姜励,平玲娣,陈小平,潘雪增,李善平

DOI: https://doi.org/10.3785/j.issn.1008-973x.2008.12.010

2008-01-01

Abstract:The concept of trust domain was introduced into probabilistic secure process algebra(PSPA),and the intransitive noninterference information flow security model was extended to probabilistic systems to implement many important security policies such as secure downgrading of probabilistic information and channel control.Intransitive probabilistic information flow security properties were analyzed based on the probabilistic weak bisimulation equivalence.Intransitive bisimulation strong probabilistic noninterference(I_BSPNI) and intransitive probabilistic bisimulation-based nondeducibility on composition(I_PBNDC) were presented.To expose the potential secure problem that I_PBNDC cannot discover in dynamic context,the persistent I_PBNDC property was proposed,which required that every reachable state of the system must satisfy I_PBNDC.The properties like bisimulation-based nondeducibility on composition are difficult to prove.To overcome this shortcoming,strong I_PBNDC property was defined in terms of unwinding conditions demanding properties of individual actions.Finally,the relations between these properties were given and proved.

Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

Li Jiang,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1007/978-3-540-76788-6_6

2007-01-01

Abstract:Information flow and in particular noninterference ensure that sensitive information does not affect public information. But noninterference is too restrictive: real computing systems sometimes need to dynamically release certain amount of sensitive information. In this paper, we propose a new security property that requires the decision to perform information release have high integrity, and permits low integrity data which comes from untrusted sources to dynamically affect information release by upgrading (or endorsing) its integrity. To control such integrity upgrading, we introduce an endorsement mechanism that takes the form of a local integrity endorsing policy declaration. So the programmer can express more precise ways of endorsing, by specifying the integrity levels from which information may be endorsed. In addition, we show a new type system to enforce the security property.

Jane Hillston,Carla Piazza,Sabina Rossi

DOI: https://doi.org/10.4204/EPTCS.276.6

2018-08-27

Abstract:In this paper we present an information flow security property for stochastic, cooperating, processes expressed as terms of the Performance Evaluation Process Algebra (PEPA). We introduce the notion of Persistent Stochastic Non-Interference (PSNI) based on the idea that every state reachable by a process satisfies a basic Stochastic Non-Interference (SNI) property. The structural operational semantics of PEPA allows us to give two characterizations of PSNI: the first involves a single bisimulation-like equivalence check, while the second is formulated in terms of unwinding conditions. The observation equivalence at the base of our definition relies on the notion of lumpability and ensures that, for a secure process P, the steady state probability of observing the system being in a specific state P' is independent from its possible high level interactions.

Performance,Cryptography and Security

Jianwen Sun,Xiang Long,Yongwang Zhao

DOI: https://doi.org/10.1109/access.2018.2815766

IF: 3.9

2018-01-01

IEEE Access

Abstract:Formal verification of information flow security with dynamic policies of security-critical systems is a grand challenge. This paper presents the first effort to formally specify and verify a capability-based system model with dynamic information flow policies. We build a generic security model with dynamic security policies. In the security model, we define a set of information flow security properties and provide an inference framework for them. Based on the security model, we propose a system model for capability-based secure systems. The system model specifies critical events including system initialization, inter-domain communication, and capability management. We prove information flow security of the capability-based model by an unwinding theorem. Formal specification and security proof are carried out in the Isabelle/HOL theorem prover and could be applied to formally develop and verify the security of capability-based secure systems, such as separation kernels and secure hypervisors. To our knowledge, this is the first machine-checked proof of capability-based information security with dynamic policies.

Yang Liu,Jinde Cao,Liqing Wang,Zheng-Guang Wu

DOI: https://doi.org/10.1007/s11432-018-9575-4

2019-01-01

Science China Information Sciences

Abstract:Dear editor, Boolean networks (BNs) were introduced by Kauffman [1] to model complex and nonlinear biological systems.They have become a powerful tool for describing, analyzing, and simulating gene regulatory networks [2].Probabilistic Boolean networks (PBNs) were proposed by Shmulevich et al.[3] as an extension of BNs.A PBN is a family of BNs, where at each discrete time point, the gene state transitions with respect to the rule of one BN.The rule for updating each gene is chosen randomly among several possible rules according to a fixed probability distribution.Semi-tensor product matrices have a wide range of applications in many subjects, for example, singular feedback shift registers [4], game theory [5], and PBNs (PBCNs) [6-8].

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Spandan Das,Pavithra Prabhakar

2023-03-29

Abstract:In this paper, we consider the problem of probabilistic stability analysis of a subclass of Stochastic Hybrid Systems, namely, Polyhedral Probabilistic Hybrid Systems (PPHS), where the flow dynamics is given by a polyhedral inclusion, the discrete switching between modes happens probabilistically at the boundaries of their invariant regions and the continuous state is not reset during switching. We present an abstraction-based analysis framework that consists of constructing a finite Markov Decision Processes (MDP) such that verification of certain property on the finite MDP ensures the satisfaction of probabilistic stability on the PPHS. Further, we present a polynomial-time algorithm for verifying the corresponding property on the MDP. Our experimental analysis demonstrates the feasibility of the approach in successfully verifying probabilistic stability on PPHS of various dimensions and sizes.

Artificial Intelligence,Systems and Control

Tjitze Rienstra,Matthias Thimm,Beishui Liao,Leendert van der Torre

2018-01-01

Abstract:In this paper we introduce a new set of general principles for probabilistic abstract argumentation. The main principle is a probabilistic analogue of SCC decomposability, which ensures that the probabilistic evaluation of an argumentation framework complies with the probabilistic (in)dependencies implied by the graph topology. We introduce various examples of probabilistic semantics and determine which principles they satisfy. Our work also provides new insights into the relationship between abstract argumentation and the theory of Bayesian networks.

Sean Weerakkody,Bruno Sinopoli,Soummya Kar,Anupam Datta

DOI: https://doi.org/10.48550/arXiv.1603.05710

2016-03-18

Abstract:This paper considers the development of information flow analyses to support resilient design and active detection of adversaries in cyber physical systems (CPS). The area of CPS security, though well studied, suffers from fragmentation. In this paper, we consider control systems as an abstraction of CPS. Here, we extend the notion of information flow analysis, a well established set of methods developed in software security, to obtain a unified framework that captures and extends system theoretic results in control system security. In particular, we propose the Kullback Liebler (KL) divergence as a causal measure of information flow, which quantifies the effect of adversarial inputs on sensor outputs. We show that the proposed measure characterizes the resilience of control systems to specific attack strategies by relating the KL divergence to optimal detection techniques. We then relate information flows to stealthy attack scenarios where an adversary can bypass detection. Finally, this article examines active detection mechanisms where a defender intelligently manipulates control inputs or the system itself in order to elicit information flows from an attacker's malicious behavior. In all previous cases, we demonstrate an ability to investigate and extend existing results by utilizing the proposed information flow analyses.

Systems and Control

Bas van den Heuvel,Farzaneh Derakhshan,Stephanie Balzer

2024-07-02

Abstract:Protection of confidential data is an important security consideration of today's applications. Of particular concern is to guard against unintentional leakage to a (malicious) observer, who may interact with the program and draw inference from made observations. Information flow control (IFC) type systems address this concern by statically ruling out such leakage. This paper contributes an IFC type system for message-passing concurrent programs, the computational model of choice for many of today's applications such as cloud computing and IoT applications. Such applications typically either implicitly or explicitly codify protocols according to which message exchange must happen, and to statically ensure protocol safety, behavioral type systems such as session types can be used. This paper marries IFC with session typing and contributes over prior work in the following regards: (1) support of realistic cyclic process networks as opposed to the restriction to tree-shaped networks, (2) more permissive, yet entirely secure, IFC control, exploiting cyclic process networks, and (3) considering deadlocks as another form of side channel, and asserting deadlock-sensitive noninterference (DSNI) for well-typed programs. To prove DSNI, the paper develops a novel logical relation that accounts for cyclic process networks. The logical relation is rooted in linear logic, but drops the tree-topology restriction imposed by prior work.

Logic in Computer Science

R. U. I. LI,Q. Zhang,T. I. A. N. G. U. A. N. G. Chu

DOI: https://doi.org/10.1137/21m1463471

IF: 2.2

2022-01-01

SIAM Journal on Control and Optimization

Abstract:A probabilistic Boolean network (PBN) is a collection of Boolean networks endowed with a probability structure describing the likelihood with which a constituent network is active at each time step. This paper proposes a definition of bisimulation for PBNs. The notion is inspired by the analogous notions for probabilistic chains and for stochastic linear systems. Necessary and sufficient conditions to check the proposed notion are derived, model reduction of PBNs via bisimula-tion is addressed, and a discussion on the use of probabilistic bisimulation for optimal control design is given. The present results extend the theory of bisimulation known for deterministic Boolean networks to a stochastic setting.

Ashish Kapoor,Debadeepta Dey,Shital Shah

DOI: https://doi.org/10.48550/arXiv.1610.05376

2016-10-18

Abstract:Achieving safe control under uncertainty is a key problem that needs to be tackled for enabling real-world autonomous robots and cyber-physical systems. This paper introduces Probabilistic Safety Programs (PSP) that embed both the uncertainty in the environment as well as invariants that determine safety parameters. The goal of these PSPs is to evaluate future actions or trajectories and determine how likely it is that the system will stay safe under uncertainty. We propose to perform these evaluations by first compiling the PSP to a graphical model then using a fast variational inference algorithm. We highlight the efficacy of the framework on the task of safe control of quadrotors and autonomous vehicles in dynamic environments.

Robotics

Marco Eilers,Thibault Dardinier,Peter Müller

DOI: https://doi.org/10.48550/arXiv.2211.08459

2023-04-12

Abstract:Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information flow security is especially challenging for concurrent programs, where operations on secret data may influence the execution time of a thread and, thereby, the interleaving between different threads. Such internal timing channels may affect the observable outcome of a program even if an attacker does not observe execution times. Existing verification techniques for information flow security in concurrent programs attempt to prove that secret data does not influence the relative timing of threads. However, these techniques are often restrictive (for instance because they disallow branching on secret data) and make strong assumptions about the execution platform (ignoring caching, processor instructions with data-dependent runtime, and other common features that affect execution time). In this paper, we present a novel verification technique for secure information flow in concurrent programs that lifts these restrictions and does not make any assumptions about timing behavior. The key idea is to prove that all mutating operations performed on shared data commute, such that different thread interleavings do not influence its final value. Crucially, commutativity is required only for an abstraction of the shared data that contains the information that will be leaked to a public output. Abstract commutativity is satisfied by many more operations than standard commutativity, which makes our technique widely applicable. We formalize our technique in CommCSL, a relational concurrent separation logic with support for commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We implemented CommCSL in HyperViper, an automated verifier based on the Viper verification infrastructure, and demonstrate its ability to verify challenging examples.

Cryptography and Security,Programming Languages

Ethan Cecchetti,Andrew C. Myers,Owen Arden

DOI: https://doi.org/10.1145/3133956.3134054

2017-09-01

Abstract:Noninterference is a popular semantic security condition because it offers strong end-to-end guarantees, it is inherently compositional, and it can be enforced using a simple security type system. Unfortunately, it is too restrictive for real systems. Mechanisms for downgrading information are needed to capture real-world security requirements, but downgrading eliminates the strong compositional security guarantees of noninterference. We introduce nonmalleable information flow, a new formal security condition that generalizes noninterference to permit controlled downgrading of both confidentiality and integrity. While previous work on robust declassification prevents adversaries from exploiting the downgrading of confidentiality, our key insight is transparent endorsement, a mechanism for downgrading integrity while defending against adversarial exploitation. Robust declassification appeared to break the duality of confidentiality and integrity by making confidentiality depend on integrity, but transparent endorsement makes integrity depend on confidentiality, restoring this duality. We show how to extend a security-typed programming language with transparent endorsement and prove that this static type system enforces nonmalleable information flow, a new security property that subsumes robust declassification and transparent endorsement. Finally, we describe an implementation of this type system in the context of Flame, a flow-limited authorization plugin for the Glasgow Haskell Compiler.

Cryptography and Security,Programming Languages

Sari Haj Hussein

DOI: https://doi.org/10.48550/arXiv.1206.5487

2012-06-24

Cryptography and Security

Abstract:Dempster-Shafer theory of imprecise probabilities has proved useful to incorporate both nonspecificity and conflict uncertainties in an inference mechanism. The traditional Bayesian approach cannot differentiate between the two, and is unable to handle non-specific, ambiguous, and conflicting information without making strong assumptions. This paper presents a generalization of a recent Bayesian-based method of quantifying information flow in Dempster-Shafer theory. The generalization concretely enhances the original method removing all its weaknesses that are highlighted in this paper. In so many words, our generalized method can handle any number of secret inputs to a program, it enables the capturing of an attacker's beliefs in all kinds of sets (singleton or not), and it supports a new and precise quantitative information flow measure whose reported flow results are plausible in that they are bounded by the size of a program's secret input, and can be easily associated with the exhaustive search effort needed to uncover a program's secret information, unlike the results reported by the original metric.

Martín Ochoa,Sebastian Banescu,Cynthia Disenfeld,Gilles Barthe,Vijay Ganesh

DOI: https://doi.org/10.48550/arXiv.1701.06743

2017-02-17

Abstract:Despite numerous countermeasures proposed by practitioners and researchers, remote control-flow alteration of programs with memory-safety vulnerabilities continues to be a realistic threat. Guaranteeing that complex software is completely free of memory-safety vulnerabilities is extremely expensive. Probabilistic countermeasures that depend on random secret keys are interesting, because they are an inexpensive way to raise the bar for attackers who aim to exploit memory-safety vulnerabilities. Moreover, some countermeasures even support legacy systems. However, it is unclear how to quantify and compare the effectiveness of different probabilistic countermeasures or combinations of such countermeasures. In this paper we propose a methodology to rigorously derive security bounds for probabilistic countermeasures. We argue that by representing security notions in this setting as events in probabilistic games, similarly as done with cryptographic security definitions, concrete and asymptotic guarantees can be obtained against realistic attackers. These guarantees shed light on the effectiveness of single countermeasures and their composition and allow practitioners to more precisely gauge the risk of an attack.

Cryptography and Security

Borzoo Bonakdarpour,Yu Wang,S. Nalluri,Miroslav Pajic

DOI: https://doi.org/10.1109/CSF51468.2021.00009

2019-10-27

Abstract:Hyperproperties have shown to be a powerful tool for expressing and reasoning about information-flow security policies. In this paper, we investigate the problem of statistical model checking (SMC) for hyperproperties. Unlike exhaustive model checking, SMC works based on drawing samples from the system at hand and evaluate the specification with statistical confidence. The main benefit of applying SMC over exhaustive techniques is its efficiency and scalability. To reason about probabilistic hyperproperties, we first propose the temporal logic HyperPCTL* that extends PCTL* and HyperPCTL. We show that HyperPCTL* can express important probabilistic information-flow security policies that cannot be expressed with HyperPCTL. Then, we introduce SMC algorithms for verifying HyperPCTL* formulas on discrete-time Markov chains, based on sequential probability ratio tests (SPRT) with a new notion of multidimensional indifference region. Our SMC algorithms can handle both non-nested and nested probability operators for any desired significance level. To show the effectiveness of our technique, we evaluate our SMC algorithms on four case studies focused on information security: timing side-channel vulnerability in encryption, probabilistic anonymity in dining cryptographers, probabilistic noninterference of parallel programs, and the performance of a randomized cache replacement policy that acts as a countermeasure against cache flush attacks.

Mathematics,Computer Science

Mingsheng Ying,Yuan Feng,Nengkun Yu

DOI: https://doi.org/10.1109/csf.2013.16

2013-01-01

Abstract:Quantum cryptography has been extensively studied in the last twenty years, but information-flow security of quantum computing and communication systems has been almost untouched in the previous research. Due to the essential difference between classical and quantum systems, formal methods developed for classical systems, including probabilistic systems, cannot be directly applied to quantum systems. This paper defines an automata model in which we can rigorously reason about information-flow security of quantum systems. The model is a quantum generalisation of Goguen and Meseguer's noninterference. The unwinding proof technique for quantum noninterference is developed, and a certain compositionality of security for quantum systems is established. The proposed formalism is then used to prove security of access control in quantum systems.

Rui Li,Qi Zhang,Jianlei Zhang,Tianguang Chu

DOI: https://doi.org/10.1016/j.sysconle.2021.105001

IF: 2.742

2021-01-01

Systems & Control Letters

Abstract:A probabilistic Boolean network (PBN) is a discrete network composed of a family of Boolean networks together with a set of probabilities governing the selection of a Boolean network at each time step. We introduce in this paper a novel observability problem for PBNs. Specifically, we assume that the values of the initial state of the PBN are not known with certainty, but can be described by probability distributions. We ask ourselves under which conditions it is possible to uniquely determine the probability distribution of initial states when giving only knowledge of the evolution of the probability distributions of network outputs. We propose a complete answer to this problem using a linear algebra approach. Several examples, both artificial and real-world, are given and illustrate the viability of the proposed theoretical results.