## Information Flow Security in Dynamic Contexts (2002)

Citations: 52 (20 self)

### BibTeX

```bibtex
@MISC{Focardi02informationflow,
  author = {Riccardo Focardi and Sabina Rossi},
  title  = {Information Flow Security in Dynamic Contexts},
  year   = {2002}
}
```

### Abstract

We study a security property for processes in dynamic contexts, i.e., contexts that can be reconfigured at runtime. The security property that we propose in this paper, named Persistent BNDC, is such that a process is "secure" when every state reachable from it satisfies a basic Non-Interference property. We define a suitable bisimulation-based equivalence relation among processes that allows us to express the new property as a single equivalence check, thus avoiding the universal quantifications over all the reachable states (required by Persistent BNDC) and over all the possible hostile environments (implicit in the basic Non-Interference property we adopt). We show that the novel security property is compositional and we discuss how it can be efficiently checked.
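The property the abstract describes, worked through in code. This is an added example, not code from the paper or from the authors' CoSeC tool. It models finite-state SPA-like processes built from 0, action prefix and sum (no parallel composition, because the point of the single-check formulation is that the high level context Π never has to be enumerated), takes the high/low partition of actions as an explicit set, and decides SBSNNI: every reachable state E' must satisfy E' \ Act_H ≈ E' / Act_H, i.e. forbidding the high actions and hiding them as τ must be weakly bisimilar. Weak bisimulation is computed by τ-saturating the transition graph and then running a naive partition refinement, the transformation-to-strong-bisimulation route mentioned in the citation contexts below. The action names l, m, h and both processes are constructed for the example; the second one is built to pass the check at its initial state yet fail it in the state reached after the first low action, which is exactly what Persistent BNDC is meant to rule out.

```python
# Added example (not from the paper): P_BNDC checked as SBSNNI on SPA-like terms.
from functools import reduce

TAU = "tau"
NIL = ("nil",)

def pre(a, p):
    """Action prefix a.p"""
    return ("pre", a, p)

def plus(*ps):
    """Nondeterministic sum p1 + p2 + ... (left-nested)."""
    return reduce(lambda x, y: ("sum", x, y), ps)

def steps(p):
    """Direct transitions (label, successor) from the SOS rules of prefix and sum."""
    if p[0] == "nil":
        return []
    if p[0] == "pre":
        return [(p[1], p[2])]
    return steps(p[1]) + steps(p[2])

def closure(start, succ):
    """Everything reachable from start via succ (finite here: successors are subterms)."""
    seen, todo = [], [start]
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.append(q)
            todo.extend(succ(q))
    return seen

def reachable(p):
    return closure(p, lambda q: [r for _, r in steps(q)])

def lts(p, high, mode):
    """Graph of p with high actions dropped ('restrict', p \\ Act_H) or made tau ('hide', p / Act_H)."""
    graph = {}
    for q in reachable(p):
        edges = set()
        for a, r in steps(q):
            if a not in high:
                edges.add((a, (mode, r)))
            elif mode == "hide":
                edges.add((TAU, (mode, r)))
        graph[(mode, q)] = edges   # states are tagged with the mode so both systems share one graph
    return graph

def saturate(graph):
    """Weak transitions s ==a==> s' (tau* a tau*, or tau* for a = tau); strong bisimulation on this graph is weak bisimulation on the original."""
    tau_closure = lambda s: closure(s, lambda q: [r for a, r in graph[q] if a == TAU])
    weak = {}
    for s in graph:
        ws = set()
        for s1 in tau_closure(s):
            ws.add((TAU, s1))
            for a, s2 in graph[s1]:
                if a != TAU:
                    ws.update((a, s3) for s3 in tau_closure(s2))
        weak[s] = ws
    return weak

def bisimilar(graph, s, t):
    """Strong bisimulation by naive partition refinement (Kanellakis-Smolka style):
    split blocks on their set of (label, target block) until the partition is stable."""
    block = {q: 0 for q in graph}
    while True:
        ids, new = {}, {}
        for q in graph:
            sig = (block[q], frozenset((a, block[r]) for a, r in graph[q]))
            new[q] = ids.setdefault(sig, len(ids))
        if len(ids) == len(set(block.values())):
            return new[s] == new[t]
        block = new

def snni(p, high):
    """SNNI at the initial state only: p \\ Act_H weakly bisimilar to p / Act_H."""
    g = {**lts(p, high, "restrict"), **lts(p, high, "hide")}
    return bisimilar(saturate(g), ("restrict", p), ("hide", p))

def p_bndc(p, high):
    """P_BNDC = SBSNNI: SNNI must hold in every reachable state, including states
    entered by a high action.  Returns None if secure, else the first offending state."""
    for q in reachable(p):
        if not snni(q, high):
            return q
    return None

# Constructed examples (action names assumed): low actions l, m; high action h.
HIGH = {"h"}
# Secure in any dynamic context: whatever the high user does after l, the low
# user still observes m.
SAFE = pre("l", plus(pre("h", pre("m", NIL)), pre("m", NIL)))
# SNNI holds at the start (the three l-branches mask each other), but the state
# h.l.0 entered after the first l is not: a high context attached there decides
# whether a second l is ever observed.
DYNAMIC = plus(pre("l", pre("h", pre("l", NIL))), pre("l", pre("l", NIL)), pre("l", NIL))

if __name__ == "__main__":
    for name, proc in (("SAFE", SAFE), ("DYNAMIC", DYNAMIC)):
        print(name, "SNNI:", snni(proc, HIGH), "P_BNDC witness:", p_bndc(proc, HIGH))
```

Running the block reports SAFE as SNNI with no witness, and DYNAMIC as SNNI at its initial state but with the witness term for h.l.0: restricting h there leaves a deadlocked process, while hiding it leaves τ.l.0, and the two are not weakly bisimilar. The refinement loop is quadratic in the number of states; for larger state spaces the Paige-Tarjan algorithm cited on this page does the same job in near-linear time.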

### Citations

- Milner, "Communication and Concurrency" (1989). Cited by 3217.
  Context: ... how Persistent BNDC can be verified through model checking and give some concluding remarks. 2 The SPA language. The Security Process Algebra (SPA, for short) [6] is a slight extension of Milner's CCS [10], where the set of visible actions is partitioned into high level actions and low level ones in order to specify multilevel systems. SPA syntax is based on the same elements as CCS, that is: a set L of ...

- Milner, Parrow, Walker, "A calculus of mobile processes, I" (1992). Cited by 995.
  Context: ... For example, in [12, 8] two notions of Non-Interference are defined for Boxed Ambients [9] and Mobile Ambients [11], respectively; in [25, 24, 45], other notions of Non-Interference for the π-calculus [39] are studied. All of these approaches aim at defining type systems that can be used to prove Non-Interference properties. Thus, the given proof method is sound but not complete, as there might be syst...

- Cardelli, Gordon, "Mobile Ambients". Cited by 811.
  Context: ...erence properties have already been developed for process calculi that express mobility. For example, in [12, 8] two notions of Non-Interference are defined for Boxed Ambients [9] and Mobile Ambients [11], respectively; in [25, 24, 45], other notions of Non-Interference for the π-calculus [39] are studied. All of these approaches aim at defining type systems that can be used to prove Non-Interference prop...

- Goguen, Meseguer, "Security policies and security models" (1990). Cited by 728.
  Context: ... properties (see, for instance, [1, 3, 4, 7, 8, 12, 14-16]) has been proposed in the literature. In this paper we face the problem of defining a security property based on the idea of Non-Interference [9, 13, 16, 19] (formalized as BNDC [6]), which is suitable to analyze processes in completely dynamic hostile environments. The basic idea is to require that every state which is reachable by the system still satis...

- Sabelfeld, Myers, "Language-based information-flow security" (2003). Cited by 582.

- Bell, LaPadula, "Secure Computer Systems: Unified Exposition and Multics Interpretation" (1976). Cited by 570.
  Context: ... wll(0).Objectl(0) + wll(1).Objectl(1) (Table 1: the simple multilevel process expressed in SPA) ... only be updated by low level users via wll(y). This process implements the no-write-down/no-read-up rules of [3], since no high level user can write down to the low level cell and no low level user can read from the high level cell. The way value-passing SPA is translated into SPA is fully described in [16, 17]...

- Paige, Tarjan, "Three partition refinement algorithms" (1987). Cited by 355.
  Context: ...ifying a strong bisimulation between two transformed processes. Given this transformation, the strong bisimulation test can be performed using efficient algorithms for strong bisimulation (see, e.g., [43, 28, 7, 29, 14]). Actually, the compositional security checker (CoSeC) described in [16] may be used to automatically verify P_BNDC over finite state processes. This is done by checking the equivalent property SB...

- Abadi, "Secrecy by typing in security protocols" (1999). Cited by 244.
  Context: ...write requests from high and low level users on two binary objects: a high level variable and a low ... [figure: high level users and low level users interacting with Interf(0), Interf(1), Object(0,y) and Object(1,y) through the actions a_r, a_w, put, val, r, w, access_r and access_w] ...

- Smith, Volpano, "Secure information flow in a multi-threaded imperative language" (1998). Cited by 200.
  Context: ... properties (see, for instance, [1, 3, 4, 7, 8, 12, 14-16]) has been proposed in the literature. In this paper we face the problem of defining a security property based on the idea of Non-Interference [9, 13, 16, 19] (formalized as BNDC [6]), which is suitable to analyze processes in completely dynamic hostile environments. The basic idea is to require that every state which is reachable by the system still satis...

- Hennessy, Riely, "Resource Access Control in Systems of Mobile Agents". Cited by 193.
  Context: ... However, this is proved at a very high level of abstraction, modelling migrations as context changes not controlled by agents; (ii) we thus consider a more concrete model, inspired by the Dpi-calculus [26], and obtained by adding explicit process mobility to the language. We formally prove that P_BNDC implies the natural extension of Non-Interference in this new concrete model of mobile agents. At the ...

- Kanellakis, Smolka, "CCS expressions, finite state processes, and three problems of equivalence" (1990). Cited by 178.

- McLean, "A general theory of composition for trace sets closed under selective interleaving functions" (1994). Cited by 153.
  Context: ...high level malicious processes running locally. Persistence is not a typical feature of Non-Interference properties. For example, many properties based on trace models, like generalized non-inference [36], non-inference [42], generalized Non-Interference [33], separability [36], the perfect security property [57], are not persistent. An interesting exception is the variant of BNDC proposed by Lowe in ...

- Paulson, "Proving properties of security protocols by induction" (1997). Cited by 150.

- Sabelfeld, Sands, "Probabilistic noninterference for multi-threaded programs" (2000). Cited by 125.
  Context: ... properties (see, for instance, [1, 3, 4, 7, 8, 12, 14-16]) has been proposed in the literature. In this paper we face the problem of defining a security property based on the idea of Non-Interference [9, 13, 16, 19] (formalized as BNDC [6]), which is suitable to analyze processes in completely dynamic hostile environments. The basic idea is to require that every state which is reachable by the system still satis...

- Sutherland, "A model of information" (1986). Cited by 118.
  Context: ...ace of the system, i.e., never interfere with the low level users. If such a property holds, one can conclude that no information flow is ever possible from high to low level. Starting from Sutherland [54], many definitions extending the concept of Non-Interference to non-deterministic systems have been proposed in the literature. They are developed in different settings such as programming languages [...

- McCullough, "Specifications for multi-level security and a hook-up property" (1987). Cited by 113.
  Context: ...ence is not a typical feature of Non-Interference properties. For example, many properties based on trace models, like generalized non-inference [36], non-inference [42], generalized Non-Interference [33], separability [36], the perfect security property [57], are not persistent. An interesting exception is the variant of BNDC proposed by Lowe in [30], in order to obtain a property which is persistent...

- McLean, "Security Models and Information Flow" (1990). Cited by 112.

- Focardi, Gorrieri, "A classification of security properties for process algebras" (1995). Cited by 108.
  Context: ... 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bisimulation-based Non-Deducibility on Compositions (BNDC, for short), which has been studied in [15, 17]. Intuitively, BNDC requires that the low level view of a system E is not affected by any (possibly malicious) high level process Π. In a process algebraic style, the definition has the following fo...

- Wittbold, Johnson, "Information flow in nondeterministic systems" (1990). Cited by 105.
  Context: ... the concept of Non-Interference to non-deterministic systems have been proposed in the literature. They are developed in different settings such as programming languages [4, 49, 50, 51], trace models [21, 27, 31, 32, 33, 34, 35, 36, 56], process calculi [10, 17, 25, 30, 46, 47, 48], probabilistic models [2, 13], timed models [19, 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bi...

- Di Pierro, Hankin, et al., "Approximate noninterference" (2002). Cited by 97.
  Context: ...are developed in different settings such as programming languages [4, 49, 50, 51], trace models [21, 27, 31, 32, 33, 34, 35, 36, 56], process calculi [10, 17, 25, 30, 46, 47, 48], probabilistic models [2, 13], timed models [19, 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bisimulation-based Non-Deducibility on Compositions (BNDC, for short), which h...

- Volpano, Smith, "Probabilistic noninterference in a concurrent language" (1999). Cited by 91.

- McCullough, "Noninterference and the composability of security properties" (1988). Cited by 91.

- Focardi, Gorrieri, "Classification of security properties (Part I: Information flow)" (2001). Cited by 89.
  Context: ...23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bisimulation-based Non-Deducibility on Compositions (BNDC, for short), which has been studied in [15, 17]. Intuitively, BNDC requires that the low level view of a system E is not affected by any (possibly malicious) high level process Π. In a process algebraic style, the definition has the following form...

- Lowe, "Quantifying information flow" (2002). Cited by 82.
  Context: ..., non-inference [42], generalized Non-Interference [33], separability [36], the perfect security property [57], are not persistent. An interesting exception is the variant of BNDC proposed by Lowe in [30], in order to obtain a property which is persistent with respect to every possible refinement. In that work, persistence is exploited to guarantee that solving the non-deterministic choice, i.e., refi...

- Ryan, Schneider, "Process algebra and non-interference". Cited by 82.

- Focardi, Gorrieri, "The compositional security checker: A tool for the verification of information flow security properties" (1997). Cited by 81.
  Context: ...ction we show that property P_BNDC is equivalent to the already proposed security property SBSNNI (Strong Bisimulation-based SNNI, where SNNI stands for Strong Non-deterministic Non-Interference, see [16, 17]) and we prove that it is compositional with respect to both parallel and prefix operators. The security property SBSNNI was defined in [16, 17] as follows. Definition 9 (SBSNNI). Let E ∈ 𝓔. E ∈ SBSNN...

- Bugliesi, Castagna, et al., "Boxed ambients" (2001). Cited by 79.
  Context: ...mic property. Non-Interference properties have already been developed for process calculi that express mobility. For example, in [12, 8] two notions of Non-Interference are defined for Boxed Ambients [9] and Mobile Ambients [11], respectively; in [25, 24, 45], other notions of Non-Interference for the π-calculus [39] are studied. All of these approaches aim at defining type systems that can be used to p...

- Schneider, "Verifying authentication protocols in CSP" (1998). Cited by 73.

- Focardi, Gorrieri, et al., "Non Interference for the Analysis of Cryptographic Protocols" (2000). Cited by 69.

- Stirling, "Modal and temporal logics for processes" (1996). Cited by 69.
  Context: ...ws us to employ model checkers as P_BNDC checkers. Indeed, given a characteristic formula for a finite state process E up to \Act_H, E ∈ P_BNDC if and only if E \ Act_H satisfies that formula [17, 18]. Actually, the compositional security checker described in [5] provides an automatic tool for verifying P_BNDC over finite state processes: this is done by checking SBSNNI, which requires verifying a bis...

- Hennessy, Riely, "Information flow vs. resource access in the asynchronous pi-calculus". Cited by 67.
  Context: ...already been developed for process calculi that express mobility. For example, in [12, 8] two notions of Non-Interference are defined for Boxed Ambients [9] and Mobile Ambients [11], respectively; in [25, 24, 45], other notions of Non-Interference for the π-calculus [39] are studied. All of these approaches aim at defining type systems that can be used to prove Non-Interference properties. Thus, the given proof ...

- Roscoe, Woodcock, et al., "Non-interference through determinism" (1996). Cited by 65.

- Zakinthinos, Lee, "A general theory of security properties" (1997). Cited by 63.
  Context: ...rties. For example, many properties based on trace models, like generalized non-inference [36], non-inference [42], generalized Non-Interference [33], separability [36], the perfect security property [57], are not persistent. An interesting exception is the variant of BNDC proposed by Lowe in [30], in order to obtain a property which is persistent with respect to every possible refinement. In that wor...

- Lee, Yannakakis, "Online minimization of transition systems" (1992). Cited by 59.
  Context: ...ifying a strong bisimulation between two transformed processes. Given this transformation, the strong bisimulation test can be performed using efficient algorithms for strong bisimulation (see, e.g., [43, 28, 7, 29, 14]). Actually, the compositional security checker (CoSeC) described in [16] may be used to automatically verify P_BNDC over finite state processes. This is done by checking the equivalent property SB...

- Mantel, "Possibilistic definitions of security: An assembly kit" (2000). Cited by 55.

- Bugliesi, Crafa, et al., "Communication interference in mobile boxed ambients" (2002). Cited by 42.

- Focardi, Martinelli, "A uniform approach for the definition of security properties" (1999). Cited by 41.

- Aldini, Bravetti, et al., "A process-algebraic approach for the analysis of probabilistic noninterference". Cited by 40.
  Context: ...d in the literature. They are developed in different settings such as programming languages [4, 49-51], trace models [21, 27, 31-36, 56], process calculi [10, 17, 25, 30, 46-48], probabilistic models [2, 13], timed models [19, 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bisimulation-based Non-Deducibility on Compositions (BNDC, for short), which ...

- O'Halloran, "A calculus of information flow" (1990). Cited by 34.
  Context: ...s processes running locally. Persistence is not a typical feature of Non-Interference properties. For example, many properties based on trace models, like generalized non-inference [36], non-inference [42], generalized Non-Interference [33], separability [36], the perfect security property [57], are not persistent. An interesting exception is the variant of BNDC proposed by Lowe in [30], in order to obt...

- Millen, "Finite-State Noiseless Covert Channels" (1989). Cited by 34.
  Context: ... be the case that subtle, indirect information flows are still possible. These unwanted flows can be based, e.g., on some observable system side-effects (giving rise to the so-called covert channels [55, 37]), or on some weakness in cryptographic algorithms and protocols. Motivated by this need of controlling information flow as a whole (both direct and indirect), Goguen and Meseguer introduced the notio...

- Durgin, Mitchell, et al., "A compositional logic for protocol correctness" (2001). Cited by 33.

- Mantel, "Unwinding possibilistic security properties" (2000). Cited by 33.

- Shmatikov, Mitchell, "Analysis of a fair exchange protocol" (2000). Cited by 31.

- Johnson, Thayer, "Security and the composition of machines" (1988). Cited by 31.
  Context: ... the concept of Non-Interference to non-deterministic systems have been proposed in the literature. They are developed in different settings such as programming languages [4, 49, 50, 51], trace models [21, 27, 31, 32, 33, 34, 35, 36, 56], process calculi [10, 17, 25, 30, 46, 47, 48], probabilistic models [2, 13], timed models [19, 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bi...

- Dovier, Piazza, et al., "A fast bisimulation algorithm" (2001). Cited by 29.
  Context: ...ifying a strong bisimulation between two transformed processes. Given this transformation, the strong bisimulation test can be performed using efficient algorithms for strong bisimulation (see, e.g., [43, 28, 7, 29, 14]). Actually, the compositional security checker (CoSeC) described in [16] may be used to automatically verify P_BNDC over finite state processes. This is done by checking the equivalent property SB...

- Steffen, Ingólfsdóttir, "Characteristic formulae for processes with divergence", Information and Computation 110:149–163 (1994). Cited by 28.
  Context: ...ws us to employ model checkers as P_BNDC checkers. Indeed, given a characteristic formula for a finite state process E up to \Act_H, E ∈ P_BNDC if and only if E \ Act_H satisfies that formula [17, 18]. Actually, the compositional security checker described in [5] provides an automatic tool for verifying P_BNDC over finite state processes: this is done by checking SBSNNI, which requires verifying a bis...

- Bodei, Degano, et al., "Static Analysis for Secrecy and Non-Interference" (2001). Cited by 24.
  Context: ...tings such as programming languages [4, 49-51], trace models [21, 27, 31-36, 56], process calculi [10, 17, 25, 30, 46-48], probabilistic models [2, 13], timed models [19, 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bisimulation-based Non-Deducibility on Compositions (BNDC, for short), which has been studied in [15, 17]. Intuitively, BNDC requires th...

- Foley, "A universal theory of information flow" (1987). Cited by 22.

- Gorrieri, Locatelli, et al., "A simple language for real-time cryptographic protocol analysis" (2003). Cited by 18.
  Context: ...hey are developed in different settings such as programming languages [4, 49-51], trace models [21, 27, 31-36, 56], process calculi [10, 17, 25, 30, 46-48], probabilistic models [2, 13], timed models [19, 23], cryptographic protocols [1, 5, 18]. The specific formalization of Non-Interference we consider is Bisimulation-based Non-Deducibility on Compositions (BNDC, for short), which has been studied in [15...

- Tsai, Gligor, et al., "On the identification of covert storage channels in secure systems" (1990). Cited by 18.
  Context: ... be the case that subtle, indirect information flows are still possible. These unwanted flows can be based, e.g., on some observable system side-effects (giving rise to the so-called covert channels [55, 37]), or on some weakness in cryptographic algorithms and protocols. Motivated by this need of controlling information flow as a whole (both direct and indirect), Goguen and Meseguer introduced the notio...