Scheduler-related Confidentiality for Multi-threaded Programs
Authors
Abstract
Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables. Several formal definitions of observational determinism exist, but all of them have shortcomings; for example, they accept insecure programs or they reject too many innocent programs. Moreover, none of the proposed definitions of observational determinism is scheduler-independent: a program that is secure under one kind of scheduler might not be secure when executed with a different scheduler. The existing definitions do not ensure that a program behaves securely when the scheduling policy changes. Therefore, this paper proposes a new formalization of scheduler-specific observational determinism. It accepts programs that are secure when executed under a specific scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. We discuss the properties of our definition and argue why it better approximates the intuitive understanding of observational determinism. Under the worst-case assumption, i.e., where an attacker can choose the scheduler, the security specification should be scheduler-independent. Therefore, in addition, we propose a definition of scheduler-independent observational determinism that is robust with respect to any particular scheduling policy. Thus, scheduler-independence means that if a program is accepted by a security specification, then an attacker cannot derive any secret information from it, regardless of which scheduler is used.
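The scheduler dependence described in the abstract can be seen on a toy two-thread program. This is an added illustration, not code or a definition from the paper: the program, the two schedulers and the check (identical public write traces for every secret value under a fixed deterministic scheduler) are simplifying assumptions.

```python
# Constructed toy program: h is the secret input, l is the public variable.
# Thread A takes two extra internal steps when h is set, then writes l = 1.
# Thread B takes one internal step, then writes l = 2.
def thread_a(h):
    if h:
        yield None          # internal step, no public write
        yield None
    yield ("l", 1)

def thread_b(h):
    yield None
    yield ("l", 2)

def run(h, scheduler):
    """Execute both threads under `scheduler`; return the sequence of values written to l."""
    threads = [thread_a(h), thread_b(h)]
    live, trace, step = [0, 1], [], 0
    while live:
        tid = scheduler(live, step)
        try:
            event = next(threads[tid])
        except StopIteration:
            live.remove(tid)    # thread finished; choose again without consuming a step
            continue
        if event is not None:
            trace.append(event[1])
        step += 1
    return trace

# Two deterministic scheduling policies (hypothetical names).
def round_robin(live, step):
    return live[step % len(live)]   # alternate one step per live thread

def sequential(live, step):
    return live[0]                  # run thread A to completion, then thread B

def is_observationally_deterministic(scheduler, secrets=(0, 1)):
    """Simplified check: the public trace is the same for every secret value."""
    return len({tuple(run(h, scheduler)) for h in secrets}) == 1

def is_scheduler_independent(schedulers):
    """Toy counterpart of scheduler-independence: the check holds under every listed scheduler."""
    return all(is_observationally_deterministic(s) for s in schedulers)

if __name__ == "__main__":
    for sched in (sequential, round_robin):
        print(sched.__name__, {h: run(h, sched) for h in (0, 1)},
              is_observationally_deterministic(sched))
```

Under `sequential` the observer always sees the writes 1 then 2; under `round_robin` the order of the two writes reveals `h`, so the same program passes under one scheduler and fails under the other.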
Similar resources
Scheduler-Specific Confidentiality for Multi-threaded Programs and Its Logic-Based Verification
Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal definitions of observational determinism exist, but all of them have sho...
Quantitative Security Analysis for Multi-threaded Programs
Quantitative theories of information flow give us an approach to relax the absolute confidentiality properties that are difficult to satisfy for many practical programs. The classical information-theoretic approaches for sequential programs, where the program is modeled as a communication channel with only input and output, and the measure of leakage is based on the notions of initial uncertain...
Confidentiality for Probabilistic Multi-threaded Programs and Its Verification
Confidentiality is an important concern in today’s information society: electronic payment and personal data should be protected appropriately. This holds in particular for multi-threaded applications, which are generally seen as the future of high-performance computing. Multithreading poses new challenges to data protection, in particular, data races may be exploited in security attacks. Also, th...
Qualitative and Quantitative Information Flow Analysis for Multi-threaded Programs
In today’s information-based society, guaranteeing information security plays an important role in all aspects of life: governments, military, companies, financial information systems, web-based services etc. With the existence of Internet, Google, and shared-information networks, it is easier than ever to access information. However, it is also harder than ever to protect the sec...
Qualitative and quantitative information flow analysis for multi-thread programs
In today’s information-based society, guaranteeing information security plays an important role in all aspects of life: governments, military, companies, financial information systems, web-based services etc. With the existence of Internet, Google, and shared-information networks, it is easier than ever to access information. However, it is also harder than ever to protect the sec...