Non-interference Properties for Probabilistic Processes

Non-interference Properties for Probabilistic Processes A Process Algebraic Approach Alessandro Aldini joint work with Mario Bravetti and Roberto Gorrieri

Outline • Information flow analysis • A nondeterministic calculus • Non-interference for nondeterministic processes • A probabilistic calculus • Non-interference for probabilistic processes • Non-interference and probabilities

Formal methods and security • Motivation: • The Internet provides support for the transmission of data over communication networks, but is not designed with the goal of avoiding unauthorized disclosure of such data. • Cryptography is the solution, but… • imported code • mobile agents • malicious non-authenticated accesses • … raise a supplementary, increasing demand for security in computer networks.

Formal methods and security • Formal techniques may help to: • prevent security holes, • provide a generalized, easily verifiable notion of security. Here, we concentrate on the security analysis of information flow in systems and, more precisely, how to characterize the absence of any insecure flow, by applying the classical idea of non-interference.

Non-interference Non-interference checks the absence of information flows through the system, in terms of confidential, high level information illegally revealed to someone without the related access right.

Non-interference • The users of the system are partitioned into high level users and low level users. • High and low users interact with the system through separate interfaces. • Low user cannot directly observe what high users do. • Low users know the exact, complete design of the system, including the high interface. • users interact with the system through input actions (guided by the users) and output actions (guided by the system).

System ? information flow The interactions of low users with the system should not be affected by the behavior of high users [Gougen & Meseguer ’82] Non-interference Low interface High interface HIGH USERS LOW USERS

1 Direct information flow Low user High user System var X = 0 read x read x write x := 1 A high value is directly communicated from the high user to the low user!

Indirect information flow Non-interference seeks to capture also covert channels (indirect information flows from high level to low level) EXAMPLE Sharing of resources (e.g. memory devices). High user Low user shared memory create public file data.txt create private file data.txt data.txt FAIL!

Non-interference: an example High level activity a, b, c: low level activities h a P c b Information flow from H to L!

Non-interference Information flow analysis in process algebras: [Jacob’88, Ryan’91, Focardi & Gorrieri’95, Roscoe’95, Ryan & Schneider’99] • Information flow is analyzed by considering the possibilistic behavior of the system, i.e. what events are possible. • Further aspects are not considered, such as the timing of actions and the probability distribution of events.

Non-interference • In this talk, we take into consideration the influence of the high level behavior upon the probability distribution of the observable, low level events. • The motivation is twofold: • probabilistic covert channels may occur which are not observable in a purely nondeterministic setting; • a quantitative estimate of the information flowing through the system may be given.

Probability & non-interference (1) The frequency of the possible low outcomes derived from several execution runs of the system may change depending on the interaction of the high user with the system. [Gray’92, Sabelfeld & Sands’99, Hankin et al.’00]

1 1 3 2 1 2 2 3 Probability & non-interference (1) High level activity a, b: low level activities h a P b Information flow from H to L!

Probability & non-interference (2) Interactions of high users with the system which affect the interactions of low users may occur with a negligible probability. In such a case, the illegal information flow can be tolerated by the users of the system. [Hankin et al.’02]

a 1 b e Probability & non-interference (2) High level activity a, b: low level activities h - e P Information flow from H to L… quite negligible!

A non-deterministic process algebra • Actions are divided into: • a set I of input actions a* , b* , … • a set O of output actions a, b, … Act = I U O U {t} • Visible action types are partitioned into two disjoint sets: • ATypeL of low level types • ATypeHof high level types AType = ATypeHU ATypeL U {t}

0 P P S Syntax P A P : p.P P + P L where S, L are in P (AType – {t}).

0 0 P P S Syntax P A P : p.P P + P L Null term, denoting a terminated or deadlocked term.

0 P P P S Syntax A P : p.P P + P L p.P Prefix operator: executes action p and then behaves as term P (p is an output action, an input action, or an internal action t).

0 P A P : p.P P + P P P S Syntax L P + Q Alternative choice operator: expresses a non-deterministic choice between a term P and a term Q (CCS-style)

0 P A P : p.P P + P Q P P P S S Syntax L Parallel composition operator: expresses the concurrent execution of processes P and Q (CSP-style)

0 P A P : p.P P + P P P S Syntax L P L Hiding operator: turns the visible action with type in L into internal t actions

0 P P S Syntax P A P : p.P P + P L A Constants are used to define recursive terms A = P

Q P S : synchronization policy a is in S: a* a* .P .Q P Q a* S S a .P .Q P Q a a* S S .P .Q a a S

Q P S : synchronization policy a is in S: ((a* .P .P’) .P’’) .Q a* a* a S S S Q broadcasts the output action a, while all the other processes synchronize on the input action a* (asymmetric multiway synchronization) a (( P P’) P’’) Q S S S

0 P L Restriction The synchronization rule can also express the restriction of actions. a* EXAMPLE .P .Q c (with a = c and a in S) In S the action a*, constrained to synchronize, cannot be executed! P to stand for We use L which cannot execute the actions of P with type in L.

Equivalence • We use equivalence checking to express security properties: a system S is secure if two subsystems, suitably derived from S and from the security definition, are equivalent. • We need a notion of equivalence to relate terms which behave the same from the viewpoint of an external observer. • Since t actions cannot be seen by any external observer, and since the definition of security properties focuses on observable behaviors, we use a notion of equivalence which abstracts from internal actions: weak bisimulation equivalence.

p Equivalence Note: G denotes the set of processes of the calculus p means that a p labeled transitions occurs means that a p labeled transition (with p visible action) occurs possibly preceded and followed by a sequence of internal t transitions t means that zero or more t labeled transitions occur

Weak bisimulation: B • A relation R in G x G is a weak bisimulation iff (P,Q) in R implies for all p in Act: • whenever P P’, then there exists Q’ such that • Q Q’ and (P’,Q’) in R • whenever Q Q’, then there exists P’ such that • P P’ and (P’,Q’) in R p p p p [Milner’89]

Nondeterministic security properties • We rephrase in the context of our nondeterministic calculus some of the security properties defined in [Focardi & Gorrieri’95].

0 + h.b. 0 a. Low user standpoint: High user does not interact High user interacts t a a b

Nondeterministic Non-interference(int) Intuition: a system P is secure iff the behavior of P observable by a low user does not depend on the high interactions. P P Formally: ATypeH ATypeH B For each low behavior observable when the high user does not interact with the system, we have an equivalent low behavior observable when the high user executes high actions, and viceversa.

0 0 0 0 0 0 Examples Low user viewpoint without high interactions with high interactions t.b. + 0 a. a. + h.b. 0 a. B + h. 0 t. a. + 0 a. a. B

0 0 0 0 Examples Low user viewpoint without high interactions with high interactions + h.a. 0 t.a. a. + 0 a. a. B a a P = a.Q t B Q = h.Q + b. b b

0 0 ? + h.h.a. a. Low user standpoint: High user does not interact High user interacts t t a a a Nondeterministic non-interference is not enough!

Nondeducibility on Composition(comp) Intuition: a system P is secure iff the behavior of P observable by a low user is invariant with respect to the interaction of any high user. Formally: ( ( ) ) P P P S ATypeH B ATypeH S for any: high process P and high communication interface S

0 0 0 0 Example interacting with without high interactions + h.h.a. a. h* . 0 h* + h.h.a. 0 ) a. (a. . 0 B h t a a B

0 0 0 + h.a. + b. t.a. Low user standpoint: High user does not interact High user interacts …but the event b informs the low user that the high user did not interact t a b Nondeducibility on Composition is not enough!

Strong Nondeducibility on Composition (scomp) Intuition: the low user should not distinguish which, if any, high level event has occurred at some point in the past. Formally: For any P1derivative of P and for any P2 s.t. p P1 P2 p high action we have P1 P2 ATypeH ATypeH B

0 0 0 0 0 0 0 Example (1) P + h.a. + b. t.a. = h a. P P + b. t.a. a. ATypeH = B P is not scomp-secure

0 0 0 0 0 0 0 0 Example (2) h,k: high k* h* + .b. t.b. + .a. + t.a. a,b: low after a high interaction with action h: a. B t.a. t.b. without high interactions: + B after a high interaction with action k: b.

Inclusion relations int comp scomp

0 P P S A probabilistic process algebra • algebraic operators are enriched with probabilistic information: • a mixture of the classical generative and reactive models of probability is adopted. p p p P A P : p.P P + P a S in P (AType - {t}), a in AType - {t}, and p in ]0,1[

1 2 3 3 Input actions as reactive actions The type a of the action to be performed is chosen by the environment. The system chooses an action a* according to the probability distribution associated to the input actions of type a. • Transitions are divided into type bundles • The choice within a bundle is purely probabilistic • The choice among bundles is nondeterministic (guided by the environment) • The sum of the probabilities within a bundle is to be 1 a* 1 b* b* P Q

1 1 1 3 2 6 Output (and internal) actions as generative actions • The system autonomously decides the action to be performed according to the probability distribution associated to the enabled output actions. a • Transitions are grouped in a single bundle • The sum of the probabilities within the bundle is to be 1 b b

2 1 1 1 1 6 3 3 3 2 A mixed generative/reactive model • A single generative bundle contains all the output transitions which can be executed by the system. • We have several reactive bundles, one for each action type. reactive bundle b b* c* 1 b* a generative bundle b b [Segala’95, Stark et al.’97]

Non-interference Properties for Probabilistic Processes

Non-interference Properties for Probabilistic Processes

Presentation Transcript

Covert Channels Non-interference and Policy Composition

Probabilistic Histograms for Probabilistic Data

Retrofit of Non-Domestic Properties

Interference

Designing for Non-Functional Properties

Non-Parametric Methods for Mitigating Interference in OFDM Receivers

Designing Non-Functional Properties

Non-traditional Machining Processes

Non-Arc Welding Processes Continued

Interference From Non-Aeronautical Systems European Views

Metrics for real time probabilistic processes

Approximate reasoning for probabilistic real-time processes

Ensuring Non-Functional Properties

TECH 320 – Non-Metallic Processes

Distributed Interference Alignment for MIMO Interference Networks

Radiation: Processes and Properties Surface Radiative Properties

Dynamical Systems, Stochastic Processes, and Probabilistic Robotics

Non-Arc Welding Processes

Non-Traditional Manufacturing Processes

Non-diffusive transport processes