On Compositional Information Flow Aware Refinement

The concepts of information flow security and refinement are known to have had a troubled relationship ever since the seminal work of McLean. In this work we study refinements that support changes in data representation and semantics, including the addition of state variables that may induce new observational power or side channels. We propose a new epistemic approach to ignorance-preserving refinement where an abstract model is used as a specification of a system’s permitted information flows, that may include the declassification of secret information. The core idea is to require that refinement steps must not induce observer knowledge that is not already available in the abstract model. Our study is set in the context of a class of shared variable multi-agent models similar to interpreted systems in epistemic logic. We demonstrate the expressiveness of our framework through a series of small examples and compare our approach to existing, stricter notions of information-flow secure refinement based on bisimulations and noninterference preservation. Interestingly, noninterference preservation is not supported “out of the box” in our setting, because refinement steps may introduce new secrets that are independent of secrets already present at abstract level. To support verification, we first introduce a “cube-shaped” unwinding condition related to conditions recently studied in the context of value-dependent noninterference, kernel verification, and secure compilation. A fundamental problem with ignorance-preserving refinement, caused by the support for general data and observation refinement, is that sequential composability is lost. We propose a solution based on relational pre- and post-conditions and illustrate its use together with unwinding on the oblivious RAM construction of Chung and Pass

Probabilistic Semantics: Metric and Logical Character¨ations for Nondeterministic Probabilistic Processes

In this thesis we focus on processes with nondeterminism and probability in the PTS model, and we propose novel techniques to study their semantics, in terms of both classic behavioral relations and the more recent behavioral metrics. Firstly, we propose a method for decomposing modal formulae in a probabilistic extension of the Hennessy-Milner logic. This decomposition method allows us to derive the compositional properties of probabilistic (bi)simulations. Then, we propose original notions of metrics measuring the disparities in the behavior of processes with respect to (decorated) trace and testing semantics. To capture the differences in the expressive power of the metrics we order them by the relation `makes processes further than'. Thus, we obtain the first spectrum of behavioral metrics on the PTS model. From this spectrum we derive an analogous one for the kernels of the metrics, ordered by the relation `makes strictly less identification than'. Finally, we introduce a novel technique for the logical characterization of both behavioral metrics and their kernels, based on the notions of mimicking formula and distance on formulae. This kind of characterization allows us to obtain the first example of a spectrum of distances on processes obtained directly from logics. Moreover, we show that the kernels of the metrics can be characterized by simply comparing the mimicking formulae of processes