Angelo Troina. Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa)

Transcription

1 Angelo Troina Dipartimento di Informatica, Università di Pisa, Italy Probabilistic Joint work with: Ruggero Lanotte (University of Insubria at Como) Andrea Maggiolo Schettini (University of Pisa) 1/23

2 Outline Multilevel Security Non-Interference [Goguen and Meseguer,1982] The Model Probabilistic Timed Automata Weak Bisimulation for Probabilistic Timed Automata Probabilistic and/or Timed Security Properties Probabilistic 2/23

3 Security in Multilevel General setting: a multilevel system, i.e. a system of interacting agents where every agent is confined in a bounded security level. Access rules: can be imposed to control direct unwanted transmissions from higher levels to lower levels. Covert channels: information could be transmitted from higher levels to lower levels by using system side effects. Aim: to control the whole flow of information : low level agents are not able to deduce anything about the activity of high level agents. Probabilistic 3/23

4 systems J. A. Goguen, J. Meseguer: Security Policy and Security Models. Proc. of Symp. on Research in Security and Privacy, IEEE CS Press, 11 20, D. McCullough: Noninterference and the Composability of Security Properties. Proc. of Symp. on Research in Security and Privacy, IEEE CS Press, , R. Focardi, R. Gorrieri: A Classification of Security Properties. Journal of Computer Security 3, 5 33, Probabilistic 4/23

5 Timed systems R. Focardi, R. Gorrieri, F. Martinelli: in a Discrete-Time Process Algebra. Proc. of 13th CSFW, IEEE CS Press, , N. Evans, S. Schneider: Analysing Time Dependent Security Properties in CSP Using PVS. Proc. of Symp. on Research in Computer Security, Springer LNCS 1895, , R. Barbuti, L. Tesei: A Decidable Notion of Timed. Fundamenta Informaticae 54, , Probabilistic 5/23

6 Probabilistic systems J. W. Gray III. Toward a Mathematical Foundation for Security. Journal of Computer Security 1, , A. Aldini, M. Bravetti, R. Gorrieri: A Process-algebraic Approach for the of Probabilistic. Journal of Computer Security 12, , A. Di Pierro, C. Hankin, H. Wiklicky: Approximate Non-Interference. Journal of Computer Security 12, 37-82, Probabilistic 6/23

7 A Probabilistic Timed Automaton (PTA) is A = (Σ, X, Q, q 0, δ, π). q0 a, 1 2 b, 1 2 x = 5 x = 5 q1 q2 Probabilistic A configuration of a PTA is a pair s = (q, v), where q Q is a state, and v is a valuation over X. 7/23

8 Weak Bisimulation of Probabilistic Timed Automata A weak bisimulation is a bisimulation which does not take care of internal moves. For a PTA A = (Σ, X, Q, q 0, δ, π) a weak bisimulation is an equivalence relation R such that, for all (s, s ) R and equivalence classes C of R: Probabilistic Prob(s, τ α, C) = Prob(s, τ α, C) α Σ {τ} IR >0 Two configurations s, s are weak bisimilar (s s ) iff (s, s ) R for some weak bisimulation R. 8/23

9 Weak Bisimulation of Probabilistic Timed Automata (2) τ, 1 3 q0 r0 a, 1 2 b, 1 2 a, 1 3 b, 1 3 x = 5 x = 5 z = 5 z = 5 q1 q2 r1 r2 A 1 A 2 Probabilistic Figure: A 1 A 2. 9/23

10 Auxiliary operators for Probabilistic Timed Automata Given two PTA A 1 and A 2, L Σ set of synchronization actions and p ]0, 1[ advancing speed parameter, A 1 p L A 2 denotes the parallel composition. The composition is a PTA obtained by normalizing probabilities and hiding with the τ label the synchronized actions. The restriction of a PTA A with respect to the set of actions L is A \ L, obtained from A by removing transitions and normalization of probabilities. Probabilistic The hiding of a PTA A with respect to the set of actions L is A/L where each transition label a L is replaced by label τ. 10/23

11 A system S satisfies the property (S NI ) if high level agents do not interfere with the observable behavior of the system from the low level point of view: S NI S/Σ H S \ Σ H where Σ H is the set of high level actions. (The observable behavior of the isolated system is bisimilar to the behavior of the system which communicates with high level agents in an invisible manner for the low agent point of view). Probabilistic Proposition. It is decidable to check whether a system S satisfies the NI property. 11/23

12 An example of non-deterministic covert channel. q 0 l q 2 h q 1 l q 3 q 0 l q 2 q 0 l q 2 τ A A \ Σ H A/Σ H q 1 l q 3 Probabilistic The high level action h interferes with the observation of the action l. In A \ Σ H the low level agent observes only the execution of l, whereas, in A/Σ H also action l may be observed. A low level agent, observing the event l knows that action h has occurred. 12/23

13 Timed An example of timing covert channel. h τ q 0 q 1 q 0 q 0 q 1 l x = 0 l x = 5 l x = 0 l x = 0 l x = 5 q 2 q 3 q 2 q 2 q 3 A A \ Σ H A/Σ H Probabilistic The high level action h interferes with the time of observing the action l. In A \ Σ H the low level agent observes l executed immediately, whereas, in A/Σ H l could either be observed immediately or when the clock x reaches value 5. A low level agent, observing the event l when clock x has value 5 knows that action h has occurred. 13/23

14 Probabilistic q 1 q 1 q 1 l, p l, p l, p q 0 l, q q 2 l, r q 3 h q 5 q 0 l, q q 2 l, r q 3 q 0 l, q q 2 l, r q 3 τ q 5 Probabilistic l q 4 l q 6 l q 4 l q 4 l q 6 A A \ Σ H A/Σ H A \ Σ H : l is obsevred with probability p + r, ll with probability q. A/Σ H : l is observed with probability p, ll with probability r + q. 14/23

15 A Classification of Quantitative Security Properties Given NNI, TNI, PNI and PTNI be non-interference properties defined for the models of non-deterministic automata, timed automata, probabilistic automata and probabilistic timed automata, respectively, the following implications hold: A PNI unprob(a) NNI A TNI untime(a) NNI A PTNI unprob(a) TNI untime(a) PNI. Probabilistic 15/23

16 A Classification of Quantitative Security Properties (2) A : A PTNI unprob(a) TNI untime(a) PNI A A \ Σ H A/Σ H l q 1 q l 7 x = 3 τ, 1 x = 3 q 9 3 q h, 0 1 τ, q 3 τ, 1 3 q l 4 q 2 x = 4 q 5 τ, 1 10 q l 6 x = 4 q 8 l q 1 x = 3 q 3 τ, 1 2 q 0 τ, 1 2 q l 4 q 2 x = 4 l q 1 x = 3 q 3 τ, 1 3 q 0 τ, 1 3 q l 4 q 2 x = 4 q l 7 x = 3 q 9 τ, 1 τ, q 5 τ, 1 10 l x = 4 q 8 q 6 Probabilistic A \ Σ H : l when x = 3 or when x = 4 with probability 1 2. A/Σ H : l when x = 3 with probability 19 30, l when x = 4 with probability /23

17 A Classification of Quantitative Security Properties (3) The following diagram summarizes our results. PNI PTNI TNI NNI Probabilistic Figure: Relations among Non-Interference security properties. 17/23

18 A system S satisfies the (NDC) if the system in isolation has not to be altered when considering all the potential interactions with the high level agents of the external environment, formally: S NDC Π Γ H, p ]0, 1[, L Σ H S/Σ H (S p L Π) \ Σ H where Γ H is the set of high level agents. (The observable behavior of the isolated system is bisimilar to the behavior of the system communicating with the high level agent Π in an invisible manner for the low agent point of view). Probabilistic Note. Decidability of NDC depends on the possibility of reducing all the high level automata in Γ H to a finite case for the particular automaton S considered. 18/23

19 (2) Theorem. S mndc S mni. h, q q h 1 q 3 q 0 τ, q q τ 1 q 3 l, 1 2 q 2 l q 4 l q 2 l, 1 2 q 2 A A \ Σ H A/Σ H l q 4 Probabilistic r 0 h r 1 τ, 3 4 r 0 l, 1 4 r 2 r 1 Π (A p L Π) \ Σ H A is PTNI secure, since A/Σ H A \ Σ H. But A is not PTNDC secure as (A p L Π) \ Σ H reaches with probability 3 4 a state where it cannot perform any visible action. 19/23

20 A Classification of Quantitative Security Properties(4) Given NNDC, TNDC, PNDC and PTNDC be non-deducibility on composition properties defined for the models of non-deterministic automata, timed automata, probabilistic automata and probabilistic timed automata, respectively, the following implication holds: A PTNDC (PNDC, TNDC, NNDC) A PTNI (PNI, TNI, NNI). Moreover, as for the NI properties, we have that: A PNDC unprob(a) NNDC; A TNDC untime(a) NNDC; A PTNDC unprob(a) TNDC untime(a) PNDC. and that A : A PTNDC unprob(a) TNDC untime(a) PNDC. Probabilistic 20/23

21 A Classification of Quantitative Security Properties (5) PNI NNDC PNDC TNDC NNI TNI Probabilistic PTNI PTNDC 21/23

22 Observations and Future Work Introduce an approximated notion of weak bisimulation for PTA. We can formulate other well known information flow security properties within our framework. Extend the model with cryptographic primitives in order to analyze security protocols. Develop an automatic technique to adjust unsecure systems. Probabilistic 22/23

23 Bibliography [1] R. Lanotte, A. Maggiolo-Schettini, A Classification of /or Probability Dependent Security Properties Proc. QAPL 05, Elsevier ENTCS, to appear. [2] R. Lanotte, A. Maggiolo-Schettini, for Probabilistic Timed Automata Proc. FAST 04, Springer IFIP series 173, pp , [3] R. Lanotte, A. Maggiolo-Schettini, Weak Bisimulation for Probabilistic Timed Automata and Applications to Security Proc. SEFM 03, IEEE Computer Society Press, pp , Probabilistic 23/23