Automated Synthesis of Enforcing Mechanisms for Security Properties in a Timed Setting

AbstractIn [Martinelli, F. and I. Matteucci, Modeling security automata with process algebras and related results (2006), presented at the 6th International Workshop on Issues in the Theory of Security (WITS '06) - Informal proceedings; Martinelli, F. and I. Matteucci, Through modeling to synthesis of security automata (2006), accepted to STM06. To appeare in ENTCS] we have presented an approach for enforcing security properties. It is based on the automatic synthesis of controller programs that are able to detect and eventually prevent possible wrong action performed by an external agent. Here, we extend this approach also to a timed setting. Under certain assumptions, we are also able to enforce several information flow properties. We show how to deal with parameterized systems

Information flow properties for cyber-physical systems

In cyber-physical systems, which are the integrations of computational and physical processes, security properties are difficult to enforce. Fundamentally, physically observable behavior leads to violations of confidentiality. This work analyzes certain noninterference based security properties to ensure that interactions between the cyber and physical processes preserve confidentiality. A considerable barrier to this analysis is the representation of physical system interactions at the cyber-level. This thesis presents encoding of these physical system properties into a discrete event system and represents the cyber-physical system using Security Process Algebra (SPA). The model checker, Checker of Persistent Security (CoPS) shows Bisimulation based NonDeducibility on Compositions (BNDC) properties, which are a variant of noninterference properties, to check the system\u27s security against all potential high-level interactions. This work considers a model problem of invariant pipeline flow to examine the BNDC properties and their applicability for cyber-physical systems--Abstract, page iii

Security analysis of a cyber-physical system

Cyber-Physical Systems (CPSs) are an integration of computing and physical processes. Information flow is an inherent property of CPSs and is of particular interest at their cyber-physical boundaries. This thesis focuses on discovering information flow properties and proposes a process to model the information flow in CPSs. A Cooperating FACTS Power System serves as a tangible example to illustrate modeling information flow using the proposed process. The proposed process can be used to model the information flow security, help analyze current information flow security requirements, and aid in the design of further security policies in CPS --Abstract, page iii

Specification and Analysis of Information Flow Properties for Distributed Systems

We present a framework for the speci?cation and the analysis of infor- mation ?ow properties in partially speci?ed distributed systems, i.e., sys- tems in which there are several unspeci?ed components located in di?erent places. First we consider the notion of Non Deducibility on Composition (NDC for short) originally proposed for nondeterministic systems and based on trace semantics. We study how this information ?ow property can be extended in order to deal also with distributed partially speci?ed systems. In particular, we develop two di?erent approaches: the cen- tralized NDC (CNDC) and the decentralized NDC (DNDC). According to the former, there is just one unspeci?ed global component that has complete control of the n distributed locations where interaction occurs between the system and the unspeci?ed component. According to DNDC, there is one unspeci?ed component for each distributed location, and the n unspeci?ed components are completely independent, i.e., they cannot coordinate their e?orts or cooperate. Surprisingly enough, we prove that centralized NDC is as discriminating as decentralized NDC. However, when we move to Bisimulation-based Non-Deducibility on Composition, BNDC for short, the situation is completely di?erent. We prove that centralized BNDC (CBNDC for short) is strictly ?ner than decentralizedBNDC (DBNDC for short), hence proving the quite expected fact that a system that can resist to coordinated attacks is also able to resist to simpler attacks performed by independent entities. Hence, by exploiting a variant of the modal ?-calculus that permits to manage tuples of ac- tions, we present a method to analyze when a system is CBNDC and/or DBNDC, that is based on the theory of decomposition of formulas and compositional analysis

A framework for automatic security controller generation

This paper concerns the study, the development and the synthesis of mechanisms for guaranteeing the security of complex systems, i.e., systems composed by several interactive components. A complex system under analysis is described as an open system, in which a certain component has an unspecified behavior (not fixed in advance). Regardless of the unspecified behavior, the system should work properly, e.g., should satisfy a certain property. Within this formal approach, we propose techniques to enforce properties and synthesize controller programs able to guarantee that, for all possible behaviors of the unspecified component, the overall system results secure. For performing this task, we use techniques able to provide us necessary and sufficient conditions on the behavior of this unspecified component to ensure the whole system is secure. Hence, we automatically synthesize the appropriate controller programs by exploiting satisfiability results for temporal logic. We contribute within the area of the enforcement of security properties by proposing a flexible and automated framework that goes beyond the definition of how a system should behave to work properly. Indeed, while the majority of related work focuses on the definition of monitoring mechanisms, we aid in the synthesis of enforcing techniques. Moreover, we present a tool for the synthesis of secure systems able to generate a controller program directly executable on real devices as smart phones

CEEME: compensating events based execution monitoring enforcement for Cyber-Physical Systems

Fundamentally, inherently observable events in Cyber-Physical Systems with tight coupling between cyber and physical components can result in a confidentiality violation. By observing how the physical elements react to cyber commands, adversaries can identify critical links in the system and force the cyber control algorithm to make erroneous decisions. Thus, there is a propensity for a breach in confidentiality leading to further attacks on availability or integrity. Due to the highly integrated nature of Cyber-Physical Systems, it is also extremely difficult to map the system semantics into a security framework under existing security models. The far-reaching objective of this research is to develop a science of selfobfuscating systems based on the composition of simple building blocks. A model of Nondeducibility composes the building blocks under Information Flow Security Properties. To this end, this work presents fundamental theories on external observability for basic regular networks and the novel concept of event compensation that can enforce Information Flow Security Properties at runtime --Abstract, page iii

Persistent Stochastic Non-Interference

In this paper we present an information flow security property for stochastic, cooperating, processes expressed as terms of the Performance Evaluation Process Algebra (PEPA). We introduce the notion of Persistent Stochastic Non-Interference (PSNI) based on the idea that every state reachable by a process satisfies a basic Stochastic Non-Interference (SNI) property. The structural operational semantics of PEPA allows us to give two characterizations of PSNI: the first involves a single bisimulation-like equivalence check, while the second is formulated in terms of unwinding conditions. The observation equivalence at the base of our definition relies on the notion of lumpability and ensures that, for a secure process P, the steady state probability of observing the system being in a specific state P' is independent from its possible high level interactions.Comment: In Proceedings EXPRESS/SOS 2018, arXiv:1808.0807