1,147 research outputs found
Probabilistic Opacity for Markov Decision Processes
Opacity is a generic security property, that has been defined on (non
probabilistic) transition systems and later on Markov chains with labels. For a
secret predicate, given as a subset of runs, and a function describing the view
of an external observer, the value of interest for opacity is a measure of the
set of runs disclosing the secret. We extend this definition to the richer
framework of Markov decision processes, where non deterministic choice is
combined with probabilistic transitions, and we study related decidability
problems with partial or complete observation hypotheses for the schedulers. We
prove that all questions are decidable with complete observation and
-regular secrets. With partial observation, we prove that all
quantitative questions are undecidable but the question whether a system is
almost surely non opaque becomes decidable for a restricted class of
-regular secrets, as well as for all -regular secrets under
finite-memory schedulers
Probabilistic Opacity in Refinement-Based Modeling
Given a probabilistic transition system (PTS) partially observed by
an attacker, and an -regular predicate over the traces of
, measuring the disclosure of the secret in means
computing the probability that an attacker who observes a run of can
ascertain that its trace belongs to . In the context of refinement, we
consider specifications given as Interval-valued Discrete Time Markov Chains
(IDTMCs), which are underspecified Markov chains where probabilities on edges
are only required to belong to intervals. Scheduling an IDTMC produces
a concrete implementation as a PTS and we define the worst case disclosure of
secret in as the maximal disclosure of over all
PTSs thus produced. We compute this value for a subclass of IDTMCs and we prove
that refinement can only improve the opacity of implementations
Probabilistic Disclosure: Maximisation vs. Minimisation
We consider opacity questions where an observation function provides
to an external attacker a view of the states along executions and
secret executions are those visiting some state from a fixed
subset. Disclosure occurs when the observer can deduce from a finite
observation that the execution is secret, the epsilon-disclosure
variant corresponding to the execution being secret with probability
greater than 1 - epsilon. In a probabilistic and non deterministic
setting, where an internal agent can choose between actions, there
are two points of view, depending on the status of this agent: the
successive choices can either help the attacker trying to disclose
the secret, if the system has been corrupted, or they can prevent
disclosure as much as possible if these choices are part of the
system design. In the former situation, corresponding to a worst
case, the disclosure value is the supremum over the strategies of
the probability to disclose the secret (maximisation), whereas in
the latter case, the disclosure is the infimum (minimisation). We
address quantitative problems (comparing the optimal value with a
threshold) and qualitative ones (when the threshold is zero or one)
related to both forms of disclosure for a fixed or finite
horizon. For all problems, we characterise their decidability status
and their complexity. We discover a surprising asymmetry: on the one
hand optimal strategies may be chosen among deterministic ones in
maximisation problems, while it is not the case for minimisation. On
the other hand, for the questions addressed here, more minimisation
problems than maximisation ones are decidable
Opacity for Linear Constraint Markov Chains
On a partially observed system, a secret ϕ is opaque if an observer cannot ascertain that its trace belongs to ϕ. We consider specifications given as Constraint Markov Chains (CMC), which are underspec-ified Markov chains where probabilities on edges are required to belong to some set. The nondeterminism is resolved by a scheduler, and opacity on this model is defined as a worst case measure over all implementations obtained by scheduling. This measures the information obtained by a passive observer when the system is controlled by the smartest sched-uler in coalition with the observer. When restricting to the subclass of Linear CMC, we compute (or approximate) this measure and prove that refinement of a specification can only improve opacity
- …