Datalog Static Analysis in Secrecy

We present a secure static-analysis-as-a-service (SaaaS) system where a client may outsource static analysis to the cloud. To address copyright concerns associated with SaaaS, clients are allowed to encrypt the source code of a target program and upload it to the cloud. Our goal is to secure the privacy of the design and implementation of static analysis as well as the source code of the target program. Considering a family of static analyses written in Datalog, we propose a generic protocol that combines homomorphic encryption (HE) with secure two-party computation to manage the huge cost of HE operations. The server occasionally delegates sub-parts of analysis which are costly in the cipher-world to the client without exposing the design of analysis. During server-client interactions, the information of both sides (client and server) is not leaked to the opposite. We evaluated our system on two static analyses in Datalog in secrecy, which have not been feasible using the previous techniques. For example, Andersen pointer analysis is completed in an average of 45 mins for 14 C programs comprising up to 1.6 KLoC.


I. INTRODUCTION
There have been two ways for a user to adopt a static analysis tool in software development to identify potential bugs for improving software quality. One way is to run the static analyzer in the user's self-hosted environment. In this way, the user downloads an open-source tool, or purchases/subscribes to a license to have free access to an on-premise version of a commercial tool. The other way is to use software-as-aservice (SaaS) applications [1]- [4] where the user uploads the target program to the cloud and gets the analysis result back.
From a perspective of two-party computation where two parties (here, the user and the analysis provider) jointly compute a result on their inputs, either of the two parties inevitably reveals its secret to the opposing party. On one hand, the design and implementation of a static analysis may be revealed to the user when the user has free access to the analyzer. On the other hand, the source code of the target program to be analyzed may be exposed to the analysis provider when the static analysis is outsourced to the cloud.
If static analysis can be performed without sharing any information between the two (called static analysis in secrecy [5]), the usability of static analysis will be improved in the following two aspects.
• No copy-right concerns: The user can upload the target program to a static-analysis-as-a-service (SaaaS) system without any copy-right concerns. This gives better flexibility to the user who can promote the cost savings by the cloud (e.g., payment per Line of Code (LoC) [4]) rather than on-premise systems. • Security enhancement: Static analysis-based malware detection mechanisms need to be unknown to malware developers as much as possible to prevent evasive malware [6], [7]. Attackers have a vested interest in crafting their code to evade the detection of analysis tools through mechanisms such as code obfuscation, while remaining effective at exploiting benign users. Maintaining security of detection mechanisms can hamper such attempts.
One immediate method for achieving this goal is to use Fully Homomorphic Encryption (FHE) [8]. FHE allows for computation on encrypted data without requiring the decryption key. Using FHE, the program owner can encrypt and upload the program to the static analysis service while the service provider can still analyze the encrypted program without decryption. Only the owner of the decryption key (the program owner) can decrypt the encrypted analysis result. It is theoretically guaranteed that no information is Contrast to the prior work, we propose an efficient method for a broader class of static analyses in secrecy. We target static analyses written in a subset of Datalog. Thanks to its concise and declarative nature and powerful fixed point frameworks [13], [14], Datalog has been popularly used to write sophisticated static analyses for highly precise pointer analysis [15], detecting common security vulnerabilities [16] and malware [17] among many others.
In particular, we consider a subset of Datalog where each recursive rule is of the form (known as tail-recursive or linear recursive) R 1 (u 1 ) ← R 2 (u 2 ), R 1 (u 3 ).
where the R i are relation names (i.e., predicates) and the u i are argument tuples. And there are no constraints over non- recursive rules. This family includes useful standard static analyses such as pointer analysis and escape analysis which will be detailed in Section II-C.
Our key insight for efficiency is to reduce the cost of homomorphic evaluation of a linear recursive rule by delegating a sub-part of computation which is costly in cipher-world to the client. The client can easily compute the sub-part, and send the result to the server, followed by HE operations to complete the rule evaluation on the server-side. During the interaction, the server and client never reveal their secret to the opposing party. Figure 1 depicts our secure protocol. First, the client provides the program information to the server after encryption. Then, the server performs a static analysis on it by evaluating Datalog rules in cipher-world. During the evaluation in secrecy, the server occasionally delegates a sub-part of computation, namely a function f , which is costly in cipher-world to the client. This interaction is depicted in Figure 1 with the dotted blue strokes. Suppose the server wants to apply the f function to the ciphertext of x, which is an intermediate analysis result. A simple method for the delegation is to send the ciphertext of x to the client, who decrypts it, applies f , and sends back the ciphertext of the result to the server. However, x may contain partial information from which the client may infer the design of the analysis. To prevent such an information leak, the server homomorphically obfuscates x with a random one-time pad and obtains ciphertext of x? before the delegation. After decryption, the client can infer no information about the analysis design from x?, which looks different from x. The client applies the expensive function f , obtains f (x?), and then sends back ciphertext of it to the server. The server homomorphically deobfuscates it to obtain the ciphertext of f (x), which is the desired result. This process is repeated until the server obtains a final analysis result. After the analysis is complete, the server returns the encrypted analysis result to the client, who can inspect the final results after decryption.
We evaluate our method by performing two standard Dat-alog analyses in secrecy: escape analysis for Java being used in Petablox [18], a program analysis platform, and Andersen pointer analysis for C. Our method shows viable performance. For example, for 10 Java programs (∼ 700 LoC), escape analysis in secrecy is completed in an average of 75 mins. For 14 C programs (∼ 1.6 KLoC), our Andersen pointer analysis in secrecy is completed in an average of 45 mins. On the other hand, even for the smallest one (290 LoC) among the 14 programs, the previous method for Andersen pointer analysis in secrecy takes over 6 hours.

C. CONTRIBUTIONS
• A novel secure protocol for efficient evaluation of Datalog rules in secrecy: we combine a novel secure twoparty computation protocol with homomorphic encryption. Our secure two-party computation protocol requires the client and the server to collaboratively perform computation. At the cost of only slight overhead on the client-side, our protocol is much more efficient than the previous approach solely based on FHE. • Confirming the method's effectiveness: in the experiments with five Datalog analyses, the method shows viable performance which could not be achieved by the previous technique.

D. OUTLINE
Section II defines the problem of datalog static analysis in secrecy with the background concepts of homomorphic encryption and Datalog. Section III describes a basic protocol for datalog static analysis in secrecy, which is simple but inefficient. Section IV presents an advanced protocol that is much more efficient than the basic protocol in Section III. Section V presents the experimental studies. Section VI discusses related work. Section VII discusses how to further improve scalability and security of our approach and Section VIII concludes the paper.

II. PROBLEM DEFINITION
In this section, we define the problem of static analysis in secrecy. We first provide background on homomorphic encryption (Section II-A) and Datalog (Section II-B). In Section II-C, the problem is formally stated.

A. HOMOMORPHIC ENCRYPTION
Homomorphic encryption (HE) enables arbitrary computation over encrypted data. This enables secure outsourcing of computation where an untrusted third party, such as a cloud provider, performs computation over a client's private data without obtaining any (even partial) information of it.
In this paper, we consider HE schemes that operate over integers and are homomorphic concerning addition and multiplication. A fully homomorphic encryption (FHE) scheme with integer plaintext space Z w = {0, 1, · · · , w − 1} (where w is a positive integer) can be described by the interface: where pk is a public key, sk is a secret key, Ω is a ciphertext space (e.g. large cardinality set such as Z t , i.e., integers modulo an integer t). For all plaintexts m 1 , m 2 ∈ Z w , the interface should satisfy the following algebraic properties: Dec sk (Add pk (Enc pk (m 1 ), Enc pk (m 2 ))) = m 1 + m 2 , Dec sk (Mul pk (Enc pk (m 1 ), Enc pk (m 2 ))) = m 1 × m 2 .
Example 1. As an example, let us consider a simple symmetric version (where only a secret key is used for both encryption and decryption) of the HE scheme [19] based on approximate common divisor problems [20]: • The secret key (sk ) is a random integer p.
• For a plaintext m, Enc(m) outputs pq+wr+m, where q and r are randomly chosen integers such that |r| |p|. r is a noise for ensuring semantic security [21]. • For a ciphertextc, Dec(c) outputs ((c mod p) mod w). • For ciphertextsc 1 andc 2 ,c 1+c2 outputsc 1 +c 2 . • For ciphertextsc 1 andc 2 ,c 1×c2 outputsc 1 ×c 2 . For ciphertextsc 1 ← Enc(m 1 ) andc 2 ← Enc(m 2 ), we know eachc i is of the formc i = pq i + wr i + m i for some integer q i and noise r i . Hence Dec(c i ) = (c i mod p) mod w) = m i , if |wr i + m i | < p. Then, the following equations hold: Based on these properties, we can show that Dec(c 1 +c 2 ) = m 1 + m 2 and Dec(c 1 ×c 2 ) = m 1 · m 2 if the absolute values of noise Add and noise Mult are less than p.
The random noise injected with ciphertexts to ensure security should be properly managed to certify the correctness of homomorphic evaluation. In the above example scheme, the noise in the resulting ciphertext increases during homomorphic addition and multiplication (twice and quadratically as much noise as before respectively). If the noise becomes larger than p, the decryption may return a random garbage value. To prevent such situations, one may set parameters (e.g., p in the example scheme) of HE schemes large enough. However, larger parameter values increase the memory footprint of ciphertexts and require more compute resources to operate over large-sized ciphertexts.
Because multiplication dominates noise growth, the performance of homomorphic evaluation is often measured by the maximum multiplicative depth of evaluated arithmetic circuits. The maximum multiplicative depth influences the parameters of a HE scheme. Minimizing the multiplicative depth results in not only smaller ciphertexts but also less overall execution time. For example, if we support a few numbers of consecutive multiplications, the secret key p can be small in the above example HE scheme, leading to VOLUME 4, 2016 less overall computational costs. Many FHE schemes are leveled (also called somewhat homomorphic) in that, for fixed encryption parameters they only support computation of a particular depth. 1 Note that any arithmetic circuit that performs up to n consecutive multiplications on ciphertexts can be evaluated by HE schemes supporting O(log n) multiplicative depth. For example, suppose we aim to acquire the product of an array of n ciphertexts. We can recursively cut the array in half and multiply the two halves, resulting in O(log n) depth.

B. DATALOG
Let us assume there are fixed sets of variables, constants, and relation symbols (i.e., predicates) each of which is associated with an arity. For brevity, we assume every constant is an integer 2 . An atom is an application of a relation symbol to a vector of variables and constants, e.g., r(x, y) for a relation r with arity 2. A ground atom is an application of a relation symbol to constants. A Datalog rule R is an expression of the form: where A, B 1 , · · · , B n are atoms. The literal to the left of the ":-" operator is called the head. On the other hand, the literals on the right hand side form the rule body. A Datalog rule can be interpreted as a logical implication where all variables are universally quantified: "For all variable valuations, if B 1 , · · · , B n are true, so is A". A Datalog program is a finite set of rules P = {R 1 , R 2 , · · · , R n }, and we will denote P (r) as a set of rules of which head is of relation symbol r. There are two kinds of relation symbols: the input relations I whose contents are given, and the output reations O whose contents are derived from the input relations by evaluation of the program P . Only output relations can appear in the head of a rule. We use I to denote the set of facts (ground atoms) in the input relations. The Herbrand Base B denotes all possible applications of the output relations to vectors of constants in I. A Datalog program is recursive if a relation symbol appears in both the head and the body of a rule.
Evaluating P on I yields a minimal Herbrand model, which is the smallest ground atoms satisfying the rules in P and input I. Informally, one can obtain such a model by starting with the input tuples I and repeatedly instantiating the variables of each rule to derive new output tuples, until no further conclusions can be added. We will write P (I) for the set of output tuples (i.e., a minimal Herbrand model) produced by a Datalog program operating on a set of input tuples I. 1 A leveled scheme may be turned into a fully homomorphic one by introducing a bootstrapping operation [8], which is computationally heavy. Thus, we only consider somewhat HE schemes in this paper. 2 We assume constants of other types can be transformed into integers using a numbering scheme (e.g., hashing).

1) A Subset of Datalog of Interest
In this work, we are interested in a subset of Datalog where each rule is either of the following forms: r( x 0 ) :-r 1 ( x 1 ), . . . , r n ( x n ). (1) where the x i are vectors of variables of arity 2, or r(x, y) :-p(x, z), r(z, y). (2) In other words, every relation is binary without negation 3 , and every recursive rule is linear in that the head relation of a rule appears only once in the body of the rule. This subset of Datalog is called linear Datalog [22].

2) Problem
We assume that a program owner (i.e., client) and an analysis provider (i.e., server) are semi-honest. In this security model, the client and the server run the protocol exactly as specified, but may try to learn as much as possible about the analysis design and the program information, respectively. We aim to create a generic protocol that allows both parties to jointly perform the analysis on the target program with the following security requirements.
• The analysis provider can learn no information about the target program other than the program size (more precisely, the size of the Herbrand Base B). • The client can learn no information of the analysis other than input/output relation symbols (i.e., I and O) and their associated arities (i.e., relational schema).

III. BASIC METHOD
In this section, we present a basic method for Datalog evaluation in secrecy which the prior work [5] is based on. In this method, an integer arithmetic circuit of a Datalog program is designed only using integer additions and multiplications. The program owner encrypts some numbers representing her program under a HE scheme. On the encrypted data, the server performs a series of corresponding homomorphic operations referring to the arithmetic circuit and outputs encrypted pointer analysis results. This basic approach is simple but very costly. In the next section, a more efficient method improved upon the basic one will be described.

A. A LINEAR ALGEBRAIC APPROACH TO DATALOG
The basic method is based on a linear algebraic approach that encodes relations as matrices and obtains the least solution of a Datalog program P given input I by performing operations over the matrices. We begin with some notations.
We first introduce a matrix encoding of relations. From now on, matrices are denoted by boldface uppercase letters like "A". In particular, I is an identity matrix, and 0 is the zero matrix. For a matrix A = [a ij ], we write (A) ij = a ij to denote the element of A at i-th row and j-th column. We introduce an operator norm for matrices, |A| ∞ = max i j |a ij |, which means the maximum sum of entries in a row. In addition, we use a non-linear function In other words, if the entry of matrix R r at i-th row and j-th column is not zero, we conclude r(i, j) can be derived from the initial input I by evaluating the Datalog program P . With these concepts, we are ready to formulate evaluation of Datalog programs as consecutive matrix operations. For rules of type (1), we introduce matrices R r , R r1 , · · · R rn that encode relations of forms r(·, ·), r 1 (·, ·), · · · , r n (·, ·) respectively. Then, the following equation should hold.
where R • ri is either R T ri or R ri . Example 2. Consider the task of identifying sibling nodes in a directed graph. Two nodes x, y are sibling if there exist edges from x to z and y to z for some node z. The problem involves one input relation edge and one output relation sibling with the following meaning: • edge(x,y) : there is an edge from node x to y. • sib(x,y) : node x are y are sibling. Suppose the user populates the input relation as follows: edge(1, 2), edge(2, 3), edge(3, 1), edge(4, 1).
We can obtain the least solution as follows: which means that we have the following output relations as a result.
For a recursive rule of type (2), similarly we introduce matrices R r and R p encoding relations r(·, ·) and p(·, ·). We may well assume there is at least one non-recursive rule whose head involves r (otherwise, no ground atoms for r could be derived). Let R r denote the resulting matrix after evaluating the non-recursive rules. Then, for the recursive rule of type (2), the following equation should hold.
The least solution of (4) gives r(·, ·) in the least model P (I).
Here, "least" means the ordering among matrices defined by To obtain the least solution, we define a series of monotonically increasing matrices {R It is customary to prove that the limit lim k→∞ {R (k) r } gives the least solution of (4).
Example 3. Suppose we want to compute transitive closure of the graph in Example 2. The problem involves one input relation edge described in Example 2 and one output relation path where path(x, y) means there exists a path from node x to y. The Datalog rules for computing transitive closure is path(x, y) :-edge(x, y). path(x, z) :-path(x, y), edge(y, z).
Given the input relations in Example 2, we can obtain the least solution after 4 iterations (starting from R In summary, we can compute the least solution of P by repeatedly updating R r for each output relation symbol r according to equations (3) and (5) until saturation.

B. BASIC PROTOCOL
Now we present the basic protocol for Datalog analysis in secrecy based on the linear algebra approach in the previous section.
To handle matrices, we make an additional assumption over an underlying HE scheme; it is capable of encrypting matrices and performing homomorphic operations over the matrices.

1) Homomorphic Matrix Operations
Many modern HE schemes [23], [24] allow to efficiently encrypt matrices and perform various operations such as addition, multiplication, and transposition over the encrypted matrices. Those schemes allow a vector of plaintext integers VOLUME 4, 2016 Basic Protocol Server Input: • A Datalog program P • The sets I and O of input and output relations resp. Client Input: Input tuples derived from a target program Shared Information: if R is of form r(·, ·) :-r 1 (·, ·), · · · , rn(·, ·) then 5) to be encrypted into a single ciphertext with operations behaving in a SIMD manner (known as ciphertext packing). Therefore, one can represent a matrix as multiple vectors in either row-major order or column-major order, encrypt each vector, and efficiently perform homomorphic SIMD operations over the ciphertexts (see [25], [26] for more details). Assuming such a HE scheme is available, from now on, we will denote an encrypted version of a matrix A as A. With a slight abuse of notation, we will denote + and · as homomorphic matrix-matrix addition and multiplication respectively to simplify the presentation. The homomorphic matrix transposition operator will be denoted as HE.MatTrans. In terms of noise growth, matrix multiplication is significant whereas the other operations are negligible. Fig. 2 depicts the basic protocol. The server has a Datalog program P (i.e., analysis), and the client has a target program. The server and client share the information of the input and output relation symbols I and O, and the number N of all constants in a target program.
The client first populates input relations from the target program, represents them as matrices, and encrypts the matrices and sends them to the server (Program Encryption in Fig. 2).
Next, the server performs Datalog analysis in secrecy (Analysis in Secrecy in Fig. 2). It initializes the matrices of output relations to be encrypted zero matrices (line 1), and repeats the main loop (lines 2 -8) N 2 times. The main loop incrementally updates matrices of output relations by homomorphically evaluating each rule in P . If a currently considered rule whose head involves r is non-recursive (line 4), it updates R r according to the equation (3) (lines 5-6). If the rule is recursive (line 7), it updates R r according to the equation (5) (line 8). Note that the server updates R r N times because the server should evaluate the rule as if in the worst case. The main loop is repeated N 2 times because the server cannot know if a fixpoint is reached. Specifically, a single iteration of the main loop can add at least a single analysis fact (i.e., groud atom) to the analysis result computed so far, and we may have at most N 2 ground atoms for each output relation.
Lastly, the server sends the encrypted matrices for all the output relations to the client, who decrypts each matrix R r and interprets each non-zero element R ij in the matrix as an analysis fact r(i, j) (Output Determination in Fig. 2).

C. LIMITATION OF THE BASIC PROTOCOL
The basic protocol suffers from a scalability issue in practice due to the huge number of consecutive homomorphic multiplications. For example, if we perform Andersen's pointer analysis in secrecy using the basic protocol, we would need O(N 2 log N ) multiplicative depth where N is the number of pointer variables in a target program [5]. A toy program having 10 variables requires an arithmetic circuit of depth 300, which is infeasible to be homomorphically evaluated even by the state-of-the-art HE schemes. Lee et al. [5] reduces the number of the main loop iterations (lines 2 -8) from N 2 to n where n is the maximum level of pointer, which is very small (≤ 5) in usual C programs. Despite this domainspecific optimization reducing the depth from O(N 2 log N ) to O(n log N ), however, it takes over one day to analyze even a tiny program of 40 variables.

IV. ADVANCED PROTOCOL
In this section, we present an advanced protocol that is much more efficient than the basic protocol in Section III The performance degradation of the basic protocol is caused by the following two factors that increase the overall multiplicative depth.
• Inefficient evaluation of linear recursive rules: For each linear recursive rule, the server should perform matrixmatrix multiplication N times consecutively. • Worst-case fixpoint iterations: Since the server cannot know if a fixpoint is reached, the analysis in secrecy always assumes the worst-case regardless of actual inputs.
We will show how to improve the above two components with aid of the client. Section IV-A will describe how to more efficiently evaluate linear recursive rules. Section IV-B will explain how to avoid the always-worst-case fixpoint iterations. Section IV-C will show a working example to facilitate understanding of our protocol. Lastly, Section IV-D will explain some optimizations additionally applied to the protocol to improve efficiency in practice.

A. EFFICIENT HANDLING OF LINEAR RECURSION
Recently, a more efficient linear algebraic approach to evaluation of linear recursive rules has been proposed [27].
where is a small number such that (I − R p ) −1 exists, for example 0 < < 1 |Rp|∞ . The least solution of (6) is the limit of series {R k r } k=0,1,··· which is defined to be In other words, R Theorem 1 (from [27]). Suppose 0 < ≤ 1 |Rp|∞+1 . The least solution of (4) is equal to the conversion of (I − R p ) −1 R r to a 0-1 matrix by thresholding matrix entries at 0.

Example 4.
Recall the transitive closure computation in Example 3. As |R edge | ∞ = max{1, 1, 1, 1} = 1, we can set to be (1 + |R edge | ∞ ) −1 = 1 2 . We can obtain the least solution R path as follows: This new method (7) for linear recursion is more efficient than the basic method (5) since the worst-case time complexity of computing (7) is O(N 3 ), whereas that of the basic method is O (N 4 ). Because the cost of homomorphic evaluation follows the worst-case complexity, we could take advantage of this new method to expedite our analysis in secrecy.
However, the problem here is that computing (7) involves matrix inversion (due to (I − R p ) −1 ), and to the best of our knowledge, there is no known efficient method for homomorphic matrix inversion 4 .
We can solve this problem by delegating the matrix inversion to the client. To simplify notations from now on, let us introduce a function Prep which is defined as follows: Using this notation, our goal is written as to delegate computation of Prep(R p ) to the client. If the server gives the ciphertext of R p to the client asking it for computing Prep(R p ) and sending back ciphertext of it, the server will be able to just multiply the result by ciphertext of R r to obtain the final evaluation result of the linear recursive rule. This trick would drastically reduce the depth by replacing the previous N matrix multiplications in (5) by single matrix multiplication.
Unfortunately, this method potentially introduces a security threat. The problem here is that R p may contain partial information of the analysis design if it has been derived as an evaluation result of other Datalog rules. Thus, the client can potentially infer the analysis design by inspecting R p .
Our key idea to solve this security issue is to let the server obfuscate ciphertext of R p before giving it to the client. The server and the client perform the following steps.
1) The server determines = 1 t and shares it with the client. Here, t is a random large positive integer such that for every relation r, the norm |R r | ∞ is smaller than t during the analysis.
2) The server generates a random non-zero matrix A such that (I + A) −1 exists.

3) The server computes
Let us denote the result by T. 4) The server sends T to the client, who gets T and decrypts it. 5) The client computes Prep(T), sends the result to the server after encryption. Let us call this encrypted matrix K. 6) The server computes (I + A) · K. Following the above steps, the server can get ciphertext of Prep(R p ) without any security issues for the following reason. When the client gets T, due to the random matrix (i.e., one-time pad) A, it cannot infer any information of R p . And, what the server computes at the last step (6) gives ciphertext of Prep(R p ) because By multiplying it with a current R r , the server can obtain a newly updated R r as a result of the homomorphic evaluation of the linear recursive rule. This method is reflected in the advanced protocol depicted in Fig. 3.
Remark In many integer HE schemes, the plaintext space is often defined as non-negative integers modulo some integer VOLUME 4, 2016 w, i.e., Z w . When the server computes T, the matrix may contain negative integers as 1 = t in the expression (8) is a large integer. This issue can be easily solved by interpreting integers in the range of [w/2, w) as negative ones. In other words, the plaintext can be adjusted to integers in [−w/2, w/2). In addition, in the above step, K may contain real numbers since is a real number, thereby requiring homomorphic operations over real number entries on the server side. Modern integer FHE schemes can support fixedpoint arithmetic with an explicit scaling factor. For instance, we can represent 3.14 as 314 with scale 100 (n denotes a ciphertext of n). 5 Lastly, care is needed when determining t. It should not be too large to prevent underflow when computing (8). If any matrix entry becomes smaller than − w 2 , underflow occurs and the entry may suddenly become positive. Possible mitigation to this potential issue is to set w to be an even larger integer when determining the plaintext space so that it can be much greater than t.

B. AVOIDING THE ALWAYS-WORST-CASE ITERATIONS
We avoid the always-worst-case iterations by resorting to server-client interactions. We apply the semi-naive method [22] into our setting, but at a coarse granularity; we are at the level of relation symbols instead of ground tuples. Instead of using the full content of all the relations in each iteration as in the naive method, we only use the content of relations which may be updated in each iteration. Relation symbols of possible updates in each iteration can be easily identified from dependencies between relations. Specifically, the server first construct a precedence graph G P of the Datalog program P prior to the analysis. The graph G P visualizes dependencies between relations in P . Nodes in G P are relation symbols, and edges are derived as follows: if A :-. . . B . . . ∈ P , B → A is added as an edge in G P . By referring to the graph, the server can homomorphically evaluate each Datalog rule in order that guarantees the server does not evaluate rules that certainly will never generate new tuples (similarly to the worklist algorithm). In other words, the server visits each output relation in the graph in topological order and homomorphically evaluates rules involving the relation in turn.
Example 5. Consider the following rules for computing all strongly connected components in a directed graph.
where scc(x,y) denotes nodes x and y are strongly connected to each other -i.e., there is a path from x to y and vice versa. The precedence graph for the rules is as follows: 5 The scaling factor may quickly grow with multiplication. The state-ofthe-art integer FHE schemes such as CKKS [23] enables "rescaling" to address this issue. For example, it can convert 2000 at fixed-point scale 100 to 20 at scale 1.

11)
Send T to the client and get K from the client s.t. K ≡ Enc pk (Prep(Dec sk (T)))

12)
Rr  Sorting the relations topologically tells us to evaluate the two rules for path first, and then the rule for scc next.
After evaluating all the rules once, the server asks the client if a fixpoint is reached. Please note that the precedence graph can be constructed only by the server who knows about the rules and the graph is not revealed to the client. Fig. 3 depicts the final protocol with this idea. The server derives graph G P from P , and stores content derived so far for every relation (line 2), which will be used for checking the termination condition later. The server visits each output relation r in topological order of G P (line 3), and homomorphically evaluates each rule whose head involves r. After evaluating all the rules, the server determines whether or not the evaluation in secrecy should continue. The server computes the set of encrypted matrices S as specified on line 13, and sends it to the client. If there has been no update in the content of r, R r − R old r will be an encrypted zero matrix. Otherwise, it will be an encrypted non-zero matrix, which may contain partial information of the analysis. Again, we use random one-time pad matrices (i.e., A i in the protocol).
If all the matrices from the server are zero matrices, the client responds "Yes" to the server meaning a fixpoint has been reached, which makes the protocol end. Otherwise, the server repeats the process again by going back to line (2) (line 16). The protocol continues until a fixpoint is reached. As we will show in the evaluation, the number of server-client interactions is small in practice.
The overall multiplicative depth required for the advanced protocol is O(k log n), where is the length of the longest path in the precedence graph, n is the maximum length of bodies in the rules, and k is the number of iterations of the main loop (lines 2 -16) until a fixpoint is reached.

C. WORKING EXAMPLE
We present a working example using the Andersen pointer analysis for a better understanding of our protocol.

1) Datalog Rules
The pointer analysis involves four input relations pt0, copy0, load, store, and two output relations pt and copy with the following meanings.

2) Program Encryption
Suppose we aim to analyze the following simple C program. int ** a; int * b, * c, * d; a = &b; * b = d; c = b; c = * d and we assign an integer ID to each variable as follows: The client populating input relations obtains the following matrices encoding them. The client encrypts the matrices and sends them to the server.

3) Analysis in Secrecy
The server determines to be 10 −3 and lets the client know about it. The server initializes each of R pt , R old pt , R cp , and R old cp to be an encrypted zero matrix. The server performs assignments R cp ← R cp0 and R pt ← R pt0 , which are for homomorphic evaluation of the rules (9) and (11), respectively. The server generates a ciphertext of random matrix A such that I + A is invertible and a ciphertext of T of which entries are as follows: The client gets the ciphertext T, decrypts it, and computes The server gets a ciphertext of K and homomorphically evaluates the rule (10) by performing the following assignment.
Next, to evaluate the rules (12) and (13), the server performs assignment The client decrypts the matrices and confirms there exist nonzero entries. Since the termination condition has not been met, the process should return to line (2) of the protocol to begin the next round.
Next, R old cp and R old pt are assigned R cp and R pt , respectively. The server generates a one-time pad matrix A similarly to the previous round and ciphertext of T of which entries are as follows: The server gets K, and homomorphically evaluates the rule VOLUME 4, 2016 (10) similarly to the previous round. As a result, there is no update in R pt and R cp . Because R pt and R cp are equal to their old versions, the set S will only contain ciphertexts of zero matrices. The client checks that all the matrices in S are zero matrices, and transmits "Yes" to the server as the termination condition has been met. The server sends R pt and R cp to the client as the encrypted final analysis result.

D. OPTIMIZATIONS 1) Delegation of Computations over Input Relations to the Client
To reduce the number of communication rounds required for analysis in secrecy, the client may compute Prep(R r ) for each input relation r in advance and send them to the server. Similarly, to reduce the cost for homomorphic matrix transposition on the server-side, the client may compute R T r for every input relation r in advance and send them to the server.

2) Fake Interactions
The number of communication rounds until a fixpoint is reached may expose partial information of the analysis design to the client. To prevent a leak of partial information, the server may perform fake interactions. Even if analysis in secrecy does not require client-server interactions, we compel it to perform meaningless ones. The time spent by both for such a fictitious interaction is negligible and has almost no effect on total processing time.

V. EVALUATION
We implemented our method as a tool named SecureDL 6 . This section evaluates our SecureDL system to answer the questions: Q1: Given the level of overhead in HE computation, can SecureDL show viable performance for standard Datalog static analyses in secrecy? Q2: How does SecureDL compare with the existing technique for static analysis in secrecy which does not involve any client intervention during analysis? All of our experiments were conducted on Linux machines with 40 cores of Intel Xeon 2.6GHz CPU and 256G of memory.

A. EXPERIMENTAL SETUP 1) Target analyses
For our evaluation, we use the following two static analyses excerpted from the benchmarks used in [29]. All of the analyses are written in the subset of Datalog described in Section II-C.
• escape is an escape analysis for Java. This analysis consists of 11 Datalog rules (6 input relations and 3 output relations), including recursive rules with a multiplicative depth of 5. 6 A System for Secure Evaluation of DataLog • andersen is a classic pointer analysis for C. It has overall 5 Datalog rules which contain recursive rules with a multiplicative depth of 10 (4 input relations and 2 output relations). We chose these analyses for the following reasons. First, the analyses are standard and fundamental in that other more complex static analyses are built upon them [18]. Given the significant cost of HE, showing the viability of our method in these analyses is the first necessary step for more complex analyses in secrecy. Second, the analyses are non-trivial in terms of homomorphic evaluation in that they comprise up to 11 Datalog rules and 6 input relations with recursion (escape), thus good targets for testing the efficiency of our method.

2) Implementation
We have implemented two modules for server and client. The client module populates input relations from syntax of a given target program to be analyzed and communicates with the server module as specified in our protocol. The server module takes Datalog rules of a static analysis and performs analysis in secrecy interacting with the client module as specified in the protocol. We use the latest version of HElib [30], an open-source library that implements HE. Among the HE schemes the library provides, we use the BGV scheme [24]. To derive input relations from a target program, we use the front-end of Petablox [18] for Java and Sparrow [31] for C. Petablox and Sparrow are open-source static analysis frameworks. Our implementation runs in parallel using the multi-threading supported by HElib.

3) Target programs
Our benchmark of target programs comprises 10 Java programs and 14 C programs. The details can be found in Table 2 and 1. The Java programs are from the evaluation benchmarks [32] used along with Petablox. They originated from programming assignments in a software course. The C programs are from the benchmark by Zitser et al. [33] that include 14 source code examples containing serious buffer overflow vulnerabilities found in three security-sensitive applications. Though the programs are small, they exhibit diverse language features common in practice.

4) Baseline
We compare SecureDL to the work by Lee et al. [5], which is the only prior work of static analysis in secrecy to the best of our knowledge. The approach is similar to the basic protocol described in Figure 2 along with optimizations specialized for the pointer analysis. We conduct an experimental comparison only for the pointer analysis for C since the prior work only targets the pointer analysis. To compare SecureDL against the previous approach, we run the authors' implementation on our benchmark programs. The implementation of the prior work obtained from the authors also uses the same version of HElib with the BGV scheme, thus the comparison is on equal footing.

B. PERFORMANCE OF SECUREDL
We evaluate SecureDL on the five static analyses. For each analysis of each target program, we measure the time taken by the client and server modules. The timeout limit is set to 24 hours. In all the analyses, we set the security parameter 72, which means a ciphertext can be broken in a worst-case time proportional to 2 72 . For each analysis, we checked the correctness by comparison to the result of plaintext analysis using a Datalog solver [13]. Table. 1 shows the results for the four Java analyses, and Table 2 summarizes the result for Andersen pointer analysis for C. The column Client gives the time for all the parts entitled "Client's work" in the protocol depicted in Fig. 3 along with the computation of K on line (11). The column (Server) gives the time taken for all the parts entitled "Server's work". All of the analyses could be completed within a small number of communication rounds (≤ 3).
SecureDL is able to analyze all the programs in all the analyses within the timeout limit. As far as the time taken by the client is concerned, it is always negligible compared to the time taken by the server. The time taken by the server is also roughly proportional to N , but not always. This variance is due to "ciphertext packing" supported by the underlying HE scheme described in Section III-B. How many plaintext messages can be "packed" into a single ciphertext is called the number of slots (namely l), and it affects the overall performance of homomorphic matrix operations. The performance variance is due to that it is non-trivial to set l to a number we want.
In summary, SecureDL could perform all the analyses on every target program within the timeout limit, which shows the viability of our method.

C. COMPARISON TO THE BASELINE
As can be seen in Table 2, our method significantly outperforms the previous approach [5] by reducing the required multiplicative depth thanks to the client intervention during analysis. Only one out of 14 programs could be analyzed by Lee et al., whereas our method could analyze all the programs within the timeout limit. The important advantage of SecureDL against the prior work is that the depth in our protocol is determinedly independently of the number of constants N , i.e., the number of pointer variables in each target program. In all the programs, our Andersen analysis in secrecy could be performed with a depth 10. On the other hand, the depth required for Lee et al. [5] is proportional to N . For example, the smallest program sm-6 requires a depth of 43. The programs bind-1, bind-2, sm-3, and sm-7 require depth of 61, and the other remaining programs require depth of 55. Because ciphertext sizes are non-linearly proportional to depth in general [34], the significant differences in the depths lead to the remarkable performance gap between the two methods.

A. STATIC ANALYSIS IN SECRECY
To the best of our knowledge, the work by Lee et al. [5] is the only prior work of static analysis in secrecy. As a first step, they present a HE algorithm for the simple Andersen pointer analysis. To expedite the analysis, they propose a way to perform pointer analysis level-by-level, reducing the overall multiplicative depth of the analysis as already described in Section III-C. Our method is more generally applicable to static analyses written in the subset of Datalog described in Section II-C, and even without any domain-specific optimization techniques, it outperforms the previous method as shown in the evaluation. However, our protocol may require more communication cost than the prior work by delegating subparts of analysis to the client.

B. COMBINING HOMOMORPHIC ENCRYPTION AND SECURE MULTI-PARTY COMPUTATION (MPC)
In various application domains, there have been attempts to combine homomorphic encryption and secure MPC in order to reduce the number of homomorphic operations solely performed by the server. Gazelle [35], SecureML [36], and Min-iONN [37] are secure neural network inference system that combines homomorphic encryption with secure two-party computation techniques. Another line of work employed HE for arithmetic operations and resort to Yao's Garbled Circuit VOLUME 4, 2016 (GC) for the other operations that can be represented as Boolean circuits. Nikolaenko et al. [38] propose a secure matrix factorization method based on this approach. Blanton et al. [39] also follow this approach and propose a secure protocol for biometric identification of which goal is to enable secure biometric data matching performed by two distrusted parties, one of which holds one biometric image while the other owns a possibly large biometric collection.
Although combining homomorphic encryption with secure MPC has been explored in various domains, to the best of our knowledge, we are the first to adopt this approach to static analysis in secrecy.

C. COMPUTATION ON ENCRYPTED DATA
DFAuth [40] minimizes potential attack surfaces when employing a secure enclave by operating over data encrypted with partially homomorphic encryption (PHE) schemes on an untrusted server. In the trusted module, switching to different PHE schemes is done to perform diverse operations on the server. While promising in terms of performance, partial information of target programs may be leaked because an attacker would be able to observe the control flow of the analysis algorithm that runs on the server.
Our new approach ensures that no information is leaked to opposing parties.

A. FOR BETTER SCALABILITY
While we believe the experimental result is indicative of the viability of our idea, there is still a long way to go toward practical use. We discuss possible ways to scale to analyses at a larger scale. First, clients can help to improve the scalability by encrypting only sensitive sub-parts of their target programs. The other parts are provided without encryption. In this case, analysis operations with the mixture of ciphertexts and plaintexts can be used (e.g., homomorphically multiply a ciphertext by a plaintext integer). These kinds of operations are much more efficient than operations between ciphertexts incurring smaller noise increases. Second, we may improve the overall performance by taking advantage of the latest results for more efficient homomorphic matrix multiplication [41], [42]. Currently, we are using a standard method [25] also used by Lee et al. [5]. Integrating the stateof-the-art HE algorithms for matrix multiplication is left for future work. Lastly, constant developments and advances in FHE and much room for parallelization are other opportunities. Because each homomorphic matrix operation used in our algorithm is an embarrassingly parallel workload (as shown in the experiment, we have used 40 cores to run the protocol in parallel), we can easily boost efficiency further by using more threads.

B. PREVENTING EVASIVE MALWARE
Static analysis in secrecy can be potentially used for detecting malware without revealing the detection mechanism to malware developers. Only input and output of a Datalog-based static analysis are revealed to the user so that the user cannot infer any partial information of the entire Datalog rules. Learning Datalog programs from input-output samples (a process known as inductive logic programming) is a difficult endeavor; even approximate learning is difficult [43]. Therefore, the encryption procedure protects the analysis algorithm against attackers to maintain the algorithm's privacy.

C. ABOUT THE CLIENT INTERVENTION
The client's operations for the server do not impose significant overhead on the client since the operations are rather simple (matrix inversion and checking if a zero matrix is sent from the server). In addition, we have shown the number of communication rounds is small in practice, so that the number of client operations can be also small. If the client is not available during analysis, the server can fall back to the basic protocol described in Figure 2. However, in that case, the analysis would be much more costly than that with the advanced protocol currently adopted by SecureDL.

D. ABOUT SECURITY
In our protocol, the client can learn an upper bound of the size of the server's Datalog rules. The overall multiplicative depth should be determined by the server before analysis and known by the client for encryption of the target program. Since the depth is O(k log n) with the number k of communication rounds, the length of the longest path in the precedence graph, and the maximum length n of bodies of the rules, the client can learn about an upper bound of the size of the server's Datalog rules. However, this security threat can be easily mitigated by setting the depth larger than actually necessary along with fake interactions already described in Section IV-D.
On the other hand, the server can learn an upper bound of the size of the target program (more precisely, the number N of Datalog constants, e.g., Java program variables in case of escape analysis). This security threat can be also easily mitigated by the client's setting N larger than actually necessary.
Other than that, there is no other information revealed since all messages are encrypted under the BGV-type cryptosystem which is secure under the hardness of the ring learning with errors (RLWE) problem (see [24] for the details).

VIII. CONCLUSION
We have shown a secure static-analysis-as-a-service (SaaaS) system where a client may outsource static analysis to the cloud without privacy concerns. Our method ensures privacy of the design and implementation of static analysis as well as the source code of the target program. Considering a family of static analyses written in Datalog, we propose a generic protocol that combines homomorphic encryption (HE) with secure two-party computation to manage the huge cost of HE operations. We have demonstrated the viability of our method by evaluating our system using Andersen pointer analysis for 14 C programs and escape analysis for 10 Java programs.