Calculated Secure Processes Michael J. Banks Jeremy L. Jacob York - - PowerPoint PPT Presentation

Calculated Secure Processes

Michael J. Banks Jeremy L. Jacob York Doctoral Symposium 4 November 2010

What’s this talk about?

Formal methods are used in software development when the behavioural correctness of systems is paramount. Specification What properties should a system possess? Verification Does a system satisfy its specification? How can we use formal methods to construct secure software?

◮ Confidential (sensitive or valuable) information must be

protected from being disclosed to untrusted users

◮ We aim to guarantee information flow security

Communicating Sequential Processes (CSP)

Background

CSP is a well-known process algebra for specifying systems:

◮ originally due to Hoare; revised by Hoare, Brooks, Roscoe ◮ a process interacts with environment by performing events ◮ process semantics given by a model (traces, failures, . . . )

CSP Notation

a → S engage in event ‘a’, then behave as process S S ⊓ T non-deterministic choice between S and T S ✷ T deterministic choice between S and T S ; T behave as S until it terminates, then behave as T

Users, Observations and Information Flow

A motivational example

Consider the process specification: M (h → l → M) ⊓ (k → Stop) Suppose that:

◮ user Low can observe ‘l’ events only; ◮ Low has complete knowledge of M’s structure; and ◮ Low must be unable to establish if ‘h’ occurs

Question: is M secure?

Users, Observations and Information Flow

A motivational example

Consider the process specification: M (h → l → M) ⊓ (k → Stop)

Question: is M secure?

If Low observes l, it can calculate that M’s trace must be in:

{h, l, h, l, h, h, l, k}

and so Low can infer that (at least one) ‘h’ must have occurred!

The <P, Q> operator

We limit the flow of information to Low by inserting alternative “cover story” behaviours consistent with Low’s observations.

◮ Cover stories represent non-confidential behaviours ◮ Idea: If Low cannot rule out all cover stories, it cannot

establish that any confidential activity has taken place We write <P, Q>, where:

◮ P is a process specifying confidential behaviours ◮ Q is a process specifying cover story behaviours ◮ and Low must be unable to distinguish P from Q

Applying <P, Q> to Processes

The semantics of <P, Q>(S) are defined by algebraic laws.

Law 3 (carry prefix; confidential not applicable)

provided P cannot perform an ‘a’ event:

<P, Q>(a → S) a → <P, Q>(S) Law 4 (extension by cover story)

provided S can behave as X:

<a → X, b → Y>(a → S)

• a → <a → X, b → Y>(S)

✷

b → Y ; <a → X, b → Y>(S “after” X)

Securing M

Continuing the example

Low cannot deduce the occurrence of ‘h’ immediately before ‘l’: P h → l → Skip Q l → Skip Applying the algebraic laws, we calculate M′ = <P, Q>(M): M′ = <P, Q>((h → l → M) ⊓ (k → Stop))

=

• h → l → M′ ✷ l → M′ ⊓ k → Stop

Is M′ secure?

If Low observes l, the trace of M′ must be a member of:

{h, l, h, l, h, h, l, k, l, l, k}

and Low can no longer infer that ‘h’ has occurred.

Verifying Security

with respect to <P, Q>

Applying <P, Q> to a process S yields a secure process with respect to the confidentiality property encoded by P, Q.

Theorem

Given any Low-observation of <P, Q>(S), Low can never establish (with certainty) that a P activity has taken place.

Definition

S is secure (with respect to P, Q) provided <P, Q>(S) = S But adding cover stories may violate functional requirements.

Related Work

Classical notion of information flow security is noninterference:

◮ Low can learn nothing about high-level user’s activities ◮ Often too strong for practical software development! ◮ Our notion of confidentiality is weaker than noninterference

We have not considered factors outside the model:

◮ probability of confidential behaviours, relative to cover stories ◮ timing of events ◮ power consumption

(We need a richer CSP semantic model to reason about these.)

Conclusion

Contribution

◮ An operator for rewriting CSP processes to ensure they

satisfy confidentiality properties

◮ Encoding confidentiality properties via processes is original

Future work

◮ How can application of the operator be automated? ◮ Refinement reduces non-determinism within processes, but

doing so may introduce new sources of information flow!

• Finally. . .

Thanks for listening!

Slides and paper are available at: http://www-users.cs.york.ac.uk/~mbanks/