Describing Secure Interfaces with Interface Automata Matias Lee - - PowerPoint PPT Presentation

SLIDE 1

Sections: Interface Structure for Security; Deriving secure ISS; Preserving BSNNI after Composition; Contribution and future works

Describing Secure Interfaces with Interface Automata

Matias Lee Pedro R. D’Argenio

FaMAF - UNC CONICET

FESCA Workshop

Matias Lee, Pedro R. D’Argenio Interface Structure for Security

SLIDE 2

Outline

1. Interface Structure for Security: Interface Automata and Interface Structure for Security; Composition; Bisimulation-based (Strong) Non-deterministic Non-interference
2. Deriving secure ISS: Checking BSNNI; Synthesizing Secure ISS; The algorithm - Example
3. Preserving BSNNI after Composition
4. Contribution and future works



SLIDE 4

Interface Automata (IA)

We use Interface Automata [de Alfaro, Henzinger 2001, 2005] to represent interfaces. For example:

[Figure: the Transaction Service interface automaton, with states s1 to s7 and actions newT?, startT!, endT?, logM!, startM?, endM? and acceptT?]

An IA has three sorts of actions: input, output and hidden. As usual, inputs are suffixed by ? and outputs by !. We indicate hidden actions by the suffix ;.


SLIDE 5

Interface Structure for Security (ISS)

An ISS extends an IA to cope with security. Visible actions are separated into two classes:

  • public or low: can be observed/manipulated by any user
  • private or high: only for users with the appropriate clearance

[Figure: the Transaction Service again, now as an ISS: states s1 to s7, actions newT?, startT!, endT?, logM!, startM?, endM?, acceptT?; high actions are underlined]


SLIDE 6

Why IA and ISS?

Component-based development and design has become the main approach to software development (example: web services). We need a good interface description that allows us to analyze the interaction between components; in this way we can predict whether the composed system satisfies our requirements. IA capture the temporal aspects of a component interface: the framework requires that communication is properly carried out by the interfaces. ISS inherit the properties of IA and also allow us to study properties related to secure data flow.


SLIDE 7

Example:

A distributed transaction processing system (DTPS) with three components:
  • a main server (Transaction Service) that provides a service
  • a remote transaction processing unit (Trans. Processing Unit)
  • a supervisor module (Supervisor)


SLIDE 8

[Figure: the three ISS of the DTPS. Transaction Service: states s1 to s7, actions newT?, startT!, endT?, logM!, startM?, endM?, acceptT?. Trans. Processing Unit: states t1 to t4, actions startT?, k!, nOk!, logF!, endT!. Supervisor: states u1 to u5, actions logF?, mOn?, startM!, logM?, endM!]

SLIDE 9

We are interested in studying how the components work together. Therefore, we need a concept of composition.



SLIDE 11

Composition

IA use a CSP-like parallel composition: the state space is the product of the sets of states of the components; synchronization is through shared actions, i.e. both components perform a transition with the same synchronizing label (one as input, the other as output); transitions with non-shared actions are interleaved. Moreover, shared actions are hidden in the product.


SLIDE 12

[Figure: the product of the three ISS of the DTPS. Its 18 states are s1t1u1, s1t1u2, s4t1u3, s3t3u1, s2t1u1, s4t1u5, s7t1u3, s5t1u3, s3t4u1, s3t2u1, s7t1u4, s6t3u3, s6t2u3, s6t3u4, s6t4u3, s2t1u2, s3t3u2 and s3t4u2. The shared actions are hidden in the product (startT;, endT;, logF;, logM;, startM;, endM;); acceptT?, newT?, mOn?, k! and nOk! stay visible]

SLIDE 13

Error, Incompatible and Compatible states

In state s3t4u2, the TP unit sends a message (logF!) to the Supervisor, which is not ready to receive it. We call this miscommunication. The state s3t4u2 is an error state.

States s3t3u2 and s2t1u2 are incompatible states because they reach an error/incompatible state autonomously (i.e. using only output and/or hidden actions). A state that is not incompatible is called compatible. For example, s1t1u2 is compatible. If the initial state of the product is compatible, then the interfaces are compatible.


SLIDE 14

[Figure: the same product, with the error state s3t4u2 and the logF! output that the TP unit wants to send there highlighted]

SLIDE 15

2nd Step: Avoid reaching incompatible states

If a set of interfaces is compatible, reaching incompatible states in the composition can be avoided by not allowing certain inputs, i.e. by restricting the environment to the inputs that keep the product in compatible states. In this way, we finally obtain the composition of the interfaces.
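The composition procedure of the last five slides (product, error states, incompatible states, removal of the inputs that lead into them), as an added Python example; it is not code from the slides or from the authors. The two automata at the end are constructed toys in the shape of the Trans. Processing Unit and the Supervisor, not the slides' automata, and the function names product, incompatible and compose are this example's own. Composability of the two IA (disjoint output alphabets, no clashing hidden names) is assumed and not checked.

```python
"""Interface Automata composition as on the slides: synchronous product,
error states, incompatible states, and the pruning of the inputs that lead
into incompatible states.  Added example, not code from the original slides.
An IA is (initial state, set of (src, action, dst)) with the slides' suffixes:
"x?" input, "x!" output, "x;" hidden."""


def alphabet(trans, suffix):
    return {a[:-1] for _, a, _ in trans if a.endswith(suffix)}


def enabled(trans, state, action):
    return any(s == state and a == action for s, a, _ in trans)


def product(P, Q):
    """Product of two composable IA: a shared action (input of one, output of
    the other) fires only when both move and becomes hidden; all other actions
    interleave.  Also returns the error states: one side outputs a shared
    action that the other side is not ready to input (miscommunication)."""
    (p0, pt), (q0, qt) = P, Q
    shared = (alphabet(pt, "?") & alphabet(qt, "!")) | (alphabet(pt, "!") & alphabet(qt, "?"))
    trans, errors, seen, todo = set(), set(), {(p0, q0)}, [(p0, q0)]
    while todo:
        p, q = todo.pop()
        moves = set()
        for s, a, t in pt:
            if s != p:
                continue
            if a[:-1] not in shared:
                moves.add((a, (t, q)))
            elif a.endswith("!") and not enabled(qt, q, a[:-1] + "?"):
                errors.add((p, q))
            else:
                moves |= {(a[:-1] + ";", (t, t2)) for s2, b, t2 in qt if s2 == q and b[:-1] == a[:-1]}
        for s, a, t in qt:
            if s != q:
                continue
            if a[:-1] not in shared:
                moves.add((a, (p, t)))
            elif a.endswith("!") and not enabled(pt, p, a[:-1] + "?"):
                errors.add((p, q))
        for a, st in moves:
            trans.add(((p, q), a, st))
            if st not in seen:
                seen.add(st)
                todo.append(st)
    return (p0, q0), trans, errors


def incompatible(trans, errors):
    """Error states plus every state that reaches one autonomously, i.e. by
    output or hidden steps only (the environment can refuse to send inputs)."""
    bad = set(errors)
    grew = True
    while grew:
        grew = False
        for s, a, t in trans:
            if t in bad and s not in bad and not a.endswith("?"):
                bad.add(s)
                grew = True
    return bad


def compose(P, Q):
    """Composition of P and Q, or None when the initial state is incompatible:
    transitions touching incompatible states (the inputs that lead into them)
    are dropped, and the result is cut down to what stays reachable."""
    init, trans, errors = product(P, Q)
    bad = incompatible(trans, errors)
    if init in bad:
        return None
    kept = {(s, a, t) for s, a, t in trans if s not in bad and t not in bad}
    reach, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for x, _, t in kept:
            if x == s and t not in reach:
                reach.add(t)
                todo.append(t)
    return init, {tr for tr in kept if tr[0] in reach}, bad


# Constructed toys (an assumption, shaped like the TP unit and the Supervisor):
# the TP unit logs every transaction to the Supervisor, but the Supervisor is
# not ready for logF? in u2, right after monitoring has been switched on.
TPU = ("t1", {("t1", "startT?", "t2"), ("t2", "logF!", "t3"), ("t3", "endT!", "t1")})
SUP = ("u1", {("u1", "logF?", "u1"), ("u1", "mOn?", "u2"), ("u2", "startM!", "u3"),
              ("u3", "logF?", "u3"), ("u3", "endM!", "u1")})

if __name__ == "__main__":
    init, trans, bad = compose(TPU, SUP)
    print("incompatible states:", bad)      # {('t2', 'u2')}
    for s, a, t in sorted(trans):
        print(f"{s} --{a}--> {t}")
```

On the toys the only error state is (t2, u2): the TP unit wants to output logF! while the Supervisor is in u2. Both transitions into it are inputs (mOn? from (t2, u1) and startT? from (t1, u2)), so nothing reaches it autonomously, the initial state stays compatible, and the composition is the product minus those two inputs and the moves out of (t2, u2).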


SLIDE 16

[Figure: the product again, before the input transitions that lead to incompatible states are removed]

SLIDE 17

[Figure: the composition of the three ISS: the 15 states s1t1u1, s1t1u2, s4t1u3, s3t3u1, s2t1u1, s4t1u5, s7t1u3, s5t1u3, s3t4u1, s3t2u1, s7t1u4, s6t3u3, s6t2u3, s6t3u4 and s6t4u3 remain; the incompatible states s2t1u2, s3t3u2 and s3t4u2 and the inputs leading to them are gone]


SLIDE 19

Motivation

In the previous example, low-level users should not be allowed to know whether they are under supervision, i.e. they should not distinguish the occurrence of high actions. Therefore, for a low-level user, the system should behave in the same way regardless of whether high actions are performed or not ⇒ non-interference. In our setting, the concept of non-interference is formalized by bisimulation-based strong non-deterministic non-interference (BSNNI) and bisimulation-based non-deterministic non-interference (BNNI).


SLIDE 20

BSNNI and BNNI (Focardi, Gorrieri 2001)

S ≈ S′ denotes weak bisimulation between S and S′.
S/X represents the hiding of the actions X in S.
S\X represents the restriction of the actions X in S.

Definition
(i) S is bisimulation-based strong non-deterministic non-interference (BSNNI) if S\Ah ≈ S/Ah.
(ii) S is bisimulation-based non-deterministic non-interference (BNNI) if S\A_{h,I}/A_{h,O} ≈ S/Ah, where A_{h,I} and A_{h,O} are the high inputs and the high outputs.


SLIDE 21

Example: S is BSNNI

[Figure: the Supervisor S (states u1 to u5; logF? is the only low action, mOn?, startM!, logM? and endM! are high), its restriction S\Ah, in which only u1 with its logF? transition remains, and its hiding S/Ah, in which the high actions become mOn;, startM;, logM; and endM;]

S\Ah ≈ S/Ah

SLIDE 22

BSNNI and Composition

Every single ISS component of our example is BSNNI, but... the composed system is not! :'(



SLIDE 24

Algorithm for Checking Bisimulation

A variation of Fernandez and Mounier's algorithm to check bisimulation on the fly. Roughly, it works as follows:
  • the IA are saturated, adding all weak transitions;
  • a full synchronous product is constructed, where transitions synchronize whenever they have the same label;
  • whenever there is a mismatching transition, a new transition is added to the product leading to a special fail state;
  • if reaching a fail state is inevitable (we later define this properly), the IA are not bisimilar;
  • if there is always a way to avoid reaching a fail state, the IA are bisimilar.


SLIDE 25

Consider a simplified version of the composed DTPS:

[Figure: the ISS S with states s1 to s5 and actions acceptT?, newT?, k!, nOk!, mOn? (high) and startM; (hidden)]

SLIDE 26

Checking the simplified DTPS

We first construct the restriction and the hiding of the system:

[Figure: S\Ah, with states s1 and s4 and actions acceptT?, newT?, k!, nOk!; and S/Ah, with states s1 to s5, where mOn? has become the hidden action mOn;]

SLIDE 27

Saturation marking set B (with B = {mOn?})

[Figure: S/Ah, states s1 to s5, with the hidden actions mOn; and startM;]

Actions in B are replaced by ε′, to record that they are high input actions that can be pruned. Other hidden actions are replaced by ε. Saturation adds to every state a self loop labelled ε and ε′ (not depicted). Actions added by the saturation are overlined.

SLIDE 28

Saturation marking set B with B = {mOn?}

After the saturation we obtain this interface:

[Figure: the saturated S/Ah with marking set A_{h,I}: states s1 to s5; mOn; is now ε′ and startM; is ε, and the overlined weak transitions added by the saturation (further acceptT? and newT? transitions) appear]

Note: in the next slides we omit some of the actions added by the saturation process that are redundant.

SLIDE 29

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

The saturated interfaces (with some transitions omitted):

[Figure: saturated S\Ah with states s1, s4 and actions acceptT?, newT?, k!, nOk!; saturated S/Ah with states s1 to s5 and actions acceptT?, newT?, k!, nOk!, ε, ε′]

After saturating both interfaces, we can construct the synchronous product, starting from the initial pair (s1, s1).

SLIDE 30

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

[Figure: the two saturated interfaces as on the previous slide]

The product synchronizes using common actions: from (s1, s1), newT? leads to (s4, s4) and ε′ leads to (s1, s2).

SLIDE 31

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

[Figure: the two saturated interfaces as before]

The process continues adding transitions and new states: the product now has (s1, s1), (s1, s2), (s4, s4) and (s4, s5), with transitions newT?, ε′ and newT?.

SLIDE 32

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

[Figure: the two saturated interfaces as before, and the product with states (s1, s1), (s1, s2), (s1, s3), (s4, s4), (s4, s5)]

Notice that s1 --acceptT?--> s1 in S\Ah, but s3 in S/Ah has no acceptT? transition.

SLIDE 33

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

Therefore, we add a transition to a special state fail:

[Figure: the product with states (s1, s1), (s1, s2), (s1, s3), (s4, s4), (s4, s5) and fail, the last one reached by the unmatched acceptT?]

SLIDE 34

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

The product state (s1, s3) contains a pair of states that are not bisimilar. In this case we say that the state (s1, s3) does not pass the bisimulation test. We let NoPass be the set of pairs of states not passing the bisimulation test. The definition of NoPass is inductive: under some restrictions, it propagates the condition "does not pass the bisimulation test" to predecessor states in the synchronous product.

SLIDE 35

Synchronous Product: S\Ah (marking set ∅) × S/Ah (marking set A_{h,I})

[Figure: the product with states (s1, s1), (s1, s2), (s1, s3), (s4, s4), (s4, s5) and fail]

If the initial state does not pass the bisimulation test, the interfaces are not bisimilar. Otherwise, the interfaces are bisimilar, and then the system is secure. In the example, the interfaces are not bisimilar and hence the system is not secure.


SLIDE 37

Synthesizing Secure ISS

If the system does not pass the bisimulation test, we divide the pairs of states of the synchronous product that do not pass the test into 3 disjoint sets:
  • May states: pairs that may become bisimilar if some particular low input transition is not executed.
  • Fail states: pairs that cannot be turned into bisimilar ones by avoiding input transitions.
  • Undetermined states: all remaining pairs; they may become bisimilar if a high input transition is not executed.


SLIDE 38

May State Example:

[Figure: an ISS S with states s0 to s4 and transitions labelled a!, h!, a! and b?, the last one being s3 --b?--> s4; its restriction S\Ah (states s0, s1; action a!); its hiding S/Ah (h! becomes ε); and the synchronous product S\Ah × S/Ah with states (s0, s0), (s1, s1), (s0, s2), (s0, s3) and fail]

The interface is not secure as a consequence of the transition s3 --b?--> s4. If this transition is forbidden/pruned (i.e., the interface provides fewer services), the resulting ISS is secure. This is the same approach used to avoid miscommunication.

SLIDE 39

Fail State Example:

[Figure: the same S, S\Ah, S/Ah and synchronous product as on the previous slide, except that the last transition is s3 --b!--> s4]

A similar example to the previous one, but now the transition b is an output action. Then the transition cannot be pruned (since it is not controllable), and hence the interface is not "recoverable".

SLIDE 40

Undetermined states (example 1):

[Figure: an ISS S with states s0 to s4 and transitions labelled a!, h!, h′?, a! and b!; its restriction S\Ah (states s0, s1; action a!); its hiding S/Ah with marking set {h′?} (h! becomes ε and h′? becomes ε′); and the synchronous product S\Ah (∅) × S/Ah ({h′?}) with states (s0, s0), (s1, s1), (s0, s2), (s0, s3) and fail]

S is not secure. The only option to recover is the elimination of the transition s2 --h′?--> s3. Then we obtain the following interface, which is not secure either:

[Figure: states s0, s1, s2 with the transitions a! and h!]

SLIDE 41

Undetermined states (example 2):

[Figure: as in example 1, with the additional transition s2 --a!--> s1 in S, and the corresponding S\Ah, S/Ah ({h′?}) and synchronous product S\Ah (∅) × S/Ah ({h′?}) with states (s0, s0), (s1, s1), (s0, s2), (s0, s3) and fail]

If the transition s2 --h′?--> s3 is eliminated, the resulting interface is secure. Notice: this example is the previous one with the new transition s2 --a!--> s1.

[Figure: the resulting interface: states s0, s1, s2 with the transitions a!, h! and a!]

SLIDE 42

May/Fail/Undetermined ISS

The definitions of May/Fail/Undetermined state are inductive. Under some restrictions the property propagates to predecessor states in the synchronous product. If the initial state of the synchronous product is a May (Fail, Undetermined) state, we say that the interface may pass (fails, is undetermined w.r.t.) the bisimulation test.

[Figure: the three synchronous products of the previous examples, each with states (s0, s0), (s1, s1), (s0, s2), (s0, s3) and fail]

SLIDE 43

Main result:

Theorem. If S\Ah (∅) × S/Ah (A_{h,I}) may pass the bisimulation test, then there is a set →χ of low input transitions such that the ISS obtained from S by removing all transitions in →χ is BSNNI.

The set →χ is obtained by computing a succession of sets EC(S) of eliminable candidates: EC(S) contains all (low input) transitions that go from May states to Fail or Undetermined states. The proof is constructive and defines the algorithm.


SLIDE 45

Iteration 1

[Figure: the saturated S\Ah (states s1, s4) and S/Ah (states s1 to s5) of the simplified DTPS, and their synchronous product with states (s1, s1), (s1, s2), (s1, s3), (s4, s4), (s4, s5) and fail]

EC(S) = {s1 --acceptT?--> s1}

SLIDE 46

Iteration 2

[Figure: the interfaces without s1 --acceptT?--> s1 (S\Ah now has only newT? and k!, nOk!; S/Ah keeps the acceptT? loop at s2) and their synchronous product, where the remaining acceptT? leads to fail]

EC(S) = {s2 --acceptT?--> s2}

SLIDE 47

Iteration 3

[Figure: both interfaces without any acceptT? transition and their synchronous product with states (s1, s1), (s1, s2), (s1, s3), (s4, s4), (s4, s5); no fail state is reachable]

We obtain a secure interface! and →χ = {s1 --acceptT?--> s1, s2 --acceptT?--> s2}
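The BSNNI check of slide 20 and the pruning loop of the three iterations above, as an added Python example that is not part of the slides: it builds S\Ah and S/Ah, computes the largest weak bisimulation between them, and, while the check fails, removes one low input transition that has no weak partner in the synchronous product (the slides' transition into fail). The transition relation of the simplified DTPS is reconstructed from the product slides and is an assumption, and every function name is this example's own. The candidate selection is a greedy simplification of the May/Fail/Undetermined classification: it never blames outputs, hidden steps or high inputs, so the May example of slide 38 is repaired, the Fail example of slide 39 is reported as not recoverable, and interfaces whose only fix is removing a high input (slides 40 and 41) are reported as not recoverable as well.

```python
"""BSNNI check and low-input pruning for small Interface Structures for
Security (ISS), in the style of the slides.  Added example, not code from the
slides.  "x?" input, "x!" output, "x;" hidden; high actions are listed explicitly."""
from collections import deque

TAU = ";"   # every hidden action is the same internal step for weak bisimulation


class ISS:
    def __init__(self, init, trans, high):
        self.init, self.high = init, set(high)
        self.trans = {(s, TAU if a.endswith(";") else a, t) for s, a, t in trans}
        self.states = {init} | {s for s, _, _ in self.trans} | {t for _, _, t in self.trans}

    def hide(self, X):      # S/X : the actions in X become internal
        return ISS(self.init, [(s, TAU if a in X else a, t) for s, a, t in self.trans], self.high - X)

    def restrict(self, X):  # S\X : the transitions labelled by X disappear
        return ISS(self.init, [tr for tr in self.trans if tr[1] not in X], self.high - X)

    def succ(self, s):
        return sorted((a, t) for p, a, t in self.trans if p == s)

    def tau_closure(self, s):
        seen, todo = {s}, [s]
        while todo:
            new = {t for a, t in self.succ(todo.pop()) if a == TAU} - seen
            seen |= new
            todo += new
        return seen

    def weak(self, s, a):
        """States reachable by tau* a tau* (just tau* when a is TAU)."""
        pre = self.tau_closure(s)
        if a == TAU:
            return pre
        return {u for p in pre for b, t in self.succ(p) if b == a for u in self.tau_closure(t)}


def weak_bisim(L, R):
    """Largest weak bisimulation between L and R: drop pairs whose moves cannot be matched."""
    rel = {(p, q) for p in L.states for q in R.states}
    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            ok = (all(any((p2, q2) in rel for q2 in R.weak(q, a)) for a, p2 in L.succ(p))
                  and all(any((p2, q2) in rel for p2 in L.weak(p, a)) for a, q2 in R.succ(q)))
            if not ok:
                rel.discard((p, q))
                changed = True
    return rel


def is_bsnni(S):
    """BSNNI (Focardi, Gorrieri): S\\Ah is weakly bisimilar to S/Ah."""
    L, R = S.restrict(S.high), S.hide(S.high)
    return (L.init, R.init) in weak_bisim(L, R)


def eliminable_candidate(S):
    """First low input transition of S with no weak partner in the synchronous
    product of S\\Ah and S/Ah (the slides' transition into fail), or None.  Greedy
    simplification: outputs, hidden steps and high inputs are never blamed."""
    L, R = S.restrict(S.high), S.hide(S.high)
    seen, todo = {(L.init, R.init)}, deque([(L.init, R.init)])
    while todo:
        p, q = todo.popleft()
        # moves of S\Ah answered by S/Ah, then moves of S/Ah answered by S\Ah
        for A, B, x, y, swap in ((L, R, p, q, False), (R, L, q, p, True)):
            for a, x2 in A.succ(x):
                partners = B.weak(y, a)
                if not partners and a.endswith("?") and a not in S.high:
                    return (x, a, x2)
                for y2 in partners:
                    pair = (y2, x2) if swap else (x2, y2)
                    if pair not in seen:
                        seen.add(pair)
                        todo.append(pair)
    return None


def synthesize(S):
    """Prune eliminable low inputs until S is BSNNI; (None, pruned) when none can be blamed."""
    pruned = []
    while not is_bsnni(S):
        c = eliminable_candidate(S)
        if c is None:
            return None, pruned
        pruned.append(c)
        S = ISS(S.init, S.trans - {c}, S.high)
    return S, pruned


# Simplified composed DTPS (slide 25): mOn? is the only high action, startM; is hidden.
# Transitions reconstructed from the product slides: an assumption (e.g. s5 --nOk!--> s1).
DTPS = ISS("s1", [("s1", "acceptT?", "s1"), ("s1", "newT?", "s4"), ("s4", "k!", "s1"),
                  ("s4", "nOk!", "s1"), ("s1", "mOn?", "s2"), ("s2", "acceptT?", "s2"),
                  ("s2", "startM;", "s3"), ("s3", "newT?", "s5"), ("s5", "k!", "s3"),
                  ("s5", "nOk!", "s1")], high={"mOn?"})
```

On DTPS, is_bsnni is false, and synthesize returns the repaired ISS together with the pruned list [s1 --acceptT?--> s1, s2 --acceptT?--> s2], in that order, matching the three iterations above. The May and Fail interfaces of slides 38 and 39 run through the same functions when written as ISS values with h! as their only high action.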


SLIDE 49

The following lemma gives sufficient conditions to ensure that composition leads to secure systems.

Lemma
Let S = (S, A_h^S, A_l^S) and T = (T, A_h^T, A_l^T) be two composable ISS. Define
  S′ = (S, A_h^S − shared(S, T), A_l^S ∪ shared(S, T))
  T′ = (T, A_h^T − shared(S, T), A_l^T ∪ shared(S, T))
If S′ and T′ are BSNNI/BNNI and the product S ⊗ T has no error states, then the composition of S and T is BSNNI/BNNI.


SLIDE 50

Contributions

We extended Interface Automata to cope with security and adapted the definition of non-interference to this context. We designed an algorithm to synthesize a secure interface from a non-secure one whenever possible; the algorithm proceeds by controlling the permitted low input transitions. We give sufficient conditions to ensure that the composition of ISS results in a non-interferent ISS.


SLIDE 51

Future Work

Relax the conditions needed to preserve non-interference under composition. Adapt the concept of refinement of IA to ISS and study its relation to BSNNI and BNNI. Define new notions of "security" for ISS and adapt the results of this work to them.
