Ezio Bartocci,Thomas A. Henzinger,Dejan Nickovic,Ana Oliveira da Costa

2024-06-20

Abstract:Information-flow interfaces is a formalism recently proposed for specifying, composing, and refining system-wide security requirements. In this work, we show how the widely used concept of security lattices provides a natural semantic interpretation for information-flow interfaces.

Formal Languages and Automata Theory

Li Jiang,Lingdi Ping,Xuezeng Pan

DOI: https://doi.org/10.1007/978-3-540-76788-6_6

2007-01-01

Abstract:Information flow and in particular noninterference ensure that sensitive information does not affect public information. But noninterference is too restrictive: real computing systems sometimes need to dynamically release certain amount of sensitive information. In this paper, we propose a new security property that requires the decision to perform information release have high integrity, and permits low integrity data which comes from untrusted sources to dynamically affect information release by upgrading (or endorsing) its integrity. To control such integrity upgrading, we introduce an endorsement mechanism that takes the form of a local integrity endorsing policy declaration. So the programmer can express more precise ways of endorsing, by specifying the integrity levels from which information may be endorsed. In addition, we show a new type system to enforce the security property.

Albert Benveniste,Benoît Caillaud,Dejan Nickovic,Roberto Passerone,Jean-Baptiste Raclet,Philipp Reinkemeier,Alberto Sangiovanni-Vincentelli,Werner Damm,Thomas A. Henzinger,Kim G. Larsen

DOI: https://doi.org/10.1561/1000000053

2018-01-01

Foundations and Trends® in Electronic Design Automation

Abstract:Recently, contract-based design has been proposed as an “orthogonal” approach that complements system design methodologies proposed so far to cope with the complexity of system design. Contract-based design provides a rigorous scaffolding for verification, analysis, abstraction/refinement, and even synthesis. A number of results have been obtained in this domain but a unified treatment of the topic that can help put contract-based design in perspective was missing. This monograph intends to provide such a treatment where contracts are precisely defined and characterized so that they can be used in design methodologies with no ambiguity. In particular, this monograph identifies the essence of complex system design using contracts through a mathematical “meta-theory”, where all the properties of the methodology are derived from a very abstract and generic notion of contract. We show that the meta-theory provides deep and illuminating links with existing contract and interface theories, as well as guidelines for designing new theories. Our study encompasses contracts for both software and systems, with emphasis on the latter. We illustrate the use of contracts with two examples: requirement engineering for a parking garage management, and the development of contracts for timing and scheduling in the context of the AUTOSAR methodology in use in the automotive sector.

Cong Sun,Ning Xi,Jinku Li,Qingsong Yao,Jianfeng Ma

DOI: https://doi.org/10.1109/APSEC.2014.60

2014-01-01

Abstract:Information flow security has been considered as a critical requirement on software systems, especially when heterogeneous components from different parties cooperate to achieve end-to-end enforcement on data confidentiality. Enforcing the information flow security properties on complicated systems faces a great challenge because the properties cannot be preserved under composition and most of the current approaches are not scalable enough. To address this problem, there have been several recent efforts on the compositional information flow analyses developed for different abstraction levels. But these approaches have rarely been considered to incorporate with the process of system design. Integrating the security enforcement with the model-based development process can provide the designer with ability to verify information flow security in the early stage of system development. We propose a compositional information flow verification which is integrated with model-based system design in Sys ML by an automated model translation from semi-formal behavior and structure models to interface automata. Our compositional approach is general to support the complex security lattices and a variety of in distinguish ability relations. The evaluation results show the usability of our approach on practical system designs and the scalability of the compositional verification.

Sebastian S. Bauer,Rolf Hennicker,Stephan Janisch

DOI: https://doi.org/10.48550/arXiv.1101.4731

2011-01-25

Software Engineering

Abstract:Interface specifications play an important role in component-based software development. An interface theory is a formal framework supporting composition, refinement and compatibility of interface specifications. We present different interface theories which use modal I/O-transition systems as their underlying domain for interface specifications: synchronous interface theories, which employ a synchronous communication schema, as well as a novel interface theory for asynchronous communication where components communicate via FIFO-buffers.

Iulia Bastys,Frank Piessens,Andrei Sabelfeld

DOI: https://doi.org/10.1145/3264820.3264824

2018-01-15

Abstract:Recent years have seen a proliferation of research on information flow control. While the progress has been tremendous, it has also given birth to a bewildering breed of concepts, policies, conditions, and enforcement mechanisms. Thus, when designing information flow controls for a new application domain, the designer is confronted with two basic questions: (i) What is the right security characterization for a new application domain? and (ii) What is the right enforcement mechanism for a new application domain? This paper puts forward six informal principles for designing information flow security definitions and enforcement mechanisms: attacker-driven security, trust-aware enforcement, separation of policy annotations and code, language-independence, justified abstraction, and permissiveness. We particularly highlight the core principles of attacker-driven security and trust-aware enforcement, giving us a rationale for deliberating over soundness vs. soundiness. The principles contribute to roadmapping the state of the art in information flow security, weeding out inconsistencies from the folklore, and providing a rationale for designing information flow characterizations and enforcement mechanisms for new application domains.

B. Meyer

DOI: https://doi.org/10.1109/2.161279

1992-10-01

Computer

Abstract:Methodological guidelines for object-oriented software construction that improve the reliability of the resulting software systems are presented. It is shown that the object-oriented techniques rely on the theory of design by contract, which underlies the design of the Eiffel analysis, design, and programming language and of the supporting libraries, from which a number of examples are drawn. The theory of contract design and the role of assertions in that theory are discussed.<>

computer science, software engineering, hardware & architecture

Chunyan Mu,Guoqiang Li

DOI: https://doi.org/10.1109/prdc53464.2021.00018

2021-01-01

Abstract:This paper presents a formal approach for modelling and reasoning about information flow control in software systems under Hoare and He's Unifying Theories of Programming (UTP). We investigate the problem of integrating information flow control into system design in a unified semantic setting. Our approach can therefore treat information flow analysis and control in various families of specification languages and programming paradigms in a more general way. In addition, we formalise the link between classes of predicates as a paired function which maps set of the predicates from one class into set of the predicates from the other with a concern of flow security preservation. The proposed flow-sensitive combined theories of multiple level classes of predicates can be applied to ensure flow security in different paradigms under stepwise development.

Oldrich Faldik,Richard Payne,John Fitzgerald,Barbora Buhnova

DOI: https://doi.org/10.4204/EPTCS.245.1

2017-03-21

Abstract:A key challenge in System of Systems (SoS) engineering is the analysis and maintenance of global properties under SoS evolution, and the integration of new constituent elements. There is a need to model the constituent systems composing a SoS in order to allow the analysis of emergent behaviours at the SoS boundary. The Contract pattern allows the engineer to specify constrained behaviours to which constituent systems are required to conform in order to be a part of the SoS. However, the Contract pattern faces some limitations in terms of its accessibility and suitability for verifying contract compatibility. To address these deficiencies, we propose the enrichment of the Contract pattern, which hitherto has been defined using SysML and the COMPASS Modelling Language (CML), by utilising SysML and Object Constraint Language (OCL). In addition, we examine the potential of interface automata, a notation for improving loose coupling between interfaces of constituent systems defined according to the contract, as a means of enabling the verification of contract compatibility. The approach is demonstrated using a case study in audio/video content streaming.

Software Engineering,Formal Languages and Automata Theory

Sun Cong,Xi Ning,Gao Sheng,Zhang Tao,Li Jinku,Ma Jianfeng

DOI: https://doi.org/10.7544/issn1000-1239.2015.20140306

2015-01-01

Journal of Computer Research and Development

Abstract:In the design and implementation of complicated component‐based softwares ,the security requirements on the whole system are hard to achieve due to the difficulty on enforcing the compositionality of the security properties .The specification and verification of security properties are the critical issues in the development of component‐based softwares .In this paper ,we focus on the generalization on the security lattice over the information flow security properties enforceable on the component‐based softwares .The previous definitions of the information flow security properties in the component‐based design are restricted on the binary security lattice model .In this work ,we extend the interface structure for security to the generalized interface structure for security (GISS ) . We define a refinement relation and use this relation to give a non‐interference definition (SME‐NI) based on the principle of secure multi‐execution .This is the first application of secure multi‐execution on the information flow security verification of component‐based systems . The new definition of non‐interference can be adapted to any finite security lattice models .The Coq proof assistant is used to implement the certified library for interface automata , as well as the decision procedure for the refinement relation .The experimental results show the characteristics of SME‐NI and the validity of decision procedure .

Cong Sun,Ennan Zhai,Zhong Chen,Jianfeng Ma

DOI: https://doi.org/10.1007/978-3-642-25243-3_28

2011-01-01

Abstract:Interactive/Reactive computational model is known to be proper abstraction of many pervasively used systems, such as clientside web-based applications. The critical task of information flow control mechanisms aims to determine whether the interactive program can guarantee the confidentiality of secret data. We propose an efficient and flow-sensitive static analysis to enforce information flow policy on program with interactive I/Os. A reachability analysis is performed on the abstract model after a form of transformation, called multi-composition, to check the conformance with the policy. In the multi-composition we develop a store-match pattern to avoid duplicating the I/O channels in the model, and use the principle of secure multi-execution to generalize the security lattice model which is supported by other approaches based on automated verification. We also extend our approach to support a stronger version of termination-insensitive noninterference. The results of preliminary experiments show that our approach is more precise than existing flow-sensitive analysis and the cost of verification is reduced through the store-match pattern.

Rasmus Carl Rønneberg

2024-01-15

Abstract:Secure software architecture is increasingly important in a data-driven world. When security is neglected sensitive information might leak through unauthorized access. To mitigate this software architects needs tools and methods to quantify security risks in complex systems. This paper presents doctoral research in its early stages concerned with creating constructive methods for building secure component-based systems from a quantitative information flow specification. This research aim at developing a method that allows software architects to develop secure systems from a repository of secure components. Planned contributions are refinement rules for secure development of components from a specification and well-formedness rules for secure composition of said components.

Software Engineering

Axel Legay,Benoît Caillaud

DOI: https://doi.org/10.4204/EPTCS.46

2011-01-22

Abstract:FIT stands for Foundations of Interface Technologies. Component-based design is widely considered as a major approach to developing systems in a time and cost effective way. Central in this approach is the notion of an interface. Interfaces summarize the externally visible properties of a component and are seen as a key to achieving component interoperability and to predict global system behavior based on the component behavior. To capture the intricacy of complex software products, rich interfaces have been proposed. These interfaces do not only specify syntactic properties, such as the signatures of methods and operations, but also take into account behavioral and extra-functional properties, such as quality of service, security and dependability. Rich interfaces have been proposed for describing, e.g., the legal sequences of messages or method calls accepted by components, or the resource and timing constraints in embedded software. The development of a rigorous framework for the specification and analysis of rich interfaces is challenging. The aim of this workshop is to bring together researchers who are interested in the formal underpinnings of interface technologies

Logic in Computer Science,Software Engineering

ZHANG Yan,HU Jun,YU Xiao-Feng,LI Xuan-Dong,ZHENG Guo-Liang

DOI: https://doi.org/10.3969/j.issn.1002-137X.2005.11.059

2005-01-01

Computer Science

Abstract:Interface automata is a new formal system used to specify components and interaction among them in the component-based system. Optimistic approach and game-theoretic foundations that deal with composition are the prom- inent characteristics of interface automata and are distinct from other formal methods. This paper surveys interface au- tomata, timed interface automata, resource interface and game-based idea in them. By contrast with other formal meth- ods, merits and limits of interface automata are summarized. This paper also gives significances of interface automata in theory and in practice, and the future of the application of interface automata.

Yanjing Wang,Floor Sietsma,Jan van Eijck

DOI: https://doi.org/10.1007/978-3-642-20715-0_8

2010-01-01

Abstract:In this paper, we develop an epistemic logic for specifying and reasoning about information flow on the underlying communication channels. By combining ideas from Dynamic Epistemic Logic (DEL) and Interpreted Systems (IS), our semantics offers a natural and neat way of modeling multi-agent communication scenarios with different assumptions about the observational power of agents. We relate our logic to the standard DEL and IS approaches and demonstrate its use by studying a telephone call communication scenario.

Luca Canzian,Yuanzhang Xiao,William Zame,Michele Zorzi,Mihaela van der Schaar

DOI: https://doi.org/10.48550/arXiv.1207.4044

2012-07-17

Computer Science and Game Theory

Abstract:There are many familiar situations in which a manager seeks to design a system in which users share a resource, but outcomes depend on the information held and actions taken by users. If communication is possible, the manager can ask users to report their private information and then, using this information, instruct them on what actions they should take. If the users are compliant, this reduces the manager's optimization problem to a well-studied problem of optimal control. However, if the users are self-interested and not compliant, the problem is much more complicated: when asked to report their private information, the users might lie; upon receiving instructions, the users might disobey. Here we ask whether the manager can design the system to get around both of these difficulties. To do so, the manager must provide for the users the incentives to report truthfully and to follow the instructions, despite the fact that the users are self-interested. For a class of environments that includes many resource allocation games in communication networks, we provide tools for the manager to design an efficient system. In addition to reports and recommendations, the design we employ allows the manager to intervene in the system after the users take actions. In an abstracted environment, we find conditions under which the manager can achieve the same outcome it could if users were compliant, and conditions under which it does not. We then apply our framework and results to design a flow control management system.

Bernd Finkbeiner,Niklas Metzger,Yoram Moses

2024-07-17

Abstract:Information flow guided synthesis is a compositional approach to the automated construction of distributed systems where the assumptions between the components are captured as information-flow requirements. Information-flow requirements are hyperproperties that ensure that if a component needs to act on certain information that is only available in other components, then this information will be passed to the component. We present a new method for the automatic construction of information flow assumptions from specifications given as temporal safety properties. The new method is the first approach to handle situations where the required amount of information is unbounded. For example, we can analyze communication protocols that transmit a stream of messages in a potentially infinite loop. We show that component implementations can then, in principle, be constructed from the information flow requirements using a synthesis tool for hyperproperties. We additionally present a more practical synthesis technique that constructs the components using efficient methods for standard synthesis from trace properties. We have implemented the technique in the prototype tool FlowSy, which outperforms previous approaches to distributed synthesis on several benchmarks.

Logic in Computer Science

Alan Dearle,Graham Kirby,Andrew McCarthy,Juan-Carlos Diaz y Carballo

DOI: https://doi.org/10.48550/arXiv.1006.5940

2010-06-29

Distributed, Parallel, and Cluster Computing

Abstract:In this paper we describe an architecture which: Permits the deployment and execution of components in appropriate geographical locations. Provides security mechanisms that prevent misuse of the architecture. Supports a programming model that is familiar to application programmers. Permits installed components to share data. Permits the deployed components to communicate via communication channels. Provides evolution mechanisms permitting the dynamic rearrangement of inter-connection topologies the components that they connect. Supports the specification and deployment of distributed component deployments.

Weifeng Xu,Glenn A. Fink

DOI: https://doi.org/10.48550/arXiv.1912.04051

2019-12-09

Abstract:Smart contracts are appealing because they are self-executing business agreements between parties with the predefined and immutable obligations and rights. However, as with all software, smart contracts may contain vulnerabilities because of design flaws, which may be exploited by one of the parties to defraud the others. In this paper, we demonstrate a systematic approach to building secure design models for smart contracts using formal methods. To build the secure models, we first model the behaviors of participating parties as state machines, and then, we model the predefined obligations and rights of contracts, which specify the interactions among state machines for achieving the business goal. After that, we illustrate executable secure model design patterns in TLA+ (Temporal Logic of Actions) to against well-known smart contract vulnerabilities in terms of state machines and obligations and rights at the design level. These vulnerabilities are found in Ethereum contracts, including Call to the unknown, Gasless send, Reentrancy, Lost in the transfer, and Unpredictable state. The resultant TLA+ specifications are called secure models. We illustrate our approach to detect the vulnerabilities using a real-estate contract example at the design level.

Software Engineering,Symbolic Computation

Marco Vassena,Alejandro Russo,Deepak Garg,Vineet Rajani,Deian Stefan

DOI: https://doi.org/10.48550/arXiv.2208.13560

2022-08-29

Abstract:This tutorial provides a complete and homogeneous account of the latest advances in fine- and coarse-grained dynamic information-flow control (IFC) security. Since the 70s, the programming language and the operating system communities have proposed different IFC approaches. IFC operating systems track information flows in a coarse-grained fashion, at the granularity of a process. In contrast, traditional language-based approaches to IFC are fine-grained: they track information flows at the granularity of program variables. For decades, researchers believed coarse-grained IFC to be strictly less permissive than fine-grained IFC -- coarse-grained IFC systems seem inherently less precise because they track less information -- and so granularity appeared to be a fundamental feature of IFC systems. We show that the granularity of the tracking system does not fundamentally restrict how precise or permissive dynamic IFC systems can be. To this end, we mechanize two mostly standard languages, one with a fine-grained dynamic IFC system and the other with a coarse-grained dynamic IFC system, and prove a semantics-preserving translation from each language to the other. In addition, we derive the standard security property of non-interference of each language from that of the other via our verified translation. These translations stand to have important implications on the usability of IFC approaches. The coarse- to fine-grained direction can be used to remove the label annotation burden that fine-grained systems impose on developers, while the fine- to coarse-grained translation shows that coarse-grained systems -- which are easier to design and implement -- can track information as precisely as fine-grained systems and provides an algorithm for automatically retrofitting legacy applications to run on existing coarse-grained systems.

Programming Languages,Cryptography and Security