Upload
ruby-simpson
View
215
Download
0
Embed Size (px)
Citation preview
11
ISA 763ISA 763Security Protocol VerificationSecurity Protocol Verification
CSP SemanticsCSP Semantics
We thank Professor Csilla Farkas of USC for providing some We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct this transparencytransparencies that were used to construct this transparency
22CSP SemanticsCSP Semantics 22
ReferencesReferences The Theory and Practice of Concurrency by A. W. The Theory and Practice of Concurrency by A. W.
Roscoe, available at Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.web.comlab.ox.ac.uk/oucl/work/bill.roscoeroscoe/publications/6/publications/68b.pdf 8b.pdf
Chapters 4 and 5 of Modeling and analysis of security Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. protocols by Peter Ryan and Steve Schneider.
The FDR2 User Manual available at The FDR2 User Manual available at http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Top
Formal Systems, FDR download, Formal Systems, FDR download, http://www.fsel.com/ M. Morgenthal: Design and Validation of Computer M. Morgenthal: Design and Validation of Computer
Protocols, Protocols, http://wwwtcs.inf.tu-dresden.de/~morgen/sem-ws02.html
33CSP SemanticsCSP Semantics 33
CSP Semantics - 1CSP Semantics - 1 Operational SemanticsOperational Semantics
Interprets the language on an (abstract) machine:Interprets the language on an (abstract) machine: such as the ones used in imperative languages using a such as the ones used in imperative languages using a
program counter, next instruction stack etc.program counter, next instruction stack etc. Denotational SemanticsDenotational Semantics
The language is translated to another abstract domain The language is translated to another abstract domain Translate the basic constructsTranslate the basic constructs Translate the combinators to constructs in the target domainTranslate the combinators to constructs in the target domain Use a compositionality principle to construct the denotation of Use a compositionality principle to construct the denotation of
the whole program from translated partsthe whole program from translated parts Algebraic SemanticsAlgebraic Semantics
Translate the language into a Translate the language into a normal fromnormal from by rewriting by rewriting all programs in that formall programs in that form
Describe how to execute the program in normal formDescribe how to execute the program in normal form
44CSP SemanticsCSP Semantics 44
CSP Semantics - 2CSP Semantics - 2 Operational SemanticsOperational Semantics
Interprets the language on an (abstract) machine:Interprets the language on an (abstract) machine: Construct a labeled transition system (LTS)Construct a labeled transition system (LTS)
Denotational SemanticsDenotational Semantics The language is translated to another abstract domain The language is translated to another abstract domain Trace semantics, Failure Divergence SemanticsTrace semantics, Failure Divergence Semantics
Algebraic SemanticsAlgebraic Semantics Translate the language into a Translate the language into a normal fromnormal from by rewriting by rewriting
all programs in that formall programs in that form Proof rulesProof rules
55CSP SemanticsCSP Semantics 55
Operational SemanticsOperational Semantics
Labeled transition system (LTS)Labeled transition system (LTS)Nodes:Nodes: state of the process state of the processDirected edges:Directed edges: events events
Visible eventsVisible events Internal transitionsInternal transitions
Recall Trace Refinement:Recall Trace Refinement:
S S ⊑⊑TT T T iff iff trace(T) trace(T) trace(S) trace(S)
66CSP SemanticsCSP Semantics 66
An example LTSAn example LTS
Image from M. Morgenthal
77CSP SemanticsCSP Semantics 77
Another LTS ExampleAnother LTS Example
Image from M. Morgenthal
88CSP SemanticsCSP Semantics 88
Connection between LTS ExamplesConnection between LTS Examples
An Implementation of An Implementation of SS as: as:
A ||| BA ||| B where where
AB = a AB = a b b AB and AB and
AC = a AC = a c c AC AC
wherewhere AA corresponds to AA corresponds to AB ||| ACAB ||| AC BA corresponds to BA corresponds to bb→ AB ||| AC→ AB ||| AC AC corresponds to AC corresponds to AB||| (c → AC)AB||| (c → AC) BC corresponds to BC corresponds to b → AB||| (c → AC)b → AB||| (c → AC)
99CSP SemanticsCSP Semantics 99
AAAA corresponds corresponds to to AB ||| ACAB ||| ACBABA corresponds corresponds to to b→ AB ||| ACb→ AB ||| ACACAC corresponds corresponds to to AB||| (c → AC)AB||| (c → AC)BCBC corresponds corresponds to to b → AB||| (c → b → AB||| (c → AC)AC)
1010CSP SemanticsCSP Semantics 1010
Traces Refinement CheckTraces Refinement Check
Image from M. Morgenthal
1111CSP SemanticsCSP Semantics 1111
Trace RefinementsTrace Refinements
An implementation An implementation refinesrefines the trace of a the trace of a processprocess
Hence we would like an implementation to Hence we would like an implementation to satisfy the specificationsatisfy the specification
Which properties? Which properties? For his class, those trace properties used to For his class, those trace properties used to
specify security properties.specify security properties.
1212CSP SemanticsCSP Semantics 1212
Denotational SemanticsDenotational Semantics Recall Trace Semantics for CSP processesRecall Trace Semantics for CSP processes Could not reason the difference between Could not reason the difference between
external choice and internal choiceexternal choice and internal choice Example: consider Example: consider ={a,b} and={a,b} andQ1 Q1 ≡(a→STOP) ≡(a→STOP) □ □ (b→STOP) (b→STOP) Q2 Q2 ≡(a→STOP) ≡(a→STOP) ΠΠ (b→STOP)(b→STOP)Q3 Q3 ≡STOP ≡STOP ΠΠ(a→STOP) (a→STOP) □□(b→STOP)(b→STOP) Refusal set of Q1={}Refusal set of Q1={} Q2 can refuse {a} and {b} but not {a,b}Q2 can refuse {a} and {b} but not {a,b} Q3 can refuse any subset of Q3 can refuse any subset of ..
1313CSP SemanticsCSP Semantics 1313
Refusal SetsRefusal SetsP1 {c}
{a, c}
{a, b, c} {a, b, c}
P2 {c}
{b, c}
{a, b, c} {a, b, c}
P3 {c}
{b, c} {a, c}
{a, b, c} {a, b, c}
P4 {c}
{b, c} {a, c}
{a, b, c} {a, b, c}
a b
b a
b
a
a b
c c
a b
{b, c}
1414CSP SemanticsCSP Semantics 1414
Refusal SetsRefusal Sets
P1 P1 ≡ (a → b→ STOP) ≡ (a → b→ STOP) □ □ (b → a → STOP)(b → a → STOP)
≡ ≡ (a → STOP) (a → STOP) ||| ||| (b → STOP)(b → STOP)
Failure Sets = (<>,{}), (<>,c), Failure Sets = (<>,{}), (<>,c),
(<a>, {a,c}), (<ba>,(<a>, {a,c}), (<ba>,{a,b,c}){a,b,c})
P2 ≡ (c→a→STOP)P2 ≡ (c→a→STOP)□□(b→c→STOP)\ c(b→c→STOP)\ cFailure sets ={(<>,X| X Failure sets ={(<>,X| X {b,c}} {b,c}} UU
{(<a>,X),(<b>,X)| {(<a>,X),(<b>,X)| X X {a,b,c}}{a,b,c}} Internal actions introduce nondterminismInternal actions introduce nondterminism
1515CSP SemanticsCSP Semantics 1515
Refusal SetsRefusal Sets P3 P3 ≡ (a → STOP) ≡ (a → STOP) ΠΠ (b → STOP)(b → STOP) Must accept one of {a} or {b} if both Must accept one of {a} or {b} if both
{a,b} are offered{a,b} are offered Different from Different from
P1 - must accept either P1 - must accept either P2 - must accept aP2 - must accept a
P4 ≡ (c→a→STOP)P4 ≡ (c→a→STOP)□□(c→b→STOP)(c→b→STOP) After <c> refuses {X|{a,b}⊈X}After <c> refuses {X|{a,b}⊈X} Failure allows us to distinguish between Failure allows us to distinguish between
internal and external choice –traces could internal and external choice –traces could not do this!not do this!
1616CSP SemanticsCSP Semantics 1616
Failure SemanticsFailure Semantics
failure(P)failure(P) = {(s,X)| s = {(s,X)| s∈∈ΣΣ* and P/s does not * and P/s does not accept any x accept any x∈X}∈X}
Failure Refinement:Failure Refinement: P⊑P⊑FFQQ (read Q (read Q failure refines P) ifffailure refines P) ifftrace(Q) trace(Q) trace(P) andtrace(P) and failure(Q) failure(Q) failure(p)
1717CSP SemanticsCSP Semantics 1717
DivergenceDivergence pp≡(≡(p.a→p)\{a}p.a→p)\{a} Cannot observe Cannot observe aa externally. externally. Diverges – i.e. looks like a Diverges – i.e. looks like a -loop-loop We do not care what happens after a We do not care what happens after a
process divergesprocess diverges
SS
aa
SS
1818CSP SemanticsCSP Semantics 1818
Failure and DivergenceFailure and Divergence
Add extra symbol Add extra symbol ✔✔ to to ΣΣ to indicate that the to indicate that the process has terminatedprocess has terminated
Interpretation:Interpretation: ✔✔ is emitted by the process to is emitted by the process to the environment to indicate normal the environment to indicate normal terminationtermination
P P ⇒⇒ss⇒ Q means process P becomes Q⇒ Q means process P becomes QStable State:Stable State: a state that does not a state that does not
accept accept
1919CSP SemanticsCSP Semantics 1919
Failure and DivergenceFailure and Divergence
trace(P)≡{trace(P)≡{s∈ ∈ ΣΣ*U{*U{✔} | } | ∃Q.∃Q.P P ⇒⇒ss⇒ Q}⇒ Q} tracetrace⊥⊥(P)≡{(P)≡{s: (t,X)∈F} is a prefix closed set∈F} is a prefix closed set diveregnce(P)≡{diveregnce(P)≡{s^t|s∈ s^t|s∈ ΣΣ*,*,t∈ t∈ ΣΣ*U{*U{✔✔} }
∃∃Q.Q.P P ⇒⇒ss⇒ Q, Q div}⇒ Q, Q div}Extension closed sets of traces that has an infinite set of actions
failurefailure⊥⊥(P)(P)={(s,X)| s is a trace and X is set ={(s,X)| s is a trace and X is set of actions that can be refused in a of actions that can be refused in a stable state of P}state of P}
2020CSP SemanticsCSP Semantics 2020
The Failures Divergence ModelThe Failures Divergence Model
⊥⊥ℕℕ=(=(ΣΣ*U{*U{✔}} x ℘( x ℘(ΣΣU{U{✔}), }), ΣΣ*U{*U{✔} )} ) Refers to ( (s, actions: D): Failure, Refers to ( (s, actions: D): Failure,
strings: Divergent string )strings: Divergent string ) Any non-empty subset S of Any non-empty subset S of ℕ has an infimum ℕ has an infimum
given bygiven by ⊓ ⊓ S =S =( {F|(F,D)⋃( {F|(F,D)⋃ ∈S}, ∈S}, {D |(F,D)⋃ {D |(F,D)⋃ ∈S})∈S})
Supremum of aSupremum of a directed set △ is given by directed set △ is given by ⊔⊔S =S =(∩{F|(F,D)(∩{F|(F,D)∈ △}, ∈ △}, ∩{D |(F,D)∩{D |(F,D)∈ △})∈ △})
Theorem:Theorem: If If ΣΣ is finite then is finite then ((ℕ, ⊑ℕ, ⊑FDFD,, ⊓, ⊔) ⊓, ⊔) is a is a complete partial ordercomplete partial order
2121CSP SemanticsCSP Semantics 2121
Computing the FD Semantics-1Computing the FD Semantics-1
failuresfailures⊥(STOP)={(<>,X)|XΣΣ*U{*U{✔}} } } divergences(STOP)={}divergences(STOP)={} failuresfailures⊥(SKIP)={(<>,X)|XΣΣ*U{*U{✔}} } } divergences(SKIP)={}divergences(SKIP)={}
failuresfailures⊥(a→pa→p)={(<>,X)|a∉X} U U
{(<a>^s,X):a∈ ∈ failuresfailures⊥(P)} divergences(divergences(a→pa→p)= )=
{(<a>^s,X):s∈divergence∈divergence(P)}
2222CSP SemanticsCSP Semantics 2222
Computing the FD Semantics-2Computing the FD Semantics-2
failuresfailures⊥(?x:A→p→p)={(<>,X)|X∩A={}} U U
{(<a>^s,X):a∈ ∈ failuresfailures⊥(P)} divergences(divergences(?x:A→p?x:A→p)= )=
{(<a>^s,X):s∈∈divergence(P[a/x])} failuresfailures⊥(P⊓Q)=failuresfailures⊥(P) U U failuresfailures⊥(Q) divergences(divergences(P⊓Q)= )=
divergencedivergence(P) U U divergencedivergence(Q)
2323CSP SemanticsCSP Semantics 2323
Computing the FD Semantics-3Computing the FD Semantics-3
divergences(divergences(P□Q) ) = =
divergencedivergence(P) U U divergencedivergence(Q) failuresfailures⊥(P□Q)=
{(<>,x)| (<>,x)∈ ∈ failuresfailures⊥(P)∩failuresfailures⊥(Q)}
U {(s,X): s≠<>,(s,X)U {(s,X): s≠<>,(s,X)∈∈failuresfailures⊥(P)UUfailuresfailures⊥(Q)}
U {(s,X):<>U {(s,X):<>∈∈diveregencediveregence(P)UUdiveregencediveregence(Q)}
U {(s,X):X U {(s,X):X XΣΣ, <, <✔> )> )∈∈tracetrace⊥(P)U U tracetrace⊥(Q)}
2424CSP SemanticsCSP Semantics 2424
Computing the FD Semantics-4Computing the FD Semantics-4
divergences(divergences(P||XQ) ) ={u^v|={u^v|ss∈ ∈ tracetrace⊥(P),
tt∈∈tracetrace⊥(Q), u∈(s||∈(s||XXt)t)∩ ΣΣ*,*,
ss∈∈divergencedivergence(P) or t t∈∈divergencedivergence(Q) } failuresfailures⊥(P||XQ)={(u,YUZUZ)| u∈ s||∈ s||XXtt
Y\(XU {U {✔})}) = = Z\(XU {U {✔})}) /\ /\
s,t (s,Y)s,t (s,Y)∈failures∈failures⊥(P), (t,Z)(t,Z)∈∈failuresfailures⊥(Q)
{(u,Y)|u{(u,Y)|u∈∈diveregencediveregence(P||XQ)}
2525CSP SemanticsCSP Semantics 2525
Computing the FD Semantics-5Computing the FD Semantics-5
divergences(divergences(P\X) ) = =
{(s\X)^t| ss∈∈divergencedivergence(P)} U
{(u\X)^t| u{(u\X)^t| u∈∈ΣΣ /\ (u\x) is finite /\ /\ (u\x) is finite /\
∀∀s< u, s∈traces< u, s∈trace⊥(P)(P)}
failuresfailures⊥(P\X)=
{(s\X,Y)| (s,Y(s,YUXUX))∈failures∈failures⊥(P)} U
{(s,X)|s{(s,X)|s∈∈diveregencediveregence(P\X)}
2626CSP SemanticsCSP Semantics 2626
Deterministic ProcessesDeterministic Processes
A process is said to be A process is said to be deterministicdeterministic if if
1.1. t^<a>t^<a>∈∈tracetrace(P) ⇒ (t,{a})∉(P) ⇒ (t,{a})∉failure(P)failure(P)
2.2. divergence(P) ={}divergence(P) ={} That is, never diverges and do not have the That is, never diverges and do not have the
choice of accepting and refusing an actionchoice of accepting and refusing an action Deterministic processes are the maximal Deterministic processes are the maximal
elements under elements under ⊑⊑FDFD
Example:Example: (a (a→STOP)□(a→a→STOP) is non-→STOP)□(a→a→STOP) is non-deterministicdeterministic
2727CSP SemanticsCSP Semantics 2727
Deterministic Processes and LTSDeterministic Processes and LTS
Two nondeterministic LTS whose behavior Two nondeterministic LTS whose behavior is deterministicis deterministic
aa a
a
2828CSP SemanticsCSP Semantics 2828
Abstraction - 1Abstraction - 1
Abstraction = hide detailsAbstraction = hide detailsExample:Example: many-to-one renamingmany-to-one renaming
[(a[(a→c→→c→STOPSTOP)□(b→d→)□(b→d→STOPSTOP)] [[b/a]])] [[b/a]]= (a→c→STOP) □(a→d→= (a→c→STOP) □(a→d→STOPSTOP)] )] = a→( (c→= a→( (c→STOPSTOP)⊓(d→)⊓(d→STOPSTOP) ) ) ) Eager abstractionEager abstraction: hiding operator: hiding operatorℰℰHH(P)=(P)=p\H – assumes that events in H p\H – assumes that events in H
pass out of sightpass out of sight
2929CSP SemanticsCSP Semantics 2929
Abstraction - 2Abstraction - 2
Lazy abstractionLazy abstraction: Projection of P into L: Projection of P into LℒℒHH(P)= P@L= (P)= P@L=
{(s\H,X)|(s,X∩L)∈ failures{(s\H,X)|(s,X∩L)∈ failures⊥(P)} Example: L={l1,l2}, H={h}
P ≡ (l1→P) □ (l2→h→P) □ (h→P) →P) □ (l2→h→P) □ (h→P)
ℒℒHH(P)= Q (P)= Q ≡ (l1→Q) □ l2→(STOP⊓Q) →Q) □ l2→(STOP⊓Q) Finite traces of Finite traces of ℒℒHH(P) are precisely (P) are precisely
{s\H| s ∈ {s\H| s ∈ tracestraces(P)}
3030CSP SemanticsCSP Semantics 3030
Strong BisimulationStrong Bisimulation
Suppose S is a LTS and the relation R on Suppose S is a LTS and the relation R on the set of nodes S’ the set of nodes S’ S, a set of nodes is S, a set of nodes is said to be a strong bisimulation of S iffsaid to be a strong bisimulation of S iff
∀∀n1,n2,m1n1,n2,m1 S’ x∈ ∀ ∈S’ x∈ ∀ ∈ΣΣU{U{✔}} R(n1,n2) and R(n1,n2) and n1 n1 ⇒⇒xx⇒⇒ n2, n2, m2 m2 S’ n2 ∈S’ n2 ∈ ⇒⇒xx⇒⇒ m2 and m2 and R(m1,m2)R(m1,m2)
∀∀n1,n2,m2n1,n2,m2 S’ x∈ ∀ ∈S’ x∈ ∀ ∈ΣΣU{U{✔}} R(n1,n2) and R(n1,n2) and n1 n1 ⇒⇒xx⇒⇒ n2, n2, m1 m1 S’ n1 ∈S’ n1 ∈ ⇒⇒xx⇒⇒ m1 and m1 and R(m1,m2)R(m1,m2)
3131CSP SemanticsCSP Semantics 3131
CasperCasper
CompilerCompilerEasy to specify protocols and security Easy to specify protocols and security
propertiespropertiesE.g., Yahalom protocolE.g., Yahalom protocol
Input: 1 page protocol and security spec.Input: 1 page protocol and security spec.Output (CSP): 10 pagesOutput (CSP): 10 pages
3232CSP SemanticsCSP Semantics 3232
Casper Casper Protocol Definition: Protocol Definition:
protocol operation, including protocol operation, including messages between the agents, messages between the agents, tests performed by the agents, tests performed by the agents, types of data, types of data, initial knowledge, initial knowledge, specification of the protocol’s goals, specification of the protocol’s goals, algebraic equivalences over the typesalgebraic equivalences over the types
Components:Components: Protocol descriptionProtocol description Free variablesFree variables ProcessesProcesses SpecificationSpecification
3333CSP SemanticsCSP Semantics 3333
Casper Casper
System definition:System definition: actual system to be actual system to be checked, including agents, their roles, checked, including agents, their roles, actual data types, intruder’s abilitiesactual data types, intruder’s abilities
Components:Components:Actual variablesActual variablesFunctionsFunctionsSystemSystem Intruder informationIntruder information
3434CSP SemanticsCSP Semantics 3434
Protocol DescriptionProtocol Description
Image from M. Morgenthal
3535CSP SemanticsCSP Semantics 3535
Free VariablesFree Variables
Image from M. Morgenthal
3636CSP SemanticsCSP Semantics 3636
ProcessesProcesses
Image from M. Morgenthal
3737CSP SemanticsCSP Semantics 3737
SpecificationSpecification
Image from M. Morgenthal
3838CSP SemanticsCSP Semantics 3838
System specs: VariablesSystem specs: Variables
Image from M. Morgenthal
3939CSP SemanticsCSP Semantics 3939
System specs: Functions System specs: Functions
Image from M. Morgenthal
4040CSP SemanticsCSP Semantics 4040
System specs: The System System specs: The System
Image from M. Morgenthal
4141CSP SemanticsCSP Semantics 4141
System specs: The IntruderSystem specs: The Intruder
Image from M. Morgenthal
Non-interferencefreedom from covert channels
4343
References
Bishop’s Book: Chapters 8 and 17CSP and determinism in security modeling
by A. W. Roscoe, IEEE Symposium on Security and Privacy, 1995 114-127.
Extending non-interference properties to the timed world by Jian Huang and A. W. Roscoe, SAC’06, 2006.
4444
Basic Definitions Basic issue: Confidentiality in MLS Information should not flow from system high to
system low Actions are categorizes as H (high) and L (low) Want: if two traces of process P differ only in their
H actions, then the subsequent behavior of P seen from L are identical
P is eagerly trace-invariant w.r.t. L, ℰℰtrINVL(P)
tr,tr’∈Traces(P) /\ tr↾L= tr’↾L (P/tr)\H=(P/tr’)\H
4545
Lazy Trace Invariance
Define RUNH ≡ ?x:H → RUNH
P is lazy-trace invariant w.r.t. H, ℒtrINVℒtrINVLL(P)(P)
tr,tr’∈Traces(P) /\ tr↾L= tr’↾L (P/tr) ||| RUNH = (P/tr) ||| RUNH
What is the difference? All H communications of P are being made ambiguous by mixing them with RUNH
Camouflage communication rather than hide! Note: (P||| RUNA)\A= P\A
4646
Some ExamplesH={a,b,c,d}, L={w,x,y,z}1. P1 ≡ a → x → P1□ b → y → P12. P2 ≡ a → x → P2□ b → x → P23. P3 ≡ a → x → P3□ b → x → x → P34. P4 ≡ a → P4□ b → x → P45. P5 ≡ x → (a → P5□ x → P5 □ → y →
P5) □ y → (b→ P5□ x → P5 □ → y → P5)
6. P6 ≡ w → y → P6 □ x→z → P6 □ a → c → P6 □ b → d → P6
4747
Analyzing Example 1
P1 ≡ a → x → P1□ b → y → P1 Not secure: The event in L directly
depends on an event in H. An event observed by L can be used to deduce the corresponding event in H occurred
Fails ℰℰtrINVL(P) as trace tr1={a,x,b,y}, tr2={x,y} satisfy tr1↾L= tr1↾L={x} but (P/tr1)\H = {<x,y>} and (P/tr1)\H ={}
Fails ℒtrINVℒtrINVLL(P)(P) as (P/tr1)|||RUNH ={<x,y>} and (P/tr1)|||RUNH ={}
4848
Analyzing Examples 2,3,4
P2 ≡ a → x → P2□ b → x → P2 P3 ≡ a → x → P3□ b → x → x → P3 P4 ≡ a → P4□ b → x → P4 Satisfy ℰ ℰtrINVtrINVLL(P)(P) as they satisfy (Pi/tr)\
H = RUN{x} for any trace tr. Fails ℒtrINVℒtrINVLL(P)(P) because every available L
action depends upon a H action. Thus, can derive if an H action occurred.
4949
Analyzing Examples 5 and 6 P5 ≡ x → (a → P5 □ x → P5 □ → y → P5)
□ y → (b → P5 □ x → P5 □ → y → P5) P6 ≡ w → y → P6 □ x → z → P6 □ a → c → P6 □ b → d
→ P6 For UL, P5 always communicates when x or y are
present. For any tr, P5 satisfy P5/tr ||| RUNH = RUN
H∪{x,y} Thus P5 satisfy ℰ ℰtrINVtrINVLL(P) and (P) and ℒtrINVℒtrINVLL(P)(P). P6 satisfy ℰℰtrINVtrINVLL(P) and f(P) and fail ℒtrINVℒtrINVLL(P)(P).
Reason for failure: If {a,b} have occurred then then {c,d} must occur for the system to work. Hence if UL cannot communicate with P6, then she knows that UH has communicated with P6.
Lesson: The failure model matters in deciding what is observable by UL!
5050
Determinism - 1 Semantics matters in deciding what the intruder
can observe! Can define ℰfdℰfdINVINVLL(P) and (P) and
ℒfdINVℒfdINVLL(P)(P). Points: (The FDR model is not capable of
distinguishing between these!) Can an intruder observe what events take place before
and after refusals? Same range of non-determinism, but very different
probabilistic behavior
Recall Determinism: A process is A process is deterministicdeterministic if if 1.1. t^<a>t^<a>∈∈tracetrace(P) ⇒ (t,{a})∉(P) ⇒ (t,{a})∉failure(P)failure(P)
2.2. divergence(P) ={}divergence(P) ={}
5151
Determinism - 2 The Intuitive Idea:The Intuitive Idea: I way to leak information from
UH to UL via using the process P is to behave differently towards UL depending on what UH does. Appears as if UH resolves non-determinism for UL to notice and observe!
Theorem 1:Theorem 1: 1. P\H is deterministic ⇒ ℰℰtrINVtrINVLL(P), (P), ℰℰfdINVfdINVLL(P)(P)
2.2. P|||P|||RUNH deterministic ⇒ ℒtrINVℒtrINVLL(P)(P), ℒfdINVℒfdINVLL(P)(P)
Theorem 2:Theorem 2:1.1. P deterministic, P\H divergence free, P deterministic, P\H divergence free, ℰℰtrINVtrINVLL(P) (P)
⇒ P\H is deterministic
2.2. P deterministic, P deterministic, ℰℰtrINVtrINVLL(P) (P) ⇒ P|||P|||RUNH deterministic
5252
Eager, Lazy, Strong Independence Say that P is eagerly independent,
ℰINDL(P) if P\H is deterministic w.r.t L.
Say that P is lazily independent, ℒINDL(P) if P|||RUNH is deterministic w.r.t. L.
Say P is strongly independent, SINDL(P) if (P|||CHAOSH)\H is deterministic where CHAOSA ≡ STOP Π (?x:A → CHAOSA)
Theorem: A process satisfies SINDL(P) iff it satisfy ℰINDL(P) and ℒINDL(P)
5353
Delay-able H actions and Signals-1
P6 ≡ w → y → P6 □ x → z → P6 □ a → c → P6 □ b → d → P6
if UL cannot communicate with P6, then UL knows that UH has communicated with P6
What if {c, d} are signals – such as output communications whose refusals are not observable before it occurs.
The process is secure! But need to make a distinction between the two kinds of H signals. So H=(D,S)
5454
Delay-able H actions and Signals-2
Divide H into two parts D = delay-ableS = signals (like output)
Mixed conditionsMixed eager invariance MINVL
(D,S)(P) holds if tr,tr’∈Traces(P) /\ tr↾L= tr’↾L (P/tr)\S ||| RUND = (P/tr’)\S ||| RUND
Mixed independence MINDL(D,S)(P) holds if (P\
S) ||| RUND is deterministic
5555
Properties of H=(D,S)
MINDL(D,S)(P) ⇒ MINVL
(D,S)(P) If P is deterministic and P\D is divergence-
free then MINVL(D,S)(P) ⇒ MINDL
(D,S)(P)
5656
Abstract Models of UH - 1
CHAOSA ≡ STOP Π (?x:A → CHAOSA)
CHAOSA is the most non-deterministic UH
All determinism properties can be specified as (P||H U)\H for some U (for eg U = RUNH)
The lazy specifications do not forbid infinite runs of H actions, requiring a different semantics (F,D,I) for CSP
5757
Abstract Models of UH -2
Can choose finite traces by defining a new process FINITEA ≡ Π{Qn | n∈ℕ} with Qn ≡ STOP, and Qn+1 ≡ a: → Qn
FINITEA is a user process U for lazy conditions
Theorem: P satisfyℰINDL(P) iff (P||H FINITEH)\H is deterministicMINDL
(D,S)(P) iff (P||(RUNS||| FINITED)\(DUS) is deterministic
5858
Modeling non-interference
Example: An email system where UH can send mail to UL.
Referred to as conditional non-interferenceGeneral approach: Finite traces of U are H*
Show that if UH communicates within H* no information leaks to UL.
UH can delay only refusalsU is divergent free
5959
A Timed Version
Ht = H U {tock}, Lt = L U {tock}, t = Ht U Lt Events are D (delayable) or S (signals)Maximal Progress Assumption: No tock
occurs when is presentP is timed-deterministic iff ∀s∈t*∀a∈t (s,
{a})∉failures(P) ⇒ s^<a>∈traces(P)P is timed-lazy independent T-L-Ind(P)
iff a∈Lts,s’∈traces(P)/\ s↾Lt= s’↾Lt ⇒ [ (s,{a})∈failures(P) ⇔ (P/s’)o∩{a}={} ]
6060
Timed Abstractions Example:Example: Let H={d} and L={l} and
P ≡ tock → Q □ d → TOCKS Q ≡ tock → Q □ d → l → TOCKS, TOCKS ≡ tock →
TOCKS and CHAOSH ≡ STOP Π (?x:H → CHAOSH) P is not secure because UL can find out when d
occurs by observing l. Un-timed lazy abstraction (P||HCHAOSH)\H=
TOCKS If P↝Q is allowed then the STOP branch of ChaosH
is blocks d and therefore does not change state CHAOSH need to be redefined!
6161
Defining CHAOST
Define a timed version that changes its mind when time passes (tn is a new event)
CHAOST(D) ≡ CHOAST’(D) \ {tn}CHAOST’(D) ≡ ?x:D → CHAOST’(D) ٱٱ
tn → tock → CHAOST’(D) Timed-Lazy abstraction:Timed-Lazy abstraction:
ℒℒtHtH(P)(P) ≡ (P||≡ (P||HHttCHAOSTCHAOSTHH) \ H) \ H
Timed-Mixed abstraction:Timed-Mixed abstraction: MMSStHtH(P)(P)≡≡ℒℒtHtH(P\S)(P\S)
Note: D and S are delayable and signal events
6262
Time Consistency Check
TOCKS ⊑ (P ||DU{tock} CHAOST(D))\ It means that when P is synchronized
with CHOST(D) on events in D U {tock}, only the tock events remain other than those from .
This can check if the timed behavior is consistent
6363
Some Properties
TheoremTheorem
1.1. ℒℒtHtH(P) is time deterministic iff T-L-Ind(P)(P) is time deterministic iff T-L-Ind(P)2.2. Suppose P and Q are processes with Suppose P and Q are processes with
Alphabets A and B. If P and Q are T-L-Alphabets A and B. If P and Q are T-L-Independent then so is P Independent then so is P AA||||BB Q Q
Separability:Separability: 1.1. A process P is separable iff it is a parallel A process P is separable iff it is a parallel
composition of sub-processes A and B composition of sub-processes A and B with disjoint alphabetswith disjoint alphabets
2.2. In the timed world, A and B can In the timed world, A and B can synchronize on synchronize on tocktock
6464
Time Separability - 1
Definition:Definition: Suppose P is process whose non-tock alphabet is partitioned into disjoint subsets H and L. P is time-separable w.r.t {H,L} if there are processes PH and PL with TCC(PH) /\ TCC(PL) satisfying [here TCC=time
consistency check] PH=Ht /\ PL=Lt
P= PH ||{tock} PL Note:Note: equivalence to a structurally secure
process may conceal insecurities. Does not exclude information flow
6565
Time Separability - 2 Definition:Definition: Suppose P is process whose non-
tock alphabet is partitioned into disjoint subsets H and L. P is strongly time-separable w.r.t {H,L} if there are time-deterministic processes PH and PL with [here TCC=time consistency check] TCC(PH) /\ TCC(PL) PH=Ht /\ PL=Lt
P= PH ||{tock} PL Theorem:Theorem: P is strongly time separable w.r.t.
{H,L} iff T-H-Ind(P) and T-L-Ind(P) Definition:Definition: A process P/H has H labels removed
from the LTS. That is, P/H ≡ P ||H STOP
6666
Local non-interferenceLocal non-interference: Low level users
cannot tell the difference between states linked by high level action
R ⊆ Proc X Proc is a weak-bisimulation ≈t iff x∀ ∈Σt,, R(p,q)p⇒x p’, ⇒ q’ q⇒x q’ and R(p’,q’)⇒q⇒x q’, ⇒ p’ p⇒x p’ and R(p’,q’)⇒
P
Q
P’
Q’
X
X
R R
P
Q
P’
Q’
R R
X
X
6767
Timed local non-interference - 1
P satisfies timed strong local non-interference written tSLNIL(P) if for states s1,s2 and h∈H s⇒h s⇒ 1, then s/H ≈t s1/H
P satisfies timed local non-interference written tLNIL(P) if s⇒h s⇒ 1, s⇒h s⇒ 2, …. s⇒h s⇒ n is a complete list of H transforms, then s/H ≈t Π si/H
S
S1/HS1 without
H links
S1h
S/HS without
H links
S/HS without
H links
any low action X
S1/HS1 without
H links
same low action X
6868
Timed local non-interference - 2
P satisfies timed strong FD local non-interference written tFDSLNIL(P) if for all states s1,s2 and all h∈H s⇒h s⇒ 1, then s/H =FD s1/H
P satisfies timed FD local non-interference written tFDLNIL(P) if s⇒h s⇒ 1, s⇒h s⇒ 2, …. s⇒h s⇒ n is a complete list of H transforms, then s/H =FD Π si/H
SS1/H
S1 without H links
S1hS/H
S without H links
same FD semantics
6969
A Theorem
If P does not diverge, then the following are equivalent
tSLNIL(P)
tLNIL(P)
tFDSLNIL(P)
tFDLNIL(P) T-L-Ind(P)
7070
Time-delayed local non-interference-1 S={s1,s2}, L={l1,l2} P≡ s1→tock →l1 → P Q≡ s1→tock→l1→Qٱ s2→tock→l1→Q R≡ s1→tock→l1→R ٱ s2→tock→l2→R For P, UL knows that s1 takes place – not a secret For Q, UL knows that an H event happens, but he
cannot discern which one – want this to be secure For R, UH resolves the non-determinism and UL
knows the choice. But S events are not chosen by UH, but by the environment
P, Q, R do not satisfy the timed local non-interference conditions – need mixed conditions
7171
Time-delayed local non-interference-2
P is said to satisfyTime-delayed strong local non-interference
tDSLNIL(P) if tDSLNIL(P\S) holdsTime-delayed local non-interference
tDLNIL(P) if tDLNIL(P\S) holdsTime-delayed strong FD local non-
interference tDSLNIFDL(P) if tDSLNIFD
L(P\S) holds
Time-delayed FD local non-interference tDLNIFD
L(P) if tDLNIFDL(P\S) holds
7272
Another Theorem
If P does not diverge and (P\S)/H is timed deterministic. Then the following are equivalent
tDSLNIL(P)
tDLNIL(P)
tDSLNIFDL(P)
tDLNIFDL(P)
7373
A Case StudyWill show A timed implementation of a secure un-timed
process may be insecure Developed conditions helps design a secure timed implementation.
Example: 2 users UL, UH and 1 file in the system.
UH reads and UL writes, so information flow: L⇒H Both must request before access UL can write between UH reads in order to make
fresh information available to UH
7474
Case Study: the un-timed version
Sys ≡ reqH → Sys1ٱ reqL→ writeL→ Sys1Sys1 ≡ reqH → Sysٱ reqL→ writeL→ Sys1The system is L-ind and SLNI (i.e. strong
non-local non-interference) secureAdding time: (assumptions)
All actions need one unit of timeA low level request following a high level
request takes an extra time unit.The system may idle until a request is
made.
7575
Case Study: adding time
Sys ≡ tock → sys ٱ reqH → Sys1ٱ reqL→ tock → writeL→ tock → Sys1
Sys1 ≡ tock → ( readH → tock → Sys (reqL→tock→tock→writeL→tock→Sys1 ٱ
UL can notice the existence of 2 tocks between reqL→ and writeL ⇦ leaks!
In state Sys, UL can communicate reqL and not in state Sys1 ⇦ can distinguish using failure semantics!
7676tock
tock
tock
tock
tock
tock
tock
tock
readH reqH
writeL
reqL
reqLwriteL
tock
tock
tock
tock
tock
tocktock
tock
tock
readHreqH
reqL
reqL
writeL
writeL
Sys1
Sys
Q1
Q6
Q5Q4
Q3
Q2
P2
P1
P6
P5P3
P4
The Original Timed VersionThe Original Timed Version The tDSLNIThe tDSLNILL Secure Version Secure Version
7777
A tDSLNIL secure version
readyH is a response to reqH.
Hence S={readyH}, D={reqH}.
Use R to ensure Sys\S/H ≈t Sys1\S/HR={(X\S/H,Y\S/H)| (X,Y)∈R’} whereR’={(Sys,Sys1),(P1,Sys),(Sys,Q1),
(P2,Sys1), (P3,Q1),(P4,Q3),(P5,Q4),(P6,Q5),(Sys,Q6), (P1,Q6),(P2,Q6),(P1,Q2),(P3,Q2),(P3,Sys), (P3,P1), (P3,P2),(P3,P3)