Keywords

1 Introduction

An information system is usually composed of trusted and untrusted components. Therefore, it is crucial to protect information from flowing from trusted components (with a high security level) to untrusted components (with a low security level) so as to maintain the confidentiality of the trusted components. Among the different technologies applied, “noninterference” is one of the most important approaches to achieving this requirement. Informally, noninterference addresses an information-flow attack, in which an adversary obtains secrets that he is not authorized to occupy, by observing the running of an information system and making subtle deductions.

The first definition of noninterference was given by Goguen and Meseguer [1], who presented the formalization of an information flow and its causal relationships in the context of transitive information flow policies. However, it was subsequently noted that transitive policies are insufficient to characterize system architectures, and intransitive policies have often been required. For example, consider a security system with three processes, i.e., \( P_{1} \) receives a plaintext from a keyboard, \( P_{2} \) encrypts the information coming from \( P_{1} \), and \( P_{3} \) sends the encrypted information to the network. In this case, the high-level domain (\( P_{1} \)) apparently cannot directly interfere with the low-level domain (\( P_{3} \)); otherwise, confidential information would be leaked. To address this issue, an intermediate downgrader (\( P_{2} \)) is needed. Information is permitted to first flow from the high-level domain to the downgrader domain, and then from the downgrader domain to the low-level domain (\( P_{1} \, { \rightsquigarrow } \, P_{2} \wedge P_{2} \, { \rightsquigarrow } \, P_{3} \)), but not directly from the high-level domain to the low-level domain (), thereby motivating the use of intransitive policies.

Although Haigh and Young introduced a formal model for intransitive policies in [2], their formalization was found questionable [3]. Rushby [3] then presented the first perfect formalization by refining Haigh and Young’s work. Note that it is essential to establish verification techniques to guarantee that a designed system indeed satisfies noninterference, and thus, Rushby introduced the “unwinding theorem” in [3]. “Unwinding technology” was the first effort at building a theoretical base for verification of the noninterference property, but it requires significant human ingenuity to define the unwinding relations between security domains. Engineers apparently prefer fully automated verification techniques, rather than techniques requiring highly specialized expertise. After Rushby, another breakthrough was the work of Hadj-Alouane et al. [4], who were the first to propose a necessary and sufficient condition -based noninterference verification algorithm. Nevertheless, the time complexity of their algorithm is the double exponential \( O(2^{{|S|*2^{|D|} }} ) \), which is too high for practical use. In 2011, Eggert et al. investigated the time- and space-complexities of several noninterference definitions, including P-Security (Transitive-Policy Security), IP-Security (Intransitive-Policy Security), TA-Security, and TO-Security [5]. However, they merely analyzed the time- and space-complexities without presenting any detailed algorithms. More importantly, their definition of IP-Security was actually different from that of Rushby. Specifically, Eggert et al. focused on the occurrences of high-level actions and their order of occurrence [5], whereas Rushby focused on the system states and their equivalence relations on the security domains [3]. Therefore, although Eggert et al. claimed that IP-Security can be verified in polynomial time [5], it is still unknown of time- and space-complexity boundaries for Rushby’s definition of intransitive noninterference.

Actually, to date, significantly few studies have been conducted on automated verification techniques for the intransitive noninterference property [5], and constructing a practical and automated algorithm for verifying the intransitive noninterference property remains an open problem. This paper attempts to address the above issues, and our contributions are as follows:

  1. (1)

    We propose a necessary and sufficient condition of intransitive noninterference based on the state-equivalence relation of two automata in a recursive manner.

To the best of our knowledge, we are the first to propose the recursive form of necessary and sufficient condition of intransitive noninterference.

  1. (2)

    We present an automated noninterference verification algorithm.

The time complexity of our algorithm is the best among existing studies. Moreover, if a verification fails, our algorithm can precisely point out the exact reason why the system does not satisfy noninterference, which is helpful for security-bug repairs.

2 Problem Statement

For a clearer understanding, herein we use an example to state the problem at hand.

In a noninterference model, there are two key elements: an automaton modeling an information system M whose security is to be investigated, as well as interference/noninterference relations (also equivalently called security policies) indicating how information is allowed to flow between security domains within M [3].

With respect to the automaton, a noninterference model does not specify how an information system M should be modeled an as an automaton (in fact, there are many standard methods, and researchers can choose whatever method they want), but simply assumes the automaton has been obtained. Without loss of generality, suppose Fig. 1 is the automaton that M is modeled as. In Fig. 1, \( s_{0} \) (oval rectangle) is the initial state, \( s_{1} ,s_{2} , \ldots ,s_{12} \) (single circles) are the intermediate states, and \( s_{f0} ,s_{f1} , \ldots ,s_{f4} \) (double circles) are the terminal states. The directed arrows between states indicate how the system transforms from one state into another, and the letters over the directed arrows, i.e., \( a,b, \ldots ,g \), are the actions that trigger the state transformations.

Fig. 1.
figure 1

The automaton of information system M

Full size image

With respect to the interference/noninterference relations (i.e., security policies), they determine how information can flow between security domains within M. Without loss of generality, suppose the interference relations are \( u_{a} { \rightsquigarrow }u_{b} { \rightsquigarrow }u_{c} { \rightsquigarrow }u_{d} { \rightsquigarrow }w \), \( u_{e} { \rightsquigarrow }u_{c} { \rightsquigarrow }u_{f} { \rightsquigarrow }w \), and \( u_{g} { \rightsquigarrow }w \). Any other two security domains are of noninterference with each other except for the above interference relations. The meaning of security policies is straightforward, for example, \( u_{e} { \rightsquigarrow }u_{c} { \rightsquigarrow }u_{f} { \rightsquigarrow }w \) means that information can flow starting from \( u_{e} \), in turn passing through \( u_{c} \) and \( u_{f} \), and finally ending at \( w \). Figure 2 shows the security policies.

Fig. 2.
figure 2

Intransitive security policies

Full size image

In a noninterference model, any action must belong to a security domain. Therefore, in Fig. 2 we use \( u_{k(k = a,b, \ldots ,g)} \) to refer to the security domain that action \( k \) belongs to. Note that \( w \) in Fig. 2 is a special security domain, because from \( w \) Low-lever observers (i.e., attackers) can issue actions to observe results of paired-runs of M (specifically, one is the actual run, the other is the ideal run under the protection of security policies. see definition 11), try to find differences between the paired-runs, and thereby deduce something that they are not authorized to know. Hence, in order to prevent Low-level observers from learning anything confidential from the information flowing to \( w \), we must ensure that Low-level observers cannot observe any difference between paired-runs of M, no matter how they observe M (by choosing actions from \( w \)). This is the nature of noninterference, and the formal definition please refer to definition 10.

Now the challenge is, if given the automaton and security policies (for example, akin to Figs. 1 and 2) of an information system M, how can we determine whether M is secure (i.e., no confidential information is leaked to Low-lever observers) in an automated and efficient way? Unfortunately, however, this is still an open problem thus far.

In the following, we will present our approach to address this issue.

3 Basic Definitions of Noninterference

Note that a transitive policy is simply a special case of an intransitive policy [3], and we hereafter refer to intransitive policy-based noninterference as simply “noninterference.”

Definition 1.

A system (or machine) M consists of the following: (1) a set \( S \) of states, where \( s_{0} \in S \) is the sole initial state; (2) a set \( A \) of actions, where actions could be “inputs,” “commands,” or “instructions” to be performed by M; (3) a set \( B \) of behaviors, where behaviors are sequences of actions concatenated by \( \circ \); (4) a set \( O \) of outputs, where \( O \) is composed of all storage locations that can be observed by users; (5) a set \( D \) of domains, where \( D \) comprises all security domains in M; (6) a function \( dom:A \to D \), which returns the domain that an action \( a \in A \) is associated with, where each action \( a \) belongs only to a unique domain \( dom(a) \); (7) a function \( step:S \times A \to S \), which describes how M transforms from the pre-state \( s_{i} \in S \), after performing an action \( a \), to the post-state \( s_{i + 1} \in S \); (8) a function \( behcon:S \times A \to O \), which returns outputs when using an action \( a \) to observe M in a state \( s \); (9) a function \( exec:S \times B \to S \), which describes how M transforms from the pre-state \( s_{i} \), after performing a behavior \( \alpha = a_{i} \circ \ldots \circ a_{j} \in B \), to the post-state \( s_{j} \). If we use \( \Lambda \) to denote an empty behavior, \( exec \) can be defined in a right recursive manner, i.e.,\( \left\{ {\begin{array}{*{20}l} {\;\;\;exec(s,\Lambda )\; = \;s,} \hfill \\ {exec(s,a \circ \alpha ) = \;exec(step(s,a),\alpha )} \hfill \\ \end{array} } \right. \); (10) direct interference relation \( { \rightsquigarrow } \) and direct noninterference relation . \( { \rightsquigarrow } \) and are two complement relations, where \( p{ \rightsquigarrow }q \) denotes information can directly flow from domain \( p \) to domain \( q \), whereas denotes information cannot directly flow from \( p \) to \( q \); (11) Indirect interference relation \( \mathop { \rightsquigarrow }\limits^{ \approx } \). In practice, we sometimes encounter the situation that information can not directly flow from \( p \) to \( q \), but indirectly flow from \( p \) to \( q \). With respect to this situation, we say \( p\mathop { \rightsquigarrow }\limits^{ \approx } q \) . For example, consider a scenario where a confidential military plan is sent out over a network. The standard workflow is, firstly, the military plan is input through a keyboard (domain \( u_{m} \)), then the plaintext of the plan is encrypted by an encryption machine (domain \( u_{e} \)), and finally the encrypted plan is sent out over a network (domain \( u_{n} \)). The military plan must not be sent out over the network without being encrypted. Therefore, the security policies of the above scenario is . In this scenario, though information cannot directly flow from \( u_{m} \) to \( u_{n} \) (), it can still indirectly flow to \( u_{n} \) via the intermediate downgrader \( u_{e} \) (\( u_{m} { \rightsquigarrow }u_{e} { \rightsquigarrow }u_{n} \)). Formally, for \( \mathop { \rightsquigarrow }\limits^{ \approx } \) we have: .

In general, we use letters \( \ldots s,t, \ldots \) to denote states, letters \( a,b,c, \ldots \) to denote actions, and Greek letters \( \alpha ,\beta , \ldots \) to denote behaviors.

To depict a system state, internal structures are needed. Definition 2 introduces the notations of structured state.

Definition 2.

A machine M has a structured state if the following exist: (1) a set \( N \) of names that comprises all of the object names; (2) a set \( V \) of values; (3) a content function \( contents:S \times N \to V \), which returns the value \( v \in V \) of object \( n \in N \) in the system state \( s \); (4) an observation function \( observe:D \to {\mathcal{P}}(N) \) and an alteration function \( alter:D \to {\mathcal{P}}(N) \), which return object names that can be observed and altered, respectively, where \( {\mathcal{P}} \) denotes a power set.

Definition 3.

Reference Monitor Assumptions (RMAs). An access control policy is enforced accurately if the following three conditions are satisfied. Note that in this paper, we follow [3] to use \( \supset \) instead of \( \to \) to denote an implication.

  • Rule 1: Two states \( s \) and \( t \) are said to satisfy the state-equivalence relation \( \mathop \sim\limits^{u} \) if and only if their object names are observed to have identical values. Formally,

    $$ s\mathop \sim\limits^{u} t\; \, {\mathbf{iff}} \, \forall n \in observe(u). \, contents(s,n) = contents(t,n). $$

  • Rule 2: When an action \( a \) transforms the system from a pre-state to a post-state, the new value of every changed object must depend solely on the values that can be observed by domain \( dom(a) \). Formally,

    $$ s\mathop \sim\limits^{dom(a)} t\; \wedge \left[ {contents(step(s,a),n) \ne contents(s,n) \vee contents(step(t,a),n) \ne contents(t,n)} \right] $$
    $$ \supset \;contents(step(s,a),n) = contents(step(t,a),n) $$

  • Rule 3: \( dom(a) \) must be authorized the alter access before an action \( a \) can change the value of an object \( n \). Formally,

    $$ contents(step(s,a),n)\not = contents(s,n) \supset n \in alter(dom(a)). $$

Definition 4.

output consistent and step consistent.

output consistent: \( s\mathop \sim\limits^{dom(a)} t \supset behcon(s,a) = behcon(t,a) \),

step consistent: \( s\mathop \sim\limits^{u} t \supset step(s,a)\mathop \sim\limits^{u} step(t,a) \).

Definition 5.

Interference Source set and function \( IS:B \times D \to {\mathcal{P}}(D) \), where \( {\mathcal{P}} \) is the power set. \( IS \) can be formally defined in a right recursive manner, i.e., \( IS(\Lambda ,w) = \{ w\} \), where \( \Lambda \) is the empty sequence, and

$$ IS(a \circ \alpha ,w) = \left\{ {\begin{array}{*{20}l} {\{ dom(a)\} \cup IS(\alpha ,w)} \hfill & {\,{\mathbf{if}}\,\,\,\,\,\,\,\exists v. \, v \in IS(\alpha ,w) \wedge \;dom(a){ \rightsquigarrow }v} \hfill \\ { \, IS(\alpha ,w)} \hfill & {{\mathbf{otherwise}}} \hfill \\ \end{array} } \right.. $$

Intuitively, \( IS \) returns all security domains that can directly or indirectly interfere with domain \( w \), so we call the resulting set \( IS(\alpha ,w) \)Interference Source set”.

Definition 6.

Function \( wexpected:B \times D \to B \). For any behavior \( \alpha \in B \), function \( wexpected \) maintains all actions whose domains can directly or indirectly interfere with domain \( w \), and meanwhile deletes all otherwise actions, thus forming an expected behavior. Formally, we have \( wexpected(\Lambda ,w) =\Lambda \), and

$$ wexpected(a \circ \alpha ,w) = \left\{ {\begin{array}{*{20}l} {a \circ wexpected(\alpha ,w)} \hfill & {{\mathbf{if}}\,\,\,\,\,\,\,dom(a) \in IS(a \circ \alpha ,w)} \hfill \\ {\Lambda \circ wexpected(\alpha ,w) \, } \hfill & {{\mathbf{otherwise}}} \hfill \\ \end{array} } \right. $$

Definition 7.

Domain set equivalence relation \( \mathop \approx \limits^{C} \). \( s\mathop \approx \limits^{C} t \, \;{\mathbf{iff}} \, \;\forall u \in C. \, s\mathop \sim\limits^{u} t \).

Definition 8.

Weakly step consistent. Formally,

$$ dom(a){ \rightsquigarrow }u \wedge s\mathop \sim\limits^{dom(a)} t \wedge s\mathop \sim\limits^{u} t \supset step(s,a)\mathop \sim\limits^{u} step(t,a). $$

Intuitively, when an action \( a \) interferes with a domain \( u \) (\( dom(a){ \rightsquigarrow }u \)), those names visible to \( u \) change in a way that depends on those same names, plus those names visible to \( dom(a) \). Since all of the aforementioned names have the identical values (\( s\mathop \sim\limits^{u} t \wedge s\mathop \sim\limits^{dom(a)} t \)), those names visible to \( u \) will be altered by \( a \) to the identical values as well, i.e., \( step(s,a)\mathop \sim\limits^{u} step(t,a) \) (By rule 1 of Definition 3).

Definition 9.

Locally respects \( { \rightsquigarrow } \). .

Intuitively, if the security domain that an action \( a \) belongs to is of noninterference with a domain \( u \)(), then action \( a \) does not alter any of names visible to \( u \), i.e., \( s\mathop \sim\limits^{u} step(s,a) \).

4 Automated Verification of Noninterference Property

Definition 10.

[3] A system M satisfies noninterference if and only if

$$ \forall \gamma \forall a. \, behcon(exec(s_{0} ,\gamma ),a) = behcon(exec(s_{0} ,wexpected(\gamma ,w)),a) $$
(1)

where \( \gamma \in B \), \( a \in A \), \( w = dom(a) \).

Rushby regarded the whole Eq. (1) as a automaton, and proposed the “unwinding theorem” by induction on the length of \( \gamma \). Different from Rushby, we regard the left and right sides of Eq. (1) as two automata, i.e., “EA” and “WEA” (see Definition 11), respectively. EA depicts the actual runs of M, and WEA depicts the ideal runs of M under the protection of security policies. Attackers observe the paired-runs of EA and WEA, and compare them (function \( behcon \) returns what attackers can observe) to find differences so as to deduce something that they are not allowed to know. If paired-runs of M are always indistinguishable, then attackers can learn nothing, and thus M is said to satisfy noninterference [3].

Note that Rushby pointed out that \( \gamma \) and \( a \) in Eq. (1) are read as universally quantified (Definition 2 of [3]), i.e., \( \forall \gamma \) and \( \forall a \). Here we need to simply explain the essence of “universally quantified”. Initially, we believe it is impossible in the real world to determine all possible attack actions issued by attackers. For example, taking the “Row Hammer” attack (shorted for “RH” hereafter) as an example, before the “RH” attack is discovered, what is the action \( a \) corresponding to “RH”? Specifically, since no one knows details of the “RH”, then no one knows how to alter the structured states of M (i.e., names, values, and so on, see Definition 2) so as to launch “RH”. In other words, the action \( a \) corresponding to “RH” cannot be constructed, which means \( a \) is in fact unknown to humans. More generally, any attack that has not yet been discovered by humans is not in the action set \( A \), even if these attacks do exist. Therefore, for \( \forall a \in A \), a is limited to attacks that have already been known to humans.

In the following, we present in detail how to automatically verify the noninterference property based on Eq. (1). For ease of understanding, we use Fig. 3, a simple automaton which has only one single behavior \( \alpha = a \circ b \circ c \circ b \circ d \), to explain intuitions of definitions in this section, before presenting our technology. Note that in reality, an automaton modeled from an information system M is far more complicated than the example in Fig. 3. However, Fig. 3 is sufficient to demonstrate the nature of noninterference and explain intuitions of our definitions. Without loss of generality, suppose in Fig. 3 the security policy is \( u_{a} { \rightsquigarrow }u_{b} { \rightsquigarrow }u_{c} { \rightsquigarrow }u_{d} { \rightsquigarrow }w \), and any other two security domains are of noninterference with each other except for the aforementioned interference relations.

Fig. 3.
figure 3

Example for the explanation of our technology

Full size image

In the following, we give intuitions of our technology based on Fig. 3.

  1. (1)

    Intuitions for EA and WEA.

In a noninterference model, an information system M is modeled as an automaton. This automaton corresponds to the left side of Eqs. (1), and describes the actual runs of M, hence we call it “EA (Equivalent Automaton, see definition 11)”.

For every behavior \( \alpha \) in EA, we can correspondingly calculate its theoretically expected behavior \( \beta = wexpected(\alpha ,w) \), thus forming another automaton. This automaton corresponds to the right side of Eq. (1), and describes the ideal runs of M under the protection of security policies, hence we call it “WEA(Weakly Equivalent Automaton, see definition 11)”.

For example, in Fig. 3, EA has a single behavior \( \alpha = a \circ b \circ c \circ b \circ d \). According to \( u_{a} { \rightsquigarrow }u_{b} { \rightsquigarrow }u_{c} { \rightsquigarrow }u_{d} { \rightsquigarrow }w \), we have \( \beta = wexpected(\alpha ,w) = a \circ b \circ c \circ\Lambda \circ d \) and obtain WEA.

  1. (2)

    Intuition for the nature of noninterference property.

Let us return to Eq. (1). Attackers perform an action \( a \) from \( w \) to observe the paired-runs of EA and WEA, trying to find differences so as to deduce confidential information. Consequently, as long as all names visible to \( w \) (i.e., visible to attackers) always have the same values in EA and WEA, then attackers can find nothing different. Furthermore, as we mentioned before, values of names visible to \( w \) change in a way that depends on those same names, plus names visible to domains that directly/indirectly interfere with \( w \). Note that EA and WEA start operations from the same initial state \( s_{0} = t_{0} \), and thus names visible to \( w \) must be identical in the initial state. Therefore, intuitively, as long as EA and WEA always guarantee values of names visible to domains that directly/indirectly interfere with \( w \) are identical (i.e., EA and WEA always maintain state-equivalence on domains that directly/indirectly interfere with \( w \), see Rule 1 of Definition 3), then values of names visible to \( w \) are sure to be always identical as well. In other words, what observed from EA and WEA by attackers are always the same, and thus nothing can be learned. M is secure. This is the intuition of Theorem 1, Detailed proof please refer to Lemmas 2, 3, and Theorem 1.

Let us go back to Fig. 3. We simulate the paired-runs of EA and WEA to illustrate the above intuition. The simulation consists of six steps.

(6.0) Initially, EA and WEA starts runs from the same initial state \( s_{0} = t_{0} \).

With respect to EA, calculate domains that in the future interference with \( w \). EA has a single behavior \( \alpha_{0} = \alpha = a \circ b \circ c \circ b \circ d \). According to \( u_{a} { \rightsquigarrow }u_{b} { \rightsquigarrow }u_{c} { \rightsquigarrow }u_{d} { \rightsquigarrow }w \) and the definition of \( IS \), we have \( IS(\alpha_{0} ,w) = \{ u_{a} ,u_{b} ,u_{c} ,u_{d} \} \), which contains all the domains that in the future interfere with \( w \). Since \( s_{0} = t_{0} \), then \( s_{0} \mathop \approx \limits^{{IS(\alpha_{0} ,w)}} t_{0} \).

(6.1) The EA performs an action \( a \) to transform its state from \( s_{0} \) to \( s_{1} = step(s_{0} ,a) \). Correspondingly, the WEA also performs the action \( a \) to transform its state from \( t_{0} \) to \( t_{1} = step(t_{0} ,a) \).

With respect to EA, the rest sub-behavior to be performed is \( \alpha_{1} = b \circ c \circ b \circ d \). Similarly, we can calculate \( IS(\alpha_{1} ,w) = \{ u_{b} ,u_{c} ,u_{d} \} \), which contains all the domains that in the future interfere with \( w \). Therefore, EA and WEA must maintain state equivalence on these domains, i.e., \( s_{1} \mathop \approx \limits^{{IS(\alpha_{1} ,w)}} t_{1} \), so as to protect the security of M.

(6.2) The EA performs an action \( b \) to transform its state from \( s_{1} \) to \( s_{2} = step(s_{1} ,b) \). Correspondingly, the WEA also performs the action \( b \) to transform its state from \( t_{1} \) to \( t_{2} = step(t_{1} ,b) \).

With respect to EA, the rest sub-behavior to perform is \( \alpha_{2} = c \circ b \circ d \). Similarly, we have \( IS(\alpha_{2} ,w) = \{ u_{c} ,u_{d} \} \) . Therefore, EA and WEA must maintain state equivalence on \( IS(\alpha_{2} ,w) \), i.e., \( s_{2} \mathop \approx \limits^{{IS(\alpha_{2} ,w)}} t_{2} \), so as to protect the security of M.

(6.3) The EA performs an action \( c \) to transform its state from \( s_{2} \) to \( s_{3} = step(s_{2} ,c) \). Correspondingly, the WEA also performs the action \( c \) to transform its state from \( t_{2} \) to \( t_{3} = step(t_{2} ,c) \).

With respect to EA, the rest sub-behavior to perform is \( \alpha_{3} = b \circ d \). Similarly, we have \( IS(\alpha_{3} ,w) = \{ u_{d} \} \). Therefore, EA and WEA must maintain state equivalence on \( IS(\alpha_{3} ,w) \), i.e., \( s_{3} \mathop \approx \limits^{{IS(\alpha_{3} ,w)}} t_{3} \), so as to protect the security of M.

(6.4) The EA performs an action \( b \) to transform its state from \( s_{3} \) to \( s_{4} = step(s_{3} ,b) \). Correspondingly, the WEA performs \( \Lambda \) to transform its state from \( t_{3} \) to \( t_{4} = step(t_{3} ,\Lambda ) = t_{3} \).

With respect to EA, the rest sub-behavior to perform is \( \alpha_{4} = d \) . Similarly, we have \( IS(\alpha_{4} ,w) = \{ u_{d} \} \). Therefore, EA and WEA must maintain state equivalence on \( IS(\alpha_{4} ,w) \), i.e., \( s_{4} \mathop \approx \limits^{{IS(\alpha_{4} ,w)}} t_{4} \), so as to protect the security of M.

(6.5) The EA performs an action \( d \) to transform its state from \( s_{4} \) to the final state \( s_{5} = step(s_{4} ,d) \). Correspondingly, the WEA performs \( d \) to transform its state from \( t_{4} \) to \( t_{5} = step(t_{4} ,d) \).

With respect to EA, the rest sub-behavior to perform is \( \alpha_{5} =\Lambda \). According to definition of \( IS \), we have \( IS(\alpha_{5} ,w) = \{ w\} \). Therefore, EA and WEA must maintain state equivalence on \( IS(\alpha_{5} ,w) \), i.e., \( s_{5} \mathop \approx \limits^{{IS(\alpha_{5} ,w)}} t_{5} \), so as to protect the security of M.

The simulation of paired-runs of EA and WEA ends. From the above simulation we can see that without loss of generality, suppose EA reaches any state \( s_{i} \), then WEA must correspondingly reach to a state \( t_{i} \). We call \( (s_{i} ,t_{i} ) \) the “paired-states”. Then an information system M is secure, if and only if for any paired-states \( (s_{i} ,t_{i} ) \), \( (s_{i} ,t_{i} ) \) maintains state-equivalence on domains that in the future directly/indirectly interfere with \( w \). This is the essence of Theorem 1.

Definition 11.

EA, WEA, and buddy automata. The left side of Eq. (1) can be abstracted as an automaton, which denotes how an information system M performs behavior \( \gamma \) and correspondingly transforms its states. We call this automaton the Equivalent Automaton (EA). Similarly, the right side of Eq. (1) can be abstracted as another automaton, which denotes how M, under the control of intransitive security policies, performs the expected behavior \( wexpected(\gamma ,dom(a)) \) and correspondingly transforms its states. We call this automaton the Weakly Equivalent Automaton (WEA). EA and WEA are collectively called the buddy automata.

We stress that our approach is not a bi-simulation analysis between EA and WEA, and give the detailed discussion in Sect. 7.

Lemma 1.

For any information system M, construct its EA and WEA. Then, for any behavior \( \alpha \) in EA, and the corresponding expected behavior \( \beta = wexpected(\alpha ,w) \) in WEA, we have \( IS(\alpha ,w) = IS(\beta ,w) \).

Proof.

We can prove \( IS(\alpha ,w) \subseteq IS(\beta ,w) \) and \( IS(\alpha ,w) \supseteq IS(\beta ,w) \) based on the definition of \( IS \) and \( wexpected \), and thus \( IS(\alpha ,w) = IS(\beta ,w) \).

Lemma 1 shows that for any information system M, any behavior \( \alpha \) in the EA (and correspondingly \( \beta = wexpected(\alpha ,w) \) in the WEA), \( \alpha \) and \( \beta \) must have the identical interference source set \( IS(\alpha ,w) = IS(\beta ,w) \). This is an important conclusion, because in the following we need to consider the state-equivalence relation between EA and WEA only on these identical set.

Definition 12.

Execution Sub-sequence. For \( \forall \gamma = a_{0} \circ a_{1} \circ \ldots \circ a_{n} \), EA will in turn perform actions \( a_{0} ,\;a_{1} ,\; \ldots ,\;a_{n} \). Each time after EA performs an action \( a_{i(0 \leqslant i \leqslant n)} \), we call the remaining part an execution sub-sequence. In addition, we use \( ||\gamma || \) to denote the number of execution sub-sequences.

Taking the behavior \( \forall \gamma = a_{0} \circ a_{1} \circ \ldots \circ a_{n} \) in Definition 12 as an example, with the EA’s performing of actions \( a_{0} ,\;a_{1} ,\; \ldots ,\;a_{n} \), the execution sub-sequences of \( \gamma \) are, respectively, \( \gamma_{0} = \gamma = a_{0} \circ \underline{{a_{1} \circ \ldots \circ a_{n} }} = a_{0} \circ \underline{{\gamma_{1} }} \), \( \gamma_{1} = a_{1} \circ \underline{{a_{2} \circ \ldots \circ a_{n} }} = a_{1} \circ \underline{{\gamma_{2} }} \), …, \( \gamma_{n - 1} = a_{n - 1} \circ \underline{{a_{n} }} = a_{n - 1} \circ \underline{{\gamma_{n} }} \), \( \gamma_{n} = a_{n} = a_{n}^\circ \underline{{\Uplambda }} = a_{n}^\circ \underline{{\gamma_{n + 1} }} \), and \( \gamma_{n + 1} =\Lambda \). Therefore, \( ||\gamma ||{ = }n{ + }2 \).

Lemma 2.

Let M be a system with a structured state that satisfies the reference monitor assumption. For any behavior \( \forall \gamma \) of M and any observation action \( \forall a \) \( (dom(a) = w) \), without loss of generality, supposing \( \forall \gamma = a_{0} \circ a_{1} \circ \ldots \circ a_{n} \), we construct all of the execution sub-sequences of \( \gamma \), i.e., \( \gamma_{0} ,\;\gamma_{1} ,\; \ldots ,\;\gamma_{n} ,\;\gamma_{n + 1} \), where \( \gamma_{0} = \gamma \), \( \gamma_{n + 1} =\Lambda \) and \( ||\gamma ||{ = }n{ + }2 \). Let \( N{ = }||\gamma || - 2 \), then we have: \( \forall i_{(0 \leqslant i \leqslant N)} .s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop \approx \limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \) is a sufficient condition for M to satisfy noninterference.

In \( \forall i_{(0 \leqslant i \leqslant N)} .s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop \approx \limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \), \( \gamma \) denotes the behavior sequence to be performed by EA, and \( \gamma_{i(0 \leqslant i \leqslant N + 1)} \) are the execution sub-sequences of \( \gamma \). In addition, \( s_{i} \) and \( t_{i} \) denote the current state of EA and WEA, respectively. Because EA and WEA start from the same initial state, we have \( s_{0} = t_{0} \). Without loss of generality, let \( \gamma_{i} = a_{i} \circ \gamma_{{{i + 1}(0 \leqslant i \leqslant N)}} \), then \( s_{i + 1} \) denotes the post-state \( s_{i + 1} = step(s_{i} ,a_{i} ) \) that EA will transform into after it performs \( a_{i} \) from the pre-state \( s_{i} \); \( t_{i + 1} \) denotes the post-state that WEA will transform into after it synchronously performs \( a_{i} \) (in this case, \( dom(a_{i} ) \in IS(\gamma_{i} ,w) \) and \( t_{i + 1} = step(t_{i} ,a_{i} ) \)) or \( \Lambda \) (in this case, \( dom(a_{i} )\not \in IS(\gamma_{i} ,w) \) and \( t_{i + 1} = t_{i} \)) from the pre-state \( t_{i} \) .

Proof.

Recursively invoking the condition of Lemma 2 \( \forall i_{(0 \leqslant i \leqslant N)} .s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop \approx \limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \), we can prove that Eq. (1) holds.

  1. (1)

    Initially, EA and WEA start from the same initial state \( s_{0} = t_{0} \). Thus, we have \( s_{0} \mathop \approx \limits^{{IS(\gamma_{0} ,w)}} t_{0} \).

  2. (2)

    Next, recursively invoking the condition in Lemma 2, we obtain

    $$ s_{0} \mathop \approx \limits^{{IS(\gamma_{0} ,w)}} t_{0} \supset s_{1} \mathop \approx \limits^{{IS(\gamma_{1} ,w)}} t_{1} \supset s_{2} \mathop \approx \limits^{{IS(\gamma_{2} ,w)}} t_{2} \supset \ldots \ldots \supset \;s_{N + 1} \mathop \approx \limits^{{IS(\gamma_{N + 1} ,w)}} t_{N + 1} $$
    (2)

Note that \( N = ||\gamma || - 2 = n \), and \( \gamma_{N + 1} = \gamma_{n + 1} =\Lambda \) . From the definition of function \( IS \), the following is provided:

$$ IS(\gamma_{N + 1} ,w) = IS(\Lambda ,w) = \{ w\} $$
(3)

Substituting \( N = n \) and \( IS(\gamma_{N + 1} ,w) = \{ w\} \) (Eq. (3)) into \( s_{N + 1} \mathop \approx \limits^{{IS(\gamma_{N + 1} ,w)}} t_{N + 1} \) (formula (2)), we have \( s_{n + 1} \mathop \approx \limits^{{\{ w\} }} t_{n + 1} \), which is equivalent to

$$ s_{n + 1} \mathop \sim\limits^{w} t_{n + 1} $$
(4)

Note that system M satisfies the reference monitor assumption, and thus, by invoking “output consistent” and \( s_{n + 1} \mathop \sim\limits^{w} t_{n + 1} \) (formula (4)), we have the following

$$ behcon(s_{n + 1} ,a) = behcon(t_{n + 1} ,a)\;(dom(a) = w) $$
(5)

The definitions of EA and WEA give \( s_{n + 1} = exec(s_{0} ,\gamma ) \) and \( t_{n + 1} = exec(t_{0} ,wexpected(\gamma ,w)) \), respectively. Substituting \( s_{0} = t_{0} \), \( s_{n + 1} \) and \( t_{n + 1} \) into Eq. (5), and note that the behavior sequence \( \gamma \) and the observation action \( a \)\( (dom(a) = w) \) are arbitrary, we can immediately determine that Eq. (1) holds.

Lemma 3.

Let M be a system with a structured state that satisfies the reference monitor assumption. For any behavior \( \forall \gamma \) of M and any observation action \( \forall a \) \( (dom(a) = w) \), without loss of generality, supposing \( \forall \gamma = a_{0} \circ a_{1} \circ \ldots \circ a_{n} \), we construct all of the execution sub-sequences of \( \gamma \), i.e., \( \gamma_{0} ,\;\gamma_{1} ,\; \ldots ,\;\gamma_{n} ,\;\gamma_{n + 1} \), where \( \gamma_{0} = \gamma \), \( \gamma_{n + 1} =\Lambda \) and \( ||\gamma ||{ = }n{ + }2 \) . Let \( N{ = }||\gamma || - 2 \), then we have: \( \forall i_{(0 \leqslant i \leqslant N)} .s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop \approx \limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \) is a necessary condition for M to satisfy noninterference.

The meanings of the notations in Lemma 3 are the same as those in Lemma 2.

Lemma 3 can be proved by a reduction to absurdity. The basic idea is as follows:

Assume \( \exists i_{(0 \leqslant i \leqslant N)} . \, s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \not \supset s_{i + 1} \mathop \approx \limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \), which can be equally written as \( \exists i_{(0 \leqslant i \leqslant N)} . \, s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop {\not \approx }\limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \) . Based on the definition of \( \mathop \approx \limits^{C} \), we immediately have . In other words, EA and WEA are non-equivalent on the security domain \( v_{j} \).

Next, according to the definition of execution sub-sequence, EA will perform \( \gamma_{i + 1} = a_{i + 1} \circ \gamma_{i + 2} \). Note that we must be able to “design” a new behavior \( \gamma_{i + 1}^{'} \) based on \( \gamma_{i + 1} \), such that after EA performs \( \gamma_{i + 1}^{'} \) (and meanwhile WEA synchronously performs \( wexpected(\gamma_{i + 1}^{'} ,w) \)), we have the following:

  1. (a)

    The non-equivalent relation (suppose on domain \( v_{j} \), see formula (6)) between EA and WEA can never be corrected.

  2. (b)

    Worse, the non-equivalent relation between EA and WEA can be spread from \( v_{j} \) to other domains that can directly or indirectly interfere with \( w \), based on the intransitive security policies.

  3. (c)

    Until finally EA and WEA reach terminal states that are non-equivalent on domain \( w \), which means system M does not satisfy noninterference. This contradicts the premise of Lemma 3. Therefore, our assumption is wrong, and Lemma 3 holds.

Proof.

Proof by contradiction.

Assume at some point that EA and WEA respectively transform their states to \( s_{i + 1} \) and \( t_{i + 1} \), such that \( \exists i_{(0 \leqslant i \leqslant N)} .s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop {\not \approx }\limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \) . This can be equally written as

(6)

According to the definition of execution sub-sequence, EA will now perform \( \gamma_{i + 1} = a_{i + 1} \circ \gamma_{i + 2} \) . In the following, we will then prove that we must be able to “design” a new behavior \( \gamma_{i + 1}^{'} \), such that after system M performs \( \gamma_{i + 1}^{'} \), M does not satisfy noninterference, thus inducing the contradiction. Generally, the proof comprises three main steps as follows: note that \( \gamma_{i + 1} = a_{i + 1} \circ \gamma_{i + 2} \), then

STEP 1. Firstly, we can prove that once (formula (6)), we can design a new action \( a_{i + 1}^{'} \) to replace \( a_{i + 1} \), such that EA and WEA maintain non-equivalent relation on \( v_{j} \) after they both execute \( a_{i + 1}^{'} \).

STEP 2. Furthermore, for every action in \( \gamma_{i + 2} \), we can also correspondingly design a new action, forming \( \gamma_{i + 2}^{'} \). When system M performs the newly designed \( \gamma_{i + 2}^{'} \), the non-equivalent relation between EA and WEA can be passed from \( v_{j} \) to other domains (in \( \gamma_{i + 2}^{'} \)) that can directly or indirectly interfere with \( w \), according to the intransitive security policies.

STEP 3. Finally, when the system finishes executing \( \gamma_{i + 2}^{'} \), EA and WEA will reach terminal states that are non-equivalent on \( w \), and thus Eq. (1) does not hold. This means that there must be at least one behavior that makes system M NOT satisfy noninterference, which is contradictory to the precondition of Lemma 3. Therefore, our assumption (formula (6)) is wrong, and Lemma 3 holds.

Owing to a limited amount of space, the detailed proof is not presented here.

Theorem 1.

Let M be a system with a structured state that satisfies the reference monitor assumption. For any behavior \( \forall \gamma \) of M and any observation action \( \forall a \)\( (dom(a) = w) \), without loss of generality, supposing \( \forall \gamma = a_{0} \circ a_{1} \circ \ldots \circ a_{n} \), we construct all of the execution sub-sequences of \( \gamma \), i.e., \( \gamma_{0} ,\;\gamma_{1} ,\; \ldots ,\;\gamma_{n} ,\;\gamma_{n + 1} \), where \( \gamma_{0} = \gamma \),\( \gamma_{n + 1} =\Lambda \) and \( ||\gamma ||\,{ = }\,n{ + }2 \). Let \( N\,{ = }\,||\gamma || - 2 \), then we have: \( \forall i_{(0 \leqslant i \leqslant N)} .s_{i} \mathop \approx \limits^{{IS(\gamma_{i} ,w)}} t_{i} \supset s_{i + 1} \mathop \approx \limits^{{IS(\gamma_{i + 1} ,w)}} t_{i + 1} \) is a necessary and sufficient condition for M to satisfy noninterference.

Proof.

By invoking Lemmas 2 and 3, Theorem 1 immediately holds.

A running example please refer to the simulation of paired-runs of EA and WEA in Fig. 3.

figure lfigure l

5 Time Complexity

Theorem 2.

Regardless of whether a deterministic or nondeterministic system, the time complexity of algorithm 1 is \( O(|S|^{2} * { |}D|) \).

Proof.

Note that the nature of noninterference is as follows: The buddy automata always maintain state-equivalent on the interference source sets of the execution sub-sequences. Based on this observation, we provide a review of the time complexity analysis in the following:

For the time complexity, we first need to calculate the total amount of all possible state-pairs \( (s,t) \) of EA and WEA. Because EA has \( |S| \) states, then WEA has \( |T| \leqslant |S| \) states according to the definitions of \( wexpected \) and WEA. Thus, under the worst condition, the total amount of state-pairs \( (s,t) \) is \( |S| \times \, |T| \leqslant \, |S|^{2} \). Second, we need to determine the state-equivalence relation \( \mathop \sim\limits^{u} \) of the \( |S|^{2} \) state-pairs \( (s,t) \) on all of the \( |D| \) domains, which requires a total of \( |S|^{2} *|D| \) comparisons. Therefore, the time complexity is \( O(|S|^{2} * { |}D|) \). This result is better than \( O(|S|^{3} * \, |A|^{2} * \, |D|) \) (S&P’11, [5]) and \( O(2^{{|S|*2^{|D|} }} ) \) (IEEE TSMC’05, [4]).

6 Related Work

Table 1 shows the comparisons of our approach with related work.

Table 1. Comparisons with related work
Full size table

To establish a formal model of noninterference, researchers have conducted in-depth studies using various security scenarios based on distinct modeling tools, and have proposed abundant noninterference models [8,9,10,11,12,13,14,15]. Among these models, the State Machine-Based Model (SMBM) and the Process Algebra-Based Model (PABM) are two representatives. Rushby was the first to establish a perfect SMBM of noninterference [3], and Focardi [8] and Ryan [9] were the first to systematically present a PABM of noninterference based on CCS (Calculus of Communicating System) and CSP (Communication Sequential Process), respectively. It should be noted that the semantics of SMBM and PABM are not consistent. In particular, SMBM focuses on the state transition of a system, as well as the state-equivalence relation after each state transition, whereas PABM focuses on the bi-simulation relation between the behavior sequences of a system and target security behavior specifications. Both SMBM and PABM are widely applied in practice [16,17,18,19,20].

Unfortunately, although extensive research has been conducted on the modeling of noninterference, there has been less work on the verification of noninterference [5]. To verify the noninterference property, Rushby [3] was the first to propose the “unwinding theorem”, which laid a solid foundation for the subsequent work of other researchers. However, unwinding theorem requires significant human ingenuity to define equivalence relations between domains, making it difficult to construct an automated verification algorithm. After Rushby, Hadj-Alouane et al. [4] proposed the first necessary and sufficient verification algorithm based on the observability of DES(Discrete Event System). The problem of [4] is that the time complexity is too high (double exponential) to be practical. In 2011, Eggert et al. [5] for the first time explored the time- and space-complexities of different noninterference definitions, including P-, IP-, TA-, and TO-Security. In [5], the authors reduced the verification of intransitive noninterference (which they call IP-Security) to the reachability problem in directed graphs, and claimed that the time complexity is \( O(|S|^{3} * \, |A|^{2} * \, |D|) \). However, IP-Security is not consistent with Rushby’s original definition of noninterference but a variant, so the time complexity of Rushby’s definition of intransitive noninterference is still unknown. Moreover, they did not present a concrete verification algorithm. For any given deterministic system M, Meyden et al. [6] introduced the concept of doubling construction \( M^{2} \), and then reduced the noninterference property to the safety property based on \( M^{2} \), which finally enables the noninterference property to be checked by using standard model checking technology. The time complexity of their work seems comparable to ours; however, their work can handle no more than three security domains, \( H,L,D \), whereas our approach can deal with any finite number of security domains. Souza et al. [7] boiled down the noninterference verification problem to the set containing problem of regular language. In [7], they first defined some language-theoretic operations on a regular language, and then established the connections between basic security predicates (BSPs) and language-theoretic operations. Thus, the verification of the noninterference property can be reduced to check whether \( L_{1} \subseteq L_{2} \), where \( L_{1} \) is the regular language used to describe the system, and \( L_{1} \) is the regular language for a given BSP. Nevertheless, their approach is trace-set based, rather than the stronger structure-based notion [3, 7]. Worse, [7] has to face state explosions under the worst conditions.

With respect to process algebra-based models, Focardi et al. implemented a compositional security checker called CoSeC [8, 21] on the basis of the Concurrency Workbench (CW), which can automatically check the observation equivalence relations between information flow security properties and CCS-based security specifications. Nonetheless, CoSec cannot avoid state explosions caused by the parallel composition operator. Ryan [9] proposed verifying the noninterference property by using model checking and theorem provers, but this requires highly specialized expertise, and hence it is difficult to build automated verification tools for common engineers. On the other hand, [9] cannot avoid state explosion problem, either.

7 Discussion

We stress that our work is completely different from bi-simulation based approaches. (1) Firstly, all existing bi-simulation based approaches adopt process algebra (i.e., CCS or CSP) as a tool for mathematical modeling [8, 9]. Note that process algebra studies behaviors, rather than states. Specifically, process algebra explorers the bi-simulation relation between behaviors, rather than the equivalence relation between system states. Due to this observation, process algebra may not be suitable as a mathematical modeling tool for SMBM. In fact, no process algebra (and hence no bi-simulation) is used for SMBM at all [3,4,5,6,7]. (2) Secondly, the semantics of PABM and SMBM are difference from each other (As we mentioned before, PABM focuses on behavior bi-simulation, whereas SMBM focuses on state equivalence), leading that bi-simulation approach used by PABM cannot tackle the SMBM issue of intransitive noninterference introduced by Rushby [9]. Furthermore, all verification algorithms and tools developed for PABM cannot be applied by SMBM, either. (3) Finally, a bi-simulation based approach only deals with two levels of actions, i.e., High and Low (though there may be multilevel of actions, these actions are grouped into two clusters [8]). Instead, however, our work needs to handle any number of security levels (i.e., security domains). Therefore, traditional bi-simulation approaches cannot be used by our work at all.

8 Conclusion

In this paper, we for the first time established the recursive necessary and sufficient condition of noninterference (Theorem 1), and based on which proposed a noninterference property verification algorithm. A theoretical analysis showed that the time-complexity of our algorithm is the best among existing studies.

Our work can be a step toward bridging the gap between the theoretical analysis and the practical application of the noninterference model. In the future, we will demonstrate how to put algorithm 1 into practice, for example, by using algorithm 1 to formally verify software security, to mine software vulnerability, and to construct a real-time software trust measurement framework.