Results 1 - 8 of 8
Robust Declassification
in Proc. IEEE Computer Security Foundations Workshop, 2001
Cited by 122 (23 self)
Abstract: Security properties based on information flow, such as noninterference, provide strong guarantees that confidentiality is maintained. However, programs often need to leak some amount of confidential information in order to serve their intended purpose, and thus violate noninterference. Real systems that control information flow often include mechanisms for downgrading or declassifying information; however, declassification can easily result in the unexpected release of confidential information.
Unwinding Possibilistic Security Properties
in Proc. of the European Symposium on Research in Computer Security, volume 2895 of LNCS, 2000
Cited by 33 (6 self)
Abstract: Unwinding conditions are helpful to prove that deterministic systems fulfill non-interference. In order to generalize non-interference to non-deterministic systems, various possibilistic security properties have been proposed. In this paper, we present generic unwinding conditions which are applicable to a large class of such security properties. That these conditions are sufficient to ensure security is demonstrated by unwinding theorems. In certain cases they are also necessary. The practical usefulness of our results is illustrated by instantiating the generic unwinding conditions for well-known security properties. Furthermore, similarities of proving security with proving refinement are identified, which results in proof techniques which are correct as well as complete.
On the composition of secure systems
in Proceedings of the IEEE Symposium on Security and Privacy, 2002
Cited by 32 (2 self)
Abstract: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.
On The Composition Of Security Properties
1996
Cited by 11 (1 self)
Abstract: This thesis presents a general theory of system composition for possibilistic security properties. It is shown that possibilistic security properties can be viewed as a predicate over the traces that are consistent with a low level observation t_low. We provide a uniform framework for analyzing and comparing these properties. We demonstrate how to determine what security property a system satisfies given the security properties satisfied by its constituent components. Also, we show how to construct a system that satisfies a desired security property. This analysis yields a condition that can be used to determine how a property may emerge under composition. We examine the reasons for the failure of feedback composition and provide necessary and sufficient conditions for determining when feedback composition will fail for all properties based on Generalized Noninterference. Unwinding theorems are given for a large class of security properties.
Bisimulation and Unwinding for Verifying Possibilistic Security Properties
Proc. of Int. Conference on Verification, Model Checking, and Abstract Interpretation (VMCAI'03), volume 2575 of LNCS, 2003
Cited by 10 (3 self)
Abstract: We study bisimulation-based information flow security properties which are persistent, in the sense that if a system is secure, then all states reachable from it are secure too. We show that such properties can be characterized in terms of bisimulation-like equivalence relations between the system and the system itself prevented from performing confidential actions. Moreover, we provide a characterization of such properties in terms of unwinding conditions which demand properties of individual actions. These two different characterizations naturally lead to efficient methods for the verification and construction of secure systems.
A Proof System for Information Flow Security
Proc. of Int. Workshop on Logic Based Program Development and Transformation, LNCS, 2002
Cited by 10 (7 self)
Abstract: Persistent_BNDC (P_BNDC, for short) is an information-flow security property for processes in dynamic contexts, i.e., contexts that can be reconfigured at runtime. Intuitively, P_BNDC requires that high level interactions never interfere with the low level behavior of the system, in every possible state. P_BNDC is verified by checking whether the system interacting with a high level component is bisimilar or not to the system in isolation. In this work we contribute to the verification of information-flow security in two respects: (i) we give an unwinding condition that allows us to express P_BNDC in terms of a local property on high level actions and (ii) we exploit this local property in order to define a proof system which provides a very efficient technique for the development and the verification of P_BNDC processes.