Results 1 - 10 of 32
Modelling Downgrading in Information Flow Security
- In Proc. of the 17th IEEE Computer Security Foundations Workshop (CSFW'04), 2004
Cited by 19 (3 self)
Information flow security properties such as noninterference ensure the protection of confidential data by strongly limiting the flow of sensitive information. However, to deal with real applications, it is often necessary to admit mechanisms for downgrading or declassifying information. In this paper we propose a general unwinding framework for formalizing different noninterference properties permitting downgrading, i.e., allowing information to flow from a higher to a lower security level through a downgrader. The framework is parametric with respect to the observation equivalence used to discriminate between different process behaviours. We prove general compositionality properties and provide conditions under which both horizontal and vertical refinements are preserved under all the security properties obtained as instances of the unwinding framework. Finally, we present a decision procedure to check our security properties and prove some complexity results.
Information-Flow Security for Interactive Programs
Cited by 16 (5 self)
Interactive programs allow users to engage in input and output throughout execution. The ubiquity of such programs motivates the development of models for reasoning about their information-flow security, yet no such models seem to exist for imperative programming languages. Further, existing language-based security conditions founded on noninteractive models permit insecure information flows in interactive imperative programs. This paper formulates new strategy-based information-flow security conditions for a simple imperative programming language that includes input and output operators. The semantics of the language enables a fine-grained approach to the resolution of nondeterministic choices. The security conditions leverage this approach to prohibit refinement attacks while still permitting observable nondeterminism. Extending the language with probabilistic choice yields a corresponding definition of probabilistic noninterference. A soundness theorem demonstrates the feasibility of statically enforcing the security conditions via a simple type system. These results constitute a step toward understanding and enforcing information-flow security in real-world programming languages, which include similar input and output operators.
Bridging language-based and process calculi security
- In Proc. of Foundations of Software Science and Computation Structures (FOSSACS'05), volume 3441 of LNCS, 2005
Cited by 14 (2 self)
Language-based and process calculi-based information security are well developed fields of computer security. Although these fields have much in common, it is somewhat surprising that the literature lacks a comprehensive account of a formal link between the two disciplines. This paper develops such a link between a language-based specification of security and a process-algebraic framework for security properties. Encoding imperative programs into a CCS-like process calculus, we show that timing-sensitive security for these programs exactly corresponds to the well understood process-algebraic security property of persistent bisimulation-based nondeducibility on compositions (P_BNDC). This rigorous connection opens up possibilities for cross-fertilization, leading both to flexible policies when specifying the security of heterogeneous systems and to a synergy of techniques for enforcing security specifications.
Refinement operators and information flow security
- In IEEE Conference on Software Engineering and Formal Methods, 2003
Cited by 14 (4 self)
The systematic development of complex systems usually proceeds from an abstract specification to a more concrete one, that can finally be implemented. The use of refinement operators preserving system properties is clearly essential, since it avoids having to re-investigate properties at each development step. In this paper we formalize the notion of refinement for processes described as terms of the Security Process Algebra (SPA). We consider several information flow security properties and provide sufficient conditions under which our refinement operators preserve such security properties. Finally, we study how refinements can be composed while still preserving the security of the system.
Bisimulation and Unwinding for Verifying Possibilistic Security Properties
- Proc. of Int. Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI'03), volume 2575 of LNCS, 2003
Cited by 10 (3 self)
We study bisimulation-based information flow security properties which are persistent, in the sense that if a system is secure, then all states reachable from it are secure too. We show that such properties can be characterized in terms of bisimulation-like equivalence relations between the system and the system itself prevented from performing confidential actions. Moreover, we provide a characterization of such properties in terms of unwinding conditions which demand properties of individual actions. These two different characterizations naturally lead to efficient methods for the verification and construction of secure systems.
A Proof System for Information Flow Security
- Proc. of Int. Workshop on Logic Based Program Development and Transformation, LNCS, 2002
Cited by 10 (7 self)
Persistent_BNDC (P_BNDC, for short) is an information-flow security property for processes in dynamic contexts, i.e., contexts that can be reconfigured at runtime. Intuitively, P_BNDC requires that high level interactions never interfere with the low level behavior of the system, in every possible state. P_BNDC is verified by checking whether the system interacting with a high level component is bisimilar or not to the system in isolation. In this work we contribute to the verification of information-flow security in two respects: (i) we give an unwinding condition that allows us to express P_BNDC in terms of a local property on high level actions and (ii) we exploit this local property in order to define a proof system which provides a very efficient technique for the development and the verification of P_BNDC processes.
Information Flow in Secure Contexts
Cited by 6 (1 self)
Information flow security in a multilevel system aims at guaranteeing that no high level information is revealed to low level users, even in the presence of any possible malicious process. This requirement could be stronger than necessary when some knowledge about the environment (context) in which the process is going to run is available. To relax this requirement we introduce the notion of secure contexts for a class of processes. This notion is parametric with respect to both the observation equivalence and the operation used to characterize the low level view of a process. As observation equivalence we consider the cases of weak bisimulation and trace equivalence. We describe how to build secure contexts in these cases and we show that two well-known security properties, named BNDC and NDC, are just special instances of our general notion.
This work has been partially supported by the EU Contract IST-2001-32617 “Models and Types for
Decidability and proof systems for language-based noninterference relations
- In Proceedings POPL'06, Charleston, South Carolina, 2006
Cited by 5 (0 self)
Noninterference is the basic semantical condition used to account for confidentiality and integrity-related properties in programming languages. There appears to be an at least implicit belief in the programming languages community that partial approaches based on type systems or other static analysis techniques are necessary for noninterference analyses to be tractable. In this paper we show that this belief is not necessarily true. We focus on the notion of strong low bisimulation proposed by Sabelfeld and Sands. We show that, relative to a decidable expression theory, strong low bisimulation is decidable for a simple parallel while-language, and we give a sound and relatively complete proof system for deriving noninterference assertions. The completeness proof provides an effective proof search strategy. Moreover, we show that common alternative noninterference relations based on traces or input-output relations are undecidable. The first part of the paper is cast in terms of multi-level security. In the second part of the paper we generalize the setting to accommodate a form of intransitive interference. We discuss the model and show how the decidability and proof system results generalize to this richer setting.
Proof Methods for Bisimulation based Information Flow Security
- Proc. of Int. Workshop on Verification, Model Checking and Abstract Interpretation (VMCAI'02), volume 2294 of LNCS, 2002
Cited by 4 (2 self)
We study how to efficiently decide if a process is Persistent BNDC (P_BNDC, for short). The P_BNDC property ensures that a process is "secure" in dynamic contexts, i.e., contexts that can be reconfigured at runtime. We exploit a characterization of P_BNDC as Weak Bisimulation up to a set of actions. In the case of finite-state processes, we study two methods for computing the largest weak bisimulation up to a set of actions: (1) via Characteristic Formulae and Model Checking for the μ-calculus and (2) via Closure up to a set of actions and Strong Bisimulation. This second method seems to be particularly appealing: it can be performed using already existing tools at a low time complexity.
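The bisimulation-based check that the VMCAI'03, LOPSTR'02 and VMCAI'02 abstracts above describe (compare the system prevented from performing high actions, P \ H, with the system whose high actions are hidden, P / H, and demand it at every reachable state for persistence) is small enough to implement directly for finite-state processes. The Python below is an added example written for this page, not code from any of the listed papers: it builds the two views of a labelled transition system, computes the greatest weak bisimulation by fixpoint iteration, and reports which reachable states break the condition. The three processes, the state names and the policy with `h` as the only high action are constructed for illustration; `l` and `j` are low actions and `tau` is the internal action.

```python
"""Added example: BSNNI and persistent BNDC (P_BNDC) on finite-state processes
via the characterisation P \\ H weakly bisimilar to P / H at every reachable state.
Processes, action names and the high-action policy are constructed for this example."""
from collections import deque

TAU = "tau"
HIGH = {"h"}  # constructed policy: 'h' is the only high action, all others are low


def all_states(lts):
    return set(lts) | {t for ts in lts.values() for _, t in ts}


def reachable(lts, start):
    """States reachable from start along any transition, high ones included."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for _, t in lts.get(s, ()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen


def restrict(lts, high):
    """P \\ H: the system prevented from performing any high action."""
    return {s: [(a, t) for a, t in ts if a not in high] for s, ts in lts.items()}


def hide(lts, high):
    """P / H: high actions still happen but are invisible (tau) to the low observer."""
    return {s: [(TAU if a in high else a, t) for a, t in ts] for s, ts in lts.items()}


def tau_closure(lts, states):
    closure, todo = set(states), deque(states)
    while todo:
        s = todo.popleft()
        for a, t in lts.get(s, ()):
            if a == TAU and t not in closure:
                closure.add(t)
                todo.append(t)
    return closure


def weak_successors(lts, s, a):
    """Targets of the weak move s =a=> t, i.e. tau* a tau* (tau* alone when a is tau)."""
    before = tau_closure(lts, {s})
    if a == TAU:
        return before
    after = {t for p in before for b, t in lts.get(p, ()) if b == a}
    return tau_closure(lts, after)


def _matched(rel, mover, ms, matcher, js, pair):
    """Every strong move of ms is answered by a weak move of js landing in rel."""
    for a, t in mover.get(ms, ()):
        if not any(pair(t, u) in rel for u in weak_successors(matcher, js, a)):
            return False
    return True


def weak_bisimulation(lts1, lts2):
    """Greatest weak bisimulation between lts1 and lts2, as a set of state pairs."""
    rel = {(s1, s2) for s1 in all_states(lts1) for s2 in all_states(lts2)}
    changed = True
    while changed:  # drop pairs failing the transfer property until stable
        changed = False
        for s1, s2 in list(rel):
            if not (_matched(rel, lts1, s1, lts2, s2, lambda t, u: (t, u))
                    and _matched(rel, lts2, s2, lts1, s1, lambda t, u: (u, t))):
                rel.discard((s1, s2))
                changed = True
    return rel


def violating_states(lts, start, high=HIGH):
    """Reachable states s for which s \\ H and s / H are not weakly bisimilar."""
    rel = weak_bisimulation(restrict(lts, high), hide(lts, high))
    return sorted(s for s in reachable(lts, start) if (s, s) not in rel)


def is_bsnni(lts, start, high=HIGH):
    """BSNNI: the condition holds at the initial state only."""
    return start not in violating_states(lts, start, high)


def is_p_bndc(lts, start, high=HIGH):
    """P_BNDC: the condition holds at every reachable state (persistence)."""
    return not violating_states(lts, start, high)


# Constructed processes; '0' is the empty process, CCS-style terms in the comments.
SECURE = {"E": [("h", "L"), ("l", "0")], "L": [("l", "0")], "0": []}          # h.l.0 + l.0
LEAKY = {"E": [("h", "L")], "L": [("l", "0")], "0": []}                        # h.l.0
NON_PERSISTENT = {"E": [("l", "A"), ("l", "B"), ("l", "0")],                  # l.h.j.0 + l.j.0 + l.0
                  "A": [("h", "B")], "B": [("j", "0")], "0": []}

if __name__ == "__main__":
    for name, p in [("SECURE", SECURE), ("LEAKY", LEAKY), ("NON_PERSISTENT", NON_PERSISTENT)]:
        print(name, "BSNNI:", is_bsnni(p, "E"), "P_BNDC:", is_p_bndc(p, "E"),
              "violating:", violating_states(p, "E"))
```

`LEAKY` fails at the initial state: a low observer who sees `l` learns that `h` happened. `NON_PERSISTENT` passes the initial-state check (BSNNI) but not P_BNDC, because the reachable state `A`, where `l` has already been consumed, is exactly `h.j.0`; this is the distinction the persistent properties in the abstracts above are designed to catch, and it is why a one-shot check at the start state is not enough for a system that can be reconfigured at runtime.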
Rule formats for compositional non-interference properties
- The Journal of Logic and Algebraic Programming, 2004

