secret static analysis - rosaec centerrosaec.snu.ac.kr/meet/file/20140115f.pdf · 2018-04-12 ·...

8x, y.F (x) t F (y) = F (x t y)

X = F (?)

F : 2D ! 2D 2D D

!

이우석,�� 허기홍,�� 이광근

서울대학교

{wslee,�� khheo,�� kwang}@ropas.snu.ac.kr

비밀�� 프로그램�� 정적�� 분석

•프로그래머는�� 자신의�� 프로그램,�� 분석서비스�� 제공자는�� 분석기를�� 서로에게�� 조금도�� 노출시키고�� 싶지�� 않음��

•양측의�� 완벽한�� 보안을�� 지키면서�� 분석서비스�� 제공

SERVER CLIENT

(encrypted alarm report generation)

��

Final analysis report

computes

�(mk)

computes

F [[·]] : P ! D ! Dmk,mk+1

where mi = F [[P ]]i(?D)

mkvmk+1 (= mk v mk+1)

�(mk) (= �(mk))

�(mk)

mk v mk+1

��

��

��

if fixpoint reached

if fixpoint NOT reached,try again with larger k

Secret Static Analysis

Woosuk Lee

AbstractThis article proposes a protocol to provide a static analysis asa web-service maintaining client’s and server’s privacy. A clientwho requests a static analysis service does not want to revealhis code to a service provider, whileas the server wants to hideinformation about its static analysis from the client. The protocol isbased on the homomorphic encryption technique, which is capableof performing encrypted computation for given encrypted inputs.Based on the semantic security of a base encryption scheme, theprotocol prevents privacy leakages of each side.

1. IntroductionConsider a plausible situation: a client wants to use a static analysisservice without having to reveal its program code to a serviceprovider. On the other hand, the service provider wants to provideits static analyzer without revealing its technical know-how orreleasing a reusable binary executable to the client.

As a solution to this ironic situation, we devised an interactiveprotocol fulfilling the requirements of both sides. We provides away to perform secret static analysis for a given program on theclient side. Our secret static analysis protocol guarantees that 1)secret static analysis is totally secure, in the sense that attackerscan never grasp any piece of abstract domain on which the analysisis based, and 2) encrypted analysis results are correct, in the sensethat the decryption yields the very results of ordinary static analysisof input programs.

In this article, we present our protocol which is generally ap-plicable to static analysis based on finite abstract domain, and asan example, we show how a simple sign analysis is designed andperformed secretly on the protocol.

2. Preliminaries2.1 Basic conceptsPublic-key cryptosystem In public-key cryptosystem, anyone canencrypt messages using the public key, but only the holder of thepaired private key can decrypt. Security depends on the secrecy ofthe private key.

Probabilistic encryption Probabilistic encryption is the use ofrandomness in an encryption algorithm, so that when encryptingthe same message several times it will, in general, yield differentciphertexts. To hide even partial information about the plaintext, anencryption scheme must be probabilistic.

Homomorphic encryption Homomorphic encryption refers toencryption schemes that enable to perform operations on encrypteddata. A homomorphic encryption E is said to preserve an operationop if it provides op, an encrypted version of op, such that for a plaintext m,

op(E(m)) ⌘ E(op(m))

Fully Homomorphic Encryption Scheme If a homomorphic en-cryption scheme preserves any operations, it is said to be fully ho-

momorphic. A fully homomorphic encryption scheme[1] we con-sider preserves a series of addition(modulo 2) and multiplicationoperations, i.e., for plaintexts m1, m2 2 {0, 1},

E(m1) + E(m2) ⌘ E(m1 + m2)

E(m1) ⇥ E(m2) ⌘ E(m1 ⇥ m2)

Note that addition(modulo 2) and multiplication operators functionas boolean AND, XOR gates respectively. As an arbitrary circuitcan be encoded with AND, XOR gates, the above scheme preservesany operations.

Static Analysis We consider a static analysis designed by abstractinterpretation. In abstract interpretation, a static analysis is speci-fied with an abstract domain D and semantic function F : D ! D,where D is a cpo (complete partial order) and F is monotone. Theanalysis’ job is to compute the following sequence until stabilized:

G

i2NF

i(?) = F

0(?) t F

1(?) t F

2(?) t · · · (1)

where F

0(?) = ? and F

i+1(?) = F (F i(?)).

2.2 Notations•

mp : a ciphertext encrypted under p’s public key. Decryptionusing p’s private key yields the plaintext m. p may be eitherc(client) or s(server).

•mp1,p2

: a ciphertext multiply encrypted under p1’s and p2’spublic key. Decryption using both private keys results in theplaintext.

• opp

: a homomorphic version of operation op that permitscomputation on data encrypted under p’s public key.

• Dp : encrypted abstract domain under p’s public key. As anabstract domain consists of elements and abstract operators,encrypted abstract domain provides encryption algorithm forelements, and homomorphic abstract operators applicable toamong encrypted domain elements.

3. Protocol3.1 Assumptions1. A server and a client are “honest but curious” in the sense that

they run the protocol exactly as specified, but may try to learn asmuch as possible about the input of the other from their viewsof the protocol. Hence, we want the view of each side not toleak more knowledge than necessary.

2. A crucial part of information about static analysis is abstractdomain.

3. A base encryption scheme used in the protocol is public-keybased, probabilistic, semantically secure, and fully homomor-phic.

1 2013/12/19

동형암호(Homomorphic�� Encryption)?�� 암호문에�� 연산�� 적용한�� 결과와�� 평문에�� 연산�� 적용한�� 결과를�� 암호화한�� 것이�� 같은�� 연산을�� 지원하는�� 암호체계

완전동형암호(Fully�� Homomorphic�� Encryption)?�� 모든�� 종류의�� 연산을�� 지원하는�� 동형암호

Secret Static Analysis

Woosuk Lee

AbstractThis article proposes a protocol to provide a static analysis asa web-service maintaining client’s and server’s privacy. A clientwho requests a static analysis service does not want to revealhis code to a service provider, whileas the server wants to hideinformation about its static analysis from the client. The protocol isbased on the homomorphic encryption technique, which is capableof performing encrypted computation for given encrypted inputs.Based on the semantic security of a base encryption scheme, theprotocol prevents privacy leakages of each side.

1. IntroductionConsider a plausible situation: a client wants to use a static analysisservice without having to reveal its program code to a serviceprovider. On the other hand, the service provider wants to provideits static analyzer without revealing its technical know-how orreleasing a reusable binary executable to the client.

As a solution to this ironic situation, we devised an interactiveprotocol fulfilling the requirements of both sides. We provides away to perform secret static analysis for a given program on theclient side. Our secret static analysis protocol guarantees that 1)secret static analysis is totally secure, in the sense that attackerscan never grasp any piece of abstract domain on which the analysisis based, and 2) encrypted analysis results are correct, in the sensethat the decryption yields the very results of ordinary static analysisof input programs.

In this article, we present our protocol which is generally ap-plicable to static analysis based on finite abstract domain, and asan example, we show how a simple sign analysis is designed andperformed secretly on the protocol.

2. Preliminaries2.1 Basic conceptsPublic-key cryptosystem In public-key cryptosystem, anyone canencrypt messages using the public key, but only the holder of thepaired private key can decrypt. Security depends on the secrecy ofthe private key.

Probabilistic encryption Probabilistic encryption is the use ofrandomness in an encryption algorithm, so that when encryptingthe same message several times it will, in general, yield differentciphertexts. To hide even partial information about the plaintext, anencryption scheme must be probabilistic.

Homomorphic encryption Homomorphic encryption refers toencryption schemes that enable to perform operations on encrypteddata. A homomorphic encryption E is said to preserve an operationop if it provides op, an encrypted version of op, such that for a plaintext m,

op(E(m)) ⌘ E(op(m))

Fully Homomorphic Encryption Scheme If a homomorphic en-cryption scheme preserves any operations, it is said to be fully ho-

momorphic. A fully homomorphic encryption scheme[1] we con-sider preserves a series of addition(modulo 2) and multiplicationoperations, i.e., for plaintexts m1, m2 2 {0, 1},

E(m1) + E(m2) ⌘ E(m1 + m2)

E(m1) ⇥ E(m2) ⌘ E(m1 ⇥ m2)

Note that addition(modulo 2) and multiplication operators functionas boolean AND, XOR gates respectively. As an arbitrary circuitcan be encoded with AND, XOR gates, the above scheme preservesany operations.

Static Analysis We consider a static analysis designed by abstractinterpretation. In abstract interpretation, a static analysis is speci-fied with an abstract domain D and semantic function F : D ! D,where D is a cpo (complete partial order) and F is monotone. Theanalysis’ job is to compute the following sequence until stabilized:

G

i2NF

i(?) = F

0(?) t F

1(?) t F

2(?) t · · · (1)

where F

0(?) = ? and F

i+1(?) = F (F i(?)).

2.2 Notations•

mp : a ciphertext encrypted under p’s public key. Decryptionusing p’s private key yields the plaintext m. p may be eitherc(client) or s(server).

•mp1,p2

: a ciphertext multiply encrypted under p1’s and p2’spublic key. Decryption using both private keys results in theplaintext.

• opp

: a homomorphic version of operation op that permitscomputation on data encrypted under p’s public key.

• Dp : encrypted abstract domain under p’s public key. As anabstract domain consists of elements and abstract operators,encrypted abstract domain provides encryption algorithm forelements, and homomorphic abstract operators applicable toamong encrypted domain elements.

3. Protocol3.1 Assumptions1. A server and a client are “honest but curious” in the sense that

they run the protocol exactly as specified, but may try to learn asmuch as possible about the input of the other from their viewsof the protocol. Hence, we want the view of each side not toleak more knowledge than necessary.

2. A crucial part of information about static analysis is abstractdomain.

3. A base encryption scheme used in the protocol is public-keybased, probabilistic, semantically secure, and fully homomor-phic.

1 2013/12/19

간단한�� 방법�� :�� 암호화된�� 프로그램을�� 동형적으로�� 분석

A(E(P )) ⌘ E(A(P ))

안되는�� 이유�� :��

•프로그램이�� 암호화됨에�� 따라�� 생기는�� 비효율��

예)�� 실행함수�� (�� 명령문�� )�� =��

�� (명령문�� ≟�� 할당문)�� ×�� (할당문의�� 좌변�� ≟�� 변수1)�� ×�� (�� 실행결과1�� )�� +�� (명령문�� ≟�� 할당문)�� ×�� (할당문의�� 좌변�� ≟�� 변수2)�� ×�� (�� 실행결과2�� )�� +

......�� (명령문�� ≟�� 분기문)�� ×�� (분기문의�� 형태�� ≟�� 부정�� 조건문)�� ×�� (�� 실행결과3�� )�� +�� (명령문�� ≟�� 분기문)�� ×�� (분기문의�� 형태�� ≟�� 조건문)�� ×�� (�� 실행결과4�� )��

......

완전동형암호의�� 간단한�� 예�� (공개키는�� pq,�� 비밀키는�� p)�� :

1.�� 암호화된�� 분석기를�� 클라이언트가�� 실행시킴�� (프로그램�� 암호화할�� 필요�� 없음)

2.�� 분석�� 과정에서�� 노이즈가�� 누적되지�� 않게�� 조절

•동형적�� 동일성�� 검사는�� 노이즈를�� 거의�� 유발하지�� 않음.��

•전체�� 노이즈는�� F가�� 유발하는�� 노이즈�� S�� (원시적인�� 방법�� :�� Sn)

•�� 일�� 때�� :�� 테이블의�� 엔트리�� 수�� 감소��

•�� 일때,�� 대신�� 의�� 원소들에�� 대해서만�� 테이블�� 구성��

•동일성�� 검사�� 대신에�� 소속여부�� 검사

•더�� 복잡한�� 도메인에�� 대해서�� 노이즈�� 누적을�� 회피할�� 방법�� 모색

•적절한�� 인스턴스�� 찾아서�� 구현

•안드로이드�� 앱의�� 개인정보누출�� 분석기를�� 고려�� 중

M = Z2 = {0, 1}덧셈은�� XOR,�� 곱셈은�� AND에�� 해당,�� 이�� 둘을�� 이용해서�� 모든�� 회로를�� 시뮬레이션�� 할�� 수�� 있음

E(m) = m+ pq + 2✏

D(c) = (c mod p) mod 2

•p보다�� 작은�� 난수�� •같은�� 평문이�� 똑같은�� 암호문이�� 되지�� 않게�� 하는�� 역할.�� •노이즈�� 누적의�� 원인

공개키�� 암호체계란?�� 암호는�� 아무나,�� 복호화는�� 특정인만�� 비밀키로

확률적�� 암호?�� 같은�� 평문이라도�� 암호화�� 할�� 때마다�� 결과다름(통계�� 공격�� 회피)

완전동형암호는�� 실용성이�� 문제!

•동형적�� 연산을�� 거듭하면�� 노이즈가�� 커짐�� (곱셈(AND)이�� 노이즈�� 크게�� 키움)��

•노이즈가�� 비밀키보다�� 커지면�� 복호화가�� 불능

•이를�� 해결하는�� 비용이�� 비쌈.�� 그러므로�� 노이즈�� 조절이�� 관건

(암호화된)�� 분석기�� 제공

(이중�� 암호화된)�� 분석�� 결과�� 계산

이중�� 암호화된�� 분석�� 결과부분�� 복호화

고정점�� 도달�� 여부�� 체크

(이중�� 암호화된)�� 분석�� 결과�� 보고서�� 작성

요약전이함수를�� 거듭�� 적용하는�� 것을�� 피하기(유한도메인만�� 가능):��

•요약전이함수가�� 내재한�� 노이즈가�� 누적되지�� 않게��

... ...

d1

dm

F (d1)

F (dm)

단계1.�� 다음�� 테이블�� 구성

(d1, . . . , dm 2 D)

단계2.�� 지금까지�� 계산된�� 값과�� 같은�� 원소를�� 동형적으로�� 찾기�� (처음엔�� )

... ...

d1

dm

F (d1)

F (dm)

X

단계�� 3.��

값이�� 고정점이면�� 완료��

아니면�� X를�� 갱신�� 후�� 단계�� 2로

�� 하고�� 싶은�� 것

�� 배경지식

�� 프로토콜

�� 노이즈�� 누적을�� 회피하는�� 법

�� 앞으로�� 해결방안

�� 간단한�� 해결책과�� 문제

secret static analysis - rosaec centerrosaec.snu.ac.kr/meet/file/20140115f.pdf · 2018-04-12 ·...

Documents