4,681 research outputs found

    Opacity with Orwellian Observers and Intransitive Non-interference

    Opacity is a general behavioural security scheme flexible enough to account for several specific properties. Some secret set of behaviors of a system is opaque if a passive attacker can never tell whether the observed behavior is a secret one or not. Instead of considering the case of static observability where the set of observable events is fixed off line or dynamic observability where the set of observable events changes over time depending on the history of the trace, we consider Orwellian partial observability where unobservable events are not revealed unless a downgrading event occurs in the future of the trace. We show how to verify that some regular secret is opaque for a regular language L w.r.t. an Orwellian projection while it has been proved undecidable even for a regular language L w.r.t. a general Orwellian observation function. We finally illustrate relevancy of our results by proving the equivalence between the opacity property of regular secrets w.r.t. Orwellian projection and the intransitive non-interference property

    Delayed State Estimation in Discrete Event Systems and Applications to Security Problems

    Application of discrete event systems in modeling and analyzing security problems has given rise to applications that require keeping track of (part of the) sequence of states that have been visited so far. Specifically, the notion of opacity requires that the truth of a certain predicate on the system state cannot be determined by an outside observer for the duration of a certain time window (or even at all times). Depending on the notion of opacity that is used, this predicate can be defined for states visited in the past (with no bound on how far into the past) or for states which have been visited a fixed number of observations in the past. In this report, motivated by such questions we introduce the problem of delayed estimation in discrete event systems modeled as a finite automaton with a finite number of states, unknown initial state, and partial event observation (but no state observation). Specifically, we consider two estimation problems: (i) initial state estimation which requires the estimate of the initial state following a sequence of observations and, (ii) K-delayed state estimation which requires the estimate of the state the system was in when it generated the Kth to last output (i.e., the state of the system K observations ago). To solve these two problems we construct appropriate state estimators and show that these delay state estimators can be used to verify opacity notions of interest. National Science Foundation / NSF ECS 04-26831

    Quantitative Analysis of Opacity in Cloud Computing Systems

    The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link. Federated cloud systems increase the reliability and reduce the cost of the computational support. The resulting combination of secure private clouds and less secure public clouds, together with the fact that resources need to be located within different clouds, strongly affects the information flow security of the entire system. In this paper, the clouds as well as entities of a federated cloud system are assigned security levels, and a probabilistic flow sensitive security model for a federated cloud system is proposed. Then the notion of opacity --- a notion capturing the security of information flow --- of a cloud computing system is introduced, and different variants of quantitative analysis of opacity are presented. As a result, one can track the information flow in a cloud system, and analyze the impact of different resource allocation strategies by quantifying the corresponding opacity characteristics.

    Transforming opacity verification to nonblocking verification in modular systems

    We consider the verification of current-state and K-step opacity for systems modeled as interacting non-deterministic finite-state automata. We describe a new methodology for compositional opacity verification that employs abstraction, in the form of a notion called opaque observation equivalence, and that leverages existing compositional nonblocking verification algorithms. The compositional approach is based on a transformation of the system, where the transformed system is nonblocking if and only if the original one is current-state opaque. Furthermore, we prove that K-step opacity can also be inferred if the transformed system is nonblocking. We provide experimental results where current-state opacity is verified efficiently for a large scaled-up system.