Security Properties as Nested Causal Statements

TL;DR

This paper extends the Halpern-Pearl causality framework to express nested causal statements, enhancing its ability to analyze complex security properties involving causality chains and their causes.

Contribution

It introduces a novel extension of the HP framework for nested causal reasoning, specifically tailored for security property analysis.

Findings

Enhanced expressivity for nested causal statements

Ability to distinguish between complex causal scenarios

Reevaluation of previous causality assumptions in security contexts

Abstract

Thinking in terms of causality helps us structure how different parts of a system depend on each other, and how interventions on one part of a system may result in changes to other parts. Therefore, formal models of causality are an attractive tool for reasoning about security, which concerns itself with safeguarding properties of a system against interventions that may be malicious. As we show, many security properties are naturally expressed as nested causal statements: not only do we consider what caused a particular undesirable effect, but we also consider what caused this causal relationship itself to hold. We present a natural way to extend the Halpern-Pearl (HP) framework for causality to capture such nested causal statements. This extension adds expressivity, enabling the HP framework to distinguish between causal scenarios that it could not previously naturally tell apart. We moreover revisit some design decisions of the HP framework that were made with non-nested causal statements in mind, such as the choice to treat specific values of causal variables as opposed to the variables themselves as causes, and may no longer be appropriate for nested ones.