207,975 research outputs found
Model-checking Secure Information Flow for Multi-Threaded Programs
Abstract. This paper shows how secure information flow properties of multi-threaded programs can be verified by model checking in a precise and efficient way, by using the idea of self-composition. It discusses two properties that aim to capture secure information flow for multi-threaded programs, and it shows how these properties can be char-acterised in modal ”-calculus. For this characterisation, a self-composed model of the program is constructed. More precisely, this is a model that contains two copies of the labelled transition system induced by the program, so that the program is executed in parallel with itself. The self-composed model allows to compare two program executions in a single temporal formula that characterises a secure information flow property. Both the formula and model are translated into the input language for the Concurrency Workbench model checker. We discuss this encoding, and use it for some practical experiments on several simple examples.
Self-composition by Symbolic Execution
This work is licensed under a CC-BY Creative Commons Attribution 3.0 Unported license (http://creativecommons.org/licenses/by/3.0/)urn: urn:nbn:de:0030-drops-42770urn: urn:nbn:de:0030-drops-42770Self-composition is a logical formulation of non-interference, a high-level security property that guarantees the absence of illicit information leakages through executing programs. In order to capture program executions, self-composition has been expressed in Hoare or modal logic, and has been proved (or refuted) by using theorem provers. These approaches require considerable user interaction, and verification expertise. This paper presents an automated technique to prove self-composition. We reformulate the idea of self-composition into comparing pairs of symbolic paths of the same program; the symbolic paths are given by Symbolic Execution. The result of our analysis is a logical formula expressing self-composition in first-order theories, which can be solved by off-the-shelf Satisfiability Modulo Theories solver
Scheduler-specific Confidentiality for Multi-Threaded Programs and Its Logic-Based Verification
Observational determinism has been proposed in the literature as a way to ensure confidentiality for multi-threaded programs. Intuitively, a program is observationally deterministic if the behavior of the public variables is deterministic, i.e., independent of the private variables and the scheduling policy. Several formal definitions of observational determinism exist, but all of them have shortcomings; for example they accept insecure programs or they reject too many innocuous programs. Besides, the role of schedulers was ignored in all the proposed definitions. A program that is secure under one kind of scheduler might not be secure when executed with a different scheduler. The existing definitions do not ensure that an accepted program behaves securely under the scheduler that is used to deploy the program. Therefore, this paper proposes a new formalization of scheduler-specific observational determinism. It accepts programs that are secure when executed under a specific scheduler. Moreover, it is less restrictive on harmless programs under a particular scheduling policy. In addition, we discuss how compliance with our definition can be verified, using model checking. We use the idea of self-composition and we rephrase the observational determinism property for a single program as a temporal logic formula over the program executed in parallel with an independent copy of itself. Thus two states reachable during the execution of are combined into a reachable program state of the self-composed program. This allows to compare two program executions in a single temporal logic formula. The actual characterization is done in two steps. First we discuss how stuttering equivalence can be characterized as a temporal logic formula. Observational determinism is then expressed in terms of the stuttering equivalence characterization. This results in a conjunction of an LTL and a CTL formula, that are amenable to model checking
Quantitative Information Flow as Safety and Liveness Hyperproperties
We employ Clarkson and Schneider's "hyperproperties" to classify various
verification problems of quantitative information flow. The results of this
paper unify and extend the previous results on the hardness of checking and
inferring quantitative information flow. In particular, we identify a subclass
of liveness hyperproperties, which we call "k-observable hyperproperties", that
can be checked relative to a reachability oracle via self composition.Comment: In Proceedings QAPL 2012, arXiv:1207.055
Threats Management Throughout the Software Service Life-Cycle
Software services are inevitably exposed to a fluctuating threat picture.
Unfortunately, not all threats can be handled only with preventive measures
during design and development, but also require adaptive mitigations at
runtime. In this paper we describe an approach where we model composite
services and threats together, which allows us to create preventive measures at
design-time. At runtime, our specification also allows the service runtime
environment (SRE) to receive alerts about active threats that we have not
handled, and react to these automatically through adaptation of the composite
service. A goal-oriented security requirements modelling tool is used to model
business-level threats and analyse how they may impact goals. A process flow
modelling tool, utilising Business Process Model and Notation (BPMN) and
standard error boundary events, allows us to define how threats should be
responded to during service execution on a technical level. Throughout the
software life-cycle, we maintain threats in a centralised threat repository.
Re-use of these threats extends further into monitoring alerts being
distributed through a cloud-based messaging service. To demonstrate our
approach in practice, we have developed a proof-of-concept service for the Air
Traffic Management (ATM) domain. In addition to the design-time activities, we
show how this composite service duly adapts itself when a service component is
exposed to a threat at runtime.Comment: In Proceedings GraMSec 2014, arXiv:1404.163
Self-Adaptation and Secure Information Flow in Multiparty Structured Communications: A Unified Perspective
We present initial results on a comprehensive model of structured
communications, in which self- adaptation and security concerns are jointly
addressed. More specifically, we propose a model of self-adaptive, multiparty
communications with secure information flow guarantees. In this model, security
violations occur when processes attempt to read or write messages of
inappropriate security levels within directed exchanges. Such violations
trigger adaptation mechanisms that prevent the violations to occur and/or to
propagate their effect in the choreography. Our model is equipped with local
and global mechanisms for reacting to security violations; type soundness
results ensure that global protocols are still correctly executed, while the
system adapts itself to preserve security.Comment: In Proceedings BEAT 2014, arXiv:1408.556
- âŠ