Dynamic Noninterference: Consistent Policies, Characterizations and Verification (original) (raw)
Related papers
Characterizing intransitive noninterference for 3-domain security policies with observability
IEEE Transactions on Automatic Control, 2000
This note introduces a new algorithmic approach to the problem of checking the property of intransitive noninterference (INI) using discrete-event systems (DESs) tools and concepts. INI property is widely used in formal verification of security problems in computer systems and protocols. The approach consists of two phases: First, a new property called -observability (observability based on a purge function) is introduced to capture INI. We prove that a system satisfies INI if and only if it is -observable. Second, a relation between -observability and -observability (observability as used in DES) is established by transforming the automaton modeling a system/protocol into an automaton where -observability (and, hence, -observability) can be determined. This allows us to check INI by checking -observability, which can be done efficiently. Our approach can be used for all systems/protocols with three domains or levels, which is sufficient for most noninterference problems for cryptographic protocols and systems.
An algorithmic approach to verification of intransitive non-interference in security policies
2004 43rd IEEE Conference on Decision and Control (CDC) (IEEE Cat. No.04CH37601), 2004
In this paper, we generalize our algorithmic approach to the problem of verification of the property of intransitive non-interference (INI) using tools and concepts of discrete event systems (DES) that we first proposed in . The reason that we are interested in INI is that it can be used to solve several important security problems in systems and protocols. We have shown that the notion of iP -observability captures precisely the property of INI. In [3], we have developed algorithms to check iP -observability by indirectly checking P -observability. This indirect method works only for systems with at most three security levels. In this paper, we develop a direct method for checking iP -observability, which is based on an insightful observation that iP -purge is a left-congruence in terms of relations on formal languages. This direct method can be used for checking systems with more than three security levels. To demonstrate the applicability of our approach, we propose a formal method to detect denial of service vulnerabilities in security protocols based on INI. This method is illustrated using the TCP/IP protocol.
Runtime Enforcement of Noninterference by Duplicating Processes and Their Memories
flowgate.net
This paper presents a formal model for enforcing noninterference running one process of a program per level in the security lattice. The I/O effects of these processes are isolated from one another by restricting each processes to write only to output channels at the same or higher levels. This approach is intended to be implemented in general purpose operating systems. It is therefore more compatible with existing code. A Linux implementation is briefly described.
Complexity and unwinding for intransitive noninterference
The paper considers several definitions of information flow security for intransitive policies from the point of view of the complexity of verifying whether a finite-state system is secure. The results are as follows. Checking (i) P-security (Goguen and Meseguer), (ii) IP-security (Haigh and Young), and (iii) TA-security (van der Meyden) are all in PTIME, while checking TO-security (van der Meyden) is undecidable, as is checking ITO-security (van der Meyden). The most important ingredients in the proofs of the PTIME upper bounds are new characterizations of the respective security notions, which also lead to new unwinding proof techniques that are shown to be sound and complete for these notions of security, and enable the algorithms to return simple counterexamples demonstrating insecurity. Our results for IP-security improve a previous doubly exponential bound of Hadj-Alouane et al.
State-oriented Noninterference for CCS
Electronic Notes in Theoretical Computer Science, 2007
We address the question of typing noninterference (NI) in Milner's Calculus of Communicating Systems (CCS), in such a way that Milner's translation of a standard parallel imperative language into CCS preserves both an existing NI property and the associated type system. Recently, Focardi, Rossi and Sabelfeld have shown that a variant of Milner's translation, restricted to the sequential fragment of the language, maps a time-sensitive NI property to that of Persistent Bisimulation-based Non Deducibility on Compositions (PBNDC) on CCS. However, since CCS was not equipped with a security type system, the question of whether the translation preserves types could not be addressed. We extend Focardi, Rossi and Sabelfeld's result by showing that a slightly different variant of Milner's translation preserves a time-insensitive NI property on the full parallel language, by mapping it again to PBNDC. As a by-product, we formalise a folklore result, namely that Milner's translation preserves a natural behavioural equivalence on programs. We present a type system ensuring the PBNDC-property on CCS, inspired from type systems for the π-calculus. Unfortunately, this type system as it stands is too restrictive to grant the expected type preservation result. We sketch a solution to overcome this problem.
Formal Verification of Language-Based Concurrent Noninterference
We perform a formal analysis of compositionality techniques for proving possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninterference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ensure weighed against the harshness of the syntactic conditions they enforce. This results in a simple algorithm for proving that a program has a specific noninterference property, using only compositionality, which captures uniformly several security type-system results from the literature and suggests a further improved syntactic criterion. All formalism and theorems have been mechanically verified in Isabelle/HOL. This is an extended version of the conference paper [31]; it additionally includes more detailed explanations of the discussed concepts and techniques, proof sketches, a presentation of the Isabelle formalization, and addresses more related work. The work reported here has been supported by the DFG project Ni 491/13-2 (part of the DFG priority program Reliably Secure Software Systems-RS3) and by NI 491/15-1.
On the Verification of Intransitive Noninterference in Mulitlevel Security
IEEE Transactions on Systems, Man and Cybernetics, Part B (Cybernetics), 2005
and the Swedish Institute in Computer Science (SICS), Kista, Sweden. His research interests include applications of mathematical logic to the analysis of concurrency and security: models and calculi for concurrent systems (including object-oriented and mobile systems) and security systems (e.g., security controllers and security protocols), modal and temporal logics with fixed points, and applications to system verification and description. Mohamed Moez Yeddes was born in Korba, Tunisia, in 1971. He received the degree from the Computer Engineering Faculty of the University of Tunisia, Tunis, in 1996, and the DEA diploma and Ph.D. degree from the
A unified framework for concurrent security
Proceedings of the 41st annual ACM symposium on Symposium on theory of computing - STOC '09, 2009
We present a unied framework for obtaining Universally Composable (UC) protocols by relying on stand-alone secure non-malleable commitments. Essentially all results on con- current secure computation|both in relaxed models (e.g., quasi-polynomial time simulation), or with trusted set-up assumptions (e.g., the CRS model, the imperfect CRS model, or the timing model)|are obtained as special cases of our framework. This not only leads to conceptually simpler so- lutions, but also to improved set-up assumptions, round- complexity, and computational assumptions. Additionally, this framework allows us to consider new re- laxed models of security: we show that UC security where the adversary is a uniform PPT but the simulator is al- lowed to be a non-uniform PPT (i.e., essentially, tradi- tional UC security, but with a non-uniform reduction) is possible without any trusted set-up. This gives the rst
The Complexity of Intransitive Noninterference
2011 IEEE Symposium on Security and Privacy, 2011
The paper considers several definitions of information flow security for intransitive policies from the point of view of the complexity of verifying whether a finite-state system is secure. The results are as follows. Checking (i) P-security (Goguen and Meseguer), (ii) IPsecurity (Haigh and Young), and (iii) TA-security (van der Meyden) are all in PTIME, while checking TO-security (van der Meyden) is undecidable. The most important ingredients in the proofs of the PTIME upper bounds are new characterizations of the respective security notions, which also enable the algorithms to return simple counterexamples demonstrating insecurity. Our results for IPsecurity improve a previous doubly exponential bound of Hadj-Alouane et al.
Abstractions of non-interference security: probabilistic versus possibilistic
Formal Aspects of Computing, 2012
The Shadow Semantics (Morgan, Math Prog Construction, vol 4014, pp 359–378, 2006 ; Morgan, Sci Comput Program 74(8):629–653, 2009 ) is a possibilistic (qualitative) model for noninterference security. Subsequent work (McIver et al., Proceedings of the 37th international colloquium conference on Automata, languages and programming: Part II, 2010 ) presents a similar but more general quantitative model that treats probabilistic information flow. Whilst the latter provides a framework to reason about quantitative security risks, that extra detail entails a significant overhead in the verification effort needed to achieve it. Our first contribution in this paper is to study the relationship between those two models (qualitative and quantitative) in order to understand when qualitative Shadow proofs can be “promoted” to quantitative versions, i.e. in a probabilistic context. In particular we identify a subset of the Shadow’s refinement theorems that, when interpreted in the quantitative ...