Program Actions as Actual Causes: A Building Block for Accountability

TL;DR

This paper develops a formal framework to identify which program actions cause security violations, aiding accountability in protocols like authentication and voting, with proven applicability to safety properties and analysis of a key protocol.

Contribution

It introduces a formal definition of actual causes of violations in interacting programs and provides a sound method for cause analysis, applicable to security protocols.

Findings

Violations of certain safety properties always have an actual cause.

The formalism is applicable to security properties in protocols.

A cause analysis of a public key infrastructure protocol demonstrates practical utility.

Abstract

Protocols for tasks such as authentication, electronic voting, and secure multiparty computation ensure desirable security properties if agents follow their prescribed programs. However, if some agents deviate from their prescribed programs and a security property is violated, it is important to hold agents accountable by determining which deviations actually caused the violation. Motivated by these applications, we initiate a formal study of program actions as actual causes. Specifically, we define in an interacting program model what it means for a set of program actions to be an actual cause of a violation. We present a sound technique for establishing program actions as actual causes. We demonstrate the value of this formalism in two ways. First, we prove that violations of a specific class of safety properties always have an actual cause. Thus, our definition applies to relevant security properties. Second, we provide a cause analysis of a representative protocol designed to address weaknesses in the current public key certification infrastructure.