Quantitative Analysis of Information Leakage in Probabilistic and Nondeterministic Systems

This thesis addresses the foundational aspects of formal methods for applications in security and in particular in anonymity. More concretely, we develop frameworks for the specification of anonymity properties and propose algorithms for their verification. Since in practice anonymity protocols always leak some information, we focus on quantitative properties, which capture the amount of information leaked by a protocol. The main contribution of this thesis is cpCTL, the first temporal logic that allows for the specification and verification of conditional probabilities (which are the key ingredient of most anonymity properties). In addition, we have considered several prominent definitions of information-leakage and developed the first algorithms allowing us to compute (and even approximate) the information leakage of anonymity protocols according to these definitions. We have also studied a well-known problem in the specification and analysis of distributed anonymity protocols, namely full-information scheduling. To overcome this problem, we have proposed an alternative notion of scheduling and adjusted accordingly several anonymity properties from the literature. Our last major contribution is a debugging technique that helps on the detection of flaws in security protocols.Comment: thesis, ISBN: 978-94-91211-74-

Quantitative Analysis of Opacity in Cloud Computing Systems

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Federated cloud systems increase the reliability and reduce the cost of the computational support. The resulting combination of secure private clouds and less secure public clouds, together with the fact that resources need to be located within different clouds, strongly affects the information flow security of the entire system. In this paper, the clouds as well as entities of a federated cloud system are assigned security levels, and a probabilistic flow sensitive security model for a federated cloud system is proposed. Then the notion of opacity --- a notion capturing the security of information flow --- of a cloud computing systems is introduced, and different variants of quantitative analysis of opacity are presented. As a result, one can track the information flow in a cloud system, and analyze the impact of different resource allocation strategies by quantifying the corresponding opacity characteristics

Opacity in Internet of Things with Cloud Computing

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Internet of Things (IoT) with Cloud Computing (CC) is a new paradigm incorporating a pervasive presence of a wide range of things/objects which can interact with each other and cooperate, creating new services and reaching common goals. This will lead to more intelligent smart environments in a wide range of applications. In this context, protecting the Internet of Things with Cloud Computing (IoTwCC) against interference, including service attacks and viruses, becomes paramount. In this paper, we introduce a transition system representation to capture the information flow in IoTwCCs, and then investigate the opacity of the information flow model. In addition, we introduce a threat model to describe the actions of the system, and propose entropy as a security metrics to quantify the amount of information related to a service that might be exposed to other users or adversaries. It turns out that the opacity of the system is affected by the availability of the services. As a result, the trade-off between opacity and service availability can be analyzed

Effective verification of confidentiality for multi-threaded programs

This paper studies how confidentiality properties of multi-threaded programs can be verified efficiently by a combination of newly developed and existing model checking algorithms. In particular, we study the verification of scheduler-specific observational determinism (SSOD), a property that characterizes secure information flow for multi-threaded programs under a given scheduler. Scheduler-specificness allows us to reason about refinement attacks, an important and tricky class of attacks that are notorious in practice. SSOD imposes two conditions: (SSOD-1)~all individual public variables have to evolve deterministically, expressed by requiring stuttering equivalence between the traces of each individual public variable, and (SSOD-2)~the relative order of updates of public variables is coincidental, i.e., there always exists a matching trace. \ud \ud We verify the first condition by reducing it to the question whether all traces of \ud each public variable are stuttering equivalent. \ud To verify the second condition, we show how\ud the condition can be translated, via a series of steps, \ud into a standard strong bisimulation problem. \ud Our verification techniques can be easily\ud adapted to verify other formalizations of similar information flow properties.\ud \ud We also exploit counter example generation techniques to synthesize attacks for insecure programs that fail either SSOD-1 or SSOD-2, i.e., showing how confidentiality \ud of programs can be broken

Maximizing the Conditional Expected Reward for Reaching the Goal

The paper addresses the problem of computing maximal conditional expected accumulated rewards until reaching a target state (briefly called maximal conditional expectations) in finite-state Markov decision processes where the condition is given as a reachability constraint. Conditional expectations of this type can, e.g., stand for the maximal expected termination time of probabilistic programs with non-determinism, under the condition that the program eventually terminates, or for the worst-case expected penalty to be paid, assuming that at least three deadlines are missed. The main results of the paper are (i) a polynomial-time algorithm to check the finiteness of maximal conditional expectations, (ii) PSPACE-completeness for the threshold problem in acyclic Markov decision processes where the task is to check whether the maximal conditional expectation exceeds a given threshold, (iii) a pseudo-polynomial-time algorithm for the threshold problem in the general (cyclic) case, and (iv) an exponential-time algorithm for computing the maximal conditional expectation and an optimal scheduler.Comment: 103 pages, extended version with appendices of a paper accepted at TACAS 201

Quantitative analysis of distributed systems

PhD ThesisComputing Science addresses the security of real-life systems by using various security-oriented technologies (e.g., access control solutions and resource allocation strategies). These security technologies signficantly increase the operational costs of the organizations in which systems are deployed, due to the highly dynamic, mobile and resource-constrained environments. As a result, the problem of designing user-friendly, secure and high efficiency information systems in such complex environment has become a major challenge for the developers. In this thesis, firstly, new formal models are proposed to analyse the secure information flow in cloud computing systems. Then, the opacity of work flows in cloud computing systems is investigated, a threat model is built for cloud computing systems, and the information leakage in such system is analysed. This study can help cloud service providers and cloud subscribers to analyse the risks they take with the security of their assets and to make security related decision. Secondly, a procedure is established to quantitatively evaluate the costs and benefits of implementing information security technologies. In this study, a formal system model for data resources in a dynamic environment is proposed, which focuses on the location of different classes of data resources as well as the users. Using such a model, the concurrent and probabilistic behaviour of the system can be analysed. Furthermore, efficient solutions are provided for the implementation of information security system based on queueing theory and stochastic Petri nets. This part of research can help information security officers to make well judged information security investment decisions

Information Hiding in Probabilistic Concurrent Systems

Contains fulltext : 84305.pdf (preprint version ) (Open Access)Qest 2010, 15 september 201

Information Hiding in Probabilistic Concurrent Systems

Information hiding is a general concept which refers to the goal of preventing an adversary to infer secret information from the observables. Anonymity and Information Flow are examples of this notion. We study the problem of information hiding in systems characterized by the presence of randomization and concurrency. It is well known that the raising of nondeterminism, due to the possible interleavings and interactions of the parallel components, can cause unintended information leaks. One way to solve this problem is to fix the strategy of the scheduler beforehand. In this work, we propose a milder restriction on the schedulers, and we define the notion of strong (probabilistic) information hiding under various notions of observables. Furthermore, we propose a method, based on the notion of automorphism, to verify that a system satisfies the property of strong information hiding, namely strong anonymity or no-interference, depending on the context