Results 1-10 of 17
Synthesis of opaque systems with static and dynamic masks
FORM METHODS SYST DES
Abstract

Cited by 9 (2 self)
Opacity is a security property formalizing the absence of secret information leakage and we address in this paper the problem of synthesizing opaque systems. A secret predicate S over the runs of a system G is opaque to an external user having partial observability over G, if s/he can never infer from the observation of a run of G that the run belongs to S. We choose to control the observability of events by adding a device, called a mask, between the system G and the users. We first investigate the case of static partial observability where the set of events the user can observe is fixed a priori by a static mask. In this context, we show that checking whether a system is opaque is PSPACE-complete, which implies that computing an optimal static mask ensuring opacity is also a PSPACE-complete problem. Next, we introduce dynamic partial observability where the set of events the user can observe changes over time and is chosen by a dynamic mask. We show how to check that a system is opaque w.r.t. a dynamic mask and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic masks under which S is opaque. Our main result is that the set of such masks can be finitely represented and can be computed in EXPTIME and this is a lower bound. Finally we also address the problem of computing an optimal mask.
Supervisory control for modal specifications of services
In Proceedings of WODES 2010, August 30–September 1, 2010
Safe Equivalences for Security Properties
2010
Abstract

Cited by 5 (3 self)
In the field of Security, process equivalences have been used to characterize various information-hiding properties (for instance secrecy, anonymity and noninterference) based on the principle that a protocol P with a variable x satisfies such a property if and only if, for every pair of secrets s1 and s2, P[s1/x] is equivalent to P[s2/x]. We argue that, in the presence of nondeterminism, the above principle relies on the assumption that the scheduler “works for the benefit of the protocol”, and this is usually not a safe assumption. Non-safe equivalences, in this sense, include complete-trace equivalence and bisimulation. We present a formalism in which we can specify admissible schedulers and, correspondingly, safe versions of these equivalences. We prove that safe bisimulation is still a congruence. Finally, we show that safe equivalences can be used to establish information-hiding properties.
Various Notions of Opacity Verified and Enforced at Runtime
2010
Automatic Testing of Access Control for Security Properties
2009
Abstract

Cited by 3 (1 self)
In this work, we investigate the combination of controller synthesis and test generation techniques for the testing of open, partially observable systems with respect to security policies. We consider two kinds of properties: integrity properties and confidentiality properties. We assume that the behavior of the system is modeled by a labeled transition system and assume the existence of a black-box implementation. We first outline a method to automatically compute an ideal access control ensuring these two kinds of properties. Then, we show how to derive testers that test the conformance of the implementation with respect to its specification, the correctness of the real access control that has been composed with the implementation in order to ensure a security property, and the security property itself.
Opacity with Orwellian Observers and Intransitive Noninterference
In 12th IFAC/IEEE International Workshop on Discrete Event Systems (WODES’14), 2014
Measuring the robustness. Deliverable of the ImpRo project (ANR2010BLAN0317)
Abstract
This document presents two works realized in the framework of the ImpRo project and in relation with the task Quantifying robustness and implementability. One of the goals of this task is to propose methods to qualify in which manner a system is robust to some properties. The first work presented in this document studies the opacity of purely probabilistic systems, i.e. systems in which the nondeterministic choices have been replaced by probabilistic distributions over the set of states. The notion of opacity has been previously studied in the case of nondeterministic transition systems to determine whether a system respects some security properties. The idea is the following: an external passive attacker tries to gain information on a secret property through observation of the system executions, and the system is considered opaque if secret and non-secret executions cannot be distinguished by the attacker. Hence, by instantiating the secret predicate and the observation function, one is able to show several interesting security properties on the modeled systems, like for instance anonymity or noninterference.
Project-Team VerTeCs: Verification models and techniques applied to the Testing and Control of reactive Systems
Activity Report 2009
On Decentralized Observability of Discrete Event Systems
2012
Abstract
In this paper we deal with the problem of decentralized observability of discrete event systems. We consider a set of sites that observe a subset of events. Each site transmits its own observation to a coordinator that decides if the word observed belongs to a legal behavior or not. We study two different properties: uniform q-observability and q-diagnosability. Then, we prove that both properties are decidable for regular languages. Finally, we give an algorithm to compute, starting from a given initial state, the time instants at which the synchronization has to be done so as to guarantee that if an illegal word has occurred it is immediately detected. Published as: