Information flow safety in multiparty sessions Sara Capecchi, Ilaria - - PowerPoint PPT Presentation



SLIDE 1

Information flow safety in multiparty sessions

Sara Capecchi, Ilaria Castellani and Mariangiola Dezani-Ciancaglini

(TORINO University and INRIA Sophia Antipolis Méditerranée)

Behavioural Types Workshop Lisbon, 19-21 April 2011

SLIDE 2

General goal

Information flow control in multiparty sessions where data may have different security levels.

[Figure: a finite lattice of security levels, with ⊤ at the top, intermediate levels l, l′, … and ⊥ at the bottom]

Levels are assigned to variables and values (v^l, v^l′).

Secure information flow: the send or receive of a value of level l′ can only depend on a receive or test of a value of level l with l ≤ l′.

SLIDE 3

General goal

Information flow control in multiparty sessions, to preserve confidentiality of participant data.

How to prevent / detect information leaks?

  • Security (detection): behavioural property based on observational equivalence / bisimulation
  • Typing (prevention): session type system with security
SLIDE 4

Goal (past)

Information flow control in multiparty sessions, to preserve confidentiality of participant data.

How to prevent / detect information leaks?

  • Security (detection): behavioural property based on observational equivalence / bisimulation
  • Typing (prevention): session type system with security

Done in previous work [CCD & Rezk, CONCUR’10].

SLIDE 5

Goal (present)

Information flow control in multiparty sessions, to preserve confidentiality of participant data.

How to prevent / detect information leaks?

  • Security (detection): behavioural property based on observational equivalence / bisimulation
  • Typing (prevention): session type system with security
  • Safety (detection): induced by a monitored semantics
SLIDE 6

Tracking information leaks

3 ways to prevent / detect information leaks:

  • Safety (local detection): any “semantic leak” is bad
  • Security (global detection): any “global semantic leak”, detectable by observing the overall process, is bad
  • Typability (prevention): any “syntactic leak” is bad

A typical leak:

s[1]?(2, x⊤).s[1]!⟨2, true⊥⟩

SLIDE 7

Tracking information leaks

3 ways to prevent / detect information leaks:

  • Safety (local detection): any “semantic leak” is bad
  • Security (global detection): any “global semantic leak”, detectable by observing the overall process, is bad
  • Typability (prevention): any “syntactic leak” is bad

The typical leak, inside a session initiated on service a:

ν(a)(a[1](α).
s[1]?(2, x⊤).s[1]!⟨2, true⊥⟩
)

SLIDE 8

Tracking information leaks

  • Safety (local detection): any “semantic leak” is bad
  • Security (global detection): any “global semantic leak”, detectable by observing the overall process, is bad
  • Typability (prevention): any “syntactic leak” is bad

Another typical information leak:

s[1]?(2, x⊤). if x⊤ then s[1]!⟨2, true⊥⟩ else s[1]!⟨2, false⊥⟩

SLIDE 9

Tracking information leaks

  • Safety (local detection): any “semantic leak” is bad
  • Security (global detection): any “global semantic leak”, detectable by observing the overall process, is bad
  • Typability (prevention): any “syntactic leak” is bad

Another typical information leak:

s[1]?(2, x⊤). if x⊤ then s[1]!⟨2, true⊥⟩ else s[1]!⟨2, true⊥⟩

SLIDE 10

Relating the three properties

Relationship between the three properties?

  • Safety (local detection): any “semantic leak” is bad
  • Security (global detection): any “global semantic leak”, detectable by observing the overall process, is bad
  • Typability (prevention): any “syntactic leak” is bad

[Diagram: implication arrows between the three properties; two arrows are shown as ⇓ and two are marked “?”]

SLIDE 11

Relating the three properties

Relationship between the three properties?

  • Safety (local detection): any “semantic leak” is bad
  • Security (global detection): any “global semantic leak”, detectable by observing the overall process, is bad
  • Typability (prevention): any “syntactic leak” is bad
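
As an added example that is not part of the slides or of the authors' calculus, the following Python models two of the three views on the three processes above: typability as a static pass over the term, and safety as a monitored execution that stops at a ⊥ send which depends on a ⊤ receive or test. The lattice (frozensets ordered by inclusion, so join is union), the tuple encoding of process terms, the helper names (`typable`, `monitored_run`, `classify`) and the monitor rule are this example's own simplifications; the global security property (bisimulation over the overall process) is not modelled.

```python
# Added example (not from the slides): a toy model of one participant's process
# with security-annotated sends and receives, checked two ways:
#   typable()       -- static check (the "syntactic leak" / typability view)
#   monitored_run() -- execution under a monitor that blocks a send whose level
#                      is below the current context level (the "semantic leak"
#                      / safety view)
# The lattice, the process encoding and the exact monitor rule are this
# example's simplifications, not the paper's definitions.

# Security levels form a finite lattice; here levels are frozensets of tags
# ordered by inclusion, so join is union. BOT and TOP give the two-point case
# used in the slides' examples.
BOT = frozenset()
TOP = frozenset({"secret"})

def leq(l1, l2):
    return l1 <= l2

def join(l1, l2):
    return l1 | l2

# Process terms (one participant, s[1], exchanging with participant 2):
#   ("recv", var, level, cont)    s[1]?(2, var^level).cont
#   ("send", expr, level, cont)   s[1]!<2, expr^level>.cont
#   ("if", var, then, else)       if var then ... else ...
#   ("end",)
# expr is ("lit", value) or ("var", name).

def typable(proc, pc=BOT, env=None):
    """Static check. pc is the join of the levels of every enclosing receive
    and test; a send of level l is accepted only if pc <= l and, when a
    variable is sent, its level is <= l (no explicit flow)."""
    env = {} if env is None else env
    tag = proc[0]
    if tag == "end":
        return True
    if tag == "recv":
        _, var, lvl, cont = proc
        return typable(cont, join(pc, lvl), {**env, var: lvl})
    if tag == "send":
        _, expr, lvl, cont = proc
        if not leq(pc, lvl):
            return False                  # implicit flow via sequencing / branching
        if expr[0] == "var" and not leq(env[expr[1]], lvl):
            return False                  # explicit flow: high value in a low message
        return typable(cont, pc, env)
    if tag == "if":
        _, var, then, els = proc
        pc_branch = join(pc, env[var])    # both branches depend on the test
        return typable(then, pc_branch, env) and typable(els, pc_branch, env)
    raise ValueError(f"unknown term {tag!r}")

def monitored_run(proc, inputs):
    """Run one participant with `inputs` as the values it receives, in order.
    Returns (trace, ok): trace lists the (value, level) pairs actually sent;
    ok is False when the monitor stopped the process at a send whose level is
    below the level of the receives and tests it depends on."""
    pc, env, trace = BOT, {}, []
    queue = list(inputs)
    while True:
        tag = proc[0]
        if tag == "end":
            return trace, True
        if tag == "recv":
            _, var, lvl, proc = proc
            env[var] = (queue.pop(0), lvl)
            pc = join(pc, lvl)            # what follows depends on this receive
        elif tag == "send":
            _, expr, lvl, proc = proc
            value, vlvl = (expr[1], lvl) if expr[0] == "lit" else env[expr[1]]
            if not leq(join(pc, vlvl), lvl):
                return trace, False       # semantic leak: the monitor blocks the send
            trace.append((value, lvl))
        elif tag == "if":
            _, var, then, els = proc
            value, vlvl = env[var]
            pc = join(pc, vlvl)           # the branch taken depends on the tested value
            proc = then if value else els
        else:
            raise ValueError(f"unknown term {tag!r}")

# The slides' three leaks, plus one variant that passes both checks.
SEND_TRUE_LOW = ("send", ("lit", True), BOT, ("end",))
SEND_FALSE_LOW = ("send", ("lit", False), BOT, ("end",))

LEAK_SEQ = ("recv", "x", TOP, SEND_TRUE_LOW)          # s[1]?(2,x^T).s[1]!<2,true^B>
LEAK_IF = ("recv", "x", TOP, ("if", "x", SEND_TRUE_LOW, SEND_FALSE_LOW))
LEAK_IF_SAME = ("recv", "x", TOP, ("if", "x", SEND_TRUE_LOW, SEND_TRUE_LOW))
SAFE_HIGH = ("recv", "x", TOP, ("send", ("var", "x"), TOP, ("end",)))  # forwards x at level T

def classify(proc, inputs):
    """Summarise both checks for one process and one run."""
    trace, ok = monitored_run(proc, inputs)
    return {"typable": typable(proc), "safe_run": ok, "trace": trace}

if __name__ == "__main__":
    for name, proc in [("LEAK_SEQ", LEAK_SEQ), ("LEAK_IF", LEAK_IF),
                       ("LEAK_IF_SAME", LEAK_IF_SAME), ("SAFE_HIGH", SAFE_HIGH)]:
        print(name, classify(proc, [True]))
```

Under this simplified monitor the third process (both branches sending true⊥) is rejected by both checks, because the ⊥ send still follows a ⊤ receive and a ⊤ test, even though the value sent does not vary; whether a behavioural equivalence over the whole process would treat it differently is the kind of distinction between the three properties that the relationship question on these slides concerns.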

SLIDE 12

Multiparty sessions

Multiparty session: activation of an n-ary service a [Honda, Yoshida, Carbone, POPL ’08]

ā[n] | a[1](α1).P1 | · · · | a[n](αn).Pn

initiator ā[n]: starts a new session on service a when there are n suitable participants (n is the arity of the service; 1, …, n are the roles).

SLIDE 13

Security session calculus

SLIDE 14

Syntax: processes

SLIDE 15

Runtime syntax: queues

SLIDE 16

Semantics: configurations

SLIDE 17

Semantics: computational rules

SLIDE 18

Semantics: choice

SLIDE 19

Online medical service

SLIDE 20

Online medical service (ctd)

SLIDE 21

Monitored semantics

SLIDE 22

Monitored semantics rules

SLIDE 23

Monitored semantics rules (ctd)

SLIDE 24

Safety: 1st attempt

SLIDE 25

Safety: definition

SLIDE 26

Security

SLIDE 27

Security (ctd)

SLIDE 28

Main results

SLIDE 29

Main results (ctd)

SLIDE 30

Conclusion and future work

  • Complete the picture by showing typability ⇒ safety [Submitted, full version soon on our web pages]
  • Attach reputation and trust to participants, and possibly use them to refine delegation.
  • Explore monitored semantics with labelled transitions, to return informative error messages to the programmer.