H.: Model checking information flow in reactive systems
In: Proceedings of VMCAI (2012), 169–185
Cited by 17 (4 self)
Most analysis methods for information flow properties do not consider temporal restrictions. In practice, however, such properties rarely occur statically, but have to consider constraints such as when and under which conditions a variable has to be kept secret. In this paper, we propose a natural integration of information flow properties into linear-time temporal logics (LTL). We add a new modal operator, the hide operator, expressing that the observable behavior of a system is independent of the valuations of a secret variable. We provide a complexity analysis for the model checking problem of the resulting logic SecLTL and we identify an expressive fragment for which this question is efficiently decidable. We also show that the path based nature of the hide operator allows for seamless integration into branching time logics.
Opacity Enforcing Control Synthesis
2008
Cited by 17 (6 self)
Given a finite transition system and a regular predicate, we address the problem of computing a controller enforcing the opacity of the predicate against an attacker (who partially observes the system), supposedly trying to push the system to reveal the predicate. Assuming that the controller can only control a subset of the events it observes (possibly different from the ones of the attacker), we show that an optimal control always exists and provide sufficient conditions under which it is regular and effectively computable. These conditions rely on the inclusion relationships between the controllable alphabet and the observable alphabets of the attacker and of the controller.
Supervisory Control for Opacity
2009
Cited by 17 (5 self)
In the field of computer security, a problem that received little attention so far is the enforcement of confidentiality properties by supervisory control. Given a critical system G that may leak confidential information, the problem consists in designing a controller C, possibly disabling occurrences of a fixed subset of events of G, so that the closed-loop system G/C does not leak confidential information. We consider this problem in the case where G is a finite transition system with set of events Σ and an inquisitive user, called the adversary, observes a subset Σa of Σ. The confidential information is the fact (when it is true) that the trace of the execution of G on Σ* belongs to a regular set S ⊆ Σ*, called the secret. The secret S is said to be opaque w.r.t. G (resp. G/C) and Σa if the adversary cannot safely infer this fact from the trace of the execution of G (resp. G/C) on Σa*. In the converse case, the secret can be disclosed. We present an effective algorithm for computing the most permissive controller C such that S is opaque w.r.t. G/C and Σa. This algorithm subsumes two earlier algorithms working under the strong assumption that the alphabet Σa of the adversary and the set of events that the controller can disable are comparable.
Model Checking on Trees with Path Equivalences
In: TACAS 2007
Cited by 16 (1 self)
For specifying and verifying branching-time requirements, a reactive system is traditionally modeled as a labeled tree, where a path in the tree encodes a possible execution of the system. We propose to enrich such tree models with “jump-edges” that capture observational indistinguishability: for an agent a, an a-labeled edge is added between two nodes if the observable behaviors of the agent a along the paths to these nodes are identical. We show that it is possible to specify information flow properties and partial information games in temporal logics interpreted on this enriched structure. We study complexity and decidability of the model checking problem for these logics. We show that it is PSPACE-complete and EXPTIME-complete respectively for fragments of CTL and μ-calculus-like logics. These fragments are expressive enough to allow specifications of information flow properties such as “agent A does not reveal x (a secret) until agent B reveals y (a password)” and of partial information games.
Dynamic Observers for the Synthesis of Opaque Systems
2009
Cited by 11 (5 self)
In this paper, we address the problem of synthesizing opaque systems by selecting the set of observable events. We first investigate the case of static observability where the set of observable events is fixed a priori. In this context, we show that checking whether a system is opaque and computing an optimal static observer ensuring opacity are both PSPACE-complete problems. Next, we introduce dynamic partial observability where the set of observable events can change over time. We show how to check that a system is opaque w.r.t. a dynamic observer and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic observers under which S is opaque. Our main result is that the synthesis problem can be solved in EXPTIME.
Synthesis of opaque systems with static and dynamic masks
Formal Methods in System Design
Cited by 9 (2 self)
Opacity is a security property formalizing the absence of secret information leakage and we address in this paper the problem of synthesizing opaque systems. A secret predicate S over the runs of a system G is opaque to an external user having partial observability over G, if s/he can never infer from the observation of a run of G that the run belongs to S. We choose to control the observability of events by adding a device, called a mask, between the system G and the users. We first investigate the case of static partial observability where the set of events the user can observe is fixed a priori by a static mask. In this context, we show that checking whether a system is opaque is PSPACE-complete, which implies that computing an optimal static mask ensuring opacity is also a PSPACE-complete problem. Next, we introduce dynamic partial observability where the set of events the user can observe changes over time and is chosen by a dynamic mask. We show how to check that a system is opaque w.r.t. a dynamic mask and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic masks under which S is opaque. Our main result is that the set of such masks can be finitely represented and can be computed in EXPTIME, and this is a lower bound. Finally we also address the problem of computing an optimal mask.
Developing security protocols by refinement
In: Proc. 17th ACM Conference on Computer and Communications Security (CCS), 2010
Cited by 9 (3 self)
We propose a development method for security protocols based on stepwise refinement. Our refinement strategy guides the transformation of abstract security goals into protocols that are secure when operating over an insecure channel controlled by a Dolev-Yao-style intruder. The refinement steps successively introduce local states, an intruder, communication channels with security properties, and cryptographic operations realizing these channels. The abstractions used provide insights on how the protocols work and foster the development of families of protocols sharing a common structure and properties. In contrast to post-hoc verification methods, protocols are developed together with their correctness proofs. We have implemented our method in Isabelle/HOL and used it to develop different entity authentication and key transport protocols.
On information flow and refinement-closure
Cited by 7 (4 self)
The question of information flow considers whether a high-level user of a multi-level security system can pass information to a low-level user. One family of information flow properties is nondeducibility on compositions: that for all possible high-level behaviours, the low-level user’s view is the same. Unfortunately, this family suffers from the refinement paradox: that a process can be classified as secure, yet a refinement can be classified as insecure. In this paper we consider the property that classifies a process as secure if all of its refinements satisfy nondeducibility on compositions. This property correctly classifies all processes for which we have performed thought experiments. The property appears, at first sight, very difficult to test automatically, because of the quantifications over all high-level behaviours and all refinements. However, we prove that it is equivalent to an operational property, and hence derive a test that can be carried out using a model checker such as FDR. We also compare the property with existing properties. We show that it is stronger than Focardi and Gorrieri’s strong bisimulation nondeducibility on compositions, but weaker than Roscoe’s lazy independence property. Finally we show that the strength of the equivalence is independent of whether the low-level user’s ability to distinguish processes is based upon stable failures or bisimulation.
Modelling Declassification Policies using Abstract Domain Completeness
Under consideration for publication in Mathematical Structures in Computer Science, 2010
Cited by 7 (3 self)
This paper explores a three-dimensional characterization of a declassification-based noninterference policy and its consequences. Two of the dimensions consist in specifying (a) the power of the attacker, that is, what public information an attacker can observe of a program, and (b) what secret information of a program needs to be protected. Both these dimensions are regulated by the third dimension, (c) the choice of program semantics, for example, trace semantics or denotational semantics, or, for instance, any semantics in Cousot’s semantics hierarchy. To check whether a program satisfies a noninterference policy one can compute an abstract domain that over-approximates the information released by the policy and can subsequently check whether program execution may release more information than what is permitted by the policy. Counterexamples to a policy can be generated by using a variant of the Paige-Tarjan algorithm for partition refinement. Given the counterexamples the policy can be refined so that the least amount of confidential information necessary for making the program secure is declassified.
Monitoring Confidentiality by Diagnosis Techniques
2009
Cited by 7 (3 self)
We are interested in constructing monitors for the detection of confidential information flow in the context of partially observable discrete event systems. We focus on the case where the secret information is given as a regular language. We first characterize the set of observations allowing an attacker to infer the secret information. Further, based on the diagnosis of discrete event systems, we provide necessary and sufficient conditions under which detection and prediction of secret information flow can be ensured, and construct a monitor allowing an administrator to detect it.
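The opacity entries above (the controller and static-mask papers) and this last one on monitoring share one mechanism: the attacker's knowledge after an observed word is the set of states G could be in, and the secret is disclosed exactly when that set lies inside the secret. The following is an added example written for this page, not code from any of the papers listed. It uses the state-based notion of opacity from the Cassez et al. abstracts (the secret is a set of states S; the earlier controller papers use a regular language over runs instead), a small transition system G constructed here for illustration, and the standard observer (subset) construction; the brute-force mask search is only meant for a toy alphabet, since the papers quoted show the general problem is PSPACE-complete.

```python
"""Current-state opacity of a finite transition system G under a static mask,
plus a run-time monitor that flags the instant the secret is disclosed.
Added example; not code from any paper listed above. G, the secret S and
the alphabet are constructed here. The check is the standard observer
(subset construction over the projection of runs onto observable events)."""
from collections import deque
from itertools import combinations

# Constructed G: SYSTEM[state] = {event: set of successor states}.
# s0 -a-> s1 | s2 (nondeterministic), s1 -b-> s3 (secret, sink), s2 -c-> s4.
SYSTEM = {
    "s0": {"a": {"s1", "s2"}},
    "s1": {"b": {"s3"}},
    "s2": {"c": {"s4"}},
    "s3": {},
    "s4": {},
}
INITIAL = "s0"
SECRET = {"s3"}              # the user must never be certain that G is in s3
ALPHABET = frozenset({"a", "b", "c"})


def unobservable_closure(states, observable, system=SYSTEM):
    """States reachable from `states` via events the user cannot observe."""
    closure, work = set(states), list(states)
    while work:
        s = work.pop()
        for event, targets in system[s].items():
            if event in observable:
                continue
            for t in targets - closure:
                closure.add(t)
                work.append(t)
    return frozenset(closure)


def step(estimate, event, observable, system=SYSTEM):
    """User's belief after observing `event`: successors, then silent moves."""
    after = set()
    for s in estimate:
        after |= system[s].get(event, set())
    return unobservable_closure(after, observable, system)


def disclosure_witness(observable, system=SYSTEM, initial=INITIAL, secret=SECRET):
    """Shortest observed word after which every run consistent with it ends in
    `secret` (disclosure), or None if S is opaque. BFS over the finitely many
    observer estimates, so it always terminates."""
    start = unobservable_closure({initial}, observable, system)
    seen, queue = {start}, deque([(start, ())])
    while queue:
        estimate, word = queue.popleft()
        if estimate and estimate <= secret:
            return word
        for event in sorted(observable):
            nxt = step(estimate, event, observable, system)
            if nxt and nxt not in seen:      # empty = event not enabled here
                seen.add(nxt)
                queue.append((nxt, word + (event,)))
    return None


def is_opaque(observable, **kw):
    return disclosure_witness(observable, **kw) is None


def maximal_static_masks(alphabet=ALPHABET, **kw):
    """Observable sets that keep S opaque and are not strictly contained in
    another opaque observable set (observing more never hides more).
    Brute force over all 2^|alphabet| candidates: fine for a toy alphabet."""
    opaque = [frozenset(c) for n in range(len(alphabet) + 1)
              for c in combinations(sorted(alphabet), n)
              if is_opaque(frozenset(c), **kw)]
    return {o for o in opaque if not any(o < p for p in opaque)}


class OpacityMonitor:
    """Administrator-side monitor: replays the user's estimate online and
    reports disclosure as soon as the estimate lies inside the secret."""

    def __init__(self, observable, system=SYSTEM, initial=INITIAL, secret=SECRET):
        self.observable, self.system, self.secret = frozenset(observable), system, secret
        self.estimate = unobservable_closure({initial}, self.observable, system)
        self.disclosed = bool(self.estimate) and self.estimate <= secret

    def observe(self, event):
        """Feed one observed event; return True iff the secret is now disclosed."""
        if event not in self.observable:
            raise ValueError(f"{event!r} is masked, the user never sees it")
        self.estimate = step(self.estimate, event, self.observable, self.system)
        if not self.estimate:
            raise ValueError(f"{event!r} is not enabled: inconsistent with G")
        self.disclosed = self.estimate <= self.secret
        return self.disclosed
```

With every event visible, `disclosure_witness(ALPHABET)` returns `("a", "b")`: after `a` the user still hesitates between s1 and s2, after `b` only the secret state s3 remains. Hiding `b` (mask `{"a", "c"}`) restores opacity, because after `a` the estimate `{s1, s2, s3}` is not contained in S, and that mask is the unique maximal one for this G. `OpacityMonitor` is the diagnosis-style monitor of the last abstract: it consumes the same observations the user sees and fires at the first step where the estimate collapses into S, which under full observation is the `b` following the `a`.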