Program Actions as Actual Causes: A Building Block for Accountability

Datta, Anupam; Garg, Deepak; Kaynar, Dilsun; Sharma, Divya; Sinha, Arunesh

doi:10.1109/csf.2015.25

Cited by 26 publications

(35 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We want to assume the control flow to be (locally) determined and not consider failure in, e.g., conditional branching. The same assumption is made by Datta, Garg, Kaynar, Sharma and Sinha (DGKSS) [6] and Beckers [2].…”

Section: Modelling Control Flowmentioning

confidence: 82%

“…We can capture this through the actual value of the control flow variables. DGKSS [6] and Beckers [2] require interventions to be consistent with the actual temporal order in which events occurred. Translated to our setting, this is akin to considering X s.t.…”

Section: Preserving Control Flowmentioning

confidence: 99%

“…DGKSS's notion of causation [6] is based on a source code transformation of non-branching programs within a simple process calculus. We therefore cast their idea of intervening on events that do not appear in the candidate cause within Pearl's framework (see Definition 4).…”

Section: Sufficient Causationmentioning

confidence: 99%

See 2 more Smart Citations

Causality & Control Flow

Künnemann

Garg

Backes

2019

Electron. Proc. Theor. Comput. Sci.

Self Cite

View full text Add to dashboard Cite

Causality has been the issue of philosophic debate since Hippocrates. It is used in formal verification and testing, e.g., to explain counterexamples or construct fault trees. Recent work defines actual causation in terms of Pearl's causality framework, but most definitions brought forward so far struggle with examples where one event preempts another one. A key point to capturing such examples in the context of programs or distributed systems is a sound treatment of control flow. We discuss how causal models should incorporate control flow and discover that much of what Pearl/Halpern's notion of contingencies tries to capture is captured better by an explicit modelling of the control flow in terms of structural equations and an arguably simpler definition. Inspired by causality notions in the security domain, we bring forward a definition of causality that takes these control-variables into account. This definition provides a clear picture of the interaction between control flow and causality and captures these notoriously difficult preemption examples without secondary concepts. We give convincing results on a benchmark of 34 examples from the literature. NotationWe write t for a sequence t 1 , . . . ,t n if n is clear from the context and use (a 1 , . . . , a n ) · (b 1 , . . . , b m ) = (a 1 , . . . , a n , b 1 , . . . , b m ) to denote concatenation. We filter a sequence l by a set S, denoted l| S , by removing each element that is not in S. Causality framework (Review)We review the causality framework introduced by Pearl [23], also known as the structural equations model. The causality framework models how random variables influence each other. The set of random variables, which we assume discrete, is partitioned into a set U of exogenous variables, variables that are outside the model, e.g., in the case of a security protocol, the scheduling and the attack the adversary decides to mount, and a set V of endogenous variables, which are ultimately determined by the value of the exogenous variables. A signature is a triple consisting of U , V and function R associating a range, i.e., a set, to each variable Y ∈ U ∪ V . A causal model on this signature defines the relation between endogenous variables and exogenous variables or other endogenous variables in terms of a set of equations.Definition 1 (Causal model). A causal model M over a signature S = (U , V , R) is a pair of said signature S and a set of functions F = { F X } X∈V such that, for each X ∈ V ,Each causal model induces a causal network, a graph with a node for each variable in V , and an edge from X to Y iff F Y depends on X. (Y depends on X iff there is a setting for the variables in V ∪U \{ X,Y } 1. V can be partitioned into V rch and a set of data variables V dat , 2. R(V rch ) = { , ⊥ } for any V rch ∈ V rch , and, Table 1: Set of causes for various examples from the literature. The suffix (ctl) marks models adapted to Definition 5.

show abstract

Section: Modelling Control Flowmentioning

confidence: 82%

Section: Preserving Control Flowmentioning

confidence: 99%

See 1 more Smart Citation

Causality & Control Flow

Künnemann

Garg

Backes

2019

Electron. Proc. Theor. Comput. Sci.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The definition we provide here is a simplified version of an earlier, causality-based definition [25], adapted to a setting where there is only a single adversary controlling all deviating parties, or equivalently, where the deviating parties share all the knowledge they obtain. Both definitions are based on sufficient causation [12,24]. The intuition is to capture all parties for which the fact that they are deviating at all is causing the violation.…”

Section: Accountabilitymentioning

confidence: 99%

“…We discuss three approaches for relating factual and counterfactual traces: ‚ by control-flow: r c pt, t 1 q iff t and t 1 have similar controlflow. Several works in the causality literature relate traces by their control-flow [12,25,27], requiring counterfactuals to retain, to varying degree, the same control-flow. See [26] for a detailed discussion about control flow in Pearl's influential causation framework.…”

Section: Counterfactual Relationmentioning

confidence: 99%

Automated Verification of Accountability in Security Protocols

Künnemann

Esiyok

Backes

2019

2019 IEEE 32nd Computer Security Foundations Symposium (CSF)

View full text Add to dashboard Cite

Accountability is a recent paradigm in security protocol design which aims to eliminate traditional trust assumptions on parties and hold them accountable for their misbehavior. It is meant to establish trust in the first place and to recognize and react if this trust is violated. In this work, we discuss a protocol-agnostic definition of accountability: a protocol provides accountability (w.r.t. some security property) if it can identify all misbehaving parties, where misbehavior is defined as a deviation from the protocol that causes a security violation.We provide a mechanized method for the verification of accountability and demonstrate its use for verification and attack finding on various examples from the accountability and causality literature, including Certificate Transparency and Kroll's Accountable Algorithms protocol. We reach a high degree of automation by expressing accountability in terms of a set of trace properties and show their soundness and completeness.‚ a new definition of accountability in the single-adversary setting (which is simpler than the previous definition [25]

show abstract

Towards Causal Analysis of Protocol Violations

Khan

Soutchanski

2019

Advances in Artificial Intelligence

View full text Add to dashboard Cite

Program Actions as Actual Causes: A Building Block for Accountability

Cited by 26 publications

References 39 publications

Causality & Control Flow

Causality & Control Flow

Automated Verification of Accountability in Security Protocols

Towards Causal Analysis of Protocol Violations

Contact Info

Product

Resources

About