Huiqun Yu

2012-01-01

Abstract:In characterizing security,the information flow security models capture more essence than the access control security models.Within the unified framework of security process algebra,this paper describes and formally defines six types of information flow security models and analyzes their relationship of logical implication based on trace semantics.Furthermore,both the verification algorithm and the verification tools are developed for the six information flow security models based on security process algebra.Finally,several examples are presented for their utilization.

WANG Jing-ming,YU Hui-qun

DOI: https://doi.org/10.3969/j.issn.1002-137x.2012.02.013

2012-01-01

Computer Science

Abstract:In characterizing security,non-deducibility security model is more essential and accurate than access control security model.This paper described and formally defined non-deducibility information flow security model based on trace semantics and security process algbra.Furthermore,this paper provided the verification algorithm for non-dedu-cibility security model based on security process algebra and offered the verification tools,whose use was illustrated with several examples.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

黄益民,平玲娣,潘雪增

DOI: https://doi.org/10.3785/j.issn.1008-973x.2001.06.005

2001-01-01

Abstract:After study of existing security models; analysis of information flow model, Bell-LaPadula(BLP) access control model and Biba access control model; and collation and comparison of their advantages and disadvantages, an improved model is put forward that satisfies the actual demands of information security. An implementation strategy is put forward that ensures information security, reliability, practicality and compatibility in the designed security system. An implementation scheme of this security system and its components and functions is provided. This system combines the following functions: mandatory access contro1, privilege separation, security audit, identity authentication and self-protection. It achieves the level 3 of national information security standard and level B1 of TCSEC standard. It was implemented in the Windows NT and Linux operating system and has yielded good resultsin application.

Jianwen Sun,Xiang Long,Yongwang Zhao

DOI: https://doi.org/10.1109/access.2018.2815766

IF: 3.9

2018-01-01

IEEE Access

Abstract:Formal verification of information flow security with dynamic policies of security-critical systems is a grand challenge. This paper presents the first effort to formally specify and verify a capability-based system model with dynamic information flow policies. We build a generic security model with dynamic security policies. In the security model, we define a set of information flow security properties and provide an inference framework for them. Based on the security model, we propose a system model for capability-based secure systems. The system model specifies critical events including system initialization, inter-domain communication, and capability management. We prove information flow security of the capability-based model by an unwinding theorem. Formal specification and security proof are carried out in the Isabelle/HOL theorem prover and could be applied to formally develop and verify the security of capability-based secure systems, such as separation kernels and secure hypervisors. To our knowledge, this is the first machine-checked proof of capability-based information security with dynamic policies.

Cong Sun,Ning Xi,Jinku Li,Qingsong Yao,Jianfeng Ma

DOI: https://doi.org/10.1109/APSEC.2014.60

2014-01-01

Abstract:Information flow security has been considered as a critical requirement on software systems, especially when heterogeneous components from different parties cooperate to achieve end-to-end enforcement on data confidentiality. Enforcing the information flow security properties on complicated systems faces a great challenge because the properties cannot be preserved under composition and most of the current approaches are not scalable enough. To address this problem, there have been several recent efforts on the compositional information flow analyses developed for different abstraction levels. But these approaches have rarely been considered to incorporate with the process of system design. Integrating the security enforcement with the model-based development process can provide the designer with ability to verify information flow security in the early stage of system development. We propose a compositional information flow verification which is integrated with model-based system design in Sys ML by an automated model translation from semi-formal behavior and structure models to interface automata. Our compositional approach is general to support the complex security lattices and a variety of in distinguish ability relations. The evaluation results show the usability of our approach on practical system designs and the scalability of the compositional verification.

Mingsheng Ying,Yuan Feng,Nengkun Yu

DOI: https://doi.org/10.1109/csf.2013.16

2013-01-01

Abstract:Quantum cryptography has been extensively studied in the last twenty years, but information-flow security of quantum computing and communication systems has been almost untouched in the previous research. Due to the essential difference between classical and quantum systems, formal methods developed for classical systems, including probabilistic systems, cannot be directly applied to quantum systems. This paper defines an automata model in which we can rigorously reason about information-flow security of quantum systems. The model is a quantum generalisation of Goguen and Meseguer's noninterference. The unwinding proof technique for quantum noninterference is developed, and a certain compositionality of security for quantum systems is established. The proposed formalism is then used to prove security of access control in quantum systems.

程亮,张阳

DOI: https://doi.org/10.3724/sp.j.1016.2009.00699

2009-01-01

Chinese Journal of Computers

Abstract:As the development of security operating system,the formal analysis and verification of the security models has been one of the hottest topics now.A new method to verify the correctness of security models is proposed in this paper based on the study of predecessors' work,which made use of the Unified Modeling Language(UML) and model checking.This approach first used the UML to specify the security model in the form of finite state machine diagrams and the class diagrams,and then translated these UML diagrams to the input language of model checkers.And it used the model checker to verify the model's correctness or the violation of security properties for the last step.The authors demonstrate the violation of confidentiality of the DBLP and SLCF model by the new approach.

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Chunyan Mu,Guoqiang Li

DOI: https://doi.org/10.1109/prdc53464.2021.00018

2021-01-01

Abstract:This paper presents a formal approach for modelling and reasoning about information flow control in software systems under Hoare and He's Unifying Theories of Programming (UTP). We investigate the problem of integrating information flow control into system design in a unified semantic setting. Our approach can therefore treat information flow analysis and control in various families of specification languages and programming paradigms in a more general way. In addition, we formalise the link between classes of predicates as a paired function which maps set of the predicates from one class into set of the predicates from the other with a concern of flow security preservation. The proposed flow-sensitive combined theories of multiple level classes of predicates can be applied to ensure flow security in different paradigms under stepwise development.

Wang Chunlei,Zhao Gang,Dai Yiqi

DOI: https://doi.org/10.1109/ICCSIT.2009.5234950

2009-01-01

Abstract:This paper proposes a control flow based security analysis approach for binary executables. Through deeply investigating the theory of control flow security, we develop the Control Flow Security Model (CFSM) which includes the formal definitions for program semantics and security properties for control flow. CFSM specifies that program execution dynamically follows only certain paths, in accordance with a statically declared security properties specified as Control Flow Constraint Specification (CFCS). We have proposed an efficient control flow security analysis algorithm for verifying that a particular control flow model satisfies the associated security properties. Our work contributes to bridging the gap between abstract specifications of control flow security properties and actual control flow security analysis for binary executables. The effectiveness and the practical usefulness of the approach are exemplified by an illustrative analysis of heap overflow vulnerability.

Ge Yi,Huang Wenchao,Xiong Yan

DOI: https://doi.org/10.19734/j.issn.1001-3695.2022.08.0446

2023-01-01

Abstract:With the development of formal analysis technology of security protocols, automatic verification using tools has been realized, but modeling still needs to rely on manual modeling by professionals, which is difficult and costly and limits the further spread of formal analysis technology.In order to improve the automation of formal modeling, this paper proposed a scheme of formal assistant modeling based on security protocol code.Firstly, the method used taint analysis to obtain communication processes and record the cryptographic primitive operations.Then, it constructed the protocol communication state machine according to the sequential relationship between communication processes.Finally, it generated a formal model according to the syntax of Tamarin, a mainstream formal analysis tool for security protocols.Experimental results show that this scheme can gene-rate the key parts of the formal model and improves the degree of automation of the formal modeling, which contributes to the spread of formal analysis technology.

Xin-xin Liu,Shao-hua Tang

DOI: https://doi.org/10.3969/j.issn.1000-565X.2013.01.012

2013-01-01

Abstract:In order to implement the formal analysis and verification of the security for automated trust negotiation (ATN), this paper takes the formal analysis methods of security protocols as references and proposes a novel approach to ATN modeling and security verification with the help of the process algebra applied π calculus. In this approach, ATN is formalized as the parallel composition of two processes corresponding to two negotiators, and the process of a negotiator is the static modeling of its certificates and authorization policies. The ATN security is defined as the observational equivalence of the applied π calculus so as to verify not only the security of the authorization policy enforcement but also the privacy of negotiators. With the help of the automatic protocol analyzer ProVerif, the security of ATN is automatically analyzed. Experimental results show that the proposed approach helps to implement automatic security verification with high feasibility and efficiency.

Daniele Bringhenti,Simone Bussa,Riccardo Sisto,Fulvio Valenza

DOI: https://doi.org/10.1109/tnsm.2024.3407159

2024-08-25

IEEE Transactions on Network and Service Management

Abstract:Introducing formal methods in the automatic resolution of network security management problems can guarantee solution correctness, so also boosting human confidence in using automatic techniques. A necessary step to achieve this feature is the definition of formal network models, representing network topology, traffic flows, etc. Each state-of-the-art formal network modeling approach has been proposed and validated only for a specific management problem (e.g., verification of configurations or refinement of policies into configurations). This paper analyzes a possible combination of the most promising state-of-the-art modeling approaches into a unified formal model that can be used by existing automatic resolution algorithms to solve both the verification and the refinement problems, without the need of major changes. The model is flexible enough to allow different aggregation levels of traffic into flows. The paper analyzes two opposite flow aggregation strategies, named Atomic Flows and Maximal Flows, and compares their performance when applied to the two identified security problems.

computer science, information systems

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/uic-atc.2009.44

2009-01-01

Abstract:We propose an approach on model checking information flow for imperative language with procedures. We characterize our model with pushdown system, which has a stack of unbounded length that naturally models the execution of procedural programs. Because the type-based static analysis is sometimes too conservative and rejects safe program as ill-typed, we take a semantic-based approach by self-composing symbolic pushdown system and specifying noninterference with LTL formula. Then we verify this LTL-expressed property via model checker Moped. Except for overcoming the conservative characteristic of type-based approach, our motivation also includes the insufficient state of arts on precise information flow analysis under interprocedural setting. To remedy the inefficiency of model checking compared with type system, we propose both compact form and contracted form of self-composition. According to experimental results, they can greatly increase the efficiency of realistic verification. Our method provides flexibility on separating program abstraction from noninterference verification, thus could be expected to use on different programming languages.

Guoqiang Li,Bochao Liu,Xin Li,Mizuhito Ogawa

2005-01-01

Abstract:Trace analysis, one of the formal methods to verify security protocols, represents every possible runs of the protocols as traces and analyzes whether any unsafe state is reachable. However, the number of states is inflnite because we assume the intruder can generate inflnite messages. In this paper, a typed process calculus inspired by the spi calculus is proposed to model the protocol and the security properties. Then based on the the type information, a parametric system with flnite states is generated and enjoys sound and complete simulation property of the former system.

Katja Tuma,Sven Peldszus,Daniel Strüber,Riccardo Scandariato,Jan Jürjens

DOI: https://doi.org/10.1007/s10270-022-00991-5

2022-03-18

Abstract:Abstract It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated , and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

computer science, software engineering

Yonggen Gu,Yuxi Fu,Yang Li,Xiaoju Dong

DOI: https://doi.org/10.1109/CIT.2005.12

2005-01-01

Abstract:Formal methods have proved useful in the analysis of security protocols. In this paper, we propose a generic model for symbolic analyzing security protocols (GSPM for short) that supports message passing semantics and constructs for modelling the behavior of protocol participants. GSPM is simple, but it is expressive enough to express security protocols and properties in a precise and faithful manner. In order to address that the execution of a protocol generates infinitely many paths, we use symbolic method. Based on GSPM, it is shown how security properties such as confidentiality, authentication, non-repudiation, fairness and anonymity can be described.

GUO Jian-dong,QIN Zhi-guang,ZHENG Min

DOI: https://doi.org/10.3969/j.issn.1001-0548.2008.02.035

2008-01-01

Abstract:In order to construct a secure architecture which possesses enough strictness and practicability using mechanisms of password, log auditing, and authority, a model of security for information system including interface logic, business logic, and abnormal activity detection is proposed in this paper. The working flows and functions of main components of the model are described. At the same time the abnormal activities in an information system are analyzed, and the working methods of abnormal activities detector, a practical format of log data, and the protecting method of log file are introduced as well.

Weiguang Wang,Qingkai Zeng,Aditya P. Mathur

DOI: https://doi.org/10.1109/qsic.2012.34

2012-01-01

Abstract:Formal specification is usually employed to avoid ambiguity of security requirements. However, it is hard to assure correctness of this formal model and its conformance with security implementation. In this paper, a framework combining formal verification and security functional testing is proposed to support the correctness and conformance check procedure. Formal requirements are verified following integrated steps and formulae. Verified specification is used as the basis for security functional test and a test criterion called strict schema coverage is developed to derive tests. The framework is supported by Z specification Based Security Assurance Toolkit (ZBSAT). Empirical results on Chinese Wall Model (CWM) policy and its implementation demonstrate its feasibility. In addition, comparison results of mutation test explore the efficiency of this test approach.