Quantitative Analysis of Opacity in Cloud Computing Systems

The file attached to this record is the author's final peer reviewed version. The Publisher's final version can be found by following the DOI link.Federated cloud systems increase the reliability and reduce the cost of the computational support. The resulting combination of secure private clouds and less secure public clouds, together with the fact that resources need to be located within different clouds, strongly affects the information flow security of the entire system. In this paper, the clouds as well as entities of a federated cloud system are assigned security levels, and a probabilistic flow sensitive security model for a federated cloud system is proposed. Then the notion of opacity --- a notion capturing the security of information flow --- of a cloud computing systems is introduced, and different variants of quantitative analysis of opacity are presented. As a result, one can track the information flow in a cloud system, and analyze the impact of different resource allocation strategies by quantifying the corresponding opacity characteristics

Non-interference for deterministic interactive programs

We consider the problem of defining an appropriate notion of non-interference (NI) for deterministic interactive programs. Previous work on the security of interactive programs by O'Neill, Clarkson and Chong (CSFW 2006) builds on earlier ideas due to Wittbold and Johnson (Symposium on Security and Privacy 1990), and argues for a notion of NI defined in terms of strategies modelling the behaviour of users. We show that, for deterministic interactive programs, it is not necessary to consider strategies and that a simple stream model of the users' behaviour is sufficient. The key technical result is that, for deterministic programs, stream-based NI implies the apparently more general strategy-based NI (in fact we consider a wider class of strategies than those of O'Neill et al). We give our results in terms of a simple notion of Input-Output Labelled Transition System, thus allowing application of the results to a large class of deterministic interactive programming languages

Neural-Augmented Static Analysis of Android Communication

We address the problem of discovering communication links between applications in the popular Android mobile operating system, an important problem for security and privacy in Android. Any scalable static analysis in this complex setting is bound to produce an excessive amount of false-positives, rendering it impractical. To improve precision, we propose to augment static analysis with a trained neural-network model that estimates the probability that a communication link truly exists. We describe a neural-network architecture that encodes abstractions of communicating objects in two applications and estimates the probability with which a link indeed exists. At the heart of our architecture are type-directed encoders (TDE), a general framework for elegantly constructing encoders of a compound data type by recursively composing encoders for its constituent types. We evaluate our approach on a large corpus of Android applications, and demonstrate that it achieves very high accuracy. Further, we conduct thorough interpretability studies to understand the internals of the learned neural networks.Comment: Appears in Proceedings of the 2018 ACM Joint European Software Engineering Conference and Symposium on the Foundations of Software Engineering (ESEC/FSE

Strong Non-Interference and Type-Directed Higher-Order Masking

Differential power analysis (DPA) is a side-channel attack in which an adversary retrieves cryptographic material by measuring and analyzing the power consumption of the device on which the cryptographic algorithm under attack executes. An effective countermeasure against DPA is to mask secrets by probabilistically encoding them over a set of shares, and to run masked algorithms that compute on these encodings. Masked algorithms are often expected to provide, at least, a certain level of probing security. Leveraging the deep connections between probabilistic information flow and probing security, we develop a precise, scalable, and fully automated methodology to verify the probing security of masked algorithms, and generate them from unprotected descriptions of the algorithm. Our methodology relies on several contributions of independent interest, including a stronger notion of probing security that supports compositional reasoning, and a type system for enforcing an expressive class of probing policies. Finally, we validate our methodology on examples that go significantly beyond the state-of-the-art

Securing Databases from Probabilistic Inference

Databases can leak confidential information when users combine query results with probabilistic data dependencies and prior knowledge. Current research offers mechanisms that either handle a limited class of dependencies or lack tractable enforcement algorithms. We propose a foundation for Database Inference Control based on ProbLog, a probabilistic logic programming language. We leverage this foundation to develop Angerona, a provably secure enforcement mechanism that prevents information leakage in the presence of probabilistic dependencies. We then provide a tractable inference algorithm for a practically relevant fragment of ProbLog. We empirically evaluate Angerona's performance showing that it scales to relevant security-critical problems.Comment: A short version of this paper has been accepted at the 30th IEEE Computer Security Foundations Symposium (CSF 2017

Symbolic Bisimulation for Probabilistic Systems

International audienceThe paper introduces symbolic bisimulations for a simple probabilistic π-calculus to overcome the infinite branching problem that still exists in checking ground bisimulations between probabilistic systems. Especially the definition of weak (symbolic) bisimulation does not rely on the random capability of adversaries and sug- gests a solution to the open problem on the axiomati- zation for weak bisimulation in the case of unguarded recursion. Furthermore, we present an efficient char- acterization of symbolic bisimulations for the calculus, which allows the ”on-the-fly” instantiation of bound names and dynamic construction of equivalence rela- tions for quantitative evaluation. This directly results in a local decision algorithm that can explore just a minimal portion of the state spaces of probabilistic pro- cesses in question

Intransitive non-interference for cryptographic purposes. In

Abstrac

Estimating the Maximum Information Leakage

none2noopenAldini, Alessandro; DI PIERRO, A.Aldini, Alessandro; DI PIERRO, A

Specification and Analysis of Information Flow Properties for Distributed Systems

We present a framework for the speci?cation and the analysis of infor- mation ?ow properties in partially speci?ed distributed systems, i.e., sys- tems in which there are several unspeci?ed components located in di?erent places. First we consider the notion of Non Deducibility on Composition (NDC for short) originally proposed for nondeterministic systems and based on trace semantics. We study how this information ?ow property can be extended in order to deal also with distributed partially speci?ed systems. In particular, we develop two di?erent approaches: the cen- tralized NDC (CNDC) and the decentralized NDC (DNDC). According to the former, there is just one unspeci?ed global component that has complete control of the n distributed locations where interaction occurs between the system and the unspeci?ed component. According to DNDC, there is one unspeci?ed component for each distributed location, and the n unspeci?ed components are completely independent, i.e., they cannot coordinate their e?orts or cooperate. Surprisingly enough, we prove that centralized NDC is as discriminating as decentralized NDC. However, when we move to Bisimulation-based Non-Deducibility on Composition, BNDC for short, the situation is completely di?erent. We prove that centralized BNDC (CBNDC for short) is strictly ?ner than decentralizedBNDC (DBNDC for short), hence proving the quite expected fact that a system that can resist to coordinated attacks is also able to resist to simpler attacks performed by independent entities. Hence, by exploiting a variant of the modal ?-calculus that permits to manage tuples of ac- tions, we present a method to analyze when a system is CBNDC and/or DBNDC, that is based on the theory of decomposition of formulas and compositional analysis