Non Interference, Open Systems, Information flows quantification. Loïc Hélouët, INRIA Rennes. (Presentation transcript)


2 Non Interference [Goguen & Meseguer 82]. A system S with n users U1, …, Un. U1 interferes with U2 through S iff what U1 does affects what U2 can do or observe.

3 [Figure: U1 (high) and U2 (low) both interacting with the system S.] Inherited from 1970s information systems: several levels of security (high, low); each user is granted clearance up to a certain level. Can U2 infer something about U1's actions, or about high values, from its own enabled actions and its observation of all low values?

4 More formally: (U1 || S) || U2 is equivalent to S || U2. [Figure: a transition system with states q1 to q5 and transitions labelled U1:o1, U2:o2, U2:o3, U2:o2.]

5 More formally: (U1 || S) || U2 is equivalent to S || U2. [Figure: the same system without U1, states q1 to q4 and transitions labelled U1:o1, U2:o2, U2:o2.]

6 [Figure: states labelled by the current high values (h1, h2, some negated) and low values (l1, l2), with transitions U1:o1 and U2:o2.]

7 Non Interference, variations
- Models for U1, U2, S (automata, CSP, …)
- Semantics of ||
- Notion of equivalence (bisimulation, trace equivalence + input/output) [Lowe] [Ryan] [Focardi & Gorrieri 00] …

8 Non interference with typing [Volpano & Smith]. Typing programs of the form:
  p ::= e | c
  e ::= x | l | n | e + e' | e - e' | e = e' | e < e'
  c ::= e := e' | c; c' | if e then c else c' | while e do c | letvar x := e in c | try x = e op e' in c

9 Some typing rules: from typings of e, c and c' one derives a typing of "if e then c else c'" (the security types in the rule did not survive extraction). A well-typed program is non-interferent. Programs such as the following are rejected: if h then l := false else l := true

10 Idem for a pseudo-language with threads [Volpano 98]. Idem for probabilistic non-interference [Volpano 98]. [Boudol & Castellani]: concurrent language. Non-interference problems: coarse-grain semantics; interference depends on the reachability of some statements, e.g.
  while e > e' do
    e' := f(e, e')
    if e' mod y = 0 then e'' := 0
  done
  if e'' = 0 then l := h else l := l'

11 Games & covert channels. [Figure: a confinement zone containing a user and a spy, separated from the outside by security (monitoring, firewall, …).]

12 Message Sequence Charts. [Figure: an HMSC with nodes n0 to n3 and bMSCs M1 to M5; observations w1 to w6.] Choose two processes p, q. Build an arena: the choices of p vs. the rest of the system. Observations of q: the w_i.

13 Message Sequence Charts. [Figure: bMSC M1, in which A sends m(v) to B and B sends p to C; bMSC M2, in which A sends n to B and B sends q to C; a choice between M1 and M2.] Events observed on instance C reveal events executed on instance A: ?p => !m(v), ?q => !n (the two branches labelled 0 and 1).

14 [Figure: HMSC with nodes n0 to n3 and observations w1 to w7.] Identify positions where p can pass information to q.

15 [Figure: the same HMSC, nodes n0 to n3, observations w1 to w7.] Pass infinitely often through such positions: a covert channel is a winning strategy in a game (Muller or Büchi winning condition).

16 Master (Aldric Diamond): automata + ATL

17 ATL. A set of players; propositions p labelling states; formulas built from p, negation, conjunction (phi1 and phi2), and the strategic modalities <<A>> next phi, <<A>> always phi, <<A>> phi1 U phi2 (the operator symbols were lost in extraction).

18 ATL (semantics)
- q satisfies <<A>> next phi iff the players in A have strategies such that in any computation starting from q, phi holds at the next stage (position 1 of the computation satisfies phi).
- q satisfies <<A>> always phi iff the players in A have strategies such that in any computation starting from q, phi holds along the whole computation (for all i, position i satisfies phi).
- q satisfies <<A>> phi1 U phi2 iff the players in A have strategies such that in any computation starting from q, there is an i such that position i satisfies phi2 and, for all 0 <= j < i, position j satisfies phi1.

19 Covert flows in ATL. A formula "interf" such that A satisfies interf iff there is an interference in the system. A formula "covert" such that A satisfies covert iff there is a covert channel in the system. covert = « always eventually » interf.

20 Concurrent Secrets [Darondeau 06]. A set of observers/users 1, …, n. A finite state system A with language L_A over the union of the users' alphabets. Some secret trajectories S_i, a subset of L_A, shall never be known by user i. Can users deduce that a trajectory belongs to a secret? The system must be opaque, i.e. for every w in S_i there exists w' in L_A \ S_i such that w and w' are indistinguishable to user i (same projection on user i's observable alphabet).

21 Quantification [Lowe]
- Classical interference in timed CSP
- + quantification of the number of bits leaked per second
[Figure: two processes P and Q with events a, b and observations o1, o2.]

22 Information Theory [Moskowitz 94]. Relation between random variables X, Y of the system; discrete memoryless channels.

23 [Palamidessi]: voting systems, loss of anonymity. [Figure: inputs i1, i2, i3 into a VOTE box producing outputs o1, o2.]

24 Quantified Interference
- [Denning]: information leak if H(h_s | l_s') < H(h_s | l_s), i.e. moving from s to s' provides information on high values. No analysis technique.
- [McLean]: safe system if at time t, p(L_t | L_s) = p(L_t | (H_s, L_s)), where L_s = L_1.L_2 … L_{t-1} and H_s = H_1.H_2 … H_{t-1} are the sequences of values taken by L and H before t.
- [Gray]: idem, but stated as I(H_s ; L_t | L_s) = 0.

25 [Clark]
- Simple programming language
- Quantify the information learned from the observation of inputs/outputs of a program
- Deterministic language: while, if, x := f(y)
- Leakage into a set of variables X: L(X) = I(H_i ; X_final | L_i), where H_i are the initial high (hidden) values, L_i the initial low (known) values, and X_final the final values of X
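As an added example (not from the slides), the Clark leakage L(X) = I(H_i ; X_final | L_i) of slide 25 and Denning's conditional-entropy criterion of slide 24 computed by enumeration for three constructed toy programs, one of them the program rejected by the typing rules of slide 9; the program names are my own:

```python
import math
from collections import Counter

# Constructed toy programs in the deterministic language of slide 25: each maps
# the initial high (hidden) input h and low (known) input l to the final value
# of the low variable l. These are illustrations, not code from the talk.
def prog_rejected(h, l):
    # the program the typing rules reject: if h then l := false else l := true
    return False if h else True

def prog_parity(h, l):
    # copies only the parity of h into the low variable
    return h % 2

def prog_safe(h, l):
    # final low value depends on the low input only: well-typed, non-interferent
    return l + 1

def entropy(dist):
    """Shannon entropy in bits of a {value: probability} distribution."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)

def leakage_bits(prog, high_values, low_value):
    """Clark's L({l}) = I(H_i ; l_final | L_i), with H_i uniform over
    high_values and L_i fixed to low_value. The program is deterministic, so
    H(l_final | H_i, L_i) = 0 and the leakage equals H(l_final | L_i)."""
    n = len(high_values)
    outputs = Counter(prog(h, low_value) for h in high_values)
    return entropy({x: c / n for x, c in outputs.items()})

def residual_high_entropy(prog, high_values, low_value):
    """Denning's H(h_s | l_s') once the final low value is observed: the
    average over outputs of log2 of the number of high inputs mapped to it."""
    n = len(high_values)
    groups = {}
    for h in high_values:
        groups.setdefault(prog(h, low_value), []).append(h)
    return sum(len(g) / n * math.log2(len(g)) for g in groups.values())

def denning_leaks(prog, high_values, low_value):
    """Denning's criterion: a leak iff H(h_s | l_s') < H(h_s | l_s). The
    initial low value is a constant, so H(h_s | l_s) = log2(n) for uniform h."""
    return residual_high_entropy(prog, high_values, low_value) < math.log2(len(high_values))

if __name__ == "__main__":
    highs = list(range(8))  # 3 bits of hidden data
    for prog in (prog_rejected, prog_parity, prog_safe):
        print(prog.__name__, leakage_bits(prog, highs, 0), denning_leaks(prog, highs, 0))
```

For a deterministic program the leakage and the residual high entropy always add up to the initial entropy of h, which is a quick sanity check on the two functions.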

26 Aline, Eric, Loïc. [Figure: an HMSC with nodes n0 to n3, bMSCs M1 to M5, and observations w1 to w8.]

27 Aline, Eric, Loïc. [Figure: the same HMSC, with hidden choices X1, X2 and observations Y1, Y2, Y3.] I(X_1 … X_n | Y_1 … Y_q)

28 Problems
- Some information is lost during concatenation: abba.a = ab.baa = ab.ba.a, i.e. Y1 = w1 & Y2 = w2, or Y1 = w3 & Y2 = w3, or Y1 = w3 & Y2 = w4 & Y3 = w5. Solution: w1, …, wk form a code (unique decomposition).
- No « nice form » for

29
- The amount of information sent at the n-th use of the channel depends on the n-1 previous ones.
- Special channel model: with memory; stuttering.
[Figure: HMSC nodes n0, n1, n3 with observations w1, w2, w3, w3, w5, w4.]

30 Around AXML
- Secret, interference: where are the opponents? What should be kept secret?
- Coarse-grain typing?
- Information theory?
