An Automata Based Approach for Verification of Information Flow - - PowerPoint PPT Presentation
An Automata Based Approach for Verification of Information Flow Properties Deepak DSouza, Raghavendra K.R., Barbara Sprick Indian Institute of Science, Bangalore, India An Automata Based Approach for Verification of Information Flow
Deepak D’Souza, Raghavendra K.R., Barbara Sprick Indian Institute of Science, Bangalore, India
An Automata Based Approach for Verification of Information Flow Properties – p.1/14
An Automata Based Approach for Verification of Information Flow Properties – p.2/14
Trace: finite sequence of events
An Automata Based Approach for Verification of Information Flow Properties – p.2/14
Trace: finite sequence of events System: sets of traces
An Automata Based Approach for Verification of Information Flow Properties – p.2/14
Trace: finite sequence of events System: sets of traces Information flow properties for all x in L with some conditions ⇒ there exists y in L with some conditions
An Automata Based Approach for Verification of Information Flow Properties – p.2/14
Trace: finite sequence of events System: sets of traces Information flow properties for all x in L with some conditions ⇒ there exists y in L with some conditions Non-Inference(NF) ∀τ ∈ L ⇒ τ
An Automata Based Approach for Verification of Information Flow Properties – p.2/14
gen-new-pin snd-enc-new rcv-enc-acc gen-new-pin e e f snd-enc-old
An Automata Based Approach for Verification of Information Flow Properties – p.3/14
gen-new-pin snd-enc-new rcv-enc-acc gen-new-pin e e f snd-enc-old
V = {e, f} C = {gen-new-pin} N = φ
An Automata Based Approach for Verification of Information Flow Properties – p.3/14
gen-new-pin snd-enc-new rcv-enc-acc gen-new-pin e e f snd-enc-old
V = {e, f} C = {gen-new-pin} N = φ Tr = { gen-new-pin e f, e } + prefixes
An Automata Based Approach for Verification of Information Flow Properties – p.3/14
gen-new-pin snd-enc-new rcv-enc-acc gen-new-pin e e f snd-enc-old
V = {e, f} C = {gen-new-pin} N = φ Tr = { gen-new-pin e f, e } + prefixes Confidentiality compromised. Noninference fails
An Automata Based Approach for Verification of Information Flow Properties – p.3/14
snd-enc-new snd-enc-old rcv-enc-acc rcv-enc-rej gen-new-pin e f f e gen-new-pin
An Automata Based Approach for Verification of Information Flow Properties – p.4/14
snd-enc-new snd-enc-old rcv-enc-acc rcv-enc-rej gen-new-pin e f f e gen-new-pin
V = {e, f} C = {gen-new-pin} N = φ
An Automata Based Approach for Verification of Information Flow Properties – p.4/14
snd-enc-new snd-enc-old rcv-enc-acc rcv-enc-rej gen-new-pin e f f e gen-new-pin
V = {e, f} C = {gen-new-pin} N = φ Tr = { gen-new-pin e f, e f } + prefixes
An Automata Based Approach for Verification of Information Flow Properties – p.4/14
snd-enc-new snd-enc-old rcv-enc-acc rcv-enc-rej gen-new-pin e f f e gen-new-pin
V = {e, f} C = {gen-new-pin} N = φ Tr = { gen-new-pin e f, e f } + prefixes Confidentiality maintained. Noninference holds
An Automata Based Approach for Verification of Information Flow Properties – p.4/14
Non−Interference Generalized Separability Non−Deducibility Noninference Non−Interference
Goguen, Meseguer − 82
An Automata Based Approach for Verification of Information Flow Properties – p.5/14
Goguen, Meseguer − 82
Mantel − BSPs I Non−Interference Noninference Separability Generalized Non−Interference Non−Deducibility BSD FCI IA BSIA BSI D FCD R FCIA An Automata Based Approach for Verification of Information Flow Properties – p.5/14
Trace based information flow properties in BSPs
An Automata Based Approach for Verification of Information Flow Properties – p.6/14
Trace based information flow properties in BSPs BSP Removal (R)
new N events
An Automata Based Approach for Verification of Information Flow Properties – p.6/14
Trace based information flow properties in BSPs BSP Deletion (D)
new N events α′ β′ α β c
An Automata Based Approach for Verification of Information Flow Properties – p.6/14
Trace based information flow properties in BSPs BSP Insertion (I)
α β α′ β′ new C
An Automata Based Approach for Verification of Information Flow Properties – p.6/14
Trace based information flow properties in BSPs BSP Insert-X Admissable (IA)
α β α′ β′ new C
γc in L with γ
An Automata Based Approach for Verification of Information Flow Properties – p.6/14
Trace based information flow properties in BSPs BSP Insert-X Admissable (IA)
α β α′ β′ new C
γc in L with γ
Generalized Non-Interference - I and D Noninference - R
An Automata Based Approach for Verification of Information Flow Properties – p.6/14
Can we automate Verification of Information Flow properties?
An Automata Based Approach for Verification of Information Flow Properties – p.7/14
Can we automate Verification of Information Flow properties? Properties of sets of traces, Classical Model-checking techniques like LTL, CTL cannot be used
An Automata Based Approach for Verification of Information Flow Properties – p.7/14
Can we automate Verification of Information Flow properties? Properties of sets of traces, Classical Model-checking techniques like LTL, CTL cannot be used Unwinding verification technique - Not complete
An Automata Based Approach for Verification of Information Flow Properties – p.7/14
Can we automate Verification of Information Flow properties? Properties of sets of traces, Classical Model-checking techniques like LTL, CTL cannot be used Unwinding verification technique - Not complete Good News. For finite systems, Yes
An Automata Based Approach for Verification of Information Flow Properties – p.7/14
Can we automate Verification of Information Flow properties? Properties of sets of traces, Classical Model-checking techniques like LTL, CTL cannot be used Unwinding verification technique - Not complete Good News. For finite systems, Yes Model Check - BSP on Finite State Automaton
An Automata Based Approach for Verification of Information Flow Properties – p.7/14
L be a language over Σ, X subset of Σ
An Automata Based Approach for Verification of Information Flow Properties – p.8/14
L be a language over Σ, X subset of Σ L
τ
An Automata Based Approach for Verification of Information Flow Properties – p.8/14
L be a language over Σ, X subset of Σ L
τ
l-del(L) := {αβ | αcβ in L, no C events in β} deletes the last occuring C-event
An Automata Based Approach for Verification of Information Flow Properties – p.8/14
L be a language over Σ, X subset of Σ L
τ
l-del(L) := {αβ | αcβ in L, no C events in β} deletes the last occuring C-event l-ins(L) := {αcβ | αβ in L, no C events in β} inserts a C-event in a position after which no C-events occur
An Automata Based Approach for Verification of Information Flow Properties – p.8/14
L be a language over Σ, X subset of Σ L
τ
l-del(L) := {αβ | αcβ in L, no C events in β} deletes the last occuring C-event l-ins(L) := {αcβ | αβ in L, no C events in β} inserts a C-event in a position after which no C-events occur l-ins-admX(L):= {αcβ | αβ in L, no C events in β, there exists γc in L, γ
inserts a C-event in a position after which no C-events occur subject to a condition
An Automata Based Approach for Verification of Information Flow Properties – p.8/14
L be a language over Σ, X subset of Σ L
τ
l-del(L) := {αβ | αcβ in L, no C events in β} deletes the last occuring C-event l-ins(L) := {αcβ | αβ in L, no C events in β} inserts a C-event in a position after which no C-events occur l-ins-admX(L):= {αcβ | αβ in L, no C events in β, there exists γc in L, γ
inserts a C-event in a position after which no C-events occur subject to a condition . . .
An Automata Based Approach for Verification of Information Flow Properties – p.8/14
"L satisfies a BSP P" is reduced to "op1(L) ⊆ op2(L)"
An Automata Based Approach for Verification of Information Flow Properties – p.9/14
"L satisfies a BSP P" is reduced to "op1(L) ⊆ op2(L)"
An Automata Based Approach for Verification of Information Flow Properties – p.9/14
L satisfies BSP D l-del(L) ⊆N L
An Automata Based Approach for Verification of Information Flow Properties – p.10/14
L satisfies BSP D Any τ in l-del(L) l-del(L) ⊆N L
An Automata Based Approach for Verification of Information Flow Properties – p.10/14
L satisfies BSP D Any τ in l-del(L) τ − αβ, no C events in β, αcβ in L l-del(L) ⊆N L
An Automata Based Approach for Verification of Information Flow Properties – p.10/14
L satisfies BSP D Any τ in l-del(L) τ − αβ, no C events in β, αcβ in L Since L sat D, there exists τ ′ = α′β′ in L such that α =N α′ and β =N β′ l-del(L) ⊆N L
An Automata Based Approach for Verification of Information Flow Properties – p.10/14
L satisfies BSP D Any τ in l-del(L) τ − αβ, no C events in β, αcβ in L Since L sat D, there exists τ ′ = α′β′ in L such that α =N α′ and β =N β′ τ ′ equivalent to τ modulo N-corrections l-del(L) ⊆N L
An Automata Based Approach for Verification of Information Flow Properties – p.10/14
l-del(L) ⊆N L L satisfies BSP D
An Automata Based Approach for Verification of Information Flow Properties – p.11/14
l-del(L) ⊆N L Any τ of form αcβ in L, no C-events in β L satisfies BSP D
An Automata Based Approach for Verification of Information Flow Properties – p.11/14
l-del(L) ⊆N L Any τ of form αcβ in L, no C-events in β αβ belongs to l-del(L) L satisfies BSP D
An Automata Based Approach for Verification of Information Flow Properties – p.11/14
l-del(L) ⊆N L Any τ of form αcβ in L, no C-events in β αβ belongs to l-del(L) Since l-del(L) ⊆N L, there exists τ ′ =N τ L satisfies BSP D
An Automata Based Approach for Verification of Information Flow Properties – p.11/14
l-del(L) ⊆N L Any τ of form αcβ in L, no C-events in β αβ belongs to l-del(L) Since l-del(L) ⊆N L, there exists τ ′ =N τ τ ′ as α′β′ L satisfies BSP D
An Automata Based Approach for Verification of Information Flow Properties – p.11/14
How to automate the checking of Language Inclusion?
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
How to automate the checking of Language Inclusion? L(A1) ⊆ L(A2)
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
How to automate the checking of Language Inclusion? L(A1) ⊆ L(A2) Given automata for L, algorithm for constructing automata for op(L)?
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
How to automate the checking of Language Inclusion? L(A1) ⊆ L(A2) Given automata for L, algorithm for constructing automata for op(L)? L
by replacing transitions p
a
− → q, with a ∈ X, in A, by an ǫ-transition p
ǫ
− → q
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
How to automate the checking of Language Inclusion? L(A1) ⊆ L(A2) Given automata for L, algorithm for constructing automata for op(L)? l-del(L) ǫ a a c
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
How to automate the checking of Language Inclusion? L(A1) ⊆ L(A2) Given automata for L, algorithm for constructing automata for op(L)? l-ins(L) c a a c
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
How to automate the checking of Language Inclusion? L(A1) ⊆ L(A2) Given automata for L, algorithm for constructing automata for op(L)? l-ins-admX(L) c
An Automata Based Approach for Verification of Information Flow Properties – p.12/14
Running time is exponential in the number of states of the given finite state transition system 2O(n)
An Automata Based Approach for Verification of Information Flow Properties – p.13/14
Running time is exponential in the number of states of the given finite state transition system 2O(n) Sound and Complete characterisation of Security properties in terms of Language-theoretic Operations
An Automata Based Approach for Verification of Information Flow Properties – p.13/14
Running time is exponential in the number of states of the given finite state transition system 2O(n) Sound and Complete characterisation of Security properties in terms of Language-theoretic Operations Automatically verify trace based information flow properties for finite state systems
An Automata Based Approach for Verification of Information Flow Properties – p.13/14
Running time is exponential in the number of states of the given finite state transition system 2O(n) Sound and Complete characterisation of Security properties in terms of Language-theoretic Operations Automatically verify trace based information flow properties for finite state systems For infinite state systems?
An Automata Based Approach for Verification of Information Flow Properties – p.13/14
Running time is exponential in the number of states of the given finite state transition system 2O(n) Sound and Complete characterisation of Security properties in terms of Language-theoretic Operations Automatically verify trace based information flow properties for finite state systems For infinite state systems? BSPs - Special case of First Order Logic? Decidability?
An Automata Based Approach for Verification of Information Flow Properties – p.13/14
An Automata Based Approach for Verification of Information Flow Properties – p.14/14