrase the observational determinism property for a single program $C$ as a temporal logic formula over the program $C$ executed in parallel with an independent copy of itself. Thus two states reachable during the execution of $C$ are combined into a reachable program state of the selfcomposed program. This allows to compare two program executions in a single temporal logic formula. The actual characterization is done in two steps. First we discuss how stuttering equivalence can be characterized as a temporal logic formula. Observational determinism is then expressed in terms of the stuttering equivalence characterization. This results in a conjunction of n LTL and a CTL formula, that are amenable to model checking.
|Name||Lecture Notes in Computer Science|
|Conference||2nd International Conference on Formal Verification of Object-Oriented Software, FoVeOOS 2011|
|Period||5/10/11 → 7/10/11|
|Other||October 5-7, 2011|
- Multi-threaded programs
- Observational determinism
- Temporal Logic