1. 1 Non-interference Properties for Probabilistic Processes A Process Algebraic Approach Alessandro Aldini joint work with Mario Bravetti and Roberto Gorrieri

2. 2 Outline  Information flow analysis  A nondeterministic calculus  Non-interference for nondeterministic processes  A probabilistic calculus  Non-interference for probabilistic processes  Non-interference and probabilities

3. 3 Formal methods and security  Motivation: –The Internet provides support for the transmission of data over communication networks, but is not designed with the goal of avoiding unauthorized disclosure of such data. –Cryptography is the solution, but… imported code mobile agents malicious non-authenticated accesses … raise a supplementary, increasing demand for security in computer networks.

4. 4 Formal methods and security  Formal techniques may help to: –prevent security holes, –provide a generalized, easily verifiable notion of security. Here, we concentrate on the security analysis of information flow in systems and, more precisely, how to characterize the absence of any insecure flow, by applying the classical idea of non-interference.

5. 5 Non- interference Non-interference checks the absence of information flows through the system, in terms of confidential, high level information illegally revealed to someone without the related access right.

6. 6 Non-interference  The users of the system are partitioned into high level users and low level users.  High and low users interact with the system through separate interfaces.  Low user cannot directly observe what high users do.  Low users know the exact, complete design of the system, including the high interface.  users interact with the system through input actions (guided by the users) and output actions (guided by the system).

7. 7 Non-interference The interactions of low users with the system should not be affected by the behavior of high users [Gougen & Meseguer ’82] System Low interface LOW USERS High interface HIGH USERS ? information flow

8. 8 Direct information flow var X = 0 System write x := 1 High user Low user read x 1 A high value is directly communicated from the high user to the low user!

9. 9 Indirect information flow Non-interference seeks to capture also EXAMPLE Sharing of resources (e.g. memory devices). shared memory High userLow user create private file data.txt create public file data.txt FAIL! covert channels (indirect information flows from high level to low level)

10. 10 Non-interference: an example P a b High level activity c a, b, c: low level activities Information flow from H to L! h

11. 11 Non-interference Information flow analysis in process algebras: [Jacob’88, Ryan’91, Focardi & Gorrieri’95, Roscoe’95, Ryan & Schneider’99] –Information flow is analyzed by considering the possibilistic behavior of the system, i.e. what events are possible. –Further aspects are not considered, such as the timing of actions and the probability distribution of events.

12. 12 Non-interference –In this talk, we take into consideration the influence of the high level behavior upon the probability distribution of the observable, low level events. –The motivation is twofold: probabilistic covert channels may occur which are not observable in a purely nondeterministic setting; a quantitative estimate of the information flowing through the system may be given.

13. 13 Probability & non-interference (1) The frequency of the possible low outcomes derived from several execution runs of the system may change depending on the interaction of the high user with the system. [Gray’92, Sabelfeld & Sands’99, Hankin et al.’00]

14. 14 Probability & non-interference (1) P a b High level activity a, b: low level activities Information flow from H to L! h        

15. 15 Probability & non-interference (2) Interactions of high users with the system which affect the interactions of low users may occur with a negligible probability. In such a case, the illegal information flow can be tolerated by the users of the system. [Hankin et al.’02]

16. 16 Probability & non-interference (2) P High level activity a, b: low level activities Information flow from H to L… quite negligible! h a  b  

17. 17 Outline Information flow analysis  A nondeterministic calculus  Non-interference for nondeterministic processes  A probabilistic calculus  Non-interference for probabilistic processes  Non-interference and probabilities

18. 18 A non-deterministic process algebra  Actions are divided into: –a set I of input actions a *, b *, … –a set O of output actions a, b, … Act = I U O U   Visible action types are partitioned into two disjoint sets: –AType L of low level types – AType H of high level types AType = AType H U AType L U 

19. 19 Syntax P :0  P P + P P P S P L A where S, L are in P (AType – {  }).

20. 20 Syntax P :0  P P + P P P S P A 0 Null term, denoting a terminated or deadlocked term. L

21. 21 Syntax P :0  P P + P P P S P A  P Prefix operator: executes action  and then behaves as term P (  is an output action, an input action, or an internal action  L

22. 22 Syntax P :0  P P + PP P S P A P + Q Alternative choice operator: expresses a non-deterministic choice between a term P and a term Q (CCS-style) L

23. 23 L Syntax P :0  P P + PP P S P A P Q S Parallel composition operator: expresses the concurrent execution of processes P and Q (CSP-style)

24. 24 L Syntax P :0  P P + PP P S P A P L Hiding operator: turns the visible action with type in L into internal  actions

25. 25 L Syntax P :0  P P + P P P S P A A Constants are used to define recursive terms A = P

26. 26 : synchronization policy a*a* P Q S.P S a*a*.Q P S Q a.P S a*a*.Q P S Q a*a* a a.P S a.Q a is in S:

27. 27 : synchronization policy (( a * P Q S.P S a*a*.P’) S a a is in S: a*a*.P’’) S a.Q (( P S P’) S P’’) S Q Q broadcasts the output action a, while all the other processes synchronize on the input action a * (asymmetric multiway synchronization)

28. 28 Restriction P L 0 which cannot execute the actions of P with type in L. P L to stand for a*a*.P S c.Q EXAMPLE (with a = c and a in S) The synchronization rule can also express the restriction of actions. In the action a *, constrained to synchronize, cannot be executed! We use

29. 29 Equivalence  We use equivalence checking to express security properties: a system S is secure if two subsystems, suitably derived from S and from the security definition, are equivalent.  We need a notion of equivalence to relate terms which behave the same from the viewpoint of an external observer.  Since  actions cannot be seen by any external observer, and since the definition of security properties focuses on observable behaviors, we use a notion of equivalence which abstracts from internal actions: weak bisimulation equivalence.

30. 30 Equivalence Note: G denotes the set of processes of the calculus  means that a  labeled transition (with  visible action) occurs possibly preceded and followed by a sequence of internal  transitions  means that a  labeled transitions occurs  means that zero or more  labeled transitions occur

31. 31 Weak bisimulation:   A relation R in G x G is a weak bisimulation iff (P,Q) in R implies for all  in Act: whenever P P’, then there exists Q’ such that Q Q’ and (P’,Q’) in R whenever Q Q’, then there exists P’ such that P P’ and (P’,Q’) in R   B [Milner’89]

32. 32 Outline Information flow analysis A nondeterministic calculus  Non-interference for nondeterministic processes  A probabilistic calculus  Non-interference for probabilistic processes  Non-interference and probabilities

33. 33 Nondeterministic security properties  We rephrase in the context of our nondeterministic calculus some of the security properties defined in [Focardi & Gorrieri’95].

34. 34 00h.b. a. + Low user standpoint: High user does not interact High user interacts aa  b

35. 35 Nondeterministic Non-interference (int) Intuition: a system P is secure iff the behavior of P observable by a low user does not depend on the high interactions. Formally: P AType H P For each low behavior observable when the high user does not interact with the system, we have an equivalent low behavior observable when the high user executes high actions, and viceversa. B

36. 36 Examples 00h.b. a. + 0 00 .b. a. + 00h. a. + 0 00 .. + B B Low user viewpoint without high interactions with high interactions

37. 37 Examples Low user viewpoint without high interactions with high interactions 00h.a. a. + 0 00 .a. a. + B 0 P = a.Q B Q = h.Q + b. a b a b 

38. 38 0h.h.a. a. + Low user standpoint: High user does not interact High user interacts aa  a 0  ? Nondeterministic non-interference is not enough!

39. 39 Nondeducibility on Composition (comp) Intuition: a system P is secure iff the behavior of P observable by a low user is invariant with respect to the interaction of any high user. Formally: P AType H P S S  ()() for any: high process  and high communication interface S B

40. 40 Example 0h.h.a. a. + 0 0 h h*h*. 00h.h.a. (a. + aa  ) B 0 without high interactions interacting with 0 h*h*. B

41. 41 0h.a. .a. + Low user standpoint: High user does not interact High user interacts b 0 Nondeducibility on Composition is not enough! b.0+  a …but the event b informs the low user that the high user did not interact

42. 42 Strong Nondeducibility on Composition (scomp) Intuition: the low user should not distinguish which, if any, high level event has occurred at some point in the past. Formally: P1P1 AType H For any P 1 derivative of P and for any P 2 s.t. P1P1 P2P2   high action we have P2P2 AType H B

43. 43 Example (1) 0 a. 0h.a. .a. +0b.0+ 0 .a. +b.0 B P h P 0 a. = AType H P = is not scomp-secure P

44. 44 Example (2) 0.a. .a. +0+ h*h* 0.b. .b. +0 k*k* h,k: high a,b: low 0 .a. + 0 .b. 0 b. 0 a. B B without high interactions: after a high interaction with action h: after a high interaction with action k:

45. 45 Inclusion relations scomp comp int

46. 46 Outline Information flow analysis A nondeterministic calculus Non-interference for nondeterministic processes  A probabilistic calculus  Non-interference for probabilistic processes  Non-interference and probabilities

47. 47 A probabilistic process algebra  algebraic operators are enriched with probabilistic information:  a mixture of the classical generative and reactive models of probability is adopted. P :0  P P + P P P S P a A ppp S in P (AType -  ), a in AType - , and p in ]0,1[

48. 48 Input actions as reactive actions 1. The type a of the action to be performed is chosen by the environment. 2. The system chooses an action a * according to the probability distribution associated to the input actions of type a. b*b* a*a*   b*b*   Transitions are divided into type bundles The choice within a bundle is purely probabilistic The choice among bundles is nondeterministic (guided by the environment) The sum of the probabilities within a bundle is to be 1  PQ

49. 49 Output (and internal) actions as generative actions  The system autonomously decides the action to be performed according to the probability distribution associated to the enabled output actions. b a   b   Transitions are grouped in a single bundle The sum of the probabilities within the bundle is to be 1  

50. 50 A mixed generative/reactive model  A single generative bundle contains all the output transitions which can be executed by the system.  We have several reactive bundles, one for each action type. b a   b     generative bundle b*b*   b*b*   c*c* reactive bundle b  [Segala’95, Stark et al.’97]

51. 51 Probabilistic choice a + b p expresses a probabilistic choice between two output actions: a is chosen with probability p while b is chosen with probability 1-p. a * + a * p the same! a * + b * p the choice is nondeterministic: p is not considered (usually we omit it). a + b * p

52. 52 Example: mixed choice + a + b * p c + b * r q ( ) () b*b* b*b* q 1 - q a q c  parameters p and r are not used because they are attached to operators which refer to nondeterministic choices  parameter q guides the probabilistic choice between the two generative actions a and c and between the two reactive actions of type b

53. 53 Probabilistic parallel composition S || p P Q performs the actions of P and Q by following: 1.the synchronization policy described in the nondeterministic case, 2.the probabilistic mechanism described for the choice operator, as in ACP [Baeten et al.’95] Note: the probabilities of the actions which can be executed by the composed system are normalized [van Glabbeek et al.’95].

54. 54 Probabilistic parallel composition S || p (a + b) q c if a,b,c are not in S, then the system can execute the output action a with probability pq, the action b with probability p(1-q), or the action c with probability 1-p. if a and b are not in S and c is in S, then the system can execute output actions of the lefthand process only, i.e. a with probability q or b with probability 1-q. if a and c are not in S and b is in S, then the system can execute the action a of the lefthand process with probability p or the action b of the righthand process with probability 1-p.

55. 55 Probabilistic parallel composition L || p (a + b) q All the actions of the lefthand process which belong to the synchronization set L cannot be executed! Parameter p is not used. The probabilities of the remaining executable actions are redistributed so that the overall probability of each bundle is still 1. Example: if a is in L, then the system can execute the action b only with probability 1. 0 P L 0 P L to stand for We use p for any p

56. 56 Probabilistic hiding P = a + b q P a p  + b q Case 1 (probabilistic choice between two visible actions) (probabilistic choice between an internal action and a visible action) The choice is already probabilistic, therefore parameter p of the hiding operator is not considered! =

57. 57 Probabilistic hiding P = a + b q P a p =  + b p Case 2 (nondeterministic choice between two visible actions – parameter q is not considered) (probabilistic choice between an internal action and a visible action) A nondeterministic choice becomes a probabilistic choice: parameter p of the hiding operator is needed! *

58. 58 Probabilistic hiding  Parameter p is used to turn nondeterministic choices between reactive actions of type a and generative actions into probabilistic choices between internal actions  and generative actions.  This corresponds to the execution of a synchronization between a * and an action a performed by the environment that gives rise to an internal action    In this way, the hiding operator turns open systems, which can interact with the environment, into closed systems, which are fully specified. P a p

59. 59 Equivalence  We introduce a notion of probabilistic weak bisimulation.  The classical weak transition is replaced by the probability of reaching classes of equivalent states. Note: G denotes the set of processes of the calculus *a*a denotes the set of sequences  * a if a is a generative visible action and the set of sequences  * if a =  GAct denotes the set of generative actions RAct denotes the set of reactive actions

60. 60 Probabilistic weak bisimulation: A relation R in G x G is a probabilistic weak bisimulation iff whenever (P,Q) is in R then for all C in G / R : PB Prob(P,  * a,C) = Prob(Q,  * a,C) for all a in GAct Prob(P,a *,C) = Prob(Q,a *,C) for all a * in RAct [Baier & Hermanns’97]

61. 61 : an example PB   b, 1/2 a, 1/2 b, 1/3 a, 1/3 The two systems are equivalent.

62. 62 Outline Information flow analysis A nondeterministic calculus Non-interference for nondeterministic processes A probabilistic calculus  Non-interference for probabilistic processes  Non-interference and probabilities

63. 63 Security analysis and probability  We extend the definition of the nondeterministic security properties in our probabilistic setting.  NOTE: we consider probabilistic processes which are well defined, i.e. the probability of observing, at some point in the future, a visible action cannot tend to zero.

64. 64 Probabilistic Non-interference (int pr ) Intuition: a system P is secure iff the probabilistic low view of P is not altered by the probabilistic behavior of the high users. Formally (denoted h 1 …h P the high level action types which syntactically occur within P): P AType H P PB h1h1 p1p1 … hPhP pPpP for any sequence of probabilities p 1 …p P in ]0,1[

65. 65 An Example P = .( .a + h.b) +  b.5 b    a  b   a  b hiding high events restricting high events.5 B PB a,b: low h: high

66. 66 Probabilistic Non-interference the universal quantification over all possible probability distributions of the hidden reactive high actions is needed to verify the influence of the high activities upon the low view. P = h.a + ( .a + b) * EXAMPLE In the probabilistic setting, the nondeterministic choice can be probabilistically resolved by the high user which interacts with the system, thus altering the probability of observing the low event a ( b ). ( .a + b) q PB .a + ( .a + b) qp for any choice of p in ]0,1[ The nondeterministic process P is int-secure P AType H P PB h1h1 … hPhP p 1 …p P in ]0,1[ A In q p1p1p

67. 67 Probabilistic Non-interference P = h.a + a * EXAMPLE a PB .a + a p for any choice of p in ]0,1[ The low view of P is represented by the execution of the low action a with probability 1. The high user which solves the nondeterministic choice in P cannot alter such a view.

68. 68 Probabilistic Non-interference P = (a + a.b) + a.h.b EXAMPLE a, pq pq a, (1-p)q a, (1-q) b, 1 h, 1  The nondeterministic version of P is int-secure  If the high user interacts, then the probability of observing the sequence a.b is 1-pq.  If the high user does not interact, then the probability of observing the sequence a.b is (1-p)q.  P is not int pr -secure!

69. 69 Probabilistic Non-interference A pure probabilistic covert channel [Sabelfeld & Sands’00] low variable l := high variable h OR random value High values and random values belong to the same domain:  In a nondeterministic setting, since the choice between the two different assignments is left underspecified and since the set of low outputs does not change with or without high interactions, the system is considered to be secure.  In a probabilistic setting, if we observe the frequency of the possible low outcomes of the low level variable, then we may infer the high behavior: EXAMPLE l := h +.7 random value(and we assume h=1) may give rise, after repeated executions of the system, to the sequence of outcomes: 0,1,1,1,3,1,2,1,1,1,1,4,0,1,1,1,3,1,1,1

70. 70 Probabilistic Non-interference P = (a + b) + h.(a + b) Similarly, in our process algebraic setting we may consider the following system: pq r  If the high user interacts, then the probabilistic choice between the low actions a and b is guided by parameter q.  If the high user does not interact, then the probabilistic choice between the low actions a and b is guided by parameter p.  The system is int-secure iff p = q.  NOTE: the nondeterministic version of process P is S- secure (with S in {int,comp,scomp}).

71. 71 Probabilistic Non-deducibility on Composition (comp pr ) P AType H P {h 1,…,h k }  AType H ()() for any: high user  high communication interface PB p h1h1 p1p1 … hkhk pkpk {h 1,…,h k }, probabilities p,p 1,…,p k in ]0,1[

72. 72 comp pr : example P = ( .(a + h) + .(a +  )) + k.a h,k: high level types – a: low level type P is int pr -secure Intuitively, the high user can: 1.block the execution of the action k 2.wait for the internal probabilistic choice 3.accept (block) the execution of the action h Formally, by taking the high user  = h. and the synchronization set { h,k }, it turns out that P is not comp pr -secure pp1-pp * 0

73. 73 Strong comp pr (scomp pr ) As in the nondeterministic case, a stronger formulation of the comp pr property is given in order to avoid the universal quantification over all possible high level users. P1P1 AType H For any P 1 derivative of P and for any P 2 s.t. P1P1 P2P2  p  in AType H we have P2P2 AType H B, p in ]0,1]

74. 74 Inclusion Relations scomp pr comp pr int pr

75. 75 Inclusion Relations Given a nondeterministic security property SP and its probabilistic counterpart SP pr then we have SP pr C SP meaning that if P is SP pr -secure, then the nondeterministic version of P is SP-secure.

76. 76 Inclusion Relations scomp pr comp pr int pr scomp int comp P. Q.

77. 77 Outline Information flow analysis A nondeterministic calculus Non-interference for nondeterministic processes A probabilistic calculus Non-interference for probabilistic processes  Non-interference and probabilities

78. 78 Probability & Non-interference P High level activity a, b: low level activities Information flow from H to L… quite negligible! h a  b  

79. 79 Probability & Non-interference  Probabilistic information can be employed to quantify the probability associated to each information flow, thus allowing the modeler to estimate the probability of observing insecure behaviors.  Weak bisimulation is too sensitive and does not allow to relate probabilistic processes which behave almost the same.  Relaxed notions of security properties may allow to consider as secure systems those systems where the probability of observing an information flow is negligible.

80. 80 We pass to a relaxed definition of bisimulation which is able to tolerate small  -fluctuations. A relation R in G x G is a probabilistic weak bisimulation with  -precision iff whenever (P,Q) is in R then for all C in G / R : |Prob(P,  * a,C) - Prob(Q,  * a,C)| <  for all a in GAct |Prob(P,a *,C) - Prob(Q,a *,C)| <  for all a * in RAct Bisimulation with  -precision ( ) PB 

81. 81 PB  : example P = (a + a.b) + a.h.b pq As we have seen, the system is not int pr -secure. However, if q is a value close to 0, then the low level outcome of repeated executions of the system changes according to negligible fluctuations with or without the interaction of the high user. Formally, P is int pr -secure if we employ as the notion of equivalence the PB 

82. 82 PB  : example (2) P = h.a + .(b + h.b) pq h, p , 1-p b, 1 h, q b, 1-q a, 1 secure component Q insecure component

83. 83 PB  : example (2) P = h.a + .(b + h.b) pq  The probability of reaching the secure component Q is 1-p  The probability of reaching the insecure component is p P AType H PB  P r h for any r in ]0,1[ Given  p, we have: ,  , 1-  a, 1 PB  , 1 QQ for any Q In particular:

84. 84 Quantifying information flows Systems which need an estimation of the illegal information flows:  PROBABILISTIC ALGORITHMS. Among the possible behaviors of the algorithm we also have an unwanted, insecure behavior which usually is executed with a probability close to 0. EXAMPLES:  probabilistic non-repudiation  asynchronous Byzantine agreement

85. 85 Conclusion 1.The process algebraic approach to probabilistic non-interference is a natural, conservative extension of the nondeterministic non- interference theory. 2.Probabilistic information can be employed to quantify information flow.

86. 86 Conclusion Future work Analysis of probabilistic cryptographic protocols: generalized, easily verifiable notion of security Extension of the calculus with message handling and cryptography: relaxation of the assumption of perfect cryptography

87. 87 References 1.Aldini, M. Bravetti "An Asynchronous Calculus for Generative-Reactive Probabilistic Systems" in Proc. of the 8th Int. Workshop on Process Algebra and Performance Modeling (PAPM’00), Rolim et al. Ed., pp. 591-605, Carleton Scientific, Geneve, 2000"An Asynchronous Calculus for Generative-Reactive Probabilistic Systems" 2.A. Aldini "Probabilistic Information Flow in a Process Algebra " in Proc. of the 12th Int. Conference on Concurrency Theory (CONCUR'01), Springer LNCS 2154, pp. 152-168, Aalborg, 2001"Probabilistic Information Flow in a Process Algebra " 3.A. Aldini "On the Extension of Non-interference with Probabilities" in the 2nd ACM SIGPLAN and IFIP WG 1.7 Workshop on Issues in the Theory of Security (WITS'02), Portland, Oregon, 2002"On the Extension of Non-interference with Probabilities" 4.A. Aldini, R. Gorrieri "Security Analysis of a Probabilistic Non- repudiation Protocol" in Proc. of the 2nd Joint Int. Workshop on Process Algebra and Performance Modelling, Probabilistic Methods in Verification (PAPM-PROBMIV'02), Springer LNCS 2399, pp. 17-36, Copenhagen, 2002"Security Analysis of a Probabilistic Non- repudiation Protocol" 5.A. Aldini, M. Bravetti, R. Gorrieri "A Process Algebraic Approach for the Analysis of Probabilistic Non-interference" Tech. Rep. UBLCS-2002-02, University of Bologna (Italy), 2002"A Process Algebraic Approach for the Analysis of Probabilistic Non-interference"

88. 88 Thank you! http://www.cs.unibo.it/~aldini ~bravetti ~gorrieri {aldini,bravetti,gorrieri}@cs.unibo.it