MGHyper: Checking Satisfiability of HyperLTL Formulas Beyond the Fragment
Hyperproperties are properties that refer to multiple computation traces.
This includes many information-flow security policies, such as observational
determinism, (generalized) noninterference, and noninference, and other system
properties like symmetry or Hamming distances in error-resistant codes.
We introduce MGHyper, a tool for automatic satisfiability checking and model
generation for hyperproperties expressed in HyperLTL. Unlike previous
satisfiability checkers, MGHyper is not limited to the decidable fragment of HyperLTL, but provides a semi-decision procedure for the
full logic. An important application of MGHyper is to automatically check
equivalences between different hyperproperties (and different formalizations of
the same hyperproperty) and to build counterexamples that disprove a certain
claimed implication. We describe the semi-decision procedure implemented in
MGHyper and report on experimental results obtained both with typical
hyperproperties from the literature and with randomly generated HyperLTL
formulas.
Persistent Stochastic Non-Interference
In this paper we present an information flow security property for
stochastic, cooperating, processes expressed as terms of the Performance
Evaluation Process Algebra (PEPA). We introduce the notion of Persistent
Stochastic Non-Interference (PSNI) based on the idea that every state reachable
by a process satisfies a basic Stochastic Non-Interference (SNI) property. The
structural operational semantics of PEPA allows us to give two
characterizations of PSNI: the first involves a single bisimulation-like
equivalence check, while the second is formulated in terms of unwinding
conditions. The observation equivalence at the base of our definition relies on
the notion of lumpability and ensures that, for a secure process P, the steady
state probability of observing the system being in a specific state P' is
independent from its possible high level interactions. Comment: In Proceedings EXPRESS/SOS 2018, arXiv:1808.0807
Action Systems, Determinism and the Development of Secure Systems
This thesis addresses issues arising in the specification and development of secure systems, focusing in particular on aspects of confidentiality. Various confidentiality properties based on limiting the allowed flows of information in a system have previously been proposed. These definitions are reviewed here and some of the problems inherent in their use are outlined. Recent work by Roscoe [106] has provided information flow definitions based on restricting the allowed nondeterminism within the system. These properties are described in detail, with a range of examples provided to illustrate their use.

This thesis is concerned with providing a new, pragmatic approach to the development of secure systems. Action systems are chosen as a notation which incorporates both direct representation of system state, useful for effective system modelling, and the succession of events in a system, essential for representation of information flow properties. A definition of nondeterminism and formulations of the deterministic security properties are developed for action systems. These are shown to correspond to the original CSP event based definitions.

The emphasis of this work is on the practical application of theoretical results. This is reflected in the case studies in which the preceding work is applied to realistic development situations. This allows the strengths and weaknesses of both the deterministic security conditions and the use of action systems to be assessed. The first study investigates security constraints applied to a distributed message-passing system. Ways of specifying security conditions and the effects of including them at different levels are explored. The second case study follows through the specification and refinement of a distributed security kernel. A technique for the simplification of security proofs is introduced.
Guess my vote: a study of opacity and information flow in voting systems
With an overall theme of information flow, this thesis has two main strands. In the first part of the thesis, I review existing information flow properties, highlighting a recent definition known as opacity [25]. Intuitively, a predicate φ is opaque if for every run in which φ is true, there exists an indistinguishable run in which it is false, where a run can be regarded as a sequence of events. Hence, the observer is never able to establish the truth of φ. The predicate φ can be defined according to requirements of the system, giving opacity a great deal of flexibility and versatility. Opacity is then studied in relation to several well-known definitions for information flow. As will be shown, several of these properties can be cast as variations of opacity, while others have a relationship by implication with the opacity property [139]. This demonstrates the flexibility of opacity, at the same time establishing its distinct character. In the second part of the thesis, I investigate information flow in voting systems. Prêt à Voter [36] is the main exemplar, and is compared to other schemes in the case study. I first analyse information flow in Prêt à Voter and the FOO scheme [59], concentrating on the core protocols. The aim is to investigate the security requirements of each scheme, and the extent to which they can be captured using opacity. I then discuss a systems-based analysis of Prêt à Voter [163], which adapts and extends an earlier analysis of the Chaum [35] and Neff [131], [132], [133] schemes in [92]. Although this analysis has identified several potential vulnerabilities, it cannot be regarded as systematic, and a more rigorous approach may be necessary. It is possible that a combination of the information flow and systems-based analyses might be the answer. The analysis of coercion-resistance, which is performed on Prêt à Voter and the FOO scheme, may exemplify this more systematic approach.
Receipt-freeness usually means that the voter is unable to construct a proof of her vote. Coercion-resistance is a stronger property in that it accounts for the possibility of interaction between the coercer and the voter during protocol execution. It appears that the opacity property is ideally suited to expressing the requirements for coercion-resistance in each scheme. A formal definition of receipt-freeness cast as a variation of opacity is proposed [138], together with suggestions on how it might be reinforced to capture coercion-resistance. In total, the thesis demonstrates the remarkable flexibility of opacity, both in expressing differing security requirements and as a tool for security analysis. This work lays the groundwork for future enhancement of the opacity framework.
The Keys to Decidable HyperLTL Satisfiability: Small Models or Very Simple Formulas
HyperLTL, the extension of Linear Temporal Logic by trace quantifiers, is a uniform framework for expressing information flow policies by relating multiple traces of a security-critical system. HyperLTL has been successfully applied to express fundamental security policies like noninterference and observational determinism, but has also found applications beyond security, e.g., distributed protocols and coding theory. However, HyperLTL satisfiability is undecidable as soon as there are existential quantifiers in the scope of a universal one. To overcome this severe limitation to applicability, we investigate here restricted variants of the satisfiability problem to pinpoint the decidability border. First, we restrict the space of admissible models and show decidability when restricting the search space to models of bounded size or to finitely representable ones. Second, we consider formulas with restricted nesting of temporal operators and show that nesting depth one yields decidability for a slightly larger class of quantifier prefixes. We provide tight complexity bounds in almost all cases.
Composable Distributed Access Control and Integrity Policies for Query-Based Wireless Sensor Networks
An expected requirement of wireless sensor networks (WSN) is the support of a vast number of users while permitting limited access privileges. While WSN nodes have severe resource constraints, WSNs will need to restrict access to data, enforcing security policies to protect data within WSNs. To date, WSN security has largely been based on encryption and authentication schemes. WSN Authorization Specification Language (WASL) is specified and implemented using tools coded in Java. WASL is a mechanism-independent policy language that can specify arbitrary, composable security policies. The construction, hybridization, and composition of well-known security models is demonstrated and shown to preserve security while providing for modifications to permit inter-network accesses with no more impact on the WSN nodes than any other policy update. Using WASL and a naive data compression scheme, a multi-level security policy for a 1000-node network requires 66 bytes of memory per node. This can reasonably be distributed throughout a WSN. The compilation of a variety of policy compositions is shown to be feasible using a notebook-class computer like that expected to be performing typical WSN management responsibilities.