Confidentiality Annotations for Circus Michael J. Banks 20th - - PowerPoint PPT Presentation



slide-1
SLIDE 1

Confidentiality Annotations for Circus

Michael J. Banks 20th October 2011

slide-8
SLIDE 8

Stepwise software development

Diagram: FuncR, verifyF, P0 ⊑F Pi ⊑F Pn (Pi: abstract design, Pn: concrete design), transF, Code; ConfR

⊑F = better functionality (more defined behaviour)

slide-9
SLIDE 9

Working example

Consider a sealed bid auction between Alice and Bob

Functionality requirements
◮ Each person submits a single bid to the system
◮ The person with the larger bid is the winner
◮ If bids are tied, the system chooses the winner

slide-10
SLIDE 10

Formalising the example: functionality

using Circus (Woodcock and Cavalcanti, 2002; Oliveira et al., 2009)

BIDDER ::= Alice | Bob
channel bidAlice, bidBob : N1
channel winner : BIDDER

process Auction   begin
  state ST    [a, b : N]
  BidAlice    bidAlice?n → a := n?
  BidBob      bidBob?n → b := n?
  Submit      (BidAlice ; BidBob) ⊓ (BidBob ; BidAlice)
  Declare     a > b & winner!Alice → Stop
            ✷ a < b & winner!Bob → Stop
            ✷ a = b & (winner!Alice → Stop ⊓ winner!Bob → Stop)
  • Submit ; Declare
end

slide-11
SLIDE 11

Confidentiality

Inference
  user’s knowledge of process design + user’s interaction with process
  ↓
  all process behaviours consistent with interaction

Security
  Must not reveal secret information (what?) to untrusted users (who?)

slide-13
SLIDE 13

Working example

Recall the Auction process

Confidentiality requirements
◮ Values of Bob’s bid over £100 are secret
◮ Identity of first bidder is secret

Does Auction satisfy these requirements?
◮ Informal interpretation is unsatisfactory!

slide-14
SLIDE 14

Confidentiality annotations

Specify an upper bound on user’s inferences about the state

Values of Bob’s bid over £100 are secret:
  BidBob′    bidBob?n → b := n?; b > 100 ⇒ b ≤ 100

Identity of first bidder is secret:
  Submit′′   ( BidAlice ; BidBob ; f := Alice
             ⊓ BidBob ; BidAlice ; f := Bob ) ;
             (f = Alice ⇒ f = Bob) ∧ (f = Bob ⇒ f = Alice)

slide-16
SLIDE 16

Verification

Question: How can we verify that a process is secure?

Problem
◮ Confidentiality annotations are specified locally
◮ But apply to the whole of a process

Solution: Distribute confidentiality annotations throughout a process

slide-17
SLIDE 17

Verifying the example: by intuition

Assume Alice observes bidAlice and winner channels

Bob’s bids over £100 are secret:
◮ Suppose Alice bids > £100, but Bob wins auction
◮ Alice can infer that Bob’s bid > £100
◮ Alice learns the secret

slide-20
SLIDE 20

Verifying the example: formally

Bob’s bids over £100 are secret:

  Q = a = a ∧ (a ≥ b ⇒ a ≥ b) ∧ (a ≤ b ⇒ a ≤ b) ∧ b > 100 ⇒ b ≤ 100

Suppose a > 100 and a < b:

    (a > 100 ∧ a < b) ⇒ Q
  = (a > 100 ∧ a < b) ⇒ (a = a ∧ a ≤ b ∧ b ≤ 100)
  = (a > 100 ∧ a < b) ⇒ (a = a ∧ a ≤ b ∧ b ≤ 100 ∧ a ≤ 100)
  = (a > 100 ∧ a < b) ⇒ false

An inconsistency between functionality and confidentiality!

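The inference model of slide 11, the two annotations of slide 14 and the check carried out on slides 17 and 20 can be exercised mechanically on a finite model of Auction. The Python below is an added example, not code from the slides or from the Circus tooling: it enumerates every run of Auction as a tuple (a, b, first bidder, winner) over a constructed bid domain 0..200 (the slides use N1), groups runs by what Alice observes on bidAlice and winner (the assumption of slide 17), and models each annotation as a predicate over the actual run and an alternative run that Alice must be unable to rule out. All function names, the tuple encoding and the two-run reading of an annotation are this example's own modelling choices.

```python
from collections import defaultdict
from itertools import product

# Constructed finite bid domain so that enumeration is exhaustive (slides: N1).
BIDS = range(0, 201)
THRESHOLD = 100                 # "values of Bob's bid over £100 are secret"
ALICE, BOB = "Alice", "Bob"


def runs():
    """Every complete run of Auction as (a, b, first_bidder, winner).

    Submit chooses the bidding order internally (f of Submit'' records who bid
    first); Declare picks the winner by comparing bids and chooses either
    bidder when they are tied.
    """
    for a, b, first in product(BIDS, BIDS, (ALICE, BOB)):
        if a > b:
            winners = (ALICE,)
        elif a < b:
            winners = (BOB,)
        else:
            winners = (ALICE, BOB)      # internal choice on a tie
        for w in winners:
            yield (a, b, first, w)


def alice_view(run):
    """What Alice observes: only the bidAlice and winner channels."""
    a, _b, _first, winner = run
    return (a, winner)


def consistent_runs(view):
    """Group runs by observation; each entry is 'all process behaviours
    consistent with interaction' for that observation."""
    table = defaultdict(list)
    for run in runs():
        table[view(run)].append(run)
    return table


def violations(view, annotation):
    """Runs on which the annotation fails.

    An annotation (modelling assumption) is a predicate over the actual run
    and an alternative run; it holds when some run the observer cannot
    distinguish from the actual one satisfies it, i.e. the observer's
    inference stays within the stated upper bound.
    """
    table = consistent_runs(view)
    return [actual for actual in runs()
            if not any(annotation(actual, alt) for alt in table[view(actual)])]


def bob_bid_secret(actual, alt):
    """BidBob': b > 100 ⇒ (alternative) b ≤ 100."""
    return actual[1] <= THRESHOLD or alt[1] <= THRESHOLD


def first_bidder_secret(actual, alt):
    """Submit'': (f = Alice ⇒ alt f = Bob) ∧ (f = Bob ⇒ alt f = Alice)."""
    return alt[2] != actual[2]


def check_auction():
    """Violating runs of each annotation under Alice's view."""
    return {
        "bob_bid": violations(alice_view, bob_bid_secret),
        "first_bidder": violations(alice_view, first_bidder_secret),
    }


if __name__ == "__main__":
    result = check_auction()
    bad = result["bob_bid"]
    print(f"Bob's-bid annotation violated on {len(bad)} runs, e.g. {bad[0]}")
    print(f"first-bidder annotation violated on {len(result['first_bidder'])} runs")
```

Every violating run for the Bob's-bid annotation has Alice bidding over 100 and Bob winning, which is exactly the case the slides single out: once Alice sees that outcome, every run consistent with her observation has b > 100. The first-bidder annotation reports no violation under this view, because swapping the order of the two bids never changes what appears on bidAlice or winner.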
slide-22
SLIDE 22

Secure software development

FuncR P0 Pi Pn Code

verifyF

⊑F ⊑F

transF

slide-23
SLIDE 23

Secure software development

FuncR P0 Pi Pn Code

verifyF

⊑F ⊑F

transF

ConfR

slide-24
SLIDE 24

Secure software development

Diagram: FuncR, verifyF, P0 ⊑F Pi ⊑F Pn, transF, Code; ConfR, verifyC

slide-25
SLIDE 25

Secure software development

Diagram: FuncR, verifyF, ConfR, verifyC, P0 Pi Pn (⊑F, ⊑FC), transFC, Code

slide-26
SLIDE 26

Conclusion

Contributions
◮ A novel construct for specifying confidentiality
◮ A method for verifying confidentiality

In the paper
◮ Integrating confidentiality with the Circus semantics
◮ More examples!

slide-27
SLIDE 27

That’s all. . .

Questions?

slide-30
SLIDE 30

Semantics

Confidentiality annotations make a process secure. . .

  a := 1; a = 0 ⇒ a > 0  =  a := 1
  a := 0; a = 0 ⇒ a > 0  =  a := 0; false  =  false

. . . but may make the process impossible to implement

slide-31
SLIDE 31

References

Marcel Oliveira, Ana Cavalcanti, and Jim Woodcock. A UTP semantics for Circus. Formal Aspects of Computing, 21(1):3–32, February 2009. doi: 10.1007/s00165-007-0052-5.

Jim Woodcock and Ana Cavalcanti. The semantics of Circus. In ZB 2002: Formal Specification and Development in Z and B, volume 2272 of Lecture Notes in Computer Science, chapter 10, pages 184–203. Springer Berlin / Heidelberg, 2002. doi: 10.1007/3-540-45648-1_10.