Verifying persistent security properties

https://doi.org/10.1016/j.cl.2004.02.005

Abstract

We study bisimulation-based information flow security properties which are persistent, in the sense that if a system is secure then all of its reachable states are secure too. We show that such properties can be characterized in terms of bisimulation-like equivalence relations, between the full system and the system prevented from performing confidential actions. Moreover, we provide a characterization of such properties in terms of unwinding conditions which demand properties of individual actions. These two different characterizations naturally lead to efficient methods for the verification and construction of secure systems. We also prove several compositionality results, that allow us to check the security of a system by only verifying the security of its subcomponents.

Introduction

The protection of confidential data from undesired accesses is a typical security issue concerning both systems and networks. Inside a system, information is typically protected via some access control policy, limiting accesses of entities (such as users or processes) to data. There are different levels of flexibility of access control policies depending on the possibility for one entity to change the access rights of its own data. As an example, UNIX gives users complete control over the policy, i.e., every user may decide to make her own information either secret or public. On the other hand, there are mandatory policies in which entities have no control over the access rights. For example, Multilevel Security [2] imposes that entities and data are associated with (ordered) security levels and no access to data at higher levels is ever possible, even if the owner of the data is willing to reveal them. These strong mandatory security policies have been designed to avoid internal attacks performed by so-called Trojan Horse programs, i.e., malicious software that, once executed by a user, modifies the access rights of the data belonging to that user. Unfortunately, even when direct access to data is forbidden by (strong) security policies, data might be indirectly leaked by Trojan Horses that exploit some observable system side effects such as the CPU load or, more generally, the space/time availability of shared resources (see, e.g., [3], [4]).

The necessity of controlling information flow as a whole (both direct and indirect) motivated Goguen and Meseguer to introduce the notion of non-interference [5], [6]. Non-interference formalizes the absence of information flow within deterministic systems. Given a system in which confidential (i.e., high level) and public (i.e., low level) information may coexist, non-interference requires that confidential inputs never affect the outputs on the public interface of the system, i.e., never interfere with the low level users. If such a property holds, one can conclude that no information flow is ever possible from high to low level.

A possibilistic security property can be regarded as an extension of non-interference to non-deterministic systems. Starting from Sutherland [7], various such extensions have been proposed, e.g., [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18]. Most of these properties are based on traces, i.e., the behavior of systems is modelled through the set of their execution sequences. Examples are non-inference [15], generalized non-interference [11], restrictiveness [11], and the perfect security property [18].

In [8], Focardi and Gorrieri express the concept of non-interference in the Security Process Algebra (SPA) language, in terms of bisimulation semantics. In particular, inspired by [17], they introduce the notion of Bisimulation-based non Deducibility on Compositions (BNDC): a system E is BNDC if what a low level user sees of the system is not modified (in the sense of the bisimulation semantics) by composing any high level process Π with E. The main advantage of BNDC with respect to trace-based properties is that it is powerful enough to detect information flows due to the possibility, for a high level malicious process, to block or unblock a system. In particular, in [8], [19], it is shown that a malicious process may build a channel from high to low, by suitably blocking and unblocking some system services accessible by low level users. The system used to build this covert channel turns out to be secure for trace-based properties. This motivates the use of more discriminating equivalences such as bisimulation.

Non-interference properties, like BNDC, provide formal definitions of information flow security and, as a consequence, are useful for understanding and reasoning about system and network security. In this paper we also approach the problem of automatically checking BNDC-like properties, which is useful in many respects. First, as discussed in [20], having efficient automated checkers is useful to test a property against non-trivial system specifications. It is important to check on many examples that what is intuitively considered insecure is correctly rejected by the property. It is also crucial to verify that the property is not stronger than expected, and accepts as secure what is intuitively so. An automated tool is a good way of observing properties at work.

Moreover, there are some cases in which it is possible to analyze specifications that are strictly related to the “real world”. An interesting example is the analysis of security protocols, i.e., simple distributed algorithms based on cryptography. They are simple to specify using process calculi like SPA, since they are characterized by little local computation and some message exchanges. In [21] it is shown how to use BNDC-like properties to check many different network security properties like, e.g., secrecy and authentication. The main idea is that BNDC allows us to check whether or not a malicious enemy is able to interfere with the correct (expected) protocol execution. In this setting, the automated verification of BNDC allows us to either discover flaws in protocols or validate (finite instances of) them.

Although Martinelli [22] has shown that a class of BNDC-like properties is decidable over finite state processes, the problem of efficiently verifying BNDC is still open. Indeed, decidability of BNDC is still an open problem. The main difficulty consists of getting rid of the universal quantification on high level processes Π. A way to overcome this problem is to adopt sufficient conditions for BNDC. We recall from [19], [23] two of them, named Strong BNDC (SBNDC, for short) and Persistent_BNDC (P_BNDC, for short). Indeed, P_BNDC is interesting per se, since it has been proposed for analysing systems in dynamic contexts. Intuitively, P_BNDC is a persistent version of BNDC in which every reachable state is (BNDC) secure. In [23] it is shown that this property is suitable when some abstract form of mobility is considered. If a process moves to a different execution environment (e.g., a different host) in the middle of its computation, then we have to be guaranteed that such an intermediate state is still secure. Requiring, from the beginning, that every reachable state is secure trivially guarantees that every possible migration will be done in a secure state.

In the literature there are two different characterizations of security properties that do not require the universal quantification over high level processes Π. They allow us to exploit two different verification techniques:

  • (i) Bisimulation-based characterizations are based on a bisimulation-like equivalence relation between the system E to be analysed and the low level view of the system itself, denoted by E⧹H, i.e., the system E prevented from performing confidential actions. These characterizations allow us to exploit very efficient techniques for verifying the properties over finite-state processes, by using existing algorithms for the verification of strong bisimulation.

  • (ii) Unwinding conditions demand properties of individual actions. They aim at “distilling” the local effect of performing high level actions and are useful to define both proof systems (see, e.g., [24]) and refinement operators that preserve security properties, as done in [25]. Proof systems allow one to incrementally build systems which are secure by construction. Similarly, refinement operators are useful in a stepwise development process, since properties which have already been investigated in some phase need not be re-investigated in later phases.

In this paper, we start by considering the two characterizations above for P_BNDC, given in [24]. By studying the relation between two such characterizations, we generalize them to a parametric security property called s_BNDC, where parameter s specifies the way high level actions and internal actions are treated in the underlying bisimulation relation. We show that the SBNDC property, which was originally defined through unwinding conditions, is an instance of s_BNDC. This directly gives a new bisimulation-based characterization for SBNDC property. As a next step, we investigate the compositionality of P_BNDC and SBNDC. Compositionality is useful for both verification and synthesis: if a property is preserved when systems are composed, then the analysis may be performed on subsystems and, in case of success, the system as a whole can be proved to satisfy the desired property. We notice that both P_BNDC and SBNDC are compositional with respect to the parallel operator, but they are not fully compositional, since they are not preserved by the non-deterministic choice operator. In particular, when we build a system that may (non-deterministically) choose to behave as one of two secure subsystems, we could obtain an insecure system. As also observed in [26], this seems to be counterintuitive. We approach this issue by introducing a new security property, named Progressing P_BNDC (PP_BNDC), strictly stronger than P_BNDC, which is fully compositional, i.e., it is compositional also with respect to the non-deterministic choice. We show that PP_BNDC is an instance of the parametric property s_BNDC and can be thus expressed both in terms of a bisimulation-like equivalence and through unwinding conditions.

We also consider the specific problem of automatically checking our persistent security properties. In particular, we describe two methods for determining whether a system is P_BNDC, SBNDC or PP_BNDC. The first method is based on the derivation of Characteristic Formulae [27], [28] in the language of modal μ-calculus [29] (see Section 6.1). The characteristic formulae can be automatically verified using model checkers for μ-calculus, such as NCSU Concurrency Workbench [30]. Even if in the worst case this method has an exponential time complexity in the number of states of the process, it is still usable in many cases, and has the advantage of reducing the check of security properties to the standard problem of verifying a μ-calculus formula. The second method (see Section 6.2) is in the spirit of [28]: it is based on the computation of a sort of transitive closure (Closure up to high level actions) of the system and on the verification of a Strong Bisimulation. This allows us to use existing verification tools, since many different algorithms for computing the largest strong bisimulation between two processes (e.g., [31], [32], [33], [34]) have been integrated in model checkers, such as NCSU Concurrency Workbench, XEVE [35], FDR2 [36]. In particular, this second approach improves on the polynomial time complexity of the Compositional Security Checker (CoSeC) presented in [20], since only one bisimulation test is necessary.

The paper is organized as follows. In Section 2, we introduce some basic notions on the SPA language and the security properties BNDC and P_BNDC. We recall the two characterizations of P_BNDC in terms of a bisimulation-like equivalence relation and an unwinding condition. In Section 3 we introduce a parametric security property named s_BNDC in terms of bisimulation and we prove that it can be equivalently characterized in terms of a parametric unwinding condition. P_BNDC is just an instance of s_BNDC. In Section 4, we show that property SBNDC is an instance of s_BNDC and provide a bisimulation-based characterization of it. In Section 5, we introduce the class of PP_BNDC processes, which is again an instance of s_BNDC, and prove that it is fully compositional. In Section 6, we propose two methods to prove our persistent security properties and we demonstrate some complexity results. Finally, in Section 7 we discuss related works and draw some conclusions.

Section snippets

Basic notions

In this section we report the syntax and semantics of the Security Process Algebra (SPA, for short) [19] and the definition of the security properties BNDC [8] and P_BNDC [23] together with some main results [24].

A generalization

In this section we generalize both the notion of weak bisimulation up to high level actions of Definition 2.7 and the unwinding condition expressed by Theorem 2.9, by making them parametric with respect to a parameter s∈{∗,0,+}. Then, we introduce a parametric security property, named s_BNDC, by generalizing the quantification-free characterization given by Theorem 2.8 for P_BNDC processes. Finally, we prove that s_BNDC processes can be equivalently defined by means of the generalized unwinding

Strong BNDC

The property Strong BNDC (SBNDC, for short) has been introduced in [8] as a sufficient condition for verifying BNDC. It just requires that before and after every high step, the system appears to be the same, from a low level perspective. It has been proved to be stronger than SBSNNI (and thus P_BNDC) and it has been defined as follows.

Definition 4.1 SBNDC [8]

Let E∈E. ESBNDC iff for all E′ reachable from E, if E′hE″, then E′⧹HE″⧹H.

As a consequence of Proposition 3.7 item (4), we can immediately recognize that SBNDC
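
As an added illustration (not code from the paper), the following Python example checks Definition 4.1 directly on a small finite labelled transition system: for every reachable state with a high step, it compares the two states with high actions removed. It assumes the relation between E′⧹H and E″⧹H is weak bisimilarity; the LTS encoding, the `tau` label, the trace comparison and both sample processes are constructed here. The first sample is a blocking process whose low traces are the same whether high actions are hidden or removed, yet the check rejects it.

```python
from itertools import product

TAU = "tau"  # label chosen here for the internal action

def reachable(lts, start):
    """All states reachable from `start` through any transition."""
    seen, stack = {start}, [start]
    while stack:
        for _, t in lts.get(stack.pop(), []):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen

def restrict(lts, high):
    """E \\ H: the same LTS with every high-labelled transition removed."""
    return {s: [(a, t) for a, t in ts if a not in high] for s, ts in lts.items()}

def weak_bisimilarity(lts):
    """Largest weak bisimulation on `lts` as a set of state pairs (naive fixpoint)."""
    states = set(lts) | {t for ts in lts.values() for _, t in ts}
    tau_only = {s: [(a, t) for a, t in lts.get(s, []) if a == TAU] for s in states}
    closure = {s: reachable(tau_only, s) for s in states}
    def weak_succ(s, a):  # tau* a tau*, or just tau* when a is tau
        if a == TAU:
            return closure[s]
        return {r for p in closure[s] for b, q in lts.get(p, []) if b == a
                for r in closure[q]}
    rel, changed = set(product(states, states)), True
    while changed:
        changed = False
        for p, q in list(rel):
            matched = all(any((p2, q2) in rel for q2 in weak_succ(q, a))
                          for a, p2 in lts.get(p, []))
            if (p, q) in rel and not matched:
                rel -= {(p, q), (q, p)}  # removing both keeps rel symmetric
                changed = True
    return rel

def sbndc_violations(lts, start, high):
    """High steps E' -h-> E'' from reachable E' with E'\\H, E''\\H not bisimilar."""
    bisim = weak_bisimilarity(restrict(lts, high))
    return sorted((p, h, q) for p in reachable(lts, start)
                  for h, q in lts.get(p, []) if h in high and (p, q) not in bisim)

def low_traces(lts, start, high, depth=6):
    """Low-visible traces within `depth` steps; tau and high actions are silent."""
    traces, frontier = {()}, {(start, ())}
    for _ in range(depth):
        frontier = {(t, tr if a == TAU or a in high else tr + (a,))
                    for s, tr in frontier for a, t in lts.get(s, [])}
        traces |= {tr for _, tr in frontier}
    return traces

def same_low_traces(lts, start, high):
    """Trace view: high actions hidden versus high actions removed."""
    return low_traces(lts, start, high) == low_traces(restrict(lts, high), start, high)

HIGH = {"h"}  # constructed samples: state -> [(action, next state)]
BLOCKING = {"E": [("l", "Z"), ("h", "Z")], "Z": []}  # l.0 + h.0
MASKED = {"E": [("l", "Z"), ("h", "T")], "T": [(TAU, "L")],
          "L": [("l", "Z")], "Z": []}  # l.0 + h.tau.l.0
if __name__ == "__main__":
    print(sbndc_violations(BLOCKING, "E", HIGH), sbndc_violations(MASKED, "E", HIGH))
```

In `BLOCKING` the high step removes the low user's ability to perform `l`, which the bisimulation comparison detects and the trace comparison does not; in `MASKED` the state after the high step still offers `l` after an internal move, so no violation is reported.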

Progressing P_BNDC

It is well-known that security properties are, in general, not preserved under composition [11]. We have seen in the previous sections that P_BNDC and SBNDC are both non-compositional with respect to the nondeterministic choice operator. However, compositionality results are crucial for making the development of large and complex systems feasible [13], [39], [40]. In this section we show that by instantiating s to + in Definition 3.4 one obtains a property which is fully compositional (i.e., it

Automatic verification and its complexity

In this section we present two methods to determine whether EHsEH, in the case that E is a finite-state process. Specifically, we tackle the problem of proving EHsF, when E and F are finite-state processes. The first method consists of associating to any process E a modal μ-calculus formula φHsE such that F satisfies φHsE, if and only if, EHsF. This method is obtained by applying the technique presented in [27]. The second method consists of transforming the LTS's of E and F into two

Related works and conclusions

In this paper we study three persistent information flow security properties based on the bisimulation semantics model. For these properties we provide two characterizations: one in terms of a bisimulation-like equivalence relation and another one in terms of unwinding conditions.

The first characterization allows us to perform the verification of the properties for finite state processes in polynomial time with respect to the number of states of the system, also improving on the polynomial time

References (54)

  • B. Steffen et al. Characteristic formulae for Processes with divergence. Information and Computation (1994).
  • D. Kozen. Results on the propositional μ-calculus. Theoretical Computer Science (1983).
  • A. Bossi et al. Bisimulation and unwinding for verifying possibilistic security properties.

  • Bell DE, Padula LJJ, Secure Computer Systems: Unified Exposition and Multics Interpretation, ESD-TR-75-306, MITRE...
  • Tsai CR, Gligor VD, Chandersekaran CS. On the identification of covert storage channels in secure systems. IEEE...
  • Millen JK. Finite-state noiseless covert channels. In: Proceedings of the Computer Security Foundations Workshop II,...
  • Goguen JA, Meseguer J. Security policies and security models. In: Proceedings of the IEEE Symposium on Security and...
  • Goguen JA, Meseguer J. Inference control and unwinding. In: Proceedings of the IEEE Symposium on Security and Privacy...
  • Sutherland D. A model of information. In: Proceedings of the Ninth National Computer Security Conference. 1986. p....
  • R. Focardi et al. A classification of security properties for process algebras. Journal of Computer Security (1994/1995).
  • Foley SN. A universal theory of information flow. In: Proceedings of the IEEE Symposium on Security and Privacy...
  • Mantel H. Possibilistic definitions of security—an assembly kit—In: Proceedings of the IEEE Symposium on Security and...
  • McCullough D. Specifications for multi-level security and a hook-up property. In: Proceedings of the IEEE Symposium on...
  • McLean J. Security models and information flow. In: Proceedings of the IEEE Symposium on Security and Privacy (SSP’90)....
  • McLean J. A general theory of composition for trace sets closed under selective interleaving functions. In: Proceedings...
  • McLean J. Security models. Encyclopedia of Software Engineering. Wiley & Sons, Inc.,...
  • O'Halloran C. A calculus of information flow. In: Proceedings of the European Symposium on Research in Security and...
  • Schneider S. May testing, non-interference, and compositionality. Electronic Notes in Theoretical Computer Science...
  • Wittbold JT, Johnson DM. Information flow in nondeterministic systems. In: Proceedings of the 1990 IEEE Symposium on...
  • Zakinthinos A, Lee ES. A general theory of security properties. In: Proceedings of the IEEE Symposium on Security and...
  • R. Focardi et al. Classification of security properties (part I: information flow).
  • R. Focardi et al. The compositional security checker: a tool for the verification of information flow security properties. IEEE Transactions on Software Engineering (1997).
  • A. Durante et al. A compiler for analysing cryptographic protocols using non-interference. ACM Transactions on Software Engineering and Methodology (TOSEM) (2000).
  • Martinelli F. Partial model checking and theorem proving for ensuring security properties. In: Proceedings of the IEEE...
  • Focardi R, Rossi S. Information flow security in dynamic contexts. In: Proceedings of the 15th IEEE Computer Security...
  • A. Bossi et al. A proof system for information flow security.

  • Mantel H. Unwinding possibilistic security properties. In: Proceedings of the European Symposium on Research in...

    This work is a revised and extended version of [1], and has been partially supported by MIUR project “Modelli formali per la sicurezza”, the EU project MyThS (IST-2001-32617) and the FIRB project (RBAU018RCZ) “Interpretazione astratta e model checking per la verifica di sistemi embedded”.
