SLIDE 1

Time and Probability based Information Flow Analysis

A. Troina

Introduction
The Model of PTA
Non-interference: Non-deterministic Systems, Timed Systems, Probabilistic Systems
Classifying Properties
Non Deducibility on Composition
A Finer Classification

Time and Probability based Information Flow Analysis

Angelo Troina

Dipartimento di Informatica, Università di Pisa, Italy

Joint work with:

Ruggero Lanotte (University of Insubria at Como)
Andrea Maggiolo Schettini (University of Pisa)

SLIDE 2

Outline

◮ Multilevel Security

◮ Non-Interference [Goguen and Meseguer, 1982]

◮ The Model
  ◮ Probabilistic Timed Automata
  ◮ Weak Bisimulation for Probabilistic Timed Automata

◮ Information Flow Analysis
  ◮ Probabilistic and/or Timed Security Properties

SLIDE 3

Security in Multilevel Systems

◮ General setting: a multilevel system, i.e. a system of interacting agents where every agent is confined to a bounded security level.

◮ Access rules: can be imposed to control direct unwanted transmissions from higher levels to lower levels.

◮ Covert channels: information could be transmitted from higher levels to lower levels by using system side effects.

◮ Aim: to control the whole flow of information.

◮ Non-interference: low level agents are not able to deduce anything about the activity of high level agents.

SLIDE 4

Non-deterministic systems

◮ J. A. Goguen, J. Meseguer: Security Policy and Security Models. Proc. of Symp. on Research in Security and Privacy, IEEE CS Press, 11–20, 1982.

◮ D. McCullough: Noninterference and the Composability of Security Properties. Proc. of Symp. on Research in Security and Privacy, IEEE CS Press, 177–186, 1988.

◮ R. Focardi, R. Gorrieri: A Classification of Security Properties. Journal of Computer Security 3, 5–33, 1995.

SLIDE 5

Timed systems

◮ R. Focardi, R. Gorrieri, F. Martinelli: Information Flow Analysis in a Discrete-Time Process Algebra. Proc. of 13th CSFW, IEEE CS Press, 170–184, 2000.

◮ N. Evans, S. Schneider: Analysing Time Dependent Security Properties in CSP Using PVS. Proc. of Symp. on Research in Computer Security, Springer LNCS 1895, 222–237, 2000.

◮ R. Barbuti, L. Tesei: A Decidable Notion of Timed Non-interference. Fundamenta Informaticae 54, 137–150, 2003.

SLIDE 6

Probabilistic systems

◮ J. W. Gray III: Toward a Mathematical Foundation for Information Flow Security. Journal of Computer Security 1, 255–294, 1992.

◮ A. Aldini, M. Bravetti, R. Gorrieri: A Process-algebraic Approach for the Analysis of Probabilistic Non-interference. Journal of Computer Security 12, 191–245, 2004.

◮ A. Di Pierro, C. Hankin, H. Wiklicky: Approximate Non-Interference. Journal of Computer Security 12, 37–82, 2004.

SLIDE 7

The Model of PTA

A Probabilistic Timed Automaton (PTA) is A = (Σ, X, Q, q0, δ, π).

Figure: a PTA with states q0, q1, q2. From q0 there are two transitions, both enabled when the clock x equals 5: a with probability 1/2 to q1, and b with probability 1/2 to q2.

A configuration of a PTA is a pair s = (q, v), where q ∈ Q is a state, and v is a valuation over X.

SLIDE 8

Weak Bisimulation of Probabilistic Timed Automata

A weak bisimulation is a bisimulation that ignores internal (τ) moves. For a PTA A = (Σ, X, Q, q0, δ, π), a weak bisimulation is an equivalence relation R such that, for all (s, s′) ∈ R and all equivalence classes C of R:

Prob(s, τ*α, C) = Prob(s′, τ*α, C)   ∀α ∈ Σ ∪ {τ} ∪ ℝ>0

Two configurations s, s′ are weakly bisimilar (s ≈ s′) iff (s, s′) ∈ R for some weak bisimulation R.

SLIDE 9

Weak Bisimulation of Probabilistic Timed Automata (2)

Figure: A1 ≈ A2.

A1: states q0, q1, q2; from q0, a with probability 1/2 when x = 5 to q1, and b with probability 1/2 when x = 5 to q2.

A2: states r0, r1, r2; r0 has a τ self-loop with probability 1/3, and from r0, a with probability 1/3 when z = 5 to r1, and b with probability 1/3 when z = 5 to r2.

SLIDE 10

Auxiliary operators for Probabilistic Timed Automata

Given two PTA A1 and A2, a set L ⊆ Σ of synchronization actions and an advancing speed parameter p ∈ ]0, 1[, A1 ||^p_L A2 denotes their parallel composition. The composition is a PTA obtained by normalizing probabilities and hiding the synchronized actions with the τ label.

The restriction of a PTA A with respect to the set of actions L is A \ L, obtained from A by removing the transitions labelled with actions in L and normalizing the remaining probabilities.

The hiding of a PTA A with respect to the set of actions L is A/L, where each transition label a ∈ L is replaced by the label τ.

SLIDE 11

Non-interference

A system S satisfies the Non-interference property (S ∈ NI) if high level agents do not interfere with the observable behavior of the system from the low level point of view:

S ∈ NI ⇔ S/ΣH ≈ S \ ΣH

where ΣH is the set of high level actions. (The observable behavior of the isolated system is bisimilar to the behavior of the system which communicates with high level agents in a manner invisible from the low agent's point of view.)

Proposition. It is decidable to check whether a system S satisfies the NI property.

SLIDE 12

Non-deterministic Non-interference

An example of non-deterministic covert channel.

Figure: A: q0 -h-> q1, q1 -l-> q3, q0 -l′-> q2. A \ ΣH: q0 -l′-> q2. A/ΣH: q0 -τ-> q1, q1 -l-> q3, q0 -l′-> q2.

The high level action h interferes with the observation of the action l. In A \ ΣH the low level agent observes only the execution of l′, whereas in A/ΣH action l may also be observed. A low level agent observing the event l knows that action h has occurred.

SLIDE 13

Timed Non-interference

An example of timing covert channel.

Figure: A: q0 -h-> q1, q1 -l, x = 5-> q3, q0 -l, x = 0-> q2. A \ ΣH: q0 -l, x = 0-> q2. A/ΣH: q0 -τ-> q1, q1 -l, x = 5-> q3, q0 -l, x = 0-> q2.

The high level action h interferes with the time at which the action l is observed. In A \ ΣH the low level agent observes l executed immediately, whereas in A/ΣH l could be observed either immediately or when the clock x reaches value 5. A low level agent observing the event l when clock x has value 5 knows that action h has occurred.

SLIDE 14

Probabilistic Non-interference

Figure: A: q0 -l, p-> q1, q0 -l, q-> q2, q2 -l′-> q4, q0 -l, r-> q3, q3 -h-> q5, q5 -l′-> q6. A \ ΣH: q0 -l, p-> q1, q0 -l, q-> q2, q2 -l′-> q4, q0 -l, r-> q3. A/ΣH: as A, with q3 -τ-> q5 in place of q3 -h-> q5.

A \ ΣH: l is observed with probability p + r, ll′ with probability q. A/ΣH: l is observed with probability p, ll′ with probability r + q.

SLIDE 15

A Classification of Quantitative Security Properties

Let NNI, TNI, PNI and PTNI be the non-interference properties defined for the models of non-deterministic automata, timed automata, probabilistic automata and probabilistic timed automata, respectively. The following implications hold:

◮ A ∈ PNI ⇒ unprob(A) ∈ NNI
◮ A ∈ TNI ⇒ untime(A) ∈ NNI
◮ A ∈ PTNI ⇒ unprob(A) ∈ TNI ∧ untime(A) ∈ PNI.

SLIDE 16

A Classification of Quantitative Security Properties (2)

∃A : A ∉ PTNI ∧ unprob(A) ∈ TNI ∧ untime(A) ∈ PNI

Figure: A: q0 -τ, 1/3-> q1, q1 -l, x = 3-> q3, q0 -τ, 1/3-> q2, q2 -l, x = 4-> q4, q0 -h, 1/3-> q5, q5 -τ, 1/10-> q6, q6 -l, x = 4-> q8, q5 -τ, 9/10-> q7, q7 -l, x = 3-> q9. A \ ΣH: q0 -τ, 1/2-> q1, q1 -l, x = 3-> q3, q0 -τ, 1/2-> q2, q2 -l, x = 4-> q4. A/ΣH: as A, with q0 -τ, 1/3-> q5 in place of q0 -h, 1/3-> q5.

A \ ΣH: l when x = 3 or when x = 4, each with probability 1/2.

A/ΣH: l when x = 3 with probability 19/30, l when x = 4 with probability 11/30.
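The restriction and hiding operators of slide 10, the NI check of slide 11 and the automaton of this slide, as an added Python example (not the authors' code): it transcribes the automaton from the figure, computes the distribution over observable (action, clock value) traces of A \ ΣH and A/ΣH, and compares them. Instead of the paper's weak bisimulation it uses the weaker check of equal observable trace distributions, which weak bisimilarity implies, so a mismatch (as here) already proves the leak; a guard x = n is read as the clock value at which the action is observed, and a transition without a guard is observed at 0.

```python
from collections import defaultdict
from fractions import Fraction as F

# Added example, not the authors' code. A PTA is encoded as a dict
# state -> list of (label, probability, guard, target); `guard` is the clock
# value at which the transition is observed (None = no timing constraint).
TAU = "tau"

def restrict(pta, high):
    """A \\ Sigma_H: drop transitions with a high label, renormalise the rest."""
    out = {}
    for q, edges in pta.items():
        keep = [e for e in edges if e[0] not in high]
        total = sum(e[1] for e in keep)
        out[q] = [(a, p / total, g, t) for a, p, g, t in keep] if total else []
    return out

def hide(pta, high):
    """A / Sigma_H: relabel high transitions as internal tau moves."""
    return {q: [(TAU if a in high else a, p, g, t) for a, p, g, t in edges]
            for q, edges in pta.items()}

def observable(pta, q0):
    """Distribution over observable traces ((label, clock value), ...) of an
    acyclic PTA: tau moves are skipped, a state with no edges ends a trace."""
    dist = defaultdict(F)
    def walk(q, prob, trace):
        edges = pta.get(q, [])
        if not edges:
            dist[trace] += prob
            return
        for a, p, g, t in edges:
            step = trace if a == TAU else trace + ((a, 0 if g is None else g),)
            walk(t, prob * p, step)
    walk(q0, F(1), ())
    return dict(dist)
def leaks(pta, q0, high):
    """True when the low view of A \\ Sigma_H and A / Sigma_H differ (not PTNI)."""
    return observable(restrict(pta, high), q0) != observable(hide(pta, high), q0)
# Slide 16 automaton, transcribed from the figure; h is the only high action.
A16 = {
    "q0": [(TAU, F(1, 3), None, "q1"), (TAU, F(1, 3), None, "q2"), ("h", F(1, 3), None, "q5")],
    "q1": [("l", F(1), 3, "q3")], "q2": [("l", F(1), 4, "q4")],
    "q5": [(TAU, F(1, 10), None, "q6"), (TAU, F(9, 10), None, "q7")],
    "q6": [("l", F(1), 4, "q8")], "q7": [("l", F(1), 3, "q9")],
}
HIGH = {"h"}
print(observable(restrict(A16, HIGH), "q0"))  # l at x = 3 and at x = 4, 1/2 each
print(observable(hide(A16, HIGH), "q0"))      # 19/30 at x = 3, 11/30 at x = 4
print(leaks(A16, "q0", HIGH))                 # True
```

The same functions applied to the slide 14 automaton with symbolic p, q, r replaced by concrete fractions reproduce the p + r versus p split stated there.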

SLIDE 17

A Classification of Quantitative Security Properties (3)

The following diagram summarizes our results.

Figure: Relations among the Non-Interference security properties NNI, PNI, TNI and PTNI.

SLIDE 18

Non Deducibility on Composition

A system S satisfies Non Deducibility on Composition (NDC) if the behavior of the system in isolation is not altered by any of the potential interactions with the high level agents of the external environment. Formally:

S ∈ NDC ⇔ ∀Π ∈ ΓH, ∀p ∈ ]0, 1[, ∀L ⊆ ΣH : S/ΣH ≈ (S ||^p_L Π) \ ΣH

where ΓH is the set of high level agents. (The observable behavior of the isolated system is bisimilar to the behavior of the system communicating with the high level agent Π in a manner invisible from the low agent's point of view.)

Note. Decidability of NDC depends on the possibility of reducing all the high level automata in ΓH to a finite case for the particular automaton S considered.

SLIDE 19

Non Deducibility on Composition (2)

Theorem. S ∈ mNDC ⇒ S ∈ mNI.

Figure: A: q0 -h, 1/2-> q1, q1 -h-> q3, q3 -l-> q4, q0 -l, 1/2-> q2. A \ ΣH: q0 -l-> q2. A/ΣH: q0 -τ, 1/2-> q1, q1 -τ-> q3, q3 -l-> q4, q0 -l, 1/2-> q2. Π: r0 -h-> r1. (A ||^p_L Π) \ ΣH: r0 -τ, 3/4-> r1, r0 -l, 1/4-> r2.

A is PTNI secure, since A/ΣH ≈ A \ ΣH. But A is not PTNDC secure, as (A ||^p_L Π) \ ΣH reaches with probability 3/4 a state where it cannot perform any visible action.

SLIDE 20

A Classification of Quantitative Security Properties (4)

Let NNDC, TNDC, PNDC and PTNDC be the non-deducibility on composition properties defined for the models of non-deterministic automata, timed automata, probabilistic automata and probabilistic timed automata, respectively. The following implication holds: A ∈ PTNDC (PNDC, TNDC, NNDC) ⇒ A ∈ PTNI (PNI, TNI, NNI). Moreover, as for the NI properties, we have that:

◮ A ∈ PNDC ⇒ unprob(A) ∈ NNDC;
◮ A ∈ TNDC ⇒ untime(A) ∈ NNDC;
◮ A ∈ PTNDC ⇒ unprob(A) ∈ TNDC ∧ untime(A) ∈ PNDC.

and that ∃A : A ∉ PTNDC ∧ unprob(A) ∈ TNDC ∧ untime(A) ∈ PNDC.

SLIDE 21

A Classification of Quantitative Security Properties (5)

Figure: Relations among the Non-Interference properties NNI, TNI, PNI, PTNI and the Non Deducibility on Composition properties NNDC, PNDC, TNDC, PTNDC.

SLIDE 22

Observations and Future Work

◮ Introduce an approximated notion of weak bisimulation for PTA.

◮ We can formulate other well known information flow security properties within our framework.

◮ Extend the model with cryptographic primitives in order to analyze security protocols.

◮ Develop an automatic technique to "adjust" insecure systems.

SLIDE 23

Bibliography

[1] R. Lanotte, A. Maggiolo-Schettini, A. Troina: A Classification of Time and/or Probability Dependent Security Properties. Proc. QAPL'05, Elsevier ENTCS, to appear.

[2] R. Lanotte, A. Maggiolo-Schettini, A. Troina: Information Flow Analysis for Probabilistic Timed Automata. Proc. FAST'04, Springer IFIP series 173, pp. 13–27, 2004.

[3] R. Lanotte, A. Maggiolo-Schettini, A. Troina: Weak Bisimulation for Probabilistic Timed Automata and Applications to Security. Proc. SEFM'03, IEEE Computer Society Press, pp. 34–43, 2003.