Hyperproperties

Course: VIVO 23036, Fall 2008
School: Cornell
Michael Clarkson and Fred B. Schneider
{clarkson,fbs}@cs.cornell.edu
Department of Computer Science, Cornell University

Abstract

Properties, which have long been used for reasoning about systems, are sets of traces. Hyperproperties, introduced here, are sets of properties. Hyperproperties can express security policies, such as secure information flow, that properties cannot. Safety and liveness are generalized to hyperproperties, and every hyperproperty is shown to be the intersection of a safety hyperproperty and a liveness hyperproperty. A verification technique for safety hyperproperties is given and is shown to generalize prior techniques for verifying secure information flow. Refinement is shown to be valid for safety hyperproperties. A topological characterization of hyperproperties is given.

1 Introduction

Important classes of security policies cannot be expressed using what have been termed properties [1, 26, 45, 12, 36, 42], sets of execution traces [20] for which membership of a trace depends on the trace alone and not on which other traces are in the property. For example, noninterference [13] is a confidentiality policy that stipulates commands executed on behalf of users holding high clearances have no effect on system behavior observed by users with only low clearances. It is not a property, because whether some given trace is allowed depends on whether another trace (obtained by deleting command executions by high users) is allowed. As a second example, stipulating a bound on average response time over all executions is an availability policy that cannot be specified as a property, because the acceptability of delays in any given execution depends on the magnitude of delays in all other executions.

Methods for specifying and reasoning about properties that a system satisfies are well understood [38, 22, 21]. It has been shown that every property is the intersection of a safety property and a liveness property,[1] where a safety property proscribes bad things and can be proved using an invariance argument, and a liveness property prescribes good things and can be proved using a well-foundedness argument. Safety and liveness thus not only form an intuitively appealing fundamental basis from which all properties can be constructed, but they also are associated with specific verification methods.

An analogous theory for security policies would be quite appealing. The fact that security policies also proscribe and prescribe behaviors of systems suggests that such a theory might exist. This paper initiates the development of that theory by introducing hyperproperties, which are sets of properties (i.e., sets of sets of traces), and defining two interesting classes of hyperproperties: safety and liveness. We show:

- Hyperproperties can describe properties and, moreover, can describe security policies, such as noninterference and average response time, that properties cannot. Indeed, we have not been able to find requirements on system behavior that cannot be specified as a hyperproperty. Deterministic, nondeterministic, and probabilistic system models all can be handled using hyperproperties.
- Every hyperproperty is the intersection of a safety hyperproperty and a liveness hyperproperty. (Henceforth, we shorten these terms to hypersafety and hyperliveness.) Hypersafety and hyperliveness thus form a fundamental basis from which all hyperproperties can be constructed.
- The topological characterization of properties [4] can be generalized to characterize hyperproperties, and the result is equivalent to the lower Vietoris topology [44, 28, 39].
- We have not obtained complete verification methods for hypersafety or for hyperliveness, but we have been able to generalize prior work on using invariance arguments to verify information-flow policies [7, 42]. Our generalization is applicable to a class of hyperproperties we introduce called k-safety.

The theory we have developed is also able to shed light on the problematic status of refinement for security policies. Refinement never invalidates a property but can invalidate a hyperproperty: Consider a system that nondeterministically chooses to output 0, 1, or the value of a secret bit h. This system satisfies the security policy "The possible output values are independent of the values of secrets." But one refinement of this system is the system that always outputs h, and this does not satisfy the security policy. Previous work has identified certain policies [25] and composition operators [26] that are suitable for use with refinement; we show in this paper that satisfaction of safety hyperproperties is preserved under refinement of nondeterminism, yielding an entire class of security policies to which refinement is applicable.

We proceed as follows. Hyperproperties, hypersafety, k-safety, and hyperliveness are defined and explored in Sections 2, 3, 4, and 5, respectively. Section 6 presents the hyperproperty intersection theorem, topology is addressed in Section 7, and Section 8 concludes. A guide to notation is provided in Appendix A, the formal details of some of our longer examples of hyperproperties are given in Appendix B, and all proofs appear in the accompanying technical report [11].

[*] Supported in part by AFOSR grant F9550-06-0019, National Science Foundation Grants 0430161 and CCF-0424422 (TRUST), an Intel Foundation PhD Fellowship, and a gift from Microsoft Corporation.

[1] Lamport [18] gave the first informal definitions for safety and liveness properties, appropriating the terms from Petri net theory, and he gave the first formal definition of safety [20]. Alpern and Schneider [4] gave the first formal definition of liveness and the proof that all properties are the intersection of safety and liveness properties; they later established the correspondence of safety to invariance and of liveness to well-foundedness [5].
2 Hyperproperties

Many formalisms exist for modeling systems. We model system execution with traces, where a trace is a sequence of states; by employing rich enough notions of state, this model is sufficiently general to encode many other representations of executions.[2] The structure of a state is not important in the following definitions, so we leave the set of states abstract. However, the structure of a state is important for real examples, so we introduce predicates and functions, on states and on traces, as needed, e.g., for events, timing, and probability. Traces may be finite or infinite and are categorized into the following sets: $\Psi_{\mathit{fin}}$, the finite traces, and $\Psi_{\mathit{inf}}$, the infinite traces. For trace $t = s_0 s_1 \ldots$ and index $i$, define the following indexing notation:

$$t[i] \triangleq s_i, \qquad t[..i] \triangleq s_0 s_1 \ldots s_i, \qquad t[i..] \triangleq s_i s_{i+1} \ldots$$

Concatenation of finite trace $t$ and (finite or infinite) trace $t'$ is denoted $tt'$. The empty trace is denoted $\epsilon$. A system is modeled by a non-empty set of infinite traces, called its executions. If a system execution terminates (and thus could be represented by a finite trace), we represent it as an infinite trace by infinitely stuttering the final state in the finite trace.

[2] Appendix B discusses how to model a labeled transition system as a set of traces, without losing information about the nondeterministic structure of the system. We leave the investigation of the meaning of hyperproperties in other models [46] as future work.

2.1 Properties

A property is a set of infinite traces. The set of all properties is $\mathit{Prop} \triangleq \mathcal{P}(\Psi_{\mathit{inf}})$, where $\mathcal{P}$ denotes powerset. A set $T$ of traces satisfies a property $P$, denoted $T \models P$, iff all the traces of $T$ are in $P$:

$$T \models P \;\triangleq\; T \subseteq P.$$

Some security policies are expressible as properties. For example, consider the policy "The system may not write to the network after reading from a file." Formally, this is the set of traces

$$\mathit{NRW} \triangleq \{ t \in \Psi_{\mathit{inf}} \mid \neg(\exists i, j \in \mathbb{N} : i < j \wedge \mathit{isFileRead}(t[i]) \wedge \mathit{isNetworkWrite}(t[j])) \}, \tag{2.1}$$

where $\mathit{isFileRead}$ and $\mathit{isNetworkWrite}$ are predicates on states. Similarly, access control is a property requiring every operation to be consistent with its requestor's rights:

$$\mathit{AC} \triangleq \{ t \in \Psi_{\mathit{inf}} \mid \forall i \in \mathbb{N} : \mathit{rights}(t[i]) \subseteq \mathit{acm}(t[i-1])[\mathit{subj}(t[i]), \mathit{obj}(t[i])] \}. \tag{2.2}$$

Function $\mathit{acm}(s)$ yields the access control matrix in state $s$. Function $\mathit{subj}(s)$ yields the subject who requested the operation that led to state $s$, function $\mathit{obj}(s)$ yields the object involved in that operation, and function $\mathit{rights}(s)$ yields the right(s) necessary for the operation to be allowed. As another example, guaranteed service is a property requiring that every request for service is eventually satisfied:

$$\mathit{GS} \triangleq \{ t \in \Psi_{\mathit{inf}} \mid \forall i \in \mathbb{N} : \mathit{isReq}(t[i]) \Rightarrow (\exists j > i : \mathit{isRespToReq}(t[j], t[i])) \}. \tag{2.3}$$

Predicate $\mathit{isReq}(s)$ identifies whether a request is initiated in state $s$, and predicate $\mathit{isRespToReq}(s', s)$ identifies whether state $s'$ completes the response to the request initiated in state $s$.

2.2 Hyperproperties

A hyperproperty is a set of sets of infinite traces, or equivalently, a set of properties. The set of all hyperproperties is $\mathbf{HP} \triangleq \mathcal{P}(\mathcal{P}(\Psi_{\mathit{inf}})) = \mathcal{P}(\mathit{Prop})$. The interpretation of a hyperproperty as a security policy is that the hyperproperty specifies exactly the systems allowed by that policy. Each property in a hyperproperty is an allowed system, specifying exactly which executions are possible for that system. Thus a set $T$ of traces satisfies hyperproperty $\mathbf{H}$, denoted $T \models \mathbf{H}$, iff $T$ is in $\mathbf{H}$:

$$T \models \mathbf{H} \;\triangleq\; T \in \mathbf{H}.$$

Note the use of bold type to denote hyperproperties and sets of hyperproperties. See Appendix A for a guide to our other typographical conventions and notation.

Given a property $P$, there is a unique hyperproperty, which we denote $[P]$, that expresses the same policy as $P$. We call this hyperproperty the lift of $P$. For $P$ and $[P]$ to express the same policy, they must be satisfied by the same sets of traces. Thus we can derive a definition of $[P]$:

$$\begin{aligned}
& (\forall T \in \mathit{Prop} : T \models P \iff T \models [P]) \\
\Rightarrow\; & (\forall T \in \mathit{Prop} : T \subseteq P \iff T \in [P]) \\
\Rightarrow\; & [P] = \{ T \in \mathit{Prop} \mid T \subseteq P \} \\
\Rightarrow\; & [P] = \mathcal{P}(P).
\end{aligned}$$

Consequently, $[P] \triangleq \mathcal{P}(P)$.

2.3 Hyperproperties in Action

Properties are satisfied by traces, whereas hyperproperties are satisfied by sets of traces. This additional level of sets means that hyperproperties can be more expressive than properties. We explore this added expressivity with some examples.

Information flow. Information-flow security policies express requirements on what information may be learned by users of a system. Users interact with systems by providing inputs and observing outputs. To model this interaction, define function $\mathit{ev}(s)$ as the input or output event, if any, that occurs when a system transitions to state $s$. Assume that at most one event, input or output, can occur at each transition. Extend this notation to $\mathit{ev}(t)$, denoting the sequence of events resulting from application of $\mathit{ev}(\cdot)$ to each state in trace $t$.[3] We further assume that each user of a system is cleared at confidentiality level L, representing low (i.e., public) information, or H, representing high (i.e., secret) information, and that each event is labeled with one of these confidentiality levels. Define $\mathit{ev}_L(t)$ to be the subsequence of low events contained within $\mathit{ev}(t)$, and $\mathit{ev}_{\mathit{Hin}}(t)$ to be the subsequence of high input events contained within $\mathit{ev}(t)$.

[3] Depending on the nature of events in the particular system that is being modeled, it may be appropriate for $\mathit{ev}(t)$ to eliminate stuttering of events.

Noninterference, as defined by Goguen and Meseguer [13], requires that commands issued by users holding high clearances be removable without affecting observations of users holding low clearances. Treating commands as inputs and observations as outputs, we model this policy as a hyperproperty requiring a system to contain, for any trace $t$, a trace $t'$ that has no high inputs yet has the same low events as $t$:

$$\mathbf{GMNI} \triangleq \{ T \in \mathit{Prop} \mid T \in \mathbf{GMSys} \Rightarrow (\forall t \in T : (\exists t' \in T : \mathit{ev}_{\mathit{Hin}}(t') = \epsilon \wedge \mathit{ev}_L(t) = \mathit{ev}_L(t'))) \}. \tag{2.4}$$

Antecedent $T \in \mathbf{GMSys}$ expresses the requirement that $T$ be a system satisfying the assumptions made by Goguen and Meseguer's formalization: $T$ must be deterministic, and total with respect to inputs. We omit formalizing these requirements as hyperproperties.

Generalized noninterference [24] generalizes Goguen and Meseguer's definition of noninterference to nondeterministic systems. McLean's formulation [26] of generalized noninterference requires a system to contain, for any traces $t_1$ and $t_2$, an interleaved trace $t_3$ whose high inputs are the same as $t_1$ and whose low events are the same as $t_2$. This is a hyperproperty:

$$\mathbf{GNI} \triangleq \{ T \in \mathit{Prop} \mid \forall t_1, t_2 \in T : (\exists t_3 \in T : \mathit{ev}_{\mathit{Hin}}(t_3) = \mathit{ev}_{\mathit{Hin}}(t_1) \wedge \mathit{ev}_L(t_3) = \mathit{ev}_L(t_2)) \}. \tag{2.5}$$

Observational determinism [35, 47] requires a system to appear to a low user as a deterministic function of only the low inputs. Thus, it is a hyperproperty requiring that if any two traces have the same first $j - 1$ low events, then these traces must have equivalent $j$th low events:

$$\mathbf{OD} \triangleq \{ T \in \mathit{Prop} \mid \forall t_1, t_2 \in T, j \in \mathbb{N} : \mathit{ev}_L(t_1)[..j-1] = \mathit{ev}_L(t_2)[..j-1] \Rightarrow \mathit{ev}_L(t_1)[j] \approx_{\mathit{in}} \mathit{ev}_L(t_2)[j] \vee \mathit{ev}_L(t_1)[j] \approx_{\mathit{out}} \mathit{ev}_L(t_2)[j] \}. \tag{2.6}$$

Here we have extended trace indexing notation to apply to sequences of events. Events $l_1$ and $l_2$ are low input equivalent, denoted $l_1 \approx_{\mathit{in}} l_2$, iff they are both low input events (although the value input need not be the same in the two events). In contrast, events $l_1$ and $l_2$ are low output equivalent, denoted $l_1 \approx_{\mathit{out}} l_2$, iff they are both low output events of the same value.

Bisimulation-based definitions of information-flow security policies can also be formulated as hyperproperties.[4] We give an example in Appendix B by formulating, as hyperproperty $\mathbf{BCNI}$, Boudol and Castellani's [8] bisimulation-based definition of noninterference.

[4] Since hyperproperties are trace-based, this might at first seem to contradict results, such as Focardi and Gorrieri's [12], stating that bisimulation-based definitions are stronger (i.e., a finer equivalence) than trace-based definitions. However, by employing a richer notion of state [38, §1.3] in traces than Focardi and Gorrieri do, our hyperproperties are able to express bisimulations.

All information-flow security policies we investigated were found to be hyperproperties, not properties. This is suggestive, but any stronger statement about the connection between information flow and hyperproperties would require a formal definition of information flow policies, and none is universally accepted. We believe, however, that information flow is intrinsically tied to correlations between (not within) executions. Hyperproperties are sufficiently expressive to formulate such correlations, whereas properties are not. In particular, $\mathbf{GMNI}$ is not a property, as argued in Section 1, $\mathbf{GNI}$ is not a property because the presence of any two traces in the system necessitates the presence of a third trace, and $\mathbf{OD}$ is not a property because whether some trace is allowed depends on the low events appearing in all other traces of the system.

Service level agreements. A service level agreement (SLA) specifies acceptable performance of a system. Such specifications commonly use statistics, including: average response time, the average time that elapses between a request and a response; time service factor, the percentage of requests that are serviced within a specified time; and percentage uptime, the percentage of time during which the system is available to accept and service requests. These statistics can be used to define policies with respect to each individual execution of a system or across all executions of a system. In the former case, the SLA would be a property. For example, the policy "The average response time in each execution is less than 1 second" might not be satisfied by a system if there are executions in which some response times are much greater than 1 second. Yet if these executions are rare, then the system might still satisfy the policy "The average response time over all executions is less than 1 second." This latter SLA is not a property, but it is a hyperproperty and can be stated formally as

$$\mathbf{RT} \triangleq \{ T \in \mathit{Prop} \mid \mathit{mean}(\textstyle\bigcup_{t \in T} \mathit{respTime}(t)) \le 1 \}. \tag{2.7}$$

Function $\mathit{mean}(X)$ denotes the mean of a set $X$ of real numbers, and function $\mathit{respTime}(t)$ denotes the set of response times (in seconds) from request/response events in trace $t$.[5] Policies derived from the other SLA statistics above can similarly be expressed as hyperproperties.

[5] For $\mathit{mean}(\cdot)$ to be well-defined, it suffices that there be only a finite number of requests in $T$ and that every request is serviced in finite time. The formulation of $\mathbf{RT}$ assumes all traces are equally likely. Modeling the case where some traces are more likely than others requires a probability measure on sets of traces. Obtaining such a measure is discussed in Section 6.

Refinement. One of the key differences between properties and hyperproperties is how they behave with respect to refinement of nondeterminism, that is, removing traces from a system's set of executions. A system $S$ is refined by system $S'$ iff $S' \subseteq S$. By definition, whenever a system satisfies a property, any refinement of the system also satisfies the property. Thus, properties are refinement-closed:

$$S \models P \wedge S' \subseteq S \;\Rightarrow\; S' \models P.$$

A hyperproperty is refinement-closed if whenever a system satisfies the hyperproperty, any refinement of the system also satisfies the hyperproperty. Define $\mathbf{RC}$ to be the set of refinement-closed hyperproperties. Hyperproperties resulting from lifted properties are refinement-closed:

$$S \models [P] \wedge S' \subseteq S \;\Rightarrow\; S' \models [P].$$

However, hyperproperties in general are not refinement-closed. The system of Section 1 illustrates this fact.

Beyond hyperproperties? We introduced another level of sets when generalizing properties to hyperproperties, and in doing so we gained expressive power for specifying policies on systems. Thus, it is natural to ask whether introducing yet one more level of sets might also be useful. We believe it is not. Suppose, for sake of contradiction, that some set $\mathbf{H}$ of hyperproperties (i.e., $\mathbf{H}$ is a set of sets of sets of traces) was more expressive than any hyperproperty. Whatever the definition of satisfaction, $\mathbf{H}$ must either be satisfied or not satisfied by any system $S$. So consider the set $\mathbf{H}'$ of all systems that satisfy $\mathbf{H}$. But $\mathbf{H}'$ is a hyperproperty (since it is a set of sets of traces), and $\mathbf{H}'$ is equivalent to $\mathbf{H}$, so $\mathbf{H}$ is not more expressive than any hyperproperty.

Another way to rationalize adding a level of sets would be to consider policies on sets of systems. For example, a policy might require that a set of systems exhibit sufficient diversity [34], meaning the systems all implement the same functionality but differ in their implementation details. This policy can be modeled as a hyperproperty on a single system that is a product[6] of all the systems in the set. More generally, a policy on a sequence $S$ of systems might be modeled as a set $\mathbf{H}$ of sequences of hyperproperties. Again, by taking the product of each element of $\mathbf{H}$, we obtain an equivalent hyperproperty.

The above conclusions will not surprise students of mathematical logic [27]. In first-order logic, variables range over individual elements of some universe; in second-order logic, variables may also range over subsets of the universe. If the universe is the set $\Psi_{\mathit{inf}}$ of traces, then properties are first-order predicates on traces, and hyperproperties are second-order predicates on traces. Second-order logic is more expressive than first-order logic [43, §2.2], just as hyperproperties are more expressive than properties. Further, any higher-order logic (which would have variables ranging over sets (of sets of . . . sets) of subsets of the universe) is reducible to second-order logic [43, §4.3], just as we have reduced extra levels of sets, above, to hyperproperties. We leave further investigation of this connection as future work. One interesting avenue to explore would be whether the full power of second-order logic is necessary to express hyperproperties of interest.
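The definitions above, satisfaction of GNI (2.5) and OD (2.6), the lift [P], and refinement-closure, worked on tiny finite systems. This is an added example, not code from the paper; the event encoding, the finite-prefix approximation of OD, and the constructed systems PI, PI_H and COPY are assumptions.

```python
"""Hyperproperties on small finite systems (added example, not the paper's code).

A trace is modeled directly by its event sequence ev(t); each event is a
triple (level, kind, value) with level in {"L", "H"} and kind in {"in", "out"}.
Only finite prefixes are examined, so the checks are approximations of the
paper's definitions over infinite traces."""
from itertools import product
from typing import Callable, Set, Tuple

Event = Tuple[str, str, int]
Trace = Tuple[Event, ...]
System = Set[Trace]
Hyperproperty = Callable[[System], bool]   # T |= H  iff  H(T) holds


def ev_L(t: Trace) -> Trace:
    """Subsequence of low events of t (the paper's ev_L(t))."""
    return tuple(e for e in t if e[0] == "L")


def ev_Hin(t: Trace) -> Trace:
    """Subsequence of high input events of t (the paper's ev_Hin(t))."""
    return tuple(e for e in t if e[0] == "H" and e[1] == "in")


def low_equiv(l1: Event, l2: Event) -> bool:
    """l1 ~in l2 (both low inputs; values may differ) or
    l1 ~out l2 (both low outputs of the same value)."""
    if l1[1] == "in" and l2[1] == "in":
        return True
    return l1[1] == "out" and l2[1] == "out" and l1[2] == l2[2]


def gni(T: System) -> bool:
    """Generalized noninterference, eq. (2.5): for every t1, t2 in T some t3
    in T has the high inputs of t1 and the low events of t2."""
    return all(any(ev_Hin(t3) == ev_Hin(t1) and ev_L(t3) == ev_L(t2) for t3 in T)
               for t1, t2 in product(T, repeat=2))


def od(T: System) -> bool:
    """Observational determinism, eq. (2.6): two traces with identical low
    events before position j must have low-equivalent events at position j."""
    for t1, t2 in product(T, repeat=2):
        l1, l2 = ev_L(t1), ev_L(t2)
        for j in range(min(len(l1), len(l2))):
            if l1[:j] != l2[:j]:
                break              # prefixes already differ: no obligation at j
            if not low_equiv(l1[j], l2[j]):
                return False       # the bad thing: a pair of traces, finitely observed
    return True


def lift(p: Callable[[Trace], bool]) -> Hyperproperty:
    """[P] = powerset(P): T |= [P] iff every trace of T satisfies predicate p."""
    return lambda T: all(p(t) for t in T)


def refinement_closed(H: Hyperproperty, S: System) -> bool:
    """Refinement of nondeterminism removes traces (S' subset of S).  Brute
    force: does every non-empty S' carved out of S still satisfy H?"""
    traces = list(S)
    for mask in range(1, 2 ** len(traces)):
        S_prime = {t for i, t in enumerate(traces) if mask >> i & 1}
        if not H(S_prime):
            return False
    return True


# Constructed systems.  PI is the Section 1 example: read secret bit h, then
# output 0, 1, or h.  PI_H is its refinement that always outputs h.
PI: System = {(("H", "in", h), ("L", "out", x)) for h in (0, 1) for x in (0, 1)}
PI_H: System = {(("H", "in", h), ("L", "out", h)) for h in (0, 1)}
# COPY reads a secret, then echoes a low input to a low output.
COPY: System = {(("H", "in", h), ("L", "in", v), ("L", "out", v))
                for h in (0, 1) for v in (0, 1)}
# A plain property, lifted: "at most one low output per execution".
ONE_LOW_OUT = lift(lambda t: sum(1 for e in ev_L(t) if e[1] == "out") <= 1)
```

PI satisfies GNI but not OD, and its refinement PI_H breaks GNI, while OD (hypersafety) and the lifted property survive every refinement of COPY and PI.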
This has ramifications for verification of hyperproperties, because although full second-order logic cannot be effectively and completely axiomatized, fragments of it can be [43, §2.3].

[6] The product of systems $T_1$ and $T_2$ is the system comprising traces over pairs of states, defined as: $T_1 \times T_2 \triangleq \{ (t_1[0], t_2[0])(t_1[1], t_2[1]) \ldots \mid t_1 \in T_1 \wedge t_2 \in T_2 \}$. Generalizing, the product of a set of $n$ systems comprises traces over $n$-tuples of states.

3 Hypersafety

According to Alpern and Schneider [4], the bad thing in a safety property must be both finitely observable, meaning its occurrence can be detected in finite time, and irremediable, so its occurrence can never be remediated by future events. For example, no-read-then-write $\mathit{NRW}$ (2.1) and access control $\mathit{AC}$ (2.2) are both safety. The bad thing for $\mathit{NRW}$ is a finite trace in which a network write occurs after a file read. This bad thing is finitely observable, because the write can be detected in some finite prefix of the trace, and irremediable, because the network write can never be undone. For $\mathit{AC}$, the bad thing is similarly a finite trace in which an operation is performed without appropriate rights.

A bad thing is a finite trace that cannot be a prefix of any execution satisfying the safety property. A finite trace $t$ is a prefix of a (finite or infinite) trace $t'$, denoted $t \le t'$, iff $t' = tt''$ for some $t''$.

Safety property. A property $S$ is a safety property [4] iff

$$\forall t \in \Psi_{\mathit{inf}} : t \notin S \Rightarrow (\exists m \in \Psi_{\mathit{fin}} : m \le t \wedge (\forall t' \in \Psi_{\mathit{inf}} : m \le t' \Rightarrow t' \notin S)).$$

Define $\mathbf{SP}$ to be the set of all safety properties. Notice that $\mathbf{SP}$ is itself a hyperproperty.

We generalize safety to hypersafety by generalizing the bad thing from a finite trace to a finite[7] set of finite traces. Define $\mathit{Obs}$ to be the set of such observations: $\mathit{Obs} \triangleq \mathcal{P}_{\mathit{fin}}(\Psi_{\mathit{fin}})$, where $\mathcal{P}_{\mathit{fin}}(X)$ denotes the set of all finite subsets of set $X$. Prefix on sets of traces is defined as:[8]

$$T \le T' \;\triangleq\; (\forall t \in T : (\exists t' \in T' : t \le t')).$$

Note that this definition allows $T'$ to contain new traces that have no prefix in $T$.

Safety hyperproperty. A hyperproperty $\mathbf{S}$ is a safety hyperproperty (equivalently, is hypersafety) iff

$$\forall T \in \mathit{Prop} : T \notin \mathbf{S} \Rightarrow (\exists M \in \mathit{Obs} : M \le T \wedge (\forall T' \in \mathit{Prop} : M \le T' \Rightarrow T' \notin \mathbf{S})).$$

The definition of hypersafety parallels the definition of safety: the only change is that the domains involved now include an extra level of sets. Define $\mathbf{SHP}$ to be the set of all safety hyperproperties. Some consequences of the definition of hypersafety are:

- Goguen and Meseguer's noninterference $\mathbf{GMNI}$ (2.4) is hypersafety. The bad thing is a pair $(t, t')$ of traces where $t'$ contains no high inputs and contains the same low inputs as $t$, yet $t$ and $t'$ have different low outputs.
- Observational determinism $\mathbf{OD}$ (2.6) is hypersafety. The bad thing is a pair of traces whose first $j - 1$ low events are the same, yet whose $j$th events are different low outputs.
- Safety properties lift to safety hyperproperties. Proposition 1. $(\forall S \in \mathit{Prop} : S \in \mathbf{SP} \iff [S] \in \mathbf{SHP})$
- Set $\mathbf{SP}$ of all safety properties is not a safety hyperproperty: There is no bad thing that prevents an arbitrary property from being extended to some safety property.

[7] Infinite sets might at first seem an attractive alternative, and many of the results in the rest of this paper would still hold. However, the topological characterization given in Section 7 (specifically, Propositions 5 and 6) would be sacrificed.

[8] Other definitions of prefix are possible, but inconsistent with our notion of observation. This definition coincides with the ordering of the lower (or Hoare) powerdomain on traces. We discuss this in Section 7.

Refinement of hypersafety. All safety hyperproperties are refinement-closed. Intuitively, this is because if a bad thing excludes property $T$ from membership in some safety hyperproperty, then any property of which $T$ is a refinement would also contain the same bad thing.

Theorem 1. $\mathbf{SHP} \subseteq \mathbf{RC}$

By this theorem, any information-flow security policy that is not refinement-closed cannot be hypersafety. For example, generalized noninterference $\mathbf{GNI}$ (2.5) is not hypersafety, because it is not refinement-closed: A system containing traces $t_1$ and $t_2$, yet not containing the interleaved trace $t_3$ required by the definition of $\mathbf{GNI}$, may be extended to a system containing $t_3$.

Relational hyperproperties. A program might be modeled as a system with a single action, which transitions from the input state (the initial state in the execution) to the output state (the final state in the execution) with no other observable states.[9] Define a relational hyperproperty as a hyperproperty on traces with such a single action. The first state in each trace is the initial state, the second state is the final state, and the second state is infinitely stuttered to produce an infinite trace. Define $R$ to be the set of such traces, and define $\mathbf{RHP}$ to be $\mathcal{P}(\mathcal{P}(R))$, the set of all relational hyperproperties.

[9] Since some programs do not terminate on some inputs, a special output state might be added to denote nontermination.

Relational hyperproperties facilitate the definition of an information-flow security policy that is commonly used in language-based security [37]. This policy, which we call relational noninterference, requires execution of a program to maintain the equivalence of states to a low observer. That is, if $s_i'$ is the output state resulting from executing with input state $s_i$, and $s_1$ and $s_2$ are low-equivalent, then $s_1'$ must be low-equivalent to $s_2'$. In our formalism, relational noninterference can be defined as:

$$\mathbf{RNI} \triangleq \{ T \subseteq R \mid \forall t_1, t_2 \in T : \mathit{ev}_L(t_1)[0] = \mathit{ev}_L(t_2)[0] \Rightarrow \mathit{ev}_L(t_1)[1] = \mathit{ev}_L(t_2)[1] \}. \tag{3.1}$$

Inspecting this definition reveals it is a refinement of observational determinism $\mathbf{OD}$ (2.6) where $j = 1$. Since $\mathbf{OD}$ is hypersafety, $\mathbf{RNI}$ is also hypersafety.

4 Beyond 2-Safety

Recent work gives system transformations that reduce verifying secure information flow to verifying a property of some transformed system. (Recall that secure information flow is a hyperproperty but not a property.) Pottier and Simonet [33] develop a type system for verifying secure information flow based on simultaneous reasoning about two executions of a program. Darvas et al. [3] show that secure information flow can be expressed in dynamic logic. Barthe et al. [7] give an equivalent formulation for Hoare logic and temporal logic, based on a self-composition construction. Define the sequential self-composition of $P$ as the program $P; P'$, where $P'$ denotes program $P$, but with every variable renamed to a primed variable, e.g., variable $x$ is renamed to $x'$. Then, one way to verify that (termination-insensitive) relational noninterference $\mathbf{RNI}$ (3.1) holds of program $P$ is to establish the following property of transformed program $P; P'$: "If for every low variable $l$, before execution $l = l'$ holds, then when execution terminates $l = l'$ still holds, no matter what the values of high variables were." Barthe et al. generalize the self-composition operator from $;$ to any operator that satisfies certain conditions, and they note that parallel composition satisfies these conditions. They also relax the equality constraints in the above property to partial equivalence relations, obtaining a generalization of relational noninterference. Terauchi and Aiken [42] further generalize the applicability of self-composition by showing that it can be used to verify any 2-safety property, which they define informally as a property that can be refuted by observing two finite traces; their formal definition is very similar to a relational hyperproperty.

Using hyperproperties, we can show that the above results are a special case of a more general theorem. Define a k-safety hyperproperty as a safety hyperproperty in which the bad thing never involves more than $k$ traces.

k-safety hyperproperty. A hyperproperty $\mathbf{S}$ is a k-safety hyperproperty (equivalently, is k-safety) iff

$$\forall T \in \mathit{Prop} : T \notin \mathbf{S} \Rightarrow (\exists M \in \mathit{Obs} : M \le T \wedge |M| \le k \wedge (\forall T' \in \mathit{Prop} : M \le T' \Rightarrow T' \notin \mathbf{S})).$$

This is the definition of hypersafety, with an added conjunct $|M| \le k$. Given a particular $k$, define $\mathbf{KSHP}(k)$ to be the set of all k-safety hyperproperties. As an example of a k-safety hyperproperty for any $k$, consider a system that stores a secret by splitting it into $k$ shares. Suppose that an action of the system is to output share $i$. Then a hyperproperty of interest might be that the system cannot, across any of its executions, output all $k$ shares (thereby outputting sufficient information for the secret to be reconstructed). We denote this k-safety hyperproperty as $\mathbf{SS}_k$. Note that the 1-safety hyperproperties are the lifted safety properties, $\mathbf{KSHP}(1) = \{ [S] \mid S \in \mathbf{SP} \}$, since the bad thing for a safety property is a single trace. Thus 1-safety and safety are synonymous. The Terauchi and Aiken definition of 2-safety properties (which we now identify as $\mathbf{KSHP}(2)$, the 2-safety hyperproperties) is based on a relational model of program execution, so it is limited to expressing relational 2-safety hyperproperties. Relational noninterference $\mathbf{RNI}$ (3.1) is an example of such a hyperproperty. Our definition, based on a trace model of execution, is more general and allows us to conclude that Goguen and Meseguer's noninterference $\mathbf{GMNI}$ (2.4) and observational determinism $\mathbf{OD}$ (2.6), which are not relational, are also 2-safety hyperproperties.[10]

[10] This conclusion resolves the conjecture of Terauchi and Aiken that (termination-sensitive) secure information flow over infinite traces is 2-liveness [sic], for some definition of 2-liveness.

Define the parallel self-composition of system $S$ as the product system $S \times S$ consisting of traces over pairs of states:

$$S \times S \;\triangleq\; \{ (t[0], t'[0])(t[1], t'[1]) \ldots \mid t \in S \wedge t' \in S \}.$$

Define the k-product of system $S$, denoted $S^k$, to be the k-fold parallel self-composition of $S$, comprising traces over $k$-tuples of states. Self-composition $S \times S$ is equivalent to 2-product $S^2$. Previous work has shown how to reduce a 2-safety hyperproperty of system $S$ to a related safety property of $S^2$. The following theorem generalizes that. Let $\mathit{Sys}$ be the set of all systems. Then, for any system $S$, any k-safety hyperproperty of $S$ can be reduced to a safety property of $S^k$.

Theorem 2. $(\forall S \in \mathit{Sys}, \mathbf{K} \in \mathbf{KSHP}(k) : (\exists K' \in \mathbf{SP} : S \models \mathbf{K} \iff S^k \models K'))$

The proof of this theorem (in the accompanying technical report [11]) shows how to construct $K'$ from $\mathbf{K}$. Thus, Theorem 2 suggests a verification technique for k-safety, namely to reduce a k-safety hyperproperty to a safety property, then verify the safety property is satisfied by $S^k$ using invariance arguments. Since invariance arguments are relatively complete for safety properties [5], Theorem 2 yields a relatively complete verification methodology for k-safety. However, Theorem 2 does not provide the relatively complete verification procedure we seek for hypersafety, because there are safety hyperproperties that are not k-safety for any $k$. For example, consider the hyperproperty "a system cannot output all $k$ shares of a secret for any k-secret sharing"; formally, this is $\bigcap_{k} \mathbf{SS}_k$. This is not k-safety for any $k$, yet it is hypersafety, since any property not contained in it violates some $\mathbf{SS}_k$.

5 Hyperliveness

According to Alpern and Schneider [4], the good thing in a liveness property is always possible, no matter what has occurred so far, and possibly infinite, so it need not be a discrete event. For example, guaranteed service $\mathit{GS}$ (2.3) is a liveness property in which the good thing is the eventual response to a request. This good thing is always possible because a response can always be appended to any finite trace containing a request, and it is not infinite because the response is a discrete event.

Liveness property. Property $L$ is a liveness property [4] iff

$$\forall t \in \Psi_{\mathit{fin}} : (\exists t' \in \Psi_{\mathit{inf}} : t \le t' \wedge t' \in L).$$

Define $\mathbf{LP}$ to be the set of all liveness properties. Not surprisingly, $\mathbf{LP}$ is itself a hyperproperty.

Just as with hypersafety, we generalize liveness to hyperliveness by generalizing a finite trace to a finite set of finite traces. The definition of hyperliveness is essentially the same as the definition of liveness, except for an additional level of sets.

Liveness hyperproperty. Hyperproperty $\mathbf{L}$ is a liveness hyperproperty (equivalently, is hyperliveness) iff

$$\forall T \in \mathit{Obs} : (\exists T' \in \mathit{Prop} : T \le T' \wedge T' \in \mathbf{L}).$$

Define $\mathbf{LHP}$ to be the set of all liveness hyperproperties. Some consequences of the definition of hyperliveness are:

- Average response time $\mathbf{RT}$ (2.7) is not liveness but it is hyperliveness: the good thing is that the average response time is low enough. If this policy were approximated by limiting the maximum (rather than mean) response time in each execution, the hyperproperty would instead be a lifted safety property.
- The only hyperproperty that is both hypersafety and hyperliveness is $\mathbf{true}$, where $\mathbf{true} \triangleq \mathit{Prop}$, the maximal hyperproperty with respect to the subset relation. (The minimal hyperproperty $\mathbf{false}$, where $\mathbf{false} \triangleq \{\}$, is hypersafety but not hyperliveness.)
- Liveness properties lift to liveness hyperproperties. Proposition 2. $(\forall L \in \mathit{Prop} : L \in \mathbf{LP} \iff [L] \in \mathbf{LHP})$
- Set $\mathbf{LP}$ of all liveness properties is a liveness hyperproperty: Every observation can be extended to any liveness property. Similarly, set $\mathbf{SP}$ of all safety properties is a liveness hyperproperty: Every observation can be extended to some safety property.

Possibilistic information flow. Some information-flow security policies, such as observational determinism $\mathbf{OD}$ (2.6) and relational noninterference $\mathbf{RNI}$ (3.1), restrict nondeterminism of a system from being publicly observable. However, it could be useful to have observable nondeterminism. First, systems might exhibit nondeterminism due to scheduling. For example, if the scheduler cannot be influenced by secret information (i.e., the scheduler does not serve as a covert timing channel), then it is reasonable to allow the scheduler to behave nondeterministically. Second, nondeterminism is a useful modeling abstraction when dealing with probabilistic systems (which we consider in more detail in Section 6). When the exact probabilities for a system are unknown, they can be abstracted by nondeterminism. For at least these reasons, there has been a history of research on possibilistic information-flow security policies, beginning with nondeducibility [41] and generalized noninterference [24]. Such policies are founded on the intuition that low observers of a system should gain little from their observations. Typically, these policies require that every low observation is consistent with some large set of possible high behaviors.

McLean [26] argues that every possibilistic information-flow security policy is expressible as a selective interleaving function. Such functions, given two executions of a system, specify another trace that must also be an execution of the system, as did the definition of generalized noninterference $\mathbf{GNI}$ (2.5). McLean shows that possibilistic information-flow policies can be expressed as closure with respect to selective interleaving functions. Mantel [23] generalizes from these functions to closure operators, which extend a set $S$ of executions to a set $S'$ such that $S \subseteq S'$. Mantel argues that every possibilistic information-flow policy can be expressed as a closure operator.

Proposition 3. $\mathbf{PIF} \subseteq \mathbf{LHP}$

Possibilistic information-flow policies, other than $\mathbf{true}$, are therefore never hypersafety. Another way to reach this conclusion is to observe that closure operators sometimes yield hyperproperties that are not refinement-closed; yet, by Theorem 1, every safety hyperproperty is refinement-closed.

Temporal logics. Consider the hyperproperty "for every initial state, there is some terminating trace, though not all traces need terminate", denoted as $\mathbf{DT}$. In branching-time temporal logic, $\mathbf{DT}$ could be expressed more precisely as

$$\mathbf{DT} \triangleq \ldots\ \mathit{terminates}, \tag{5.1}$$
Given a closure operator Cl that expresses a possibilistic information-ow policy, the hyperproperty PCl induced by Cl is: PCl {Cl (T ) | T Prop}. Dene the set PIF of all such hyperproperties to be Cl PCl . It is now easy to see that these are liveness hyperproperties: any observation T can be extended to its closure. 8 where terminates is a state predicate and is the not never operator.11 There is no liveness property equivalent to DT [19]; an approximation would be the liveness property that requires every trace to terminate. However, DT is hyperliveness because any nite trace can be extended to a set of executions, at least one of which terminates. This example suggests that hyperproperties can be models for branching-time temporal predicates whereas properties are limited to modeling linear-time temporal predicates. 6 Other Hyperproperties Hyperproperties are not necessarily either hypersafety or hyperliveness. Consider a medical information system that must maintain the condentiality of patient records and must also eventually notify patients whenever their records are accessed [6]. Assuming the condentiality requirement is interpreted as observational determinism OD (2.6), this system must both prevent bad things (OD , which is hypersafety) as well as guarantee good things (eventual notication, which can be formulated as liveness). As another example, consider a proactive secret sharing system that must maintain and periodically refresh a secret. Maintaining the condentiality of the secret can be formulated as hypersafety, and the eventual refresh of the secret shares can be formulated either as liveness (if every execution must eventually complete the refresh) or hyperliveness (if only some executions must complete). Both of these examples illustrate hyperproperties that are intersections of (hyper)safety and (hyper)liveness. In fact, every hyperproperty is the intersection of a safety hyperproperty and a liveness hyperproperty. 
This generalizes the result of Alpern and Schneider [4] that every property is the intersection of a safety property and a liveness property. Theorem 3. ( P HP : ( S SHP, L LHP : P = S L)) 11 Some temporal logics, such as CTL [9], express this formula as EFterminates. Probabilistic Hyperproperties. Although the formulation of systems and hyperproperties in Section 2 did not include probabilities, it is straightforward to incorporate them. A probabilistic system transitions from a state s to a state s with probability p(s, s ).12 Dene Prs,S (T ) to be the probability with which set T of nite traces is produced by system S with initial state s. This measure can be constructed from p(, ) [17, 31] and used in the denitions of hyperproperties. In information-ow security, the original motivations for adding probability to system models were to address covert channels and to establish connections between information theory and information ow [29, 14, 15]. A security policy that emerged from this line of research was probabilistic noninterference [16, 31]. Intuitively, this policy requires that the probability of every low trace be the same for every low-equivalent initial state. A formulation of this as hyperproperty PNI appears in Appendix B. PNI is an example of a hyperproperty that is intrinsically neither hypersafety nor hyperliveness: If two low traces have differing probabilities in some observation, it may or may not be possible to extend the observation to make the probabilities equal. Because it is neither always possible nor always impossible to do so, PNI is neither hypersafety nor hyperliveness. To measure quantity of leakage from repeated experiments in probabilistic programs, Clarkson et al. [10] use a probabilistic denotational semantics. This semantics can be used to dene a system, and the traces of the system represent repeated executions of the program. 
The hyperproperty the quantity of leakage over every series of experiments on deterministic program S is less than k bits (denoted QL ) then can be shown to be hypersafety. For details, see Appendix B. The channel capacity of a system is the rate (dened as a limit over all execution lengths) at which information ows through the system [15]. The hyperproperty the channel capacity is k bits (denoted CC ) can be shown to be hyperliveness. Intuitively, no matter what the rate is for some nite prex of the system, the rate can changed to any arbitrary amount by an appropriate extension that conveys more or less information. the system. At any point in time, the observer has seen only a nite prex of the (innite) execution. Thus, the observer should declare that the system satises P , after observing nite trace t, only if all possible extensions of t will also satisfy P . Abramsky names such properties nitely observable [2]. As with the bad thing for a safety property, a nitely observable property must be detectable in nite time, and once detected, hold thereafter. Formally, O is a nitely observable property iff ( t inf : t O = ( m n : m t ( t inf : m t = t O))). Dene O to be the set of nitely observable properties. Finitely observable properties satisfy two closure conditions. First, if O1 , . . . , On are nitely observable, then n i=1 Oi is also nitely observable. Second, if O is a (potentially innite) set of nitely observable properties, then OO O is also nitely observable. Thus we say that O is closed under nite intersections and innite unions. Recall that a topology on a set S is a set T P(S) such that T is closed under nite intersections and innite unions. The elements of T are called open sets. Because O satises these requirements, it is a topology on inf . We call O the Plotkin topology after its inventor. A convenient way to characterize a topology is to dene a base or a subbase for the topology. 
A base of topology T is a set B T such that every open set is a (potentially innite) union of elements of B. A subbase is a set A T such that the collection of nite intersections of A is a base for T . A base (also a subbase) of the Plotkin topology is OB { t | t n }, 7 Topology Topology enables an elegant characterization of the structure of hyperproperties. We begin by summarizing the topology of properties [40]. Consider an observer of an execution of a system, who is permitted to see each new state as it is produced by the system; otherwise, the system is opaque to the observer. The observer attempts to determine whether property P holds of 12 If this probability is dependent on the history of execution, then the implementation must have available, in each state, enough information to reconstruct that history. where t {t inf | t t } is the completion of a nite trace t. When t t we say that t extends t. The completion of t is thus the set of all innite extensions of t. The open sets O of the Plotkin topology are the sets in the closure of OB under innite unions. Alpern and Schneider [4] established that safety properties correspond to closed sets, and liveness properties correspond to dense sets, in the Plotkin topology. A closed set is the complement of an open set, and a set that is dense in T intersects every non-empty open set in T . (Hereafter, we shorten dense in T to dense.) Intuitively, non-membership in a closed set is nitely observable, with a nite trace constituting the bad thing for a safety property. And any nite observation can be extended to be in a dense set, constituting a good thing, so that dense set is live. We want to construct a topology on sets of traces that extends this correspondence to hyperproperties. The most important step is generalizing the notion of nite observability from properties to hyperproperties. Section 3 already 9 did this in generalizing a nite trace to a nite set of nite tracesi.e., an observation. 
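Two ideas from the text can be exercised on a finite system: an observation is a finite set of finite traces, and by Theorem 2 a k-safety hyperproperty of S is checked as a safety property of the k-product S^k, i.e. by looking at k-tuples of traces. The following is an added example written for this page, not code from the paper or its technical report. It assumes constructed event vocabularies (("out", i) for "share i was output"; "high_in", "low_in", "low_out" for inputs and outputs) and, for the 2-safety case, a simplified policy "equal low inputs force equal low outputs" that is in the spirit of relational noninterference rather than the paper's exact RNI, GMNI or OD definitions. It checks SS_k two ways (over k-tuples and over all finite subsets) and shows that once an observation is a bad thing for SS_k, every extension of it still violates SS_k.

```python
from itertools import combinations, product

# A system is modelled as a finite set of finite traces; a trace is a tuple
# of events. Two constructed event vocabularies are used below (hypothetical,
# chosen for this example):
#   ("out", i)                                        the system emitted share i
#   ("high_in", v) / ("low_in", v) / ("low_out", v)   inputs and outputs


def k_product(system, k):
    """Traces of the k-product S^k, represented as k-tuples of traces of S.
    Theorem 2 pairs traces in lock-step; for the safety properties below only
    which k traces occur together matters, so plain tuples suffice."""
    return product(sorted(system), repeat=k)


def satisfies_k_safety(system, k, bad_tuple):
    """Finite form of Theorem 2: the k-safety hyperproperty whose bad things
    are the observations (of at most k traces) accepted by bad_tuple holds of
    S iff the safety property "no bad k-tuple" holds of S^k."""
    return not any(bad_tuple(tup) for tup in k_product(system, k))


def extends(observation, trace_set):
    """Trace-set prefix of Section 3: observation M is a prefix of T when
    every trace of M is a prefix of some trace of T."""
    return all(any(m == t[:len(m)] for t in trace_set) for m in observation)


# ---- SS_k: no k executions together output all k shares --------------------
def shares_output(traces):
    return {ev[1] for t in traces for ev in t if ev[0] == "out"}


def ss_bad(k):
    """Bad thing of SS_k: a k-tuple of traces that together emits every share."""
    all_shares = set(range(1, k + 1))
    return lambda tup: shares_output(tup) >= all_shares


def violates_ss_by_subsets(system, k):
    """Direct check against the definition: does ANY finite set of executions
    (of any size) emit all k shares? A violating set needs at most one trace
    per share, so a violating set of size <= k exists whenever any does;
    that is why the k-tuple check above is complete for SS_k."""
    traces = sorted(system)
    all_shares = set(range(1, k + 1))
    return any(shares_output(sub) >= all_shares
               for n in range(1, len(traces) + 1)
               for sub in combinations(traces, n))


# ---- a 2-safety policy: equal low inputs force equal low outputs -----------
# (a simplification assumed for this example, not the paper's RNI/OD/GMNI)
def low_inputs(t):
    return tuple(ev for ev in t if ev[0] == "low_in")


def low_view(t):
    return tuple(ev for ev in t if ev[0] in ("low_in", "low_out"))


def ni_bad(pair):
    t1, t2 = pair
    return low_inputs(t1) == low_inputs(t2) and low_view(t1) != low_view(t2)


# ---- constructed sample systems --------------------------------------------
GOOD_SHARING = {(("out", 1),), (("out", 2),), (("out", 1), ("out", 2))}
BAD_SHARING = {(("out", 1),), (("out", 2),), (("out", 3),)}
# Any extension of BAD_SHARING (more runs, longer runs) still violates SS_3:
EXTENDED_SHARING = BAD_SHARING | {(("out", 1), ("out", 2)), (("out", 3), ("out", 1))}

SECURE_PROG = {(("high_in", 0), ("low_in", 1), ("low_out", 1)),
               (("high_in", 1), ("low_in", 1), ("low_out", 1))}
LEAKY_PROG = {(("high_in", 0), ("low_in", 1), ("low_out", 0)),
              (("high_in", 1), ("low_in", 1), ("low_out", 1))}


if __name__ == "__main__":
    for name, sys_ in [("good sharing", GOOD_SHARING), ("bad sharing", BAD_SHARING)]:
        print(name, "SS_3 via 3-product:", satisfies_k_safety(sys_, 3, ss_bad(3)),
              "| by subsets:", not violates_ss_by_subsets(sys_, 3))
    print("extension of bad observation:", extends(BAD_SHARING, EXTENDED_SHARING),
          "| still violates SS_3:", not satisfies_k_safety(EXTENDED_SHARING, 3, ss_bad(3)))
    print("secure prog, 2-safety policy:", satisfies_k_safety(SECURE_PROG, 2, ni_bad))
    print("leaky prog, 2-safety policy:", satisfies_k_safety(LEAKY_PROG, 2, ni_bad))
```

The two SS_3 checks agree on both sample systems, which is the finite-system content of Theorem 2: the bad thing is an observation of at most k traces, so inspecting S^k loses nothing. The extension check is the hypersafety condition itself: the observation {out(1)}, {out(2)}, {out(3)} is a prefix of the extended system and no extension can "un-output" a share.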
The observer, as before, sees the system produce each new state in the execution. However, the observer may now reset the system at any time, causing it to begin a new execution. At any finite point in time, the observer has now collected a finite set of finite (thus partial) executions (footnote 13). An observation is thus an element of Obs, as defined in Section 3. An extension of an observation should allow the observer to perform additional resets of the system, yielding a larger set of traces. An extension should also allow each execution to proceed longer, yielding longer traces. So an extension corresponds to trace set prefix as defined in Section 3. The completion of observation M Obs is M {T Prop | M T}.

We can now define our topology on sets of traces in terms of its subbase: O_SB { M | M Obs}. The base O_B of our topology is then O_SB closed under finite intersections. The base and subbase turn out to be the same sets.

Proposition 4. O_B = O_SB

Finally, the topology O is O_B closed under infinite unions. Thus, open sets are unions of completed observations. Next, we provide the appropriate characterizations of safety and liveness for this topology. Define C to be the closed sets and D to be the dense sets.

Proposition 5. SHP = C

Proposition 6. LHP = D

Thus, just as safety and liveness correspond to closed and dense sets in the Plotkin topology, hypersafety and hyperliveness correspond to closed and dense sets in our generalization of that topology.

The topology we developed here is actually equivalent to a well-known topology. The Vietoris (or finite or convex Vietoris) topology is a standard construction of a topology on sets out of an underlying topology [44, 28]. This construction can be decomposed into the lower Vietoris and upper Vietoris constructions [39], which also yield topologies. Define VL(T) to be the lower Vietoris construction, which given topology T on space X produces a topology on P(X). Our underlying topology was on traces, and we constructed the lower Vietoris topology on sets of traces.

Theorem 4. O = VL(O)

This theorem yields another topological characterization of safety hyperproperties. The set of lifted safety properties, closed under infinite intersections and finite unions (denoted ), is the set of safety hyperproperties.

Corollary 1. SHP = ({[S] | S SP})

Powerdomains. A powerdomain is a construction used to model the semantics of nondeterminism [32]. The definition of prefix over sets of traces in Section 3 suggests we are working with the lower (or Hoare) powerdomain on traces. Theorem 4 validates this, since the lower Vietoris topology corresponds to the lower powerdomain [39]. The two other standard powerdomain constructions, the upper (or Smyth) and convex (or Plotkin) powerdomains, similarly correspond to the upper and convex Vietoris topologies [39]. These two topologies use different open sets than the lower Vietoris topology we are using, changing the notions of observable and trace prefix: The upper construction makes all open sets refinable, whereas the convex construction makes the impossibility of the production of a state observable. Thus, neither the upper nor the convex constructions yield open sets that are the finitely observable properties; the equivalence of closed sets and hypersafety consequently is lost. This means that the upper and convex powerdomains on traces are unsuitable for our purposes. It is possible that these powerdomains might nonetheless be useful for a different semantic domain than traces; we leave this as future work.

Footnote 13. Equivalently, instead of allowing resets, the observer could run a finite collection of copies of the system. At any finite point in time, an observation can be made, comprising the set of traces the copies have produced.

8 Concluding Remarks

Many examples of security policies have been classified as hyperproperties in this paper. Figure 1 summarizes this classification.
Although this paper formulates security policies with hyperproperties, security policies are typically formulated in terms of condentiality, integrity, and availability. The relation between these two formulations is an open question, but we can offer some observations: Information-ow condentiality is not a property, but it is a hyperproperty, and it can be hypersafety (e.g., observational determinism) or hyperliveness (e.g., generalized noninterference). Availability is sometimes hypersafety (maximum response time in any execution, which is also safety) and sometimes hyperliveness (mean response time over all executions). Integrity, which we have not discussed in this paper, also includes examples from both hypersafety and hyperliveness. 10 HP SHP KSHP(2) GNI QL SS GMNI OD PNI LHP PIF [SP] = KSHP(1) false NRW AC true GS CC DT [LP] SP LP Figure 1. Classication of security policies The language of condentiality, integrity, and availability therefore would seem to be orthogonal to hypersafety and hyperliveness. The language of hypersafety and hyperliveness has the advantages of being formalized and providing an orthogonal basis for constructing security policies. In contrast, there is no formalization that simultaneously characterizes condentiality, integrity, and availability,14 nor are condentiality, integrity, and availability orthogonal.15 In this work, we developed a theory of hyperproperties that parallels the theory of properties. There is a relatively complete verication methodology for properties: Given a property P , construct a safety property S and a liveness property L such that P = S L, then use invariance arguments to verify S and well-foundedness arguments to verify L [4, 5]. We have taken steps toward generalizing this methodology to apply to hyperproperties. 
Theorem 3 shows that every hyperproperty P can be expressed as the intersection of a safety hyperproperty S and a liveness hyperproperty L , and the proof of Theorem 3 shows that S and L can be constructed from P . If S is a k-safety hyperproperty, then by Theorem 2, it can be veried using reasoning about safety. It remains an open question whether general methods exist that are relatively complete for verication of safety hyperproperties that are not k-safety, or for liveness hyperproperties.16 Such methods would complete the ver14 The closest example of which we are aware is Zheng and Myers [48], who formalize a particular noninterference policy for condentiality, integrity, and availability. 15 For example, the requirement that a principal be unable to read a value could be interpreted as condentiality or unavailability of that value. 16 If, as discussed at the end of Section 2, the full power of second-order logic is necessary to express hyperproperties, then such methods could not ication methodology for hyperproperties. Then, security might take its place as just another functional requirement to be veried. Acknowledgments We thank Graeme Bailey, Stephen Chong, Dexter Kozen, Ueli Maurer, Andrew Myers, and Tom Roeder for discussions about this work. We also thank Martn Abadi, Bor zoo Bonakdarpour, Stephen Chong, Michael George, Leslie Lamport, Jed Liu, John McLean, John Mitchell, Greg Morrisett, Tamara Rezk, Tom Roeder, and Tachio Terauchi for their comments on a draft of this paper. References [1] M. Abadi and L. Lamport. Composing specications. ACM Transactions on Programming Languages and Systems, 15(1):73132, 1993. [2] S. Abramsky. Domain theory in logical form. Annals of Pure and Applied Logic, 51:177, 1991. a [3] Ad m Darvas, R. H hnle, and D. Sands. A theorem proving a approach to analysis of secure information ow. In Proc. of Workshop on Issues in the Theory of Security, Apr. 2003. [4] B. Alpern and F. B. Schneider. Dening liveness. 
Information Processing Letters, 21(4):181185, 1985. [5] B. Alpern and F. B. Schneider. Recognizing safety and liveness. Distributed Computing, 2(3):117126, 1987. [6] R. J. Anderson. A security policy model for clinical information systems. In Proc. of IEEE Symposium on Security and Privacy, pages 3043, 1996. exist. Nonetheless, methods for verifying fragments of the logic might sufce for verifying classes of hyperproperties that correspond to security policies. 11 [7] G. Barthe, P. R. DArgenio, and T. Rezk. Secure information ow by self-composition. In Proc. of IEEE Computer Security Foundations Workshop, pages 100114, June 2004. [8] G. Boudol and I. Castellani. Noninterference for concurrent programs and thread systems. Theoretical Computer Science, 281(12):109130, 2002. [9] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verication of nite-state concurrent systems using temporal logic specications. ACM Transactions on Programming Languages and Systems, 8(2):244263, 1986. [10] M. R. Clarkson, A. C. Myers, and F. B. Schneider. Belief in information ow. In Proc. of IEEE Computer Security Foundations Workshop, pages 3145, June 2005. [11] M. R. Clarkson and F. B. Schneider. Hyperproperties. Cornell University Computing and Information Science Technical Report, http://hdl.handle.net/1813/9480, Apr. 2008. [12] R. Focardi and R. Gorrieri. Classication of security properties (Part I: Information ow). In Foundations of Security Analysis and Design 2000, volume 2171 of Lecture Notes in Computer Science, pages 331396. Springer, 2001. [13] J. A. Goguen and J. Meseguer. Security policies and security models. In Proc. of IEEE Symposium on Security and Privacy, pages 1120, Apr. 1982. [14] J. W. Gray, III. Probabilistic interference. In Proc. of IEEE Symposium on Security and Privacy, pages 170179, 1990. [15] J. W. Gray, III. Towards a mathematical foundation for information ow security. In Proc. of IEEE Symposium on Security and Privacy, pages 2134, May 1991. [16] J. W. 
Gray, III and P. F. Syverson. A logical approach to multilevel security of probabilistic systems. Distributed Computing, 11(2):7390, 1998. [17] J. Y. Halpern. Reasoning About Uncertainty. MIT Press, 2003. [18] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, 3(2):125143, 1977. [19] L. Lamport. Sometime is sometimes not never: On the temporal logic of programs. In Proc. of ACM Symposium on Principles of Programming Languages, pages 174185, Jan. 1980. [20] L. Lamport. Basic concepts: Logical foundation. In Distributed Systems: Methods and Tools for Specication, An Advanced Course, volume 190 of Lecture Notes in Computer Science, pages 1930. Springer, 1985. [21] L. Lamport. Specifying Systems: The TLA+ Language and Tools for Hardware and Software Engineers. AddisonWesley, 2002. [22] Z. Manna and A. Pnueli. Temporal Verication of Reactive Systems: Safety. Springer, 1995. [23] H. Mantel. Possibilistic denitions of security: An assembly kit. In Proc. of IEEE Computer Security Foundations Workshop, pages 185199, July 2000. [24] D. McCullough. Specications for multi-level security and a hook-up property. In Proc. of IEEE Symposium on Security and Privacy, pages 161166, Apr. 1987. [25] D. McCullough. A hookup theorem for multilevel security. IEEE Transactions on Software Engineering, 16(6):563 568, June 1990. [26] J. McLean. A general theory of composition for a class of possibilistic properties. IEEE Transactions on Software Engineering, 22(1):5367, 1996. [27] J. McLean, 2008. Personal communication. [28] E. Michael. Topologies on spaces of subsets. Transactions of the American Mathematical Society, 71(1):152182, July 1951. [29] J. Millen. Covert channel capacity. In Proc. of IEEE Symposium on Security and Privacy, pages 6066, Apr. 1987. [30] R. Milner. Communication and Concurrency. Prentice Hall, 1989. [31] K. R. ONeill, M. R. Clarkson, and S. Chong. Informationow security for interactive programs. In Proc. 
of IEEE Computer Security Foundations Workshop, pages 190201, July 2006. [32] G. Plotkin. Domains. Available from http://homepages. inf.ed.ac.uk/gdp/publications/Domains.ps, 1983. [33] F. Pottier and V. Simonet. Information ow inference for ML. In Proc. of ACM Symposium on Principles of Programming Languages, pages 319330, Jan. 2002. [34] R. Pucella and F. B. Schneider. Independence from obfuscation: A semantic framework for diversity. In Proc. of IEEE Computer Security Foundations Workshop, pages 230241, July 2006. [35] A. W. Roscoe. CSP and determinism in security modelling. In Proc. of IEEE Symposium on Security and Privacy, pages 114127, May 1995. [36] J. Rushby. Security requirements specications: How and what? (extended abstract). In Symposium on Requirements Engineering for Information Security, Mar. 2001. [37] A. Sabelfeld and A. C. Myers. Language-based informationow security. IEEE Journal on Selected Areas in Communications, 21(1):519, Jan. 2003. [38] F. B. Schneider. On Concurrent Programming. Springer, 1997. [39] M. B. Smyth. Power domains and predicate transformers: A topological view. In Proc. of International Colloquium on Automata, Languages, and Programming, pages 662675, July 1983. [40] M. B. Smyth. Topology. In Background: Mathematical Structures, volume 1 of Handbook of Logic in Computer Science. Oxford University Press, 1992. [41] D. Sutherland. A model of information. In National Security Conference, pages 175183, 1986. [42] T. Terauchi and A. Aiken. Secure information ow as a safety problem. In Proc. of Static Analysis Symposium, pages 352367, Sept. 2005. [43] J. van Benthem and K. Doets. Higher-order logic. In Elements of Classical Logic, volume 1 of Handbook of Philosophical Logic. D. Reidel Publishing, 1983. [44] L. Vietoris. Bereiche zweiter Ordnung. Monatschefte f r u Mathematik und Physik, 33:4962, 1923. [45] D. Volpano. Safety versus secrecy. In Proc. of Static Analysis Symposium, pages 303311, 1999. [46] G. Winskel and M. Nielsen. 
Models for concurrency. In Semantic Modelling, volume 4 of Handbook of Logic in Computer Science. Oxford University Press, 1994. [47] S. Zdancewic and A. C. Myers. Observational determinism for concurrent program security. In Proc. of IEEE Computer Security Foundations Workshop, pages 2943, June 2003. 12 [48] L. Zheng and A. C. Myers. End-to-end availability policies and noninterference. In Proc. of IEEE Computer Security Foundations Workshop, pages 272286, June 2005. A Summary of Notation P is a property, H is a hyperproperty, M is a named set of properties, and N is a named set of hyperproperties. We use bold to denote hyper and sans serif to denote named sets. Predicates and functions always begin with lower case, whereas properties always begin with upper case. n inf t[i] t[..i] t[i..] Prop P N NRW AC GS HP [P ] GMNI GNI OD RT RC SP P n Obs SHP R RHP RNI KSHP(k) Sys SS LP LHP true false PIF DT PNI set of all states set of all nite traces set of all innite traces set of all traces trace index trace prex trace sufx set of all properties powerset operator the natural numbers property no read then write property access control property guaranteed service set of all hyperproperties lift of property P to equivalent hyperproperty hyperproperty Goguen and Meseguers noninterference hyperproperty generalized noninterference hyperproperty observational determinism hyperproperty average response time set of all renement-closed hyperproperties set of all safety properties nite powerset operator (set of all nite subsets) set of all observations trace (or trace set) prex set of all safety hyperproperties set of all relational traces set of all relational hyperproperties hyperproperty relational noninterference set of all k-safety hyperproperties set of all systems hyperproperty secret sharing set of all liveness properties set of all liveness hyperproperties maximal hyperproperty minimal hyperproperty set of all possibilistic information-ow hyperproperties hyperproperty 
sometimes terminates hyperproperty probabilistic noninterference 13 QL CC O O C D VL hyperproperty quantitative leakage hyperproperty channel capacity open sets of Plotkin topology completion of observation open sets of our topology closed sets of our topology dense sets of our topology lower Vietoris construction closure under innite intersection and nite union B Example Hyperproperties Bisimulation. Boudol and Castellani [8] give a bisimulation-based noninterference policy for concurrent programs. They model execution as a binary relation on program terms and memoriesa program term P and a memory step to a new program term P and memory . Dene P , the set of states for program P , to be the set of pairs of a program term and a memory, prog(s) to be the program term in state s, and mem(s) to be the memory in state s. Dene traces(P ) to be the set of all traces t such that prog(t[0]) is P , and for all i, t[i] t[i + 1]; this yields a semantic model of P as a set of traces. Let =L be an equivalence relation on memories such that 1 =L 2 means 1 and 2 are indistinguishable to a low observer. Say that state s can take a step to state s when there exists some trace t in traces(P ) such that, for some i, we have t[i] = s and t[i + 1] = s . Informally, dene P (read bisimilar) to be a binary relation on P such L that if s1 is bisimilar to s2 , then s1 and s2 must have indistinguishable memories to a low observer. Further, if s1 can take a step to reach state s1 , then either s1 remains bisimilar to s2 , or s2 can take a step to reach s2 where s1 and s2 are bisimilar. Formally, bisimilarity P is the largest symmetL ric binary relation on P such that s1 P s2 = mem(s1 ) =L mem(s2 ) L ( t traces(P ), i N, s1 : t[i] = s1 t[i + 1] = s1 = s1 P s2 L ( t traces(P ), j N, s2 : t [j] = s2 t [j + 1] = s2 s1 P s2 )). 
Boudol and Castellani define program P to be secure, which we denote as BCNI(P), iff it is bisimilar to itself in all initially low-equivalent memories:

$$BCNI(P) \triangleq (\forall \sigma_1, \sigma_2 : \sigma_1 =_L \sigma_2 \implies (P, \sigma_1) \approx_P (P, \sigma_2)).$$

The hyperproperty BCNI containing all secure programs according to Boudol and Castellani's definition is:

$$BCNI \triangleq \{T \in Prop \mid (\exists P : T = traces(P) \wedge BCNI(P))\}. \tag{B.1}$$

We have shown how to model a particular bisimulation-based definition of noninterference as a hyperproperty. But the example also suggests a general methodology for modeling other bisimulation-based definitions:

1. Model the system used in such a definition as a set T of traces, enriching the set $\Sigma$ of states as appropriate.
2. State the bisimulation over T.
3. Define the hyperproperty, using that bisimulation.

Although the second and third steps in this methodology depend on the particular bisimulation-based definition being modeled, there is a general construction for the first step. The system model generally used for bisimulation-based definitions is a labeled transition system, a triple $(S, L, \to)$ where S is a set of LTS-states,[17] L is a set of labels, and $\to$ is a relation on $S \times L \times S$ [30]. Elements of relation $\to$ are usually notated $s_1 \xrightarrow{\ell} s_2$, meaning that the system has a transition labeled $\ell$ from LTS-state $s_1$ to LTS-state $s_2$. To model labeled transition system $(S, L, \to)$ as a set of traces, it suffices to define the state space for systems to be $S \times L$. Given state s, let st(s) denote the LTS-state from s and lab(s) denote the label from s. Define $traces(S, L, \to)$ to be

$$traces(S, L, \to) \triangleq \{t \mid (\forall i \in \mathbb{N} : st(t[i]) \xrightarrow{lab(t[i+1])} st(t[i+1]))\}.$$

Note that this construction would not work with an impoverished notion of state, as observed by Focardi and Gorrieri [12] for states that are elements of L. Defining a state as an element of $S \times L$ captures enough information in the set of traces to express bisimulation-based policies.

[17] We use the term LTS-state to distinguish these from the states defined in Section 2.

Probabilistic noninterference. To formulate probabilistic noninterference as a hyperproperty, we need some notation. Let the low equivalence class of a finite trace t be denoted $[t]_L$, where

$$[t]_L \triangleq \{t' \in \Psi_{fin} \mid ev(t, L) = ev(t', L)\}.$$

$Pr_{s,S}([t]_L)$ is the probability that system S, starting in state s, produces an execution low-equivalent to t. Let the set of initial states of property T be denoted Init(T), where

$$Init(T) \triangleq \{s \mid \{s\} \le T\}.$$

Probabilistic noninterference can then be expressed as

$$PNI \triangleq \{T \in Prop \mid (\forall s_1, s_2 \in Init(T) : ev(s_1, L) = ev(s_2, L) \implies (\forall t \in \Psi_{inf} : Pr_{s_1,T}([t]_L) = Pr_{s_2,T}([t]_L)))\}.$$

Hyperproperty PNI is neither hypersafety nor hyperliveness. It is not hypersafety, because even if T fails to be in PNI because of some equivalence class $[t]_L$, it may be possible to extend T to be in PNI by extending some prefix of $[t]_L$ in T.[18] Neither is PNI hyperliveness: a system that deterministically produces two non-low-equivalent traces from two initial low-equivalent states cannot be extended to satisfy PNI.

[18] Consider two low-equivalent initial states $s_1$ and $s_2$ of T. Suppose that the probability of $[t]_L$ from $s_1$ is 0, but that the probability of some prefix of $[t]_L$ is 1. Further suppose that the probability of $[t]_L$ from $s_2$ is 1. These assumptions imply that $T \notin PNI$. But it may be possible to extend the prefix of $[t]_L$ from $s_1$ such that the trace is now low-equivalent to t. This extended system would now satisfy PNI. Thus PNI is not hypersafety.

Quantitative flow. In the model of Clarkson et al. [10], a state has a high component and a low component. A repeated experiment on program S is a series of executions of S. In each execution, the initial state must have the same high component but may have a different low component. We use traces to represent repeated experiments. The first event in the trace is the high component of the initial state. After this follows a series of pairs of low input and low output events. Each low output must have the correct probability of occurring according to S, the initial high input component, and the most recent low input component. The probabilistic behavior of S is modeled by a semantics $[\![S]\!]$ that maps input states to output distributions. Thus, $([\![S]\!]\, s)(s')$ is the probability that S begun in state s terminates in state s'. Let Syst(S) denote the system of such traces resulting from program S:

$$Syst(S) \triangleq \{t \in \Psi_{fin} \mid (\forall \text{ even } i : ev(t[i], H) = ev(t[0], H) \wedge p(t[i+1]) = ([\![S]\!]\, t[i])(t[i+1]))\}.$$

Note that p(s) is not defined at all states in these traces. Further, the set of program states must be finite for the probability distributions to be well-defined.

We now formalize the quantity of flow over a trace t. Each pair of states t[i] and t[i+1] can be used to define an experiment, which describes how an attacker's beliefs change as a result of observing execution of the program. The quantity of flow in an experiment follows from definitions given in [10], and the quantity of flow over the trace is the sum of the flow for each experiment in the trace:

$$Q(b_H, t) \triangleq \sum_{i=0}^{(|t|-1)/2} Q(E(t, i, b_H)),$$

where $E(t, i, b_H)$ is the experiment with components

pre = E(t, i − 1).post;  h = ev(t[2i], H);  l = ev(t[2i], L);  post = (b_H, l) | ev(t[2i + 1], L),

and (b_H, l) ≜ λs . b_H(ev(s, H)) Pr([(ev(s, H) l), ev(s, L)]).

Hyperproperty QL is the set of all systems that exhibit less than k bits of flow over any experiment:

$$QL \triangleq \{T \in Prop \mid (\exists S : T = Syst(S) \wedge (\forall t \in T, b_H : Q(b_H, t) < k))\}.$$
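The PNI definition above can be checked mechanically on a finite system once the traces and their probabilities are enumerated. The following is an added example, not code from the paper: it encodes states as (high, low) pairs, computes Init(T) and $Pr_{s,T}([t]_L)$ for every low-equivalence class, and compares low-equivalent initial states pairwise; the three sample systems (a fair coin, a biased coin, and the deterministic leak used in the hyperliveness argument) are constructed here for illustration.

```python
# Added example (not from the paper): deciding PNI for a small finite
# probabilistic system given as finite traces with their probabilities.
from collections import defaultdict
from fractions import Fraction

# A state is a pair (high, low); ev(s, H) / ev(s, L) project a component.
def ev(state, level):
    return state[0] if level == "H" else state[1]

def low_class(trace):
    """Key of [t]_L: two traces share it iff their low projections agree."""
    return tuple(ev(s, "L") for s in trace)

def init_states(system):
    """Init(T): the first state of every trace in T."""
    return {trace[0] for trace in system}

def pr_low_class(system, s0):
    """Pr_{s0,T}([t]_L) for each low-equivalence class reachable from s0.
    `system` maps each finite trace to its probability conditioned on its
    own initial state, so the values returned for one s0 sum to 1."""
    probs = defaultdict(Fraction)
    for trace, p in system.items():
        if trace[0] == s0 and p:
            probs[low_class(trace)] += p
    return dict(probs)

def satisfies_pni(system):
    """PNI: any two low-equivalent initial states induce the same
    probability on every low-equivalence class. The check relates pairs
    of traces, which is why PNI is a hyperproperty, not a property."""
    inits = init_states(system)
    for s1 in inits:
        for s2 in inits:
            if ev(s1, "L") == ev(s2, "L") and \
               pr_low_class(system, s1) != pr_low_class(system, s2):
                return False
    return True

# Constructed sample systems: high input 0 or 1, low input 0, then one
# low output event carrying the unchanged high component.
def coin_system():
    """Low output is a fair coin independent of the high input: secure."""
    half = Fraction(1, 2)
    return {((0, 0), (0, "out0")): half, ((0, 0), (0, "out1")): half,
            ((1, 0), (1, "out0")): half, ((1, 0), (1, "out1")): half}

def biased_system():
    """Low output is skewed by the high input: a probabilistic leak."""
    q, r = Fraction(3, 4), Fraction(1, 4)
    return {((0, 0), (0, "out0")): q, ((0, 0), (0, "out1")): r,
            ((1, 0), (1, "out0")): r, ((1, 0), (1, "out1")): q}

def deterministic_leak():
    """Two low-equivalent initial states always yield non-low-equivalent
    traces; no extension can bring this system into PNI."""
    return {((0, 0), (0, "out0")): Fraction(1),
            ((1, 0), (1, "out1")): Fraction(1)}

if __name__ == "__main__":
    for name, sys_ in [("coin", coin_system()), ("biased", biased_system()),
                       ("deterministic", deterministic_leak())]:
        print(name, "satisfies PNI:", satisfies_pni(sys_))
```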