ISA 763 Security Protocol Verification CSP Semantics We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct

11

ISA 763ISA 763Security Protocol VerificationSecurity Protocol Verification

CSP SemanticsCSP Semantics

We thank Professor Csilla Farkas of USC for providing some We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct this transparencytransparencies that were used to construct this transparency

22CSP SemanticsCSP Semantics 22

ReferencesReferences The Theory and Practice of Concurrency by A. W. The Theory and Practice of Concurrency by A. W.

Roscoe, available at Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.web.comlab.ox.ac.uk/oucl/work/bill.roscoeroscoe/publications/6/publications/68b.pdf 8b.pdf

Chapters 4 and 5 of Modeling and analysis of security Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. protocols by Peter Ryan and Steve Schneider.

The FDR2 User Manual available at The FDR2 User Manual available at http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Top

Formal Systems, FDR download, Formal Systems, FDR download, http://www.fsel.com/ M. Morgenthal: Design and Validation of Computer M. Morgenthal: Design and Validation of Computer

Protocols, Protocols, http://wwwtcs.inf.tu-dresden.de/~morgen/sem-ws02.html


CSP Semantics - 1CSP Semantics - 1 Operational SemanticsOperational Semantics

Interprets the language on an (abstract) machine:Interprets the language on an (abstract) machine: such as the ones used in imperative languages using a such as the ones used in imperative languages using a

program counter, next instruction stack etc.program counter, next instruction stack etc. Denotational SemanticsDenotational Semantics

The language is translated to another abstract domain The language is translated to another abstract domain Translate the basic constructsTranslate the basic constructs Translate the combinators to constructs in the target domainTranslate the combinators to constructs in the target domain Use a compositionality principle to construct the denotation of Use a compositionality principle to construct the denotation of

the whole program from translated partsthe whole program from translated parts Algebraic SemanticsAlgebraic Semantics

Translate the language into a Translate the language into a normal fromnormal from by rewriting by rewriting all programs in that formall programs in that form

Describe how to execute the program in normal formDescribe how to execute the program in normal form


CSP Semantics - 2CSP Semantics - 2 Operational SemanticsOperational Semantics

Interprets the language on an (abstract) machine:Interprets the language on an (abstract) machine: Construct a labeled transition system (LTS)Construct a labeled transition system (LTS)

Denotational SemanticsDenotational Semantics The language is translated to another abstract domain The language is translated to another abstract domain Trace semantics, Failure Divergence SemanticsTrace semantics, Failure Divergence Semantics

Algebraic SemanticsAlgebraic Semantics Translate the language into a Translate the language into a normal fromnormal from by rewriting by rewriting

all programs in that formall programs in that form Proof rulesProof rules


Operational SemanticsOperational Semantics

Labeled transition system (LTS)Labeled transition system (LTS)Nodes:Nodes: state of the process state of the processDirected edges:Directed edges: events events

Visible eventsVisible events Internal transitionsInternal transitions

Recall Trace Refinement:Recall Trace Refinement:

S S ⊑⊑TT T T iff iff trace(T) trace(T) trace(S) trace(S)


An example LTSAn example LTS

Image from M. Morgenthal


Another LTS ExampleAnother LTS Example



Connection between LTS ExamplesConnection between LTS Examples

An Implementation of An Implementation of SS as: as:

A ||| BA ||| B where where

AB = a AB = a b b AB and AB and

AC = a AC = a c c AC AC

wherewhere AA corresponds to AA corresponds to AB ||| ACAB ||| AC BA corresponds to BA corresponds to bb→ AB ||| AC→ AB ||| AC AC corresponds to AC corresponds to AB||| (c → AC)AB||| (c → AC) BC corresponds to BC corresponds to b → AB||| (c → AC)b → AB||| (c → AC)


AAAA corresponds corresponds to to AB ||| ACAB ||| ACBABA corresponds corresponds to to b→ AB ||| ACb→ AB ||| ACACAC corresponds corresponds to to AB||| (c → AC)AB||| (c → AC)BCBC corresponds corresponds to to b → AB||| (c → b → AB||| (c → AC)AC)


Traces Refinement CheckTraces Refinement Check



Trace RefinementsTrace Refinements

An implementation An implementation refinesrefines the trace of a the trace of a processprocess

Hence we would like an implementation to Hence we would like an implementation to satisfy the specificationsatisfy the specification

Which properties? Which properties? For his class, those trace properties used to For his class, those trace properties used to

specify security properties.specify security properties.


Denotational SemanticsDenotational Semantics Recall Trace Semantics for CSP processesRecall Trace Semantics for CSP processes Could not reason the difference between Could not reason the difference between

external choice and internal choiceexternal choice and internal choice Example: consider Example: consider ={a,b} and={a,b} andQ1 Q1 ≡(a→STOP) ≡(a→STOP) □ □ (b→STOP) (b→STOP) Q2 Q2 ≡(a→STOP) ≡(a→STOP) ΠΠ (b→STOP)(b→STOP)Q3 Q3 ≡STOP ≡STOP ΠΠ(a→STOP) (a→STOP) □□(b→STOP)(b→STOP) Refusal set of Q1={}Refusal set of Q1={} Q2 can refuse {a} and {b} but not {a,b}Q2 can refuse {a} and {b} but not {a,b} Q3 can refuse any subset of Q3 can refuse any subset of ..


Refusal SetsRefusal SetsP1 {c}

{a, c}

{a, b, c} {a, b, c}

P2 {c}

{b, c}

{a, b, c} {a, b, c}

P3 {c}

{b, c} {a, c}

{a, b, c} {a, b, c}

P4 {c}

{b, c} {a, c}

{a, b, c} {a, b, c}

a b

b a

b

a

a b

c c

a b

{b, c}


Refusal SetsRefusal Sets

P1 P1 ≡ (a → b→ STOP) ≡ (a → b→ STOP) □ □ (b → a → STOP)(b → a → STOP)

≡ ≡ (a → STOP) (a → STOP) ||| ||| (b → STOP)(b → STOP)

Failure Sets = (<>,{}), (<>,c), Failure Sets = (<>,{}), (<>,c),

(<a>, {a,c}), (<ba>,(<a>, {a,c}), (<ba>,{a,b,c}){a,b,c})

P2 ≡ (c→a→STOP)P2 ≡ (c→a→STOP)□□(b→c→STOP)\ c(b→c→STOP)\ cFailure sets ={(<>,X| X Failure sets ={(<>,X| X {b,c}} {b,c}} UU

{(<a>,X),(<b>,X)| {(<a>,X),(<b>,X)| X X {a,b,c}}{a,b,c}} Internal actions introduce nondterminismInternal actions introduce nondterminism


Refusal SetsRefusal Sets P3 P3 ≡ (a → STOP) ≡ (a → STOP) ΠΠ (b → STOP)(b → STOP) Must accept one of {a} or {b} if both Must accept one of {a} or {b} if both

{a,b} are offered{a,b} are offered Different from Different from

P1 - must accept either P1 - must accept either P2 - must accept aP2 - must accept a

P4 ≡ (c→a→STOP)P4 ≡ (c→a→STOP)□□(c→b→STOP)(c→b→STOP) After <c> refuses {X|{a,b}⊈X}After <c> refuses {X|{a,b}⊈X} Failure allows us to distinguish between Failure allows us to distinguish between

internal and external choice –traces could internal and external choice –traces could not do this!not do this!


Failure SemanticsFailure Semantics

failure(P)failure(P) = {(s,X)| s = {(s,X)| s∈∈ΣΣ* and P/s does not * and P/s does not accept any x accept any x∈X}∈X}

Failure Refinement:Failure Refinement: P⊑P⊑FFQQ (read Q (read Q failure refines P) ifffailure refines P) ifftrace(Q) trace(Q) trace(P) andtrace(P) and failure(Q) failure(Q) failure(p)


DivergenceDivergence pp≡(≡(p.a→p)\{a}p.a→p)\{a} Cannot observe Cannot observe aa externally. externally. Diverges – i.e. looks like a Diverges – i.e. looks like a -loop-loop We do not care what happens after a We do not care what happens after a

process divergesprocess diverges

SS

aa

SS


Failure and DivergenceFailure and Divergence

Add extra symbol Add extra symbol ✔✔ to to ΣΣ to indicate that the to indicate that the process has terminatedprocess has terminated

Interpretation:Interpretation: ✔✔ is emitted by the process to is emitted by the process to the environment to indicate normal the environment to indicate normal terminationtermination

P P ⇒⇒ss⇒ Q means process P becomes Q⇒ Q means process P becomes QStable State:Stable State: a state that does not a state that does not

accept accept


Failure and DivergenceFailure and Divergence

trace(P)≡{trace(P)≡{s∈ ∈ ΣΣ*U{*U{✔} | } | ∃Q.∃Q.P P ⇒⇒ss⇒ Q}⇒ Q} tracetrace⊥⊥(P)≡{(P)≡{s: (t,X)∈F} is a prefix closed set∈F} is a prefix closed set diveregnce(P)≡{diveregnce(P)≡{s^t|s∈ s^t|s∈ ΣΣ*,*,t∈ t∈ ΣΣ*U{*U{✔✔} }

∃∃Q.Q.P P ⇒⇒ss⇒ Q, Q div}⇒ Q, Q div}Extension closed sets of traces that has an infinite set of actions

failurefailure⊥⊥(P)(P)={(s,X)| s is a trace and X is set ={(s,X)| s is a trace and X is set of actions that can be refused in a of actions that can be refused in a stable state of P}state of P}


The Failures Divergence ModelThe Failures Divergence Model

⊥⊥ℕℕ=(=(ΣΣ*U{*U{✔}} x ℘( x ℘(ΣΣU{U{✔}), }), ΣΣ*U{*U{✔} )} ) Refers to ( (s, actions: D): Failure, Refers to ( (s, actions: D): Failure,

strings: Divergent string )strings: Divergent string ) Any non-empty subset S of Any non-empty subset S of ℕ has an infimum ℕ has an infimum

given bygiven by ⊓ ⊓ S =S =( {F|(F,D)⋃( {F|(F,D)⋃ ∈S}, ∈S}, {D |(F,D)⋃ {D |(F,D)⋃ ∈S})∈S})

Supremum of aSupremum of a directed set △ is given by directed set △ is given by ⊔⊔S =S =(∩{F|(F,D)(∩{F|(F,D)∈ △}, ∈ △}, ∩{D |(F,D)∩{D |(F,D)∈ △})∈ △})

Theorem:Theorem: If If ΣΣ is finite then is finite then ((ℕ, ⊑ℕ, ⊑FDFD,, ⊓, ⊔) ⊓, ⊔) is a is a complete partial ordercomplete partial order


Computing the FD Semantics-1Computing the FD Semantics-1

failuresfailures⊥(STOP)={(<>,X)|XΣΣ*U{*U{✔}} } } divergences(STOP)={}divergences(STOP)={} failuresfailures⊥(SKIP)={(<>,X)|XΣΣ*U{*U{✔}} } } divergences(SKIP)={}divergences(SKIP)={}

failuresfailures⊥(a→pa→p)={(<>,X)|a∉X} U U

{(<a>^s,X):a∈ ∈ failuresfailures⊥(P)} divergences(divergences(a→pa→p)= )=

{(<a>^s,X):s∈divergence∈divergence(P)}



failuresfailures⊥(?x:A→p→p)={(<>,X)|X∩A={}} U U

{(<a>^s,X):a∈ ∈ failuresfailures⊥(P)} divergences(divergences(?x:A→p?x:A→p)= )=

{(<a>^s,X):s∈∈divergence(P[a/x])} failuresfailures⊥(P⊓Q)=failuresfailures⊥(P) U U failuresfailures⊥(Q) divergences(divergences(P⊓Q)= )=

divergencedivergence(P) U U divergencedivergence(Q)



divergences(divergences(P□Q) ) = =

divergencedivergence(P) U U divergencedivergence(Q) failuresfailures⊥(P□Q)=

{(<>,x)| (<>,x)∈ ∈ failuresfailures⊥(P)∩failuresfailures⊥(Q)}

U {(s,X): s≠<>,(s,X)U {(s,X): s≠<>,(s,X)∈∈failuresfailures⊥(P)UUfailuresfailures⊥(Q)}

U {(s,X):<>U {(s,X):<>∈∈diveregencediveregence(P)UUdiveregencediveregence(Q)}

U {(s,X):X U {(s,X):X XΣΣ, <, <✔> )> )∈∈tracetrace⊥(P)U U tracetrace⊥(Q)}



divergences(divergences(P||XQ) ) ={u^v|={u^v|ss∈ ∈ tracetrace⊥(P),

tt∈∈tracetrace⊥(Q), u∈(s||∈(s||XXt)t)∩ ΣΣ*,*,

ss∈∈divergencedivergence(P) or t t∈∈divergencedivergence(Q) } failuresfailures⊥(P||XQ)={(u,YUZUZ)| u∈ s||∈ s||XXtt

Y\(XU {U {✔})}) = = Z\(XU {U {✔})}) /\ /\

s,t (s,Y)s,t (s,Y)∈failures∈failures⊥(P), (t,Z)(t,Z)∈∈failuresfailures⊥(Q)

{(u,Y)|u{(u,Y)|u∈∈diveregencediveregence(P||XQ)}



divergences(divergences(P\X) ) = =

{(s\X)^t| ss∈∈divergencedivergence(P)} U

{(u\X)^t| u{(u\X)^t| u∈∈ΣΣ /\ (u\x) is finite /\ /\ (u\x) is finite /\

∀∀s< u, s∈traces< u, s∈trace⊥(P)(P)}

failuresfailures⊥(P\X)=

{(s\X,Y)| (s,Y(s,YUXUX))∈failures∈failures⊥(P)} U

{(s,X)|s{(s,X)|s∈∈diveregencediveregence(P\X)}


Deterministic ProcessesDeterministic Processes

A process is said to be A process is said to be deterministicdeterministic if if

1.1. t^<a>t^<a>∈∈tracetrace(P) ⇒ (t,{a})∉(P) ⇒ (t,{a})∉failure(P)failure(P)

2.2. divergence(P) ={}divergence(P) ={} That is, never diverges and do not have the That is, never diverges and do not have the

choice of accepting and refusing an actionchoice of accepting and refusing an action Deterministic processes are the maximal Deterministic processes are the maximal

elements under elements under ⊑⊑FDFD

Example:Example: (a (a→STOP)□(a→a→STOP) is non-→STOP)□(a→a→STOP) is non-deterministicdeterministic


Deterministic Processes and LTSDeterministic Processes and LTS

Two nondeterministic LTS whose behavior Two nondeterministic LTS whose behavior is deterministicis deterministic

aa a

a


Abstraction - 1Abstraction - 1

Abstraction = hide detailsAbstraction = hide detailsExample:Example: many-to-one renamingmany-to-one renaming

[(a[(a→c→→c→STOPSTOP)□(b→d→)□(b→d→STOPSTOP)] [[b/a]])] [[b/a]]= (a→c→STOP) □(a→d→= (a→c→STOP) □(a→d→STOPSTOP)] )] = a→( (c→= a→( (c→STOPSTOP)⊓(d→)⊓(d→STOPSTOP) ) ) ) Eager abstractionEager abstraction: hiding operator: hiding operatorℰℰHH(P)=(P)=p\H – assumes that events in H p\H – assumes that events in H

pass out of sightpass out of sight


Abstraction - 2Abstraction - 2

Lazy abstractionLazy abstraction: Projection of P into L: Projection of P into LℒℒHH(P)= P@L= (P)= P@L=

{(s\H,X)|(s,X∩L)∈ failures{(s\H,X)|(s,X∩L)∈ failures⊥(P)} Example: L={l1,l2}, H={h}

P ≡ (l1→P) □ (l2→h→P) □ (h→P) →P) □ (l2→h→P) □ (h→P)

ℒℒHH(P)= Q (P)= Q ≡ (l1→Q) □ l2→(STOP⊓Q) →Q) □ l2→(STOP⊓Q) Finite traces of Finite traces of ℒℒHH(P) are precisely (P) are precisely

{s\H| s ∈ {s\H| s ∈ tracestraces(P)}


Strong BisimulationStrong Bisimulation

Suppose S is a LTS and the relation R on Suppose S is a LTS and the relation R on the set of nodes S’ the set of nodes S’ S, a set of nodes is S, a set of nodes is said to be a strong bisimulation of S iffsaid to be a strong bisimulation of S iff

∀∀n1,n2,m1n1,n2,m1 S’ x∈ ∀ ∈S’ x∈ ∀ ∈ΣΣU{U{✔}} R(n1,n2) and R(n1,n2) and n1 n1 ⇒⇒xx⇒⇒ n2, n2, m2 m2 S’ n2 ∈S’ n2 ∈ ⇒⇒xx⇒⇒ m2 and m2 and R(m1,m2)R(m1,m2)

∀∀n1,n2,m2n1,n2,m2 S’ x∈ ∀ ∈S’ x∈ ∀ ∈ΣΣU{U{✔}} R(n1,n2) and R(n1,n2) and n1 n1 ⇒⇒xx⇒⇒ n2, n2, m1 m1 S’ n1 ∈S’ n1 ∈ ⇒⇒xx⇒⇒ m1 and m1 and R(m1,m2)R(m1,m2)


CasperCasper

CompilerCompilerEasy to specify protocols and security Easy to specify protocols and security

propertiespropertiesE.g., Yahalom protocolE.g., Yahalom protocol

Input: 1 page protocol and security spec.Input: 1 page protocol and security spec.Output (CSP): 10 pagesOutput (CSP): 10 pages


Casper Casper Protocol Definition: Protocol Definition:

protocol operation, including protocol operation, including messages between the agents, messages between the agents, tests performed by the agents, tests performed by the agents, types of data, types of data, initial knowledge, initial knowledge, specification of the protocol’s goals, specification of the protocol’s goals, algebraic equivalences over the typesalgebraic equivalences over the types

Components:Components: Protocol descriptionProtocol description Free variablesFree variables ProcessesProcesses SpecificationSpecification


Casper Casper

System definition:System definition: actual system to be actual system to be checked, including agents, their roles, checked, including agents, their roles, actual data types, intruder’s abilitiesactual data types, intruder’s abilities

Components:Components:Actual variablesActual variablesFunctionsFunctionsSystemSystem Intruder informationIntruder information


Protocol DescriptionProtocol Description



Free VariablesFree Variables



ProcessesProcesses



SpecificationSpecification



System specs: VariablesSystem specs: Variables



System specs: Functions System specs: Functions



System specs: The System System specs: The System



System specs: The IntruderSystem specs: The Intruder


Non-interferencefreedom from covert channels

4343

References

Bishop’s Book: Chapters 8 and 17CSP and determinism in security modeling

by A. W. Roscoe, IEEE Symposium on Security and Privacy, 1995 114-127.

Extending non-interference properties to the timed world by Jian Huang and A. W. Roscoe, SAC’06, 2006.

4444

Basic Definitions Basic issue: Confidentiality in MLS Information should not flow from system high to

system low Actions are categorizes as H (high) and L (low) Want: if two traces of process P differ only in their

H actions, then the subsequent behavior of P seen from L are identical

P is eagerly trace-invariant w.r.t. L, ℰℰtrINVL(P)

tr,tr’∈Traces(P) /\ tr↾L= tr’↾L (P/tr)\H=(P/tr’)\H

4545

Lazy Trace Invariance

Define RUNH ≡ ?x:H → RUNH

P is lazy-trace invariant w.r.t. H, ℒtrINVℒtrINVLL(P)(P)

tr,tr’∈Traces(P) /\ tr↾L= tr’↾L (P/tr) ||| RUNH = (P/tr) ||| RUNH

What is the difference? All H communications of P are being made ambiguous by mixing them with RUNH

Camouflage communication rather than hide! Note: (P||| RUNA)\A= P\A

4646

Some ExamplesH={a,b,c,d}, L={w,x,y,z}1. P1 ≡ a → x → P1□ b → y → P12. P2 ≡ a → x → P2□ b → x → P23. P3 ≡ a → x → P3□ b → x → x → P34. P4 ≡ a → P4□ b → x → P45. P5 ≡ x → (a → P5□ x → P5 □ → y →

P5) □ y → (b→ P5□ x → P5 □ → y → P5)

6. P6 ≡ w → y → P6 □ x→z → P6 □ a → c → P6 □ b → d → P6

4747

Analyzing Example 1

P1 ≡ a → x → P1□ b → y → P1 Not secure: The event in L directly

depends on an event in H. An event observed by L can be used to deduce the corresponding event in H occurred

Fails ℰℰtrINVL(P) as trace tr1={a,x,b,y}, tr2={x,y} satisfy tr1↾L= tr1↾L={x} but (P/tr1)\H = {<x,y>} and (P/tr1)\H ={}

Fails ℒtrINVℒtrINVLL(P)(P) as (P/tr1)|||RUNH ={<x,y>} and (P/tr1)|||RUNH ={}

4848

Analyzing Examples 2,3,4

P2 ≡ a → x → P2□ b → x → P2 P3 ≡ a → x → P3□ b → x → x → P3 P4 ≡ a → P4□ b → x → P4 Satisfy ℰ ℰtrINVtrINVLL(P)(P) as they satisfy (Pi/tr)\

H = RUN{x} for any trace tr. Fails ℒtrINVℒtrINVLL(P)(P) because every available L

action depends upon a H action. Thus, can derive if an H action occurred.

4949

Analyzing Examples 5 and 6 P5 ≡ x → (a → P5 □ x → P5 □ → y → P5)

□ y → (b → P5 □ x → P5 □ → y → P5) P6 ≡ w → y → P6 □ x → z → P6 □ a → c → P6 □ b → d

→ P6 For UL, P5 always communicates when x or y are

present. For any tr, P5 satisfy P5/tr ||| RUNH = RUN

H∪{x,y} Thus P5 satisfy ℰ ℰtrINVtrINVLL(P) and (P) and ℒtrINVℒtrINVLL(P)(P). P6 satisfy ℰℰtrINVtrINVLL(P) and f(P) and fail ℒtrINVℒtrINVLL(P)(P).

Reason for failure: If {a,b} have occurred then then {c,d} must occur for the system to work. Hence if UL cannot communicate with P6, then she knows that UH has communicated with P6.

Lesson: The failure model matters in deciding what is observable by UL!

5050

Determinism - 1 Semantics matters in deciding what the intruder

can observe! Can define ℰfdℰfdINVINVLL(P) and (P) and

ℒfdINVℒfdINVLL(P)(P). Points: (The FDR model is not capable of

distinguishing between these!) Can an intruder observe what events take place before

and after refusals? Same range of non-determinism, but very different

probabilistic behavior

Recall Determinism: A process is A process is deterministicdeterministic if if 1.1. t^<a>t^<a>∈∈tracetrace(P) ⇒ (t,{a})∉(P) ⇒ (t,{a})∉failure(P)failure(P)

2.2. divergence(P) ={}divergence(P) ={}

5151

Determinism - 2 The Intuitive Idea:The Intuitive Idea: I way to leak information from

UH to UL via using the process P is to behave differently towards UL depending on what UH does. Appears as if UH resolves non-determinism for UL to notice and observe!

Theorem 1:Theorem 1: 1. P\H is deterministic ⇒ ℰℰtrINVtrINVLL(P), (P), ℰℰfdINVfdINVLL(P)(P)

2.2. P|||P|||RUNH deterministic ⇒ ℒtrINVℒtrINVLL(P)(P), ℒfdINVℒfdINVLL(P)(P)

Theorem 2:Theorem 2:1.1. P deterministic, P\H divergence free, P deterministic, P\H divergence free, ℰℰtrINVtrINVLL(P) (P)

⇒ P\H is deterministic

2.2. P deterministic, P deterministic, ℰℰtrINVtrINVLL(P) (P) ⇒ P|||P|||RUNH deterministic

5252

Eager, Lazy, Strong Independence Say that P is eagerly independent,

ℰINDL(P) if P\H is deterministic w.r.t L.

Say that P is lazily independent, ℒINDL(P) if P|||RUNH is deterministic w.r.t. L.

Say P is strongly independent, SINDL(P) if (P|||CHAOSH)\H is deterministic where CHAOSA ≡ STOP Π (?x:A → CHAOSA)

Theorem: A process satisfies SINDL(P) iff it satisfy ℰINDL(P) and ℒINDL(P)

5353

Delay-able H actions and Signals-1

P6 ≡ w → y → P6 □ x → z → P6 □ a → c → P6 □ b → d → P6

if UL cannot communicate with P6, then UL knows that UH has communicated with P6

What if {c, d} are signals – such as output communications whose refusals are not observable before it occurs.

The process is secure! But need to make a distinction between the two kinds of H signals. So H=(D,S)

5454

Delay-able H actions and Signals-2

Divide H into two parts D = delay-ableS = signals (like output)

Mixed conditionsMixed eager invariance MINVL

(D,S)(P) holds if tr,tr’∈Traces(P) /\ tr↾L= tr’↾L (P/tr)\S ||| RUND = (P/tr’)\S ||| RUND

Mixed independence MINDL(D,S)(P) holds if (P\

S) ||| RUND is deterministic

5555

Properties of H=(D,S)

MINDL(D,S)(P) ⇒ MINVL

(D,S)(P) If P is deterministic and P\D is divergence-

free then MINVL(D,S)(P) ⇒ MINDL

(D,S)(P)

5656

Abstract Models of UH - 1

CHAOSA ≡ STOP Π (?x:A → CHAOSA)

CHAOSA is the most non-deterministic UH

All determinism properties can be specified as (P||H U)\H for some U (for eg U = RUNH)

The lazy specifications do not forbid infinite runs of H actions, requiring a different semantics (F,D,I) for CSP

5757

Abstract Models of UH -2

Can choose finite traces by defining a new process FINITEA ≡ Π{Qn | n∈ℕ} with Qn ≡ STOP, and Qn+1 ≡ a: → Qn

FINITEA is a user process U for lazy conditions

Theorem: P satisfyℰINDL(P) iff (P||H FINITEH)\H is deterministicMINDL

(D,S)(P) iff (P||(RUNS||| FINITED)\(DUS) is deterministic

5858

Modeling non-interference

Example: An email system where UH can send mail to UL.

Referred to as conditional non-interferenceGeneral approach: Finite traces of U are H*

Show that if UH communicates within H* no information leaks to UL.

UH can delay only refusalsU is divergent free

5959

A Timed Version

Ht = H U {tock}, Lt = L U {tock}, t = Ht U Lt Events are D (delayable) or S (signals)Maximal Progress Assumption: No tock

occurs when is presentP is timed-deterministic iff ∀s∈t*∀a∈t (s,

{a})∉failures(P) ⇒ s^<a>∈traces(P)P is timed-lazy independent T-L-Ind(P)

iff a∈Lts,s’∈traces(P)/\ s↾Lt= s’↾Lt ⇒ [ (s,{a})∈failures(P) ⇔ (P/s’)o∩{a}={} ]

6060

Timed Abstractions Example:Example: Let H={d} and L={l} and

P ≡ tock → Q □ d → TOCKS Q ≡ tock → Q □ d → l → TOCKS, TOCKS ≡ tock →

TOCKS and CHAOSH ≡ STOP Π (?x:H → CHAOSH) P is not secure because UL can find out when d

occurs by observing l. Un-timed lazy abstraction (P||HCHAOSH)\H=

TOCKS If P↝Q is allowed then the STOP branch of ChaosH

is blocks d and therefore does not change state CHAOSH need to be redefined!

6161

Defining CHAOST

Define a timed version that changes its mind when time passes (tn is a new event)

CHAOST(D) ≡ CHOAST’(D) \ {tn}CHAOST’(D) ≡ ?x:D → CHAOST’(D) ٱٱ

tn → tock → CHAOST’(D) Timed-Lazy abstraction:Timed-Lazy abstraction:

ℒℒtHtH(P)(P) ≡ (P||≡ (P||HHttCHAOSTCHAOSTHH) \ H) \ H

Timed-Mixed abstraction:Timed-Mixed abstraction: MMSStHtH(P)(P)≡≡ℒℒtHtH(P\S)(P\S)

Note: D and S are delayable and signal events

6262

Time Consistency Check

TOCKS ⊑ (P ||DU{tock} CHAOST(D))\ It means that when P is synchronized

with CHOST(D) on events in D U {tock}, only the tock events remain other than those from .

This can check if the timed behavior is consistent

6363

Some Properties

TheoremTheorem

1.1. ℒℒtHtH(P) is time deterministic iff T-L-Ind(P)(P) is time deterministic iff T-L-Ind(P)2.2. Suppose P and Q are processes with Suppose P and Q are processes with

Alphabets A and B. If P and Q are T-L-Alphabets A and B. If P and Q are T-L-Independent then so is P Independent then so is P AA||||BB Q Q

Separability:Separability: 1.1. A process P is separable iff it is a parallel A process P is separable iff it is a parallel

composition of sub-processes A and B composition of sub-processes A and B with disjoint alphabetswith disjoint alphabets

2.2. In the timed world, A and B can In the timed world, A and B can synchronize on synchronize on tocktock

6464

Time Separability - 1

Definition:Definition: Suppose P is process whose non-tock alphabet is partitioned into disjoint subsets H and L. P is time-separable w.r.t {H,L} if there are processes PH and PL with TCC(PH) /\ TCC(PL) satisfying [here TCC=time

consistency check] PH=Ht /\ PL=Lt

P= PH ||{tock} PL Note:Note: equivalence to a structurally secure

process may conceal insecurities. Does not exclude information flow

6565

Time Separability - 2 Definition:Definition: Suppose P is process whose non-

tock alphabet is partitioned into disjoint subsets H and L. P is strongly time-separable w.r.t {H,L} if there are time-deterministic processes PH and PL with [here TCC=time consistency check] TCC(PH) /\ TCC(PL) PH=Ht /\ PL=Lt

P= PH ||{tock} PL Theorem:Theorem: P is strongly time separable w.r.t.

{H,L} iff T-H-Ind(P) and T-L-Ind(P) Definition:Definition: A process P/H has H labels removed

from the LTS. That is, P/H ≡ P ||H STOP

6666

Local non-interferenceLocal non-interference: Low level users

cannot tell the difference between states linked by high level action

R ⊆ Proc X Proc is a weak-bisimulation ≈t iff x∀ ∈Σt,, R(p,q)p⇒x p’, ⇒ q’ q⇒x q’ and R(p’,q’)⇒q⇒x q’, ⇒ p’ p⇒x p’ and R(p’,q’)⇒

P

Q

P’

Q’

X

X

R R

P

Q

P’

Q’

R R

X

X

6767

Timed local non-interference - 1

P satisfies timed strong local non-interference written tSLNIL(P) if for states s1,s2 and h∈H s⇒h s⇒ 1, then s/H ≈t s1/H

P satisfies timed local non-interference written tLNIL(P) if s⇒h s⇒ 1, s⇒h s⇒ 2, …. s⇒h s⇒ n is a complete list of H transforms, then s/H ≈t Π si/H

S

S1/HS1 without

H links

S1h

S/HS without

H links

S/HS without

H links

any low action X

S1/HS1 without

H links

same low action X

6868

Timed local non-interference - 2

P satisfies timed strong FD local non-interference written tFDSLNIL(P) if for all states s1,s2 and all h∈H s⇒h s⇒ 1, then s/H =FD s1/H

P satisfies timed FD local non-interference written tFDLNIL(P) if s⇒h s⇒ 1, s⇒h s⇒ 2, …. s⇒h s⇒ n is a complete list of H transforms, then s/H =FD Π si/H

SS1/H

S1 without H links

S1hS/H

S without H links

same FD semantics

6969

A Theorem

If P does not diverge, then the following are equivalent

tSLNIL(P)

tLNIL(P)

tFDSLNIL(P)

tFDLNIL(P) T-L-Ind(P)

7070

Time-delayed local non-interference-1 S={s1,s2}, L={l1,l2} P≡ s1→tock →l1 → P Q≡ s1→tock→l1→Qٱ s2→tock→l1→Q R≡ s1→tock→l1→R ٱ s2→tock→l2→R For P, UL knows that s1 takes place – not a secret For Q, UL knows that an H event happens, but he

cannot discern which one – want this to be secure For R, UH resolves the non-determinism and UL

knows the choice. But S events are not chosen by UH, but by the environment

P, Q, R do not satisfy the timed local non-interference conditions – need mixed conditions

7171

Time-delayed local non-interference-2

P is said to satisfyTime-delayed strong local non-interference

tDSLNIL(P) if tDSLNIL(P\S) holdsTime-delayed local non-interference

tDLNIL(P) if tDLNIL(P\S) holdsTime-delayed strong FD local non-

interference tDSLNIFDL(P) if tDSLNIFD

L(P\S) holds

Time-delayed FD local non-interference tDLNIFD

L(P) if tDLNIFDL(P\S) holds

7272

Another Theorem

If P does not diverge and (P\S)/H is timed deterministic. Then the following are equivalent

tDSLNIL(P)

tDLNIL(P)

tDSLNIFDL(P)

tDLNIFDL(P)

7373

A Case StudyWill show A timed implementation of a secure un-timed

process may be insecure Developed conditions helps design a secure timed implementation.

Example: 2 users UL, UH and 1 file in the system.

UH reads and UL writes, so information flow: L⇒H Both must request before access UL can write between UH reads in order to make

fresh information available to UH

7474

Case Study: the un-timed version

Sys ≡ reqH → Sys1ٱ reqL→ writeL→ Sys1Sys1 ≡ reqH → Sysٱ reqL→ writeL→ Sys1The system is L-ind and SLNI (i.e. strong

non-local non-interference) secureAdding time: (assumptions)

All actions need one unit of timeA low level request following a high level

request takes an extra time unit.The system may idle until a request is

made.

7575

Case Study: adding time

Sys ≡ tock → sys ٱ reqH → Sys1ٱ reqL→ tock → writeL→ tock → Sys1

Sys1 ≡ tock → ( readH → tock → Sys (reqL→tock→tock→writeL→tock→Sys1 ٱ

UL can notice the existence of 2 tocks between reqL→ and writeL ⇦ leaks!

In state Sys, UL can communicate reqL and not in state Sys1 ⇦ can distinguish using failure semantics!

7676tock

tock

tock

tock

tock

tock

tock

tock

readH reqH

writeL

reqL

reqLwriteL

tock

tock

tock

tock

tock

tocktock

tock

tock

readHreqH

reqL

reqL

writeL

writeL

Sys1

Sys

Q1

Q6

Q5Q4

Q3

Q2

P2

P1

P6

P5P3

P4

The Original Timed VersionThe Original Timed Version The tDSLNIThe tDSLNILL Secure Version Secure Version

7777

A tDSLNIL secure version

readyH is a response to reqH.

Hence S={readyH}, D={reqH}.

Use R to ensure Sys\S/H ≈t Sys1\S/HR={(X\S/H,Y\S/H)| (X,Y)∈R’} whereR’={(Sys,Sys1),(P1,Sys),(Sys,Q1),

(P2,Sys1), (P3,Q1),(P4,Q3),(P5,Q4),(P6,Q5),(Sys,Q6), (P1,Q6),(P2,Q6),(P1,Q2),(P3,Q2),(P3,Sys), (P3,P1), (P3,P2),(P3,P3)

Documents

ISA 763 Security Protocol Verification CSP Semantics We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct