1. ISA 763 Security Protocol Verification CSP Semantics We thank Professor Csilla Farkas of USC for providing some transparencies that were used to construct this transparency

2. 2CSP Semantics2 References The Theory and Practice of Concurrency by A. W. Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/ 68b.pdf The Theory and Practice of Concurrency by A. W. Roscoe, available at web.comlab.ox.ac.uk/oucl/work/bill.roscoe/publications/ 68b.pdf Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. Chapters 4 and 5 of Modeling and analysis of security protocols by Peter Ryan and Steve Schneider. The FDR2 User Manual available at http://www.fsel.com/documentation/fdr2/html/fdr2manual. html#SEC_Top The FDR2 User Manual available at http://www.fsel.com/documentation/fdr2/html/fdr2manual. html#SEC_Top http://www.fsel.com/documentation/fdr2/html/fdr2manual. html#SEC_Top http://www.fsel.com/documentation/fdr2/html/fdr2manual. html#SEC_Top Formal Systems, FDR download, http://www.fsel.com/ Formal Systems, FDR download, http://www.fsel.com/http://www.fsel.com/ M. Morgenthal: Design and Validation of Computer Protocols, http://wwwtcs.inf.tu-dresden.de/~morgen/sem- ws02.html M. Morgenthal: Design and Validation of Computer Protocols, http://wwwtcs.inf.tu-dresden.de/~morgen/sem- ws02.htmlhttp://wwwtcs.inf.tu-dresden.de/~morgen/sem- ws02.htmlhttp://wwwtcs.inf.tu-dresden.de/~morgen/sem- ws02.html

3. 3CSP Semantics3 CSP Semantics - 1 Operational Semantics Operational Semantics Interprets the language on an (abstract) machine: Interprets the language on an (abstract) machine: such as the ones used in imperative languages using a program counter, next instruction stack etc. such as the ones used in imperative languages using a program counter, next instruction stack etc. Denotational Semantics Denotational Semantics The language is translated to another abstract domain The language is translated to another abstract domain Translate the basic constructs Translate the basic constructs Translate the combinators to constructs in the target domain Translate the combinators to constructs in the target domain Use a compositionality principle to construct the denotation of the whole program from translated parts Use a compositionality principle to construct the denotation of the whole program from translated parts Algebraic Semantics Algebraic Semantics Translate the language into a normal from by rewriting all programs in that form Translate the language into a normal from by rewriting all programs in that form Describe how to execute the program in normal form Describe how to execute the program in normal form

4. 4CSP Semantics4 CSP Semantics - 2 Operational Semantics Operational Semantics Interprets the language on an (abstract) machine: Interprets the language on an (abstract) machine: Construct a labeled transition system (LTS) Construct a labeled transition system (LTS) Denotational Semantics Denotational Semantics The language is translated to another abstract domain The language is translated to another abstract domain Trace semantics, Failure Divergence Semantics Trace semantics, Failure Divergence Semantics Algebraic Semantics Algebraic Semantics Translate the language into a normal from by rewriting all programs in that form Translate the language into a normal from by rewriting all programs in that form Proof rules Proof rules

5. 5CSP Semantics5 Operational Semantics Labeled transition system (LTS) Labeled transition system (LTS) Nodes: state of the process Nodes: state of the process Directed edges: events Directed edges: events Visible events Visible events Internal transitions Internal transitions Recall Trace Refinement: Recall Trace Refinement: S ⊑ T T iff trace(T)  trace(S)

6. 6CSP Semantics6 An example LTS Image from M. Morgenthal

7. 7CSP Semantics7 Another LTS Example Image from M. Morgenthal

8. 8CSP Semantics8 Connection between LTS Examples An Implementation of S as: An Implementation of S as: A ||| B where AB = a  b  AB and AC = a  c  AC where AA corresponds to AB ||| AC AA corresponds to AB ||| AC BA corresponds to b → AB ||| AC BA corresponds to b → AB ||| AC AC corresponds to AB||| (c → AC) AC corresponds to AB||| (c → AC) BC corresponds to b → AB||| (c → AC) BC corresponds to b → AB||| (c → AC)

9. 9CSP Semantics9 AA corresponds to AB ||| AC BA corresponds to b→ AB ||| AC AC corresponds to AB||| (c → AC) BC corresponds to b → AB||| (c → AC)

10. 10CSP Semantics10 Traces Refinement Check Image from M. Morgenthal

11. 11CSP Semantics11 Trace Refinements An implementation refines the trace of a process An implementation refines the trace of a process Hence we would like an implementation to satisfy the specification Hence we would like an implementation to satisfy the specification Which properties? Which properties? For his class, those trace properties used to specify security properties. For his class, those trace properties used to specify security properties.

12. 12CSP Semantics12 Denotational Semantics Recall Trace Semantics for CSP processes Recall Trace Semantics for CSP processes Could not reason the difference between external choice and internal choice Could not reason the difference between external choice and internal choice Example: consider  ={a,b} and Example: consider  ={a,b} and Q1 ≡(a→STOP) □ (b→STOP) Q2 ≡(a→STOP) Π (b→STOP) Q3 ≡STOP Π (a→STOP) □(b→STOP) Refusal set of Q1={} Refusal set of Q1={} Q2 can refuse {a} and {b} but not {a,b} Q2 can refuse {a} and {b} but not {a,b} Q3 can refuse any subset of . Q3 can refuse any subset of .

13. 13CSP Semantics13 Refusal Sets P1 {c} {a, c} {a, b, c} P2 {c} {b, c} {a, b, c} P3 {c} {b, c} {a, c} {a, b, c} P4 {c} {b, c} {a, c} {a, b, c} a b ba  b a    ab cc ab {b, c}

14. 14CSP Semantics14 Refusal Sets P1 ≡ (a → b→ STOP) □ (b → a → STOP) P1 ≡ (a → b→ STOP) □ (b → a → STOP) ≡ (a → STOP) ||| (b → STOP) Failure Sets = (<>,{}), (<>,c), (, {a,c}), (,{a,b,c}) (, {a,c}), (,{a,b,c}) P2 ≡ (c→a→STOP)□(b→c→STOP)\ c P2 ≡ (c→a→STOP)□(b→c→STOP)\ c Failure sets ={(<>,X| X  {b,c}} U Failure sets ={(<>,X| X  {b,c}} U {(,X),(,X)| X  {a,b,c}} Internal actions introduce nondterminism Internal actions introduce nondterminism

15. 15CSP Semantics15 Refusal Sets P3 ≡ (a → STOP) Π (b → STOP) P3 ≡ (a → STOP) Π (b → STOP) Must accept one of {a} or {b} if both {a,b} are offered Must accept one of {a} or {b} if both {a,b} are offered Different from Different from P1 - must accept either P1 - must accept either P2 - must accept a P2 - must accept a P4 ≡ (c→a→STOP)□(c→b→STOP) P4 ≡ (c→a→STOP)□(c→b→STOP) After refuses {X|{a,b}⊈X} After refuses {X|{a,b}⊈X} Failure allows us to distinguish between internal and external choice –traces could not do this! Failure allows us to distinguish between internal and external choice –traces could not do this!

16. 16CSP Semantics16 Failure Semantics failure(P) = {(s,X)| s ∈ Σ* and P/s does not accept any x ∈X} failure(P) = {(s,X)| s ∈ Σ* and P/s does not accept any x ∈X} Failure Refinement: P⊑ F Q (read Q failure refines P) iff Failure Refinement: P⊑ F Q (read Q failure refines P) iff trace(Q)  trace(P) and trace(Q)  trace(P) and failure(Q)  failure(Q)  failure(p)

17. 17CSP Semantics17 Divergence p ≡(  p.a→p)\{a} p ≡(  p.a→p)\{a} Cannot observe a externally. Cannot observe a externally. Diverges – i.e. looks like a  -loop Diverges – i.e. looks like a  -loop We do not care what happens after a process diverges We do not care what happens after a process diverges S a S 

18. 18CSP Semantics18 Failure and Divergence Add extra symbol ✔ to Σ to indicate that the process has terminated Add extra symbol ✔ to Σ to indicate that the process has terminated Interpretation: ✔ is emitted by the process to the environment to indicate normal termination Interpretation: ✔ is emitted by the process to the environment to indicate normal termination P ⇒ s ⇒ Q means process P becomes Q P ⇒ s ⇒ Q means process P becomes Q Stable State: a state that does not accept  Stable State: a state that does not accept 

19. 19CSP Semantics19 Failure and Divergence trace(P)≡{∈ Σ*U{} | ∃Q. P ⇒ s ⇒ Q} trace(P)≡{s∈ Σ*U{ ✔ } | ∃Q. P ⇒ s ⇒ Q} trace ⊥ (P)≡{∈F} is a prefix closed set trace ⊥ (P)≡{s: (t,X)∈F} is a prefix closed set diveregnce(P)≡{s^t|s∈ Σ*, t∈ Σ*U{ ✔ } diveregnce(P)≡{s^t|s∈ Σ*, t∈ Σ*U{ ✔ } ∃Q. P ⇒ s ⇒ Q, Q div} Extension closed sets of traces that has an infinite set of  actions failure ⊥ (P)={(s,X)| s is a trace and X is set of actions that can be refused in a state of P} failure ⊥ (P)={(s,X)| s is a trace and X is set of actions that can be refused in a stable state of P}

20. 20CSP Semantics20 The Failures Divergence Model ⊥ ℕ =( Σ*U{} x ℘( ΣU{}), Σ*U{} ) ⊥ ℕ =( Σ*U{ ✔ } x ℘( ΣU{ ✔ }), Σ*U{ ✔ } ) Refers to ( (s, actions: D): Failure, Refers to ( (s, actions: D): Failure, strings: Divergent string ) strings: Divergent string ) Any non-empty subset S of ℕ has an infimum given by Any non-empty subset S of ℕ has an infimum given by ⊓ S = ( ⋃ {F|(F,D) ∈S}, ⋃ {D |(F,D) ∈S}) ⊓ S = ( ⋃ {F|(F,D) ∈S}, ⋃ {D |(F,D) ∈S}) Supremum of a directed set △ is given by Supremum of a directed set △ is given by ⊔S = (∩{F|(F,D) ∈ △}, ∩{D |(F,D) ∈ △}) Theorem: If Σ is finite then ( ℕ, ⊑ FD, ⊓, ⊔) is a complete partial order Theorem: If Σ is finite then ( ℕ, ⊑ FD, ⊓, ⊔) is a complete partial order

21. 21CSP Semantics21 Computing the FD Semantics-1 failures  Σ*U{} } failures ⊥ (STOP)={(<>,X)|X  Σ*U{ ✔ } } divergences(STOP)={} divergences(STOP)={} failures  Σ*U{} } failures ⊥ (SKIP)={(<>,X)|X  Σ*U{ ✔ } } divergences(SKIP)={} divergences(SKIP)={} failures a→p U failures ⊥ (a→p)={(<>,X)|a∉X} U ∈ failures {( ^s,X):a ∈ failures ⊥ ( P) } divergences( a→p )= ∈divergence divergences( a→p )= {( ^s,X):s ∈divergence( P) }

22. 22CSP Semantics22 Computing the FD Semantics-2 failures →p U failures ⊥ (?x:A→p)={(<>,X)|X∩A={}} U ∈ failures {( ^s,X):a ∈ failures ⊥ ( P) } divergences( ?x:A→p )= ∈ divergences( ?x:A→p )= {( ^s,X):s ∈divergence( P[a/x]) } failuresfailuresU failures failures ⊥ (P⊓Q)= failures ⊥ ( P) U failures ⊥ ( Q) divergences()= divergences( P⊓Q )= divergenceU divergence divergence ( P) U divergence ( Q)

23. 23CSP Semantics23 Computing the FD Semantics-3 divergences() = divergences( P□Q ) = divergenceU divergence divergence ( P) U divergence ( Q) failures failures ⊥ (P□Q)= ∈ failuresfailures {(<>,x)| (<>,x)∈ failures ⊥ ( P) ∩ failures ⊥ ( Q)} U {(s,X): s≠<>,(s,X) ∈ failuresUfailures U {(s,X): s≠<>,(s,X) ∈ failures ⊥ ( P)Ufailures ⊥ ( Q)} U {(s,X):<> ∈ diveregenceUdiveregence U {(s,X):<> ∈ diveregence ( P)Udiveregence ( Q)} U {(s,X):X  Σ, <> ) ∈ traceU trace U {(s,X):X X  Σ, ) ∈ trace ⊥ ( P)U trace ⊥ ( Q)}

24. 24CSP Semantics24 Computing the FD Semantics-4 divergences() ={u^v|  s ∈ trace  t ∈ trace ∈(s|| X t) Σ*, divergences( P|| X Q ) ={u^v|  s ∈ trace ⊥ ( P),  t ∈ trace ⊥ ( Q), u ∈(s|| X t) ∩ Σ*, s ∈ divergence t ∈ divergence s ∈ divergence ( P) or t ∈ divergence ( Q) } failuresUZ ∈ s|| X t failures ⊥ (P|| X Q)={(u,Y UZ )| u∈ s|| X t U {}) = U {}) /\ Y\(X U { ✔ }) = Z\(X U { ✔ }) /\  s,t (s,Y) ∈failures (t,Z) ∈ failures  s,t (s,Y) ∈failures ⊥ ( P), (t,Z) ∈ failures ⊥ ( Q) {(u,Y)|u ∈ diveregence {(u,Y)|u ∈ diveregence ( P|| X Q)}

25. 25CSP Semantics25 Computing the FD Semantics-5 divergences() = divergences( P\X ) = s ∈ divergence {(s\X)^t| s ∈ divergence ( P)} U {(u\X)^t| u ∈ Σ  /\ (u\x) is finite /\ ∀s< u, s∈trace(P) ∀s< u, s∈trace ⊥ (P) } failures failures ⊥ (P\X)= (s,Y UX ) ∈failures {(s\X,Y)| (s,Y UX ) ∈failures ⊥ ( P)} U {(s,X)|s ∈ diveregence {(s,X)|s ∈ diveregence ( P\X)}

26. 26CSP Semantics26 Deterministic Processes A process is said to be deterministic if A process is said to be deterministic if 1. t^ ∈ trace (P) ⇒ (t,{a})∉ failure(P) 2. divergence(P) ={} That is, never diverges and do not have the choice of accepting and refusing an action That is, never diverges and do not have the choice of accepting and refusing an action Deterministic processes are the maximal elements under ⊑ FD Deterministic processes are the maximal elements under ⊑ FD Example: (a →STOP)□(a→a→STOP) is non- deterministic Example: (a →STOP)□(a→a→STOP) is non- deterministic

27. 27CSP Semantics27 Deterministic Processes and LTS Two nondeterministic LTS whose behavior is deterministic Two nondeterministic LTS whose behavior is deterministic a a a a

28. 28CSP Semantics28 Abstraction - 1 Abstraction = hide details Abstraction = hide details Example: many-to-one renaming Example: many-to-one renaming [(a →c→ STOP )□(b→d→ STOP )] [[b/a]] = (a→c→STOP) □(a→d→ STOP )] = a→( (c→ STOP )⊓(d→ STOP ) ) Eager abstraction: hiding operator Eager abstraction: hiding operator ℰ H (P)=p\H – assumes that events in H pass out of sight ℰ H (P)=p\H – assumes that events in H pass out of sight

29. 29CSP Semantics29 Abstraction - 2 Lazy abstraction: Projection of P into L Lazy abstraction: Projection of P into L ℒ H (P)= P@L= ℒ H (P)= P@L= {(s\H,X)|(s,X∩L)∈ failures {(s\H,X)|(s,X∩L)∈ failures ⊥ ( P)} Example: L={l1,l2}, H={h} →P) □ (l2→h→P) □ (h→P) P ≡ (l1 →P) □ (l2→h→P) □ (h→P) ℒ H (P)= Q →Q) □ l2→(STOP⊓Q) ℒ H (P)= Q ≡ (l1 →Q) □ l2→(STOP⊓Q) Finite traces of ℒ H (P) are precisely {s\H| s ∈ traces Finite traces of ℒ H (P) are precisely {s\H| s ∈ traces( P)}

30. 30CSP Semantics30 Strong Bisimulation Suppose S is a LTS and the relation R on the set of nodes S’  S, a set of nodes is said to be a strong bisimulation of S iff Suppose S is a LTS and the relation R on the set of nodes S’  S, a set of nodes is said to be a strong bisimulation of S iff ∀ n1,n2,m1 ∈ S’ ∀ x ∈ ΣU{} R(n1,n2) and n1 ⇒ x ⇒ n2,  m2 ∈ S’ n2 ⇒ x ⇒ m2 and R(m1,m2) ∀ n1,n2,m1 ∈ S’ ∀ x ∈ ΣU{ ✔ } R(n1,n2) and n1 ⇒ x ⇒ n2,  m2 ∈ S’ n2 ⇒ x ⇒ m2 and R(m1,m2) ∀ n1,n2,m2 ∈ S’ ∀ x ∈ ΣU{} R(n1,n2) and n1 ⇒ x ⇒ n2,  m1 ∈ S’ n1 ⇒ x ⇒ m1 and R(m1,m2) ∀ n1,n2,m2 ∈ S’ ∀ x ∈ ΣU{ ✔ } R(n1,n2) and n1 ⇒ x ⇒ n2,  m1 ∈ S’ n1 ⇒ x ⇒ m1 and R(m1,m2)

31. 31CSP Semantics31 Casper Compiler Compiler Easy to specify protocols and security properties Easy to specify protocols and security properties E.g., Yahalom protocol E.g., Yahalom protocol Input: 1 page protocol and security spec. Input: 1 page protocol and security spec. Output (CSP): 10 pages Output (CSP): 10 pages

32. 32CSP Semantics32 Casper Protocol Definition: Protocol Definition: protocol operation, including protocol operation, including messages between the agents, messages between the agents, tests performed by the agents, tests performed by the agents, types of data, types of data, initial knowledge, initial knowledge, specification of the protocol’s goals, specification of the protocol’s goals, algebraic equivalences over the types algebraic equivalences over the types Components: Components: Protocol description Protocol description Free variables Free variables Processes Processes Specification Specification

33. 33CSP Semantics33 Casper System definition: actual system to be checked, including agents, their roles, actual data types, intruder’s abilities System definition: actual system to be checked, including agents, their roles, actual data types, intruder’s abilities Components: Components: Actual variables Actual variables Functions Functions System System Intruder information Intruder information

34. 34CSP Semantics34 Protocol Description Image from M. Morgenthal

35. 35CSP Semantics35 Free Variables Image from M. Morgenthal

36. 36CSP Semantics36 Processes Image from M. Morgenthal

37. 37CSP Semantics37 Specification Image from M. Morgenthal

38. 38CSP Semantics38 System specs: Variables Image from M. Morgenthal

39. 39CSP Semantics39 System specs: Functions Image from M. Morgenthal

40. 40CSP Semantics40 System specs: The System Image from M. Morgenthal

41. 41CSP Semantics41 System specs: The Intruder Image from M. Morgenthal

42. Non-interference freedom from covert channels

43. 43 References Bishop’s Book: Chapters 8 and 17 CSP and determinism in security modeling by A. W. Roscoe, IEEE Symposium on Security and Privacy, 1995 114-127. Extending non-interference properties to the timed world by Jian Huang and A. W. Roscoe, SAC’06, 2006.

44. 44 Basic Definitions Basic issue: Confidentiality in MLS Information should not flow from system high to system low Actions are categorizes as H (high) and L (low) Want: if two traces of process P differ only in their H actions, then the subsequent behavior of P seen from L are identical ℰ P is eagerly trace-invariant w.r.t. L, ℰ trINV L (P) tr,tr’ ∈Traces(P) /\ tr↾L= tr ’ ↾L  (P/tr)\H=(P/tr ’ )\H

45. 45 Lazy Trace Invariance Define RUN H ≡ ?x:H → RUN H ℒ trINV L (P) P is lazy-trace invariant w.r.t. H, ℒ trINV L (P) tr,tr’ ∈Traces(P) /\ tr↾L= tr ’ ↾L  (P/tr) ||| RUN H = (P/tr) ||| RUN H What is the difference? All H communications of P are being made ambiguous by mixing them with RUN H Camouflage communication rather than hide! Note: (P||| RUN A )\A= P\A

46. 46 Some Examples H={a,b,c,d}, L={w,x,y,z} 1. 1. P1 ≡ a → x → P1□ b → y → P1 2. 2. P2 ≡ a → x → P2□ b → x → P2 3. 3. P3 ≡ a → x → P3□ b → x → x → P3 4. 4. P4 ≡ a → P4□ b → x → P4 5. 5. P5 ≡ x → (a → P5□ x → P5 □ → y → P5) □ y → (b→ P5□ x → P5 □ → y → P5) 6. 6. P6 ≡ w → y → P6 □ x→z → P6 □ a → c → P6 □ b → d → P6

47. 47 Analyzing Example 1 P1 ≡ a → x → P1□ b → y → P1 Not secure: The event in L directly depends on an event in H. An event observed by L can be used to deduce the corresponding event in H occurred ℰ Fails ℰ trINV L (P) as trace tr1={a,x,b,y}, tr2={x,y} satisfy tr1 ↾L= tr1 ↾L={x} but (P/tr1)\H = { } and (P/tr1)\H ={} ℒ trINV L (P) Fails ℒ trINV L (P) as (P/tr1)|||RUN H ={ } and (P/tr1)|||RUN H ={}

48. 48 Analyzing Examples 2,3,4 P2 ≡ a → x → P2□ b → x → P2 P3 ≡ a → x → P3□ b → x → x → P3 P4 ≡ a → P4□ b → x → P4 ℰ trINV L (P) Satisfy ℰ trINV L (P) as they satisfy (Pi/tr)\H = RUN {x} for any trace tr. ℒ trINV L (P) Fails ℒ trINV L (P) because every available L action depends upon a H action. Thus, can derive if an H action occurred.

49. 49 Analyzing Examples 5 and 6 P5 ≡ x → (a → P5 □ x → P5 □ → y → P5) □ y → (b → P5 □ x → P5 □ → y → P5) P6 ≡ w → y → P6 □ x → z → P6 □ a → c → P6 □ b → d → P6 ℰ trINV L (P) and ℒ trINV L (P) For U L, P5 always communicates when x or y are present. For any tr, P5 satisfy P5/tr ||| RUN H = RUN H ∪ {x,y} Thus P5 satisfy ℰ trINV L (P) and ℒ trINV L (P). ℰ trINV L (P) and f ℒ trINV L (P) P6 satisfy ℰ trINV L (P) and f ail ℒ trINV L (P). Reason for failure: If {a,b} have occurred then then {c,d} must occur for the system to work. Hence if U L cannot communicate with P6, then she knows that U H has communicated with P6. Lesson: The failure model matters in deciding what is observable by U L !

50. 50 Determinism - 1 ℰ fdINV L (P) and ℒ fdINV L (P) Semantics matters in deciding what the intruder can observe! Can define ℰ fdINV L (P) and ℒ fdINV L (P). Points: (The FDR model is not capable of distinguishing between these!) Can an intruder observe what events take place before and after refusals? Same range of non-determinism, but very different probabilistic behavior A process is deterministic if Recall Determinism: A process is deterministic if 1. t^ ∈ trace (P) ⇒ (t,{a})∉ failure(P) 2. divergence(P) ={}

51. 51 Determinism - 2 The Intuitive Idea: The Intuitive Idea: I way to leak information from U H to U L via using the process P is to behave differently towards U L depending on what U H does. Appears as if U H resolves non-determinism for U L to notice and observe! Theorem 1: Theorem 1: 1. ℰ trINV L (P), ℰ fdINV L (P) 1. P\H is deterministic ⇒ ℰ trINV L (P), ℰ fdINV L (P) 2. P||| ℒ trINV L (P) ℒ fdINV L (P) 2. P|||RUN H deterministic ⇒ ℒ trINV L (P), ℒ fdINV L (P) Theorem 2: Theorem 2: 1. P deterministic, P\H divergence free, ℰ trINV L (P) 1. P deterministic, P\H divergence free, ℰ trINV L (P) ⇒ P\H is deterministic 2. P deterministic, ℰ trINV L (P) P||| 2. P deterministic, ℰ trINV L (P) ⇒ P|||RUN H deterministic

52. 52 Eager, Lazy, Strong Independence Say that P is eagerly independent, ℰ IND L (P) if P\H is deterministic w.r.t L. Say that P is lazily independent, ℒ IND L (P) if P|||RUN H is deterministic w.r.t. L. Say P is strongly independent, S IND L (P) if (P|||CHAOS H )\H is deterministic where CHAOS A ≡ STOP Π (?x:A → CHAOS A ) Theorem: A process satisfies S IND L (P) iff it satisfy ℰ IND L (P) and ℒ IND L (P)

53. 53 Delay-able H actions and Signals-1 P6 ≡ w → y → P6 □ x → z → P6 □ a → c → P6 □ b → d → P6 if U L cannot communicate with P6, then U L knows that U H has communicated with P6 What if {c, d} are signals – such as output communications whose refusals are not observable before it occurs. The process is secure! But need to make a distinction between the two kinds of H signals. So H=(D,S)

54. 54 Delay-able H actions and Signals-2 Divide H into two parts D = delay-able S = signals (like output) Mixed conditions Mixed eager invariance M INV L (D,S) (P) holds if tr,tr’ ∈Traces(P) /\ tr↾L= tr ’ ↾L  (P/tr)\S ||| RUN D = (P/tr ’ )\S ||| RUN D Mixed independence M IND L (D,S) (P) holds if (P\S) ||| RUN D is deterministic

55. 55 Properties of H=(D,S) M IND L (D,S) (P) ⇒ M INV L (D,S) (P) If P is deterministic and P\D is divergence- free then M INV L (D,S) (P) ⇒ M IND L (D,S) (P)

56. 56 Abstract Models of U H - 1 CHAOS A ≡ STOP Π (?x:A → CHAOS A ) CHAOS A is the most non-deterministic U H All determinism properties can be specified as (P|| H U)\H for some U (for eg U = RUN H ) The lazy specifications do not forbid infinite runs of H actions, requiring a different semantics (F,D,I) for CSP

57. 57 Abstract Models of U H -2 Can choose finite traces by defining a new process FINITE A ≡ Π{Q n | n ∈ℕ } with Q n ≡ STOP, and Q n+1 ≡ a: → Q n FINITE A is a user process U for lazy conditions Theorem: P satisfy ℰ IND L (P) iff (P|| H FINITE H )\H is deterministic M IND L (D,S) (P) iff (P||(RUN S ||| FINITE D )\(DUS) is deterministic

58. 58 Modeling non-interference Example: An email system where U H can send mail to U L. Referred to as conditional non-interference General approach: Finite traces of U are H* Show that if U H communicates within H* no information leaks to U L. U H can delay only refusals U is divergent free

59. 59 A Timed Version H t = H U {tock}, L t = L U {tock},  t = H t U L t Events are D (delayable) or S (signals) Maximal Progress Assumption: No tock occurs when  is present P is timed-deterministic iff ∀s∈  t *∀a∈  t (s,{a}) ∉failures(P) ⇒ s^ ∈traces(P) P is timed-lazy independent T-L-Ind(P) iff a∈ L t s,s’ ∈traces(P)/\ s↾L t = s ’ ↾L t ⇒ [ (s,{a}) ∈failures(P) ⇔ (P/s ’ ) o ∩{a}={} ]

60. 60 Timed Abstractions Example: Example: Let H={d} and L={l} and P ≡ tock → Q □ d → TOCKS Q ≡ tock → Q □ d → l → TOCKS, TOCKS ≡ tock → TOCKS and CHAOS H ≡ STOP Π (?x:H → CHAOS H ) P is not secure because U L can find out when d occurs by observing l. Un-timed lazy abstraction (P|| H CHAOS H )\H= TOCKS If P↝Q is allowed then the STOP branch of Chaos H is blocks d and therefore does not change state CHAOS H need to be redefined!

61. 61 Defining CHAOST Define a timed version that changes its mind when time passes (t n is a new event) CHAOST(D) ≡ CHOAST ’ (D) \ {tn} ٱ CHAOST’(D) ≡ ?x:D → CHAOST’(D) ٱ t n → tock → CHAOST’(D) Timed-Lazy abstraction: Timed-Lazy abstraction: ℒ tH (P) ≡ (P|| H t CHAOST H ) \ H Timed-Mixed abstraction: M S tH (P) ≡ ℒ tH (P\S) Timed-Mixed abstraction: M S tH (P) ≡ ℒ tH (P\S) Note: D and S are delayable and signal events

62. 62 Time Consistency Check TOCKS ⊑ (P || DU{tock} CHAOST(D))\  It means that when P is synchronized with CHOST(D) on events in D U {tock}, only the tock events remain other than those from . This can check if the timed behavior is consistent

63. 63 Some Properties Theorem  ℒ tH (P) is time deterministic iff T-L-Ind(P)  Suppose P and Q are processes with Alphabets A and B. If P and Q are T-L-Independent then so is P A || B Q Separability:  A process P is separable iff it is a parallel composition of sub-processes A and B with disjoint alphabets  In the timed world, A and B can synchronize on tock

64. 64 Time Separability - 1 Definition: Definition: Suppose P is process whose non- tock alphabet is partitioned into disjoint subsets H and L. P is time-separable w.r.t {H,L} if there are processes P H and P L with TCC(P H ) /\ TCC(P L ) satisfying [here TCC=time consistency check]  P H =H t /\  P L =L t P= P H || {tock} P L Note: Note: equivalence to a structurally secure process may conceal insecurities. Does not exclude information flow

65. 65 Time Separability - 2 Definition: Definition: Suppose P is process whose non- tock alphabet is partitioned into disjoint subsets H and L. P is strongly time-separable w.r.t {H,L} if there are time-deterministic processes P H and P L with [here TCC=time consistency check] TCC(P H ) /\ TCC(P L )  P H =H t /\  P L =L t P= P H || {tock} P L Theorem: Theorem: P is strongly time separable w.r.t. {H,L} iff T-H-Ind(P) and T-L-Ind(P) Definition: Definition: A process P/H has H labels removed from the LTS. That is, P/H ≡ P || H STOP

66. 66 Local non-interference Local non-interference: Low level users cannot tell the difference between states linked by high level action R ⊆ Proc X Proc is a weak-bisimulation ≈ t iff ∀ x ∈ Σ t, , R(p,q) p ⇒ x ⇒ p’,  q’ q ⇒ x ⇒ q’ and R(p’,q’) q ⇒ x ⇒ q’,  p’ p ⇒ x ⇒ p’ and R(p’,q’) P Q P’ Q’ X X RR P Q P’ Q’ RR X X

67. 67 Timed local non-interference - 1 P satisfies timed strong local non-interference written tSLNI L (P) if for states s 1,s 2 and h∈H s⇒ h ⇒ s 1, then s/H ≈ t s 1 /H P satisfies timed local non-interference written tLNI L (P) if s⇒ h ⇒ s 1, s⇒ h ⇒ s 2, …. s⇒ h ⇒ s n is a complete list of H transforms, then s/H ≈ t Π s i /H S S 1 /H S 1 without H links S1 h S/H S without H links S/H S without H links any low action X S 1 /H S 1 without H links same low action X

68. 68 Timed local non-interference - 2 P satisfies timed strong FD local non- interference written t FD SLNI L (P) if for all states s 1,s 2 and all h∈H s⇒ h ⇒ s 1, then s/H = FD s 1 /H P satisfies timed FD local non-interference written t FD LNI L (P) if s⇒ h ⇒ s 1, s⇒ h ⇒ s 2, …. s⇒ h ⇒ s n is a complete list of H transforms, then s/H = FD Π s i /H S S 1 /H S 1 without H links S1 h S/H S without H links same FD semantics

69. 69 A Theorem If P does not diverge, then the following are equivalent tSLNI L (P) tLNI L (P) t FD SLNI L (P) t FD LNI L (P) T-L-Ind(P)

70. 70 Time-delayed local non-interference-1 S={s 1,s 2 }, L={l 1,l 2 } P ≡ s 1 →tock →l 1 → P Q ≡ s 1 →tock→l 1 →Q ٱ s 2 →tock→l 1 →Q R ≡ s 1 →tock→l 1 →R ٱ s 2 →tock→l 2 →R For P, U L knows that s 1 takes place – not a secret For Q, U L knows that an H event happens, but he cannot discern which one – want this to be secure For R, U H resolves the non-determinism and U L knows the choice. But S events are not chosen by U H, but by the environment P, Q, R do not satisfy the timed local non- interference conditions – need mixed conditions

71. 71 Time-delayed local non-interference-2 P is said to satisfy Time-delayed strong local non-interference tDSLNI L (P) if tDSLNI L (P\S) holds Time-delayed local non-interference tDLNI L (P) if tDLNI L (P\S) holds Time-delayed strong FD local non- interference tDSLNI FD L (P) if tDSLNI FD L (P\S) holds Time-delayed FD local non-interference tDLNI FD L (P) if tDLNI FD L (P\S) holds

72. 72 Another Theorem If P does not diverge and (P\S)/H is timed deterministic. Then the following are equivalent tDSLNI L (P) tDLNI L (P) tDSLNI FD L (P) tDLNI FD L (P)

73. 73 A Case Study Will show A timed implementation of a secure un-timed process may be insecure Developed conditions helps design a secure timed implementation. Example: 2 users U L, U H and 1 file in the system. U H reads and U L writes, so information flow: L ⇒ H Both must request before access U L can write between U H reads in order to make fresh information available to U H

74. 74 Case Study: the un-timed version Sys ≡ req H → Sys1 ٱ req L → write L → Sys1 Sys1 ≡ req H → Sys ٱ req L → write L → Sys1 The system is L-ind and SLNI (i.e. strong non-local non-interference) secure Adding time: (assumptions) All actions need one unit of time A low level request following a high level request takes an extra time unit. The system may idle until a request is made.

75. 75 Case Study: adding time Sys ≡ tock → sys ٱ req H → Sys1ٱ req L → tock → write L → tock → Sys1 Sys1 ≡ tock → ( read H → tock → Sys ٱ req L →tock→tock→write L →tock→Sys1) U L can notice the existence of 2 tocks between req L → and write L ⇦ leaks! In state Sys, U L can communicate req L and not in state Sys1 ⇦ can distinguish using failure semantics!

76. 76 tock readH reqH writeL reqL writeL tock readH reqH reqL writeL    Sys1 Sys Q1 Q6 Q5 Q4 Q3 Q2 P2 P1 P6 P5 P3 P4 The Original Timed Version The tDSLNI L Secure Version

77. 77 A tDSLNI L secure version ready H is a response to req H. Hence S={ready H }, D={req H }. Use R to ensure Sys\S/H ≈ t Sys1\S/H R={(X\S/H,Y\S/H)| (X,Y) ∈R ’ } where R ’ ={(Sys,Sys1),(P1,Sys),(Sys,Q1),(P2,Sys1), (P3,Q1),(P4,Q3),(P5,Q4),(P6,Q5),(Sys,Q6), (P1,Q6),(P2,Q6),(P1,Q2),(P3,Q2),(P3,Sys), (P3,P1), (P3,P2),(P3,P3)