Yong Huang,Lingdi Ping,Shanping Li,Xuezeng Pan

DOI: https://doi.org/10.4304/jsw.4.1.90-97

2009-01-01

Journal of Software

Abstract:Real-time information flow security properties such as timed noninterference provide assurances that some time dependent information flows may not become possible. However, with transitive noninterference formulation, it is difficult to deal with intransitive flow policies like channel control and secure downgrading of information with time constraints. In this paper, we introduce the notion of trust domain into Timed Secure Process Algebra (tSPA), extending intransitive noninterference to real-time systems. Based on weak timed bisimulation equivalence, some security properties for intransitive flow are reformulated in a realtime setting, in particular one property which is persistent, meaning that if a system is secure then all of its reachable states are secure too. Furthermore, we prove that such persistent intransitive timed property is compositional, which is thus possible to alleviate the state space explosion problem caused by the interleaving of all the possible executions of parallel processes. Finally, we provide one case study showing that it is possible to model and analyze the real-time system through our approach.

Li Jiang,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1007/978-3-540-76788-6_6

2007-01-01

Abstract:Information flow and in particular noninterference ensure that sensitive information does not affect public information. But noninterference is too restrictive: real computing systems sometimes need to dynamically release certain amount of sensitive information. In this paper, we propose a new security property that requires the decision to perform information release have high integrity, and permits low integrity data which comes from untrusted sources to dynamically affect information release by upgrading (or endorsing) its integrity. To control such integrity upgrading, we introduce an endorsement mechanism that takes the form of a local integrity endorsing policy declaration. So the programmer can express more precise ways of endorsing, by specifying the integrity levels from which information may be endorsed. In addition, we show a new type system to enforce the security property.

Lì Jiāng,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1109/cis.2007.58

2007-01-01

Abstract:Language-based information flow security proper- ties such as noninterference ensure confidential data cannot interfere with public data. But in real comput- ing systems sensitive information sometimes needs to be released or to become more confidential. In this paper, we propose a new security property including support for both information release and erasure. Since the property is in the style of strong bisimulation equivalence, it is applicable to multi-threaded pro- grams. To ensure that declassification cannot be ex- ploited to reveal more secret data than intended, our property addresses what information may be released. Moreover, the property guarantees that dynamic up- grading the security label of data due to erasure re- quirement cannot affect the publicly visible behavior.

JIANG Li,CHEN Jian,PING Ling-di,CHEN Xiao-ping

DOI: https://doi.org/10.3785/j.issn.1008-973x.2010.05.004

2010-01-01

Abstract:In multithreaded environment,sensitive information is often deliberately released by many real applications and sometimes information needs to become more confidential. In order to address this situation,a security policy was defined in the style of strong bisimulation equivalence,which can handle both information leaking and erasing. The policy controls what information is released and guarantees that attackers cannot exploit information releasing mechanisms to reveal more sensitive data than intended. Moreover,it ensures that public data after erasing cannot be abused by attackers. Then a secure transforming type system was proposed to enforce the security policy by using the cross-copying technique,which can eliminate internal timing covert channels resulting from the interplay between different threads. The transforming type system can transform an insecure program into a secure one,trying to close information leaks. The secure program has the same structure as the original program and models the same timing behavior. Finally,the soundness of the type system was proved with respect to the operational semantics. Results indicate that if a program can be transformed according to typing rules,the resulting program satisfies the security policy.

Andrea Esposito,Alessandro Aldini,Marco Bernardo,Sabina Rossi

2024-07-18

Abstract:The theory of noninterference supports the analysis of information leakage and the execution of secure computations in multi-level security systems. Classical equivalence-based approaches to noninterference mainly rely on weak bisimulation semantics. We show that this approach is not sufficient to identify potential covert channels in the presence of reversible computations. As illustrated via a database management system example, the activation of backward computations may trigger information flows that are not observable when proceeding in the standard forward direction. To capture the effects of back-and-forth computations, it is necessary to switch to a more expressive semantics, which has been proven to be branching bisimilarity in a previous work by De Nicola, Montanari, and Vaandrager. In this paper we investigate a taxonomy of noninterference properties based on branching bisimilarity along with their preservation and compositionality features, then we compare it with the taxonomy of Focardi and Gorrieri based on weak bisimilarity.

Cryptography and Security

Jane Hillston,Carla Piazza,Sabina Rossi

DOI: https://doi.org/10.4204/EPTCS.276.6

2018-08-27

Abstract:In this paper we present an information flow security property for stochastic, cooperating, processes expressed as terms of the Performance Evaluation Process Algebra (PEPA). We introduce the notion of Persistent Stochastic Non-Interference (PSNI) based on the idea that every state reachable by a process satisfies a basic Stochastic Non-Interference (SNI) property. The structural operational semantics of PEPA allows us to give two characterizations of PSNI: the first involves a single bisimulation-like equivalence check, while the second is formulated in terms of unwinding conditions. The observation equivalence at the base of our definition relies on the notion of lumpability and ensures that, for a secure process P, the steady state probability of observing the system being in a specific state P' is independent from its possible high level interactions.

Performance,Cryptography and Security

Yong Xu,Zheng-Guang Wu,Jian Sun

DOI: https://doi.org/10.1109/tcyb.2021.3090398

IF: 11.8

2023-01-01

IEEE Transactions on Cybernetics

Abstract:This article considers the security-based passivity problem for a class of discrete-time Markov jump systems in the presence of deception attacks, where the deception attacks aim to change the transmitted signal. Considering the impact of deception attacks on network disruption, it causes the existence of time-varying delays in signal transmission inevitably, which makes the controlled system and the controller work asynchronously. The asynchronous control method is employed to overcome the nonsynchronous phenomenon between the system mode and controller mode. On the other hand, to reduce the frequency of data transmission, a resilient asynchronous event-triggered control scheme taking deception attacks into account is designed to save communication resources, and the proposed controller can cover some existing ones as special examples. Moreover, different triggering conditions corresponding to different jumping modes are developed to decide whether state signals should be transferred. A new stability criterion is derived to ensure the passivity of the resultant system although there exist deception attacks. Finally, a simulation example is given to verify the theoretical analysis.

Bruno Montalto

DOI: https://doi.org/10.3929/ethz-a-010349801

Abstract:Security protocols are distributed programs designed to ensure secure communication in a network controlled by an adversary. They are widely used today for securing on-line services such as personal communication and electronic voting. Their design is notoriously error-prone, and a great deal of research has been devoted to their analysis. In this thesis we provide two main contributions towards the automated analysis of such protocols: algorithms for the symbolic analysis of equivalence properties, and a symbolic probabilistic framework for security protocol analysis. We consider the problem of verifying two equivalence properties relevant in protocol analysis: static equivalence and trace equivalence. Both notions model the property that an attacker cannot distinguish between two protocol executions, and they have been used to model security goals such as off-line guessing, electronic voting anonymity, and RFID untraceability. Static equivalence is concerned with an attacker who passively eavesdrop on a network and then tries to distinguish between possible executions by performing off-line computations. Trace equivalence is used in the analysis of security properties against an attacker who may participate actively in protocol execution. We present an efficient decision procedure for static equivalence under equational theories generated by subterm convergent rewriting systems. This class of theories encompasses the most common cryptographic primitives, including symmetric and asymmetric encryption and decryption, hash functions and digital signatures. Our algorithm achieves a better asymptotic complexity than competing algorithms, albeit with a narrower scope. We discuss its implementation in the FAST tool and show that it indeed performs much more efficiently than other existing tools for the same task. We also present a procedure for deciding the trace equivalence of bounded simple processes under equational theories generated by convergent rewriting systems and for which a finitary unification algorithm exists. Although we do not have a termination result, our procedure is correct for the largest class of equational theories handled by any existing procedure for deciding trace equivalence and, together with the work by Cheval et. al [64], it is the only one to handle non-trivial else branches. Finally, we introduce a symbolic probabilistic framework for the analysis of security protocols. Our framework provides a general method for expressing weak-

Computer Science

Taoran Wu,Yiqing Yu,Bican Xia,Ji Wang,Bai Xue

2024-08-03

Abstract:Ensuring safety through set invariance has proven to be a valuable method in various robotics and control applications. This paper introduces a comprehensive framework for the safe probabilistic invariance verification of both discrete- and continuous-time stochastic dynamical systems over an infinite time horizon. The objective is to ascertain the lower and upper bounds of liveness probabilities for a given safe set and set of initial states. The liveness probability signifies the likelihood of the system remaining within the safe set indefinitely, starting from a state in the initial set. To address this problem, we propose optimizations for verifying safe probabilistic invariance in discrete-time and continuous-time stochastic dynamical systems. These optimizations are constructed via either using the Doob's nonnegative supermartingale inequality-based method or relaxing the equations described in [30,32], which can precisely characterize the probability of reaching a target set while avoiding unsafe states. Finally, we demonstrate the effectiveness of these optimizations through several examples using semi-definite programming tools.

Systems and Control

XIE Jun,HUANG Hao

DOI: https://doi.org/10.1360/jos171601

2006-01-01

Journal of Software

Abstract:The noninterference concept for actions of system to information domains is proposed.On the basis of this concept, the noninterference model is extended to nondeterministic systems.The noninterference concept based on actions of system simplifies the "purge" of the action sequence of the system.As a result, this model has concise unwinding conditions which are easy to understand and use.The extended model can be used to verify not only static but also dynamic information flow policies.Finally, a dynamic label based access control model is designed, in which the concrete semantic of the actions such as read, write and execute are defined, and its security is verified by the noninterference model.

Cong Sun,Liyong Tang,Zhong Chen

DOI: https://doi.org/10.1109/infcomw.2011.5928777

2011-01-01

Abstract:Language-based information flow security aims to decide whether an action-observable program can unintentionally leak confidential information if it has the authority to access confidential data. Recent concerns about declassification polices have provided many choices for practical intended information release, but more precise enforcement mechanism for these policies is insufficiently studied. In this paper, we propose a security property on the where-dimension of declassification and present an enforcement based on automated verification. The approach automatically transforms the abstract model with a variant of self-composition, and checks the reachability of illegal-flow state of the model after transformation. The self-composition is equipped with a store-match pattern to reduce the state space and to model the equivalence of declassified expressions in the premise of property. The evaluation shows that our approach is more precise than type-based enforcement.

Yiqing Yu,Taoran Wu,Bican Xia,Ji Wang,Bai Xue

DOI: https://doi.org/10.1109/cdc49753.2023.10383410

2023-01-01

Abstract:Ensuring safety through set invariance has proven a useful method in a variety of applications in robotics and control. In this paper, we focus on the safe probabilistic invariance verification problem for discrete-time dynamical systems subject to stochastic disturbances over the infinite time horizon. Our goal is to compute the lower and upper bounds of the liveness probability for a given safe set and set of initial states. This probability represents the likelihood that the system will remain within the safe set for all time. To address this problem, we draw inspiration from stochastic barrier certificates for safety verification and build upon the findings in [21], where an equation was presented for exact probability analysis. We present two sets of optimizations and demonstrate their effectiveness through two examples, using semi-definite programming tools.

Liu Zhifeng,Zhou Conghua,Ge Yun,Zhang Dong

DOI: https://doi.org/10.12785/amis/070521

2013-01-01

Applied Mathematics & Information Sciences

Abstract:In this paper we propose an automated verification approach to checking intransitive noninterference for deterministic finite state systems. Our approach is based on the counterexamples search verification strategy, and is conducted in gradual manner. It produces counterexamples of minimal length. Further, we reduce the counterexamples search to propositional satisfiability. For the case that there are no counterexamples, we also introduce the window induction proof method in order to avoid considering unnecessary iterations, and show that the induction proof can be performed by the boolean decision procedure. In addition, based on graph-theoretic properties of systems we propose an over-approximation to the length of the smallest counterexample, and the over-approximation can also be checked by the boolean decision procedure.

Jean Quilbeuf,Georgeta Igna,Denis Bytschkow,Harald Ruess

DOI: https://doi.org/10.48550/arXiv.1310.3723

2013-10-14

Abstract:A security policy specifies a security property as the maximal information flow. A distributed system composed of interacting processes implicitly defines an intransitive security policy by repudiating direct information flow between processes that do not exchange messages directly. We show that implicitly defined security policies in distributed systems are enforced, provided that processes run in separation, and possible process communication on a technical platform is restricted to specified message paths of the system. Furthermore, we propose to further restrict the allowable information flow by adding filter functions for controlling which messages may be transmitted between processes, and we prove that locally checking filter functions is sufficient for ensuring global security policies. Altogether, global intransitive security policies are established by means of local verification conditions for the (trusted) processes of the distributed system. Moreover, security policies may be implemented securely on distributed integration platforms which ensure partitioning. We illustrate our results with a smart grid case study, where we use CTL model checking for discharging local verification conditions for each process under consideration.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Bohan Cui,Ziyue Ma,Shaoyuan Li,Xiang Yin

2024-09-10

Abstract:In this paper, we investigate the property verification problem for partially-observed DES from a new perspective. Specifically, we consider the problem setting where the system is observed by two agents independently, each with its own observation. The purpose of the first agent, referred to as the low-level observer, is to infer the actual behavior of the system, while the second, referred to as the high-level observer, aims to infer the knowledge of Agent 1 regarding the system. We present a general notion called the epistemic property capturing the inference from the high-level observer to the low-level observer. A typical instance of this definition is the notion of high-order opacity, which specifies that the intruder does not know that the system knows some critical information. This formalization is very general and supports any user-defined information-state-based knowledge between the two observers. We demonstrate how the general definition of epistemic properties can be applied in different problem settings such as information leakage diagnosis or tactical cooperation without explicit communications. Finally, we provide a systematic approach for the verification of epistemic properties. Particularly, we identify some fragments of epistemic properties that can be verified more efficiently.

Systems and Control

Meriel Stein,Sebastian Elbaum,Lu Feng,Shili Sheng

DOI: https://doi.org/10.48550/arXiv.2012.06615

2020-12-12

Abstract:Invariants are a set of properties over program attributes that are expected to be true during the execution of a program. Since developing those invariants manually can be costly and challenging, there are a myriad of approaches that support automated mining of likely invariants from sources such as program traces. Existing approaches, however, are not equipped to capture the rich states that condition the behavior of autonomous mobile robots, or to manage the uncertainty associated with many variables in these systems. This means that valuable invariants that appear only under specific states remain uncovered. In this work we introduce an approach to infer conditional probabilistic invariants to assist in the characterization of the behavior of such rich stateful, stochastic systems. These probabilistic invariants can encode a family of conditional patterns, are generated using Bayesian inference to leverage observed trace data against priors gleaned from previous experience and expert knowledge, and are ranked based on their surprise value and information content. Our studies on two semi-autonomous mobile robotic systems show how the proposed approach is able to generate valuable and previously hidden stateful invariants.

Robotics,Software Engineering

Tian-ge SI,Zhi-yong TAN,Duo LIU,Yi-qi DAI

DOI: https://doi.org/10.3321/j.issn:0372-2112.2008.11.022

2008-01-01

Tien Tzu Hsueh Pao/Acta Electronica Sinica

Abstract:A noninterference model based on actions for nondeterministic systems was developed to enforce information confidentiality. With redefined noninterference relationship on system actions, information flows depend on actions of both initiators and observers, and can be stopped by allowing actions of initiators and denying the following ones of observers. To show usability of new noninterference relationship and model, an example multilevel security system was designed and a new method was provided to excluding covert channels.

Jianwen Sun,Xiang Long,Yongwang Zhao

DOI: https://doi.org/10.1109/access.2018.2815766

IF: 3.9

2018-01-01

IEEE Access

Abstract:Formal verification of information flow security with dynamic policies of security-critical systems is a grand challenge. This paper presents the first effort to formally specify and verify a capability-based system model with dynamic information flow policies. We build a generic security model with dynamic security policies. In the security model, we define a set of information flow security properties and provide an inference framework for them. Based on the security model, we propose a system model for capability-based secure systems. The system model specifies critical events including system initialization, inter-domain communication, and capability management. We prove information flow security of the capability-based model by an unwinding theorem. Formal specification and security proof are carried out in the Isabelle/HOL theorem prover and could be applied to formally develop and verify the security of capability-based secure systems, such as separation kernels and secure hypervisors. To our knowledge, this is the first machine-checked proof of capability-based information security with dynamic policies.

Rémi Bonnet,Stefan Kiefer,Anthony W. Lin

DOI: https://doi.org/10.48550/arXiv.1401.4130

2014-01-17

Abstract:Basic Parallel Processes (BPPs) are a well-known subclass of Petri Nets. They are the simplest common model of concurrent programs that allows unbounded spawning of processes. In the probabilistic version of BPPs, every process generates other processes according to a probability distribution. We study the decidability and complexity of fundamental qualitative problems over probabilistic BPPs -- in particular reachability with probability 1 of different classes of target sets (e.g. upward-closed sets). Our results concern both the Markov-chain model, where processes are scheduled randomly, and the MDP model, where processes are picked by a scheduler.

Logic in Computer Science

Zhaoqi Wu,Shao-Ming Fei,Xianqing Li-Jost,Lin Zhang

DOI: https://doi.org/10.1007/s10773-019-04228-y

2019-12-09

Abstract:Information transfer in generalized probabilistic theories (GPT) is an important problem. We have dealt with the problem based on repeatability postulate, which generalizes Zurek's result to the GPT framework [Phys. Lett. A \textbf{379} (2015) 2694]. A natural question arises: can we deduce the information transfer result under weaker assumptions? In this paper, we generalize Zurek's result to the framework of GPT using weak repeatability postulate. We show that if distinguishable information can be transferred from a physical system to a series of apparatuses under the weak repeatability postulate in GPT, then the initial states of the physical system must be completely distinguishable. Moreover, after each step of invertible transformation, the composite states of the composite system composed of the physical systems and the apparatuses must also be completely distinguishable.

Quantum Physics