    Partial model checking, process algebra operators and satisfiability procedures for (automatically) enforcing security properties

    In this paper we show how the partial model checking approach for the analysis of secure systems may also be useful for enforcing security properties. We define a set of process algebra operators that act as programmable controllers of possibly insecure components. The program of these controllers may be obtained automatically through the use of satisfiability procedures for a variant of the mu-calculus.

    Action Refinement for Security Properties Enforcement

    In this paper we propose an application of action refinement theory for enforcing security policies at different levels of abstraction by using process algebra controller operators. Let us consider a system that cooperates with a possibly untrusted component managed by a programmable controller operator in such a way that the composed system is secure, i.e., the composed system works as expected. First, the system is specified at a high level of abstraction. Subsequently, we refine it by applying a refinement function, so that we pass through different abstraction levels. Here we investigate the set of features a refinement function needs to have in order to guarantee that a system which is secure at the high level is still secure once refined, regardless of the behaviour of the implementation of the untrusted component. Indeed, by applying an action refinement function, it is possible to refine the system, the controller program and the possibly untrusted component as if they were three independent entities, so that their implementations do not depend on each other. Hence the capability of the controller operator to make the system secure regardless of the behaviour of the untrusted component at the high level is also preserved at the lower level.

    Model and Synthesize Security Automata

    We define a set of process algebra operators (controllers) that mimic the security automata introduced by Schneider in [18] and by Ligatti et al. in [4], respectively. We also show how to automatically build these controllers for given security policies.

    A framework for automatic security controller generation

    This paper concerns the study, development and synthesis of mechanisms for guaranteeing the security of complex systems, i.e., systems composed of several interacting components. A complex system under analysis is described as an open system, in which a certain component has an unspecified behavior (not fixed in advance). Regardless of the unspecified behavior, the system should work properly, e.g., it should satisfy a certain property. Within this formal approach, we propose techniques to enforce properties and to synthesize controller programs able to guarantee that, for all possible behaviors of the unspecified component, the overall system is secure. To perform this task, we use techniques that provide necessary and sufficient conditions on the behavior of the unspecified component for the whole system to be secure. Hence, we automatically synthesize the appropriate controller programs by exploiting satisfiability results for temporal logic. We contribute to the area of security property enforcement by proposing a flexible and automated framework that goes beyond the definition of how a system should behave to work properly. Indeed, while the majority of related work focuses on the definition of monitoring mechanisms, we aid in the synthesis of enforcement techniques. Moreover, we present a tool for the synthesis of secure systems that generates a controller program directly executable on real devices such as smartphones.

    Semiring-based Specification Approaches for Quantitative Security

    Our goal is to provide different semiring-based formal tools for the specification of security requirements: we quantitatively enhance the open-system approach, according to which a system is only partially specified. Therefore, we suppose the existence of an unknown and possibly malicious agent that interacts in parallel with the system. Two specification frameworks are designed along two different (but still related) lines. First, by comparing the behaviour of a system with the expected one, or by checking whether the system satisfies some security requirements: we investigate a novel approximate behavioural equivalence for comparing process behaviour, thus extending the Generalised Non Deducibility on Composition (GNDC) approach with scores. As a second result, we equip a modal logic with semiring values, so as to obtain a weight related to the satisfaction of a formula that specifies some requested property. Finally, we generalise the classical partial model-checking function, which we call quantitative partial model-checking, in such a way as to point out the necessary and sufficient conditions that a system has to satisfy in order to be considered secure with respect to a fixed security/functionality threshold value.

    There are Two Sides to Every Question - Controller Versus Attacker.

    We investigate security enforcement mechanisms that run in parallel with a system; the aim is to check and modify the run-time behaviour of a possible attacker in order to guarantee that the system satisfies some security policies. We focus on a CSP-like quantitative process algebra to model such processes. Weights on actions are modelled with semirings, which represent a parametric structure in which different metrics can be cast. The basic tools are a quantitative logic and a model checking function. First, the behaviour of the system is removed from the parallel computation with respect to some security property to be satisfied. Second, what remains is refined into two formulas with respect to the given operator executed by a controller. The result describes what a controller has to do to prevent a given attack.

    Specification and Analysis of Information Flow Properties for Distributed Systems

    We present a framework for the specification and the analysis of information flow properties in partially specified distributed systems, i.e., systems in which there are several unspecified components located in different places. First we consider the notion of Non Deducibility on Composition (NDC for short), originally proposed for nondeterministic systems and based on trace semantics. We study how this information flow property can be extended in order to deal also with distributed, partially specified systems. In particular, we develop two different approaches: the centralized NDC (CNDC) and the decentralized NDC (DNDC). According to the former, there is just one unspecified global component that has complete control of the n distributed locations where interaction occurs between the system and the unspecified component. According to DNDC, there is one unspecified component for each distributed location, and the n unspecified components are completely independent, i.e., they cannot coordinate their efforts or cooperate. Surprisingly enough, we prove that centralized NDC is as discriminating as decentralized NDC. However, when we move to Bisimulation-based Non-Deducibility on Composition, BNDC for short, the situation is completely different. We prove that centralized BNDC (CBNDC for short) is strictly finer than decentralized BNDC (DBNDC for short), hence proving the quite expected fact that a system that can resist coordinated attacks is also able to resist simpler attacks performed by independent entities. Hence, by exploiting a variant of the modal μ-calculus that permits managing tuples of actions, we present a method to analyze when a system is CBNDC and/or DBNDC, based on the theory of decomposition of formulas and compositional analysis.

    Context-Aware Analysis of Data Sharing Agreements

    A Data Sharing Agreement is an agreement among contracting parties regulating how they share data under certain contextual conditions. During the definition phase, where the parties negotiate their respective authorizations on the data covered by the agreement, the resulting policy may be analysed in order to identify possible conflicts or incompatibilities among authorization clauses. In this paper, we propose a formal framework for Data Sharing Agreement analysis. Our proposal is built on a process algebra formalism dealing with contextual data, encoded into the Maude engine to make it executable. The effectiveness of the analysis is shown through a sensitive data sharing test bed. Furthermore, we present an implementation of the analyser exposed as a Web Service built on top of Maude. The Web Service technology keeps the whole architecture modular with respect to the analysis tool.

    The Innovation of the Cashierless Store: A Preliminary Analysis in Italy

    The retail sector, under the pressure of digitalization and technological innovation, has experienced profound changes in the last decade, and retailers have had to cope with these changes by implementing new business models and competitive strategies with the aim of satisfying consumers’ needs. In the last few decades, the sector has been affected by different new trends, from the birth of supermarkets to the advent of e-commerce, up to the introduction of cashierless stores. The latter represents a new category of store that is totally computer-based and digitalized, in which the use of cameras, sensors and self-shelves minimizes human interaction. Amazon pioneered this emerging concept with the launch of Amazon Go, but other start-up companies are rapidly entering the cashierless retail market and embracing the challenge. The purpose of this paper is to analyze Italian consumers’ knowledge of cashierless shops, and the relevance of different factors related to this new kind of shop. A questionnaire was sent to a sample of more than 1000 consumers to identify and evaluate the actual situation and knowledge of this phenomenon, which is not yet widespread in Italy. A statistical analysis, regarding both their knowledge about cashierless stores and the customer experience, is provided to discuss the most relevant factors affecting customers’ perceptions and attitudes, with a comparison by gender and type of user. The results of the analysis reveal that the phenomenon is very little known, and this is certainly influenced by the lack of such stores in Italy.