Abstract
Non-interference (NI) is a property of systems stating that confidential actions should not cause effects observable by unauthorized users. Several variants of NI have been studied for many types of models but rarely for true concurrency or unbounded models. This work investigates NI for High-level Message Sequence Charts (HMSCs), a scenario language for the description of distributed systems, based on composition of partial orders. We first propose a general definition of security properties in terms of equivalence among observations of behaviors. Observations are naturally captured by partial order automata, a formalism that generalizes HMSCs and permits assembling partial orders. We show that equivalence or inclusion properties for HMSCs (and hence for partial order automata) are undecidable, which means in particular that NI is undecidable for HMSCs. We hence consider decidable subclasses of partial order automata and HMSCs. Finally, we define weaker local properties, describing situations where a system is attacked by a single agent, and show that local NI is decidable. We then refine local NI to a finer notion of causal NI that emphasizes causal dependencies between confidential actions and observations, and extend it to causal NI with (selective) declassification of confidential events. Checking whether a system satisfies local NI, causal NI, or their declassified variants is a PSPACE-complete problem.
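To make the difference between local and causal NI concrete, here is an added example (not code from the paper) that models scenarios as toy MSC partial orders and checks them from a single agent's viewpoint. The `MSC` class, the "high"/"low" levels, the simplified trace-style `local_ni` and the `causal_leaks` check are illustrative assumptions, not the paper's formal definitions.

```python
from collections import defaultdict

class MSC:
    """Toy MSC as a labelled partial order: events on one process are ordered
    by process order, and a message orders its send before its receive."""
    def __init__(self):
        self.events = {}                # id -> (process, label, level)
        self.pred = defaultdict(set)    # id -> direct causal predecessors
        self.lines = defaultdict(list)  # process -> ids in process order
    def event(self, eid, proc, label, level="low"):
        self.events[eid] = (proc, label, level)
        if self.lines[proc]:            # process order on the lifeline
            self.pred[eid].add(self.lines[proc][-1])
        self.lines[proc].append(eid)
        return eid
    def msg(self, send, recv):          # message causality
        self.pred[recv].add(send)
    def causes(self, eid):              # transitive causal predecessors
        seen, stack = set(), [eid]
        while stack:
            for p in self.pred[stack.pop()]:
                if p not in seen:
                    seen.add(p)
                    stack.append(p)
        return seen
    def observation(self, agent):       # a single agent sees only its own events
        return tuple(self.events[e][1] for e in self.lines[agent])
    def has_high(self):
        return any(lvl == "high" for _, _, lvl in self.events.values())

def local_ni(scenarios, agent):
    """Simplified local NI: each observation of `agent` also arises in a scenario with no high event."""
    clean = {m.observation(agent) for m in scenarios if not m.has_high()}
    return all(m.observation(agent) in clean for m in scenarios)

def causal_leaks(msc, agent):
    """Events observed by `agent` that causally depend on a high event."""
    return [e for e in msc.lines[agent]
            if any(msc.events[c][2] == "high" for c in msc.causes(e))]

def sample_scenarios():
    """Constructed sample: m1 acks the client only after a confidential admin message; m2 acks unconditionally."""
    m1 = MSC()
    m1.msg(m1.event("a1", "Admin", "!secret", "high"),
           m1.event("s1", "Server", "?secret", "high"))
    m1.msg(m1.event("s2", "Server", "!ack"), m1.event("c1", "Client", "?ack"))
    m2 = MSC()
    m2.msg(m2.event("s1", "Server", "!ack"), m2.event("c1", "Client", "?ack"))
    return [m1, m2]
```

On the sample, the client's observation is the same in both scenarios, so the trace-style local check passes, yet in `m1` the acknowledgement causally depends on the confidential admin message, which is exactly the dependency a causal notion of NI is meant to expose.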