54 research outputs found
Quantitative Analysis of Opacity in Cloud Computing Systems
The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Federated cloud systems increase the reliability and reduce the cost of the computational support.
The resulting combination of secure private clouds and less secure public clouds, together with the fact that resources need to be located within different clouds, strongly affects the information flow security of the entire system. In this paper, the clouds as well as entities of a federated cloud system are
assigned security levels, and a probabilistic flow sensitive security model for a federated cloud system is proposed. Then the notion of opacity --- a notion capturing the security of information flow ---
of a cloud computing systems is introduced, and different variants of quantitative analysis of opacity are presented. As a result, one can track the information flow in a cloud system, and analyze the impact of different resource allocation strategies by quantifying the corresponding opacity characteristics
Non-interference for deterministic interactive programs
We consider the problem of defining an appropriate notion of non-interference (NI) for deterministic interactive programs. Previous work on the security of interactive programs by O'Neill, Clarkson and Chong (CSFW 2006) builds on earlier ideas due to Wittbold and Johnson (Symposium on Security and Privacy 1990), and argues for a notion of NI defined in terms of strategies modelling the behaviour of users. We show that, for deterministic interactive programs, it is not necessary to consider strategies and that a simple stream model of the users' behaviour is sufficient. The key technical result is that, for deterministic programs, stream-based NI implies the apparently more general strategy-based NI (in fact we consider a wider class of strategies than those of O'Neill et al). We give our results in terms of a simple notion of Input-Output Labelled Transition System, thus allowing application of the results to a large class of deterministic interactive programming languages
Neural-Augmented Static Analysis of Android Communication
We address the problem of discovering communication links between
applications in the popular Android mobile operating system, an important
problem for security and privacy in Android. Any scalable static analysis in
this complex setting is bound to produce an excessive amount of
false-positives, rendering it impractical. To improve precision, we propose to
augment static analysis with a trained neural-network model that estimates the
probability that a communication link truly exists. We describe a
neural-network architecture that encodes abstractions of communicating objects
in two applications and estimates the probability with which a link indeed
exists. At the heart of our architecture are type-directed encoders (TDE), a
general framework for elegantly constructing encoders of a compound data type
by recursively composing encoders for its constituent types. We evaluate our
approach on a large corpus of Android applications, and demonstrate that it
achieves very high accuracy. Further, we conduct thorough interpretability
studies to understand the internals of the learned neural networks.Comment: Appears in Proceedings of the 2018 ACM Joint European Software
Engineering Conference and Symposium on the Foundations of Software
Engineering (ESEC/FSE
Strong Non-Interference and Type-Directed Higher-Order Masking
Differential power analysis (DPA) is a side-channel attack in which an adversary retrieves cryptographic material by measuring and analyzing the power consumption of the device on which the cryptographic algorithm under attack executes. An effective countermeasure against DPA is to mask secrets by probabilistically encoding them over a set of shares, and to run masked algorithms that compute on these encodings. Masked algorithms are often expected to provide, at least, a certain level of probing security.
Leveraging the deep connections between probabilistic information flow and probing security, we develop a precise, scalable, and fully automated methodology to verify the probing security of masked algorithms, and generate them from unprotected descriptions of the algorithm. Our methodology relies on several contributions of independent interest, including a stronger notion of probing security that supports compositional reasoning, and a type system for enforcing an expressive class of probing policies. Finally, we validate our methodology on examples that go significantly beyond the state-of-the-art
Securing Databases from Probabilistic Inference
Databases can leak confidential information when users combine query results
with probabilistic data dependencies and prior knowledge. Current research
offers mechanisms that either handle a limited class of dependencies or lack
tractable enforcement algorithms. We propose a foundation for Database
Inference Control based on ProbLog, a probabilistic logic programming language.
We leverage this foundation to develop Angerona, a provably secure enforcement
mechanism that prevents information leakage in the presence of probabilistic
dependencies. We then provide a tractable inference algorithm for a practically
relevant fragment of ProbLog. We empirically evaluate Angerona's performance
showing that it scales to relevant security-critical problems.Comment: A short version of this paper has been accepted at the 30th IEEE
Computer Security Foundations Symposium (CSF 2017
Symbolic Bisimulation for Probabilistic Systems
International audienceThe paper introduces symbolic bisimulations for a simple probabilistic Ï-calculus to overcome the infinite branching problem that still exists in checking ground bisimulations between probabilistic systems. Especially the definition of weak (symbolic) bisimulation does not rely on the random capability of adversaries and sug- gests a solution to the open problem on the axiomati- zation for weak bisimulation in the case of unguarded recursion. Furthermore, we present an efficient char- acterization of symbolic bisimulations for the calculus, which allows the âon-the-flyâ instantiation of bound names and dynamic construction of equivalence rela- tions for quantitative evaluation. This directly results in a local decision algorithm that can explore just a minimal portion of the state spaces of probabilistic pro- cesses in question
Estimating the Maximum Information Leakage
none2noopenAldini, Alessandro; DI PIERRO, A.Aldini, Alessandro; DI PIERRO, A
Specification and Analysis of Information Flow Properties for Distributed Systems
We present a framework for the speci?cation and the analysis of infor- mation ?ow properties in partially speci?ed distributed systems, i.e., sys- tems in which there are several unspeci?ed components located in di?erent places. First we consider the notion of Non Deducibility on Composition (NDC for short) originally proposed for nondeterministic systems and based on trace semantics. We study how this information ?ow property can be extended in order to deal also with distributed partially speci?ed systems. In particular, we develop two di?erent approaches: the cen- tralized NDC (CNDC) and the decentralized NDC (DNDC). According to the former, there is just one unspeci?ed global component that has complete control of the n distributed locations where interaction occurs between the system and the unspeci?ed component. According to DNDC, there is one unspeci?ed component for each distributed location, and the n unspeci?ed components are completely independent, i.e., they cannot coordinate their e?orts or cooperate. Surprisingly enough, we prove that centralized NDC is as discriminating as decentralized NDC. However, when we move to Bisimulation-based Non-Deducibility on Composition, BNDC for short, the situation is completely di?erent. We prove that centralized BNDC (CBNDC for short) is strictly ?ner than decentralizedBNDC (DBNDC for short), hence proving the quite expected fact that a system that can resist to coordinated attacks is also able to resist to simpler attacks performed by independent entities. Hence, by exploiting a variant of the modal ?-calculus that permits to manage tuples of ac- tions, we present a method to analyze when a system is CBNDC and/or DBNDC, that is based on the theory of decomposition of formulas and compositional analysis
- âŠ