Automatic analysis of DIFC systems using noninterference with declassification

Abstract

Information flow control (IFC) can effectively resist Trojans and viruses that steal information from systems, and is usually adopted to protect the confidentiality of systems with a high security level. However, covert channel attacks can bypass IFC by exploiting its implementation defects. Thus, it is crucial to verify the system security and identify potential covert channels. Decentralized IFC (DIFC) is a key innovation that provides new flexible mechanisms, including decentralized declassification and taint tracking. However, the flexibility of DIFC systems also brings security risks. At present, there is a lack of a systematic and automatic security analysis approach for complex DIFC systems. In this paper, we propose a formal and automatic method to analyze the security of DIFC systems by using the FDR2 tool. We provide a new definition of noninterference, based on which the security analysis is performed. The analysis results indicate that our approach can both effectively detect covert channels in DIFC systems and accommodate conditional declassification information. The proposed method is more efficient and accurate than existing manual methods of covert channel detection.

Appendix

1.1 A: The language of CSP

Communicating Sequential Processes (CSP) is a process algebra used in specifying systems as a set of parallel state machines that sometimes synchronize on events. We offer a brief review of it here, borrowing heavily from Hoare’s book. Among the most basic CSP examples is Hoare’s vending machine:

$$ VMS = in25 \to choc \to VMS $$

This vending machine waits for the event in25, which corresponds to the input of a quarter into the machine. Next, it accepts the event choc, which corresponds to a chocolate falling out of the machine. Then it returns to the original state, with a recursive call to itself. The basic operator at use here is the prefix operator. If x is an event, and P is a process, then (x → P), pronounced “x then P,” represents a process that engages in event x and then behaves like process P. For a process P, the notation αP describes the “alphabet” of P. It is a set of all of the events that P is ever willing to engage in. For example, αVMS = {in25, choc}. For any CSP process P, we can discuss a trace of events that P may accept. For the VMS example, various traces include: < in25 > , < in25, choc > , < in25, choc, in25 > , < in25, choc, in25, choc > ,….

For two traces tr and tr_, define tr^tr_ as their concatenation.

The next important operator is “external choice,” denoted by “[]”. If x and y are distinct events, then: (x → P [] y → Q) denotes a process that accepts x and then behaves like P or accepts y and then behaves like Q. For example, a new vending machine can accept either a coin and output a chocolate, or accept a bill and output an ice cream cone:

$$ VMS2 = \, (bill \to cone \to VMS2[]in25 \to choc \to VMS2) $$

A related operator is internal (nondeterministic) choice, denoted by “Π”. In simple choice, the machine reacts exactly to events it fields from the machine’s user. In nondeterministic choice, the machine behaves unpredictably from the perspective of the user, maybe because the machine’s description is underspecified, or maybe because the machine is picking from a random number generator. For instance, a change machine might return coins in any order, depending on how the machine provide services:

$$ CHNG = \, (in25 \to (out10 \to out10 \to out5 \to CHNG\ O out10 \to out5 \to out10 \to CHNG)) $$

That is, the machine takes a quarter as input, and returns two dimes and a nickel in one of two orderings.

CSP provides useful predefined processes like STOP, the process that accepts no events, and SKIP, the process that shows a successful termination and then behaves like STOP, and RUN_A, the process that accepts any event of alphabet A. Other processes like DIV and CHAOS are standard in the literature, but are not required here.

The next class of operators relate to parallelism. The notation:\(P\mathop {||}\limits_{A} Q\) denotes P running in parallel with Q, synchronizing on events in A. This means a stream of incoming events can be arbitrarily assigned to either P or Q, assuming those events are not in A. However, for events in A, both P and Q must accept them in synchrony. As an example, consider the vending machine and the change machine running in parallel, synchronizing on the event in25:

FREELUNCH = VMS \(\mathop {||}\limits_{{\{ in25\} }}\) CHNG.

Possible traces for this new process are the various interleavings of the traces for the two component machines that agree on the event in25. For instance: < in25, choc, out10, out10, out5, … > , < in25, out10, choc, out10, out5,… > , < in25, out10, out10, choc, out5, … > , < in25, choc, out10, out5, out10,… > , < in25, out10, out5, out10, choc, … > are possible execution paths for FREELUNCH.

Another variation on parallel composition is arbitrary interleaving, denoted: P||| Q. In interleaving, P and Q never synchronize, operating independently of one another. P |||Q is therefore equivalent to P \(\mathop {||}\limits_{{\{ \} }}\) Q, which means P and Q run in parallel and synchronize on the empty set. In the tool FDR2 for CSP, for concise expression, the process P = ((Q₁ ||| Q₂ |||Q₃|||…|||Q_n) can be notated as P = (|||i:{1..n}@Q_i). We adopt this form in the descriptions of GTPM specifications.

Processes that run in parallel can communicate with one another over channels. A typical channel c can carry various values v, denoted c.v. This is represented as the sending process accepting the event c!v while the receiving process accepts the event c?x (where x is thus far unbound) and sets x to v. Communication on a channel is possible only when the sender and receiver processes are in the respective states simultaneously. If one process is at the suitable state

and the other is not, the ready process waits until its partner becomes ready. If the channel has a compound name like i.c, its values are, respectively, denoted i.c.v. Channel names are prefix-free so this is never ambiguous. Our GTPM specifications use channels extensively.

The next important CSP feature is concealment or hiding. For a process P and a set of symbols C, the process P\C is P with symbols in C hidden or concealed. The events in C become internal transitions that cannot be observed by other processes through synchronization or channel communication. Concealment can induce divergence—an infinite sequence of internal transitions. For instance, the process P = (c → P)\{c} diverges immediately, never to be useful again.

Other operators like renaming are standard in the literature, but are not required here.

1.2 B: CSP models and process equivalence

The theory of CSP has classically been based on mathematical models. These models have been based on observable behaviors of processes such as traces, failures and divergences, rather than attempt to capture a full operational picture of how the process progresses. These models\*MERGEFORMAT [24] are as follows.

The traces model: a process is represented by the set of finite sequences of communications it can perform. The set of P’s (finite) traces is given by traces(P).

The stable failures model: a process is represented by its traces as above and also by its failures. A failure is a pair (s,X), where s is a finite trace of the process (i.e., in traces(P)) and X is a set of events it can refuse after s. This means (operationally) that after trace s, the process P has come into a state where it can do no internal action and no action from the set X. The set of P’s failures is given by failures (P).

The failures/divergences model: a process is represented by its failures as above, together with its divergences. A divergence is a finite trace during or after which the process can perform an infinite sequence of consecutive internal actions. The set of P’s failures is given by divergences (P). Formally, after a divergence we consider a process to be acting chaotically and able to do or refuse anything. This means that processes are considered to be identical after they have diverged.

All three of these models have the obvious congruence theorem with the standard operational semantics of CSP. Depending on these semantic models, equivalence relations can be defined for systems described in CSP in several ways.

A process Q is a trace equivalence of another, P, if traces(Q) = traces(P).

A process Q is a stable-failures equivalence of another, P, if failures (Q) = failures (P).

A process Q is a failures/divergences equivalence of another, P, if failures (Q) = failures (P) and divergences (Q) = divergences (P).

These equivalences can be used for proving safety properties.