Enforcement of Opacity Security Properties Using Insertion Functions
Yi-Chin Wu and Stéphane Lafortune, EECS Department, University of Michigan
CDC 2012, Dec. 13th, 2012
Motivation
Security and privacy concerns in online services.
Opacity: whether the secret information of the system can be inferred by outside observers.
Example: location-based services. [figure: smart phone sends navigation requests to a server; an intruder observes the exchange]
2
Related Work
Notions of opacity: [Mazaré et al. 04], [Bryans et al. 05], [Saboori et al. 07], [Bryans et al. 08]
Verification of opacity: [Saboori et al. 08, 09], [Cassez et al. 09], [Lin 11]
Enforcement of opacity: [Dubreil et al. 08], [Saboori et al. 08], [Cassez et al. 09]
3
Contribution
Enforce opacity using insertion functions.
[figure: System G, through projection P, produces the system's output behavior; the insertion function adds additional observable events, and the intruder sees only the modified behavior]
The i-enforcing property; the All Insertion Structure (AIS); synthesis of i-enforcing insertion functions.
4
Automaton Model
[figure: automaton G with states 0 to 4, observable events a, b and unobservable event uo]
$E_o = \{a, b\}$, initial states $X_0$.
$L(G, X_0) := \{ s \in E^* : (\exists i \in X_0)\,[f(i, s) \text{ is defined}] \}$
$E = E_o \cup E_{uo}$. Projection: $P(e) = e$ if $e \in E_o$; $P(e) = \varepsilon$ if $e \in E_{uo} \cup \{\varepsilon\}$.
5
What Is The Opacity Problem?
The system is partially observable.
The system has a secret: initial state, current state, sublanguage, or initial-and-final state.
The intruder knows the system structure.
The secret is opaque if for every secret behavior there is a nonsecret behavior that is observationally equivalent.
6
Current-State Opacity
Definition (Current-State Opacity). Given $G = (X, E, f, X_0)$, a set of secret states $X_S$ and a set of non-secret states $X_{NS}$, the automaton is current-state opaque if
$\forall i \in X_0,\ \forall t \in L(G, i)$ such that $f(i, t) \in X_S$, $\exists j \in X_0,\ \exists t' \in L(G, j)$ such that (i) $f(j, t') \in X_{NS}$, (ii) $P(t) = P(t')$.
[figure: the same automaton (states 0 to 4, including an event c) with secret and nonsecret states marked; with a single observable event the system is opaque, with $E_o = \{a, b\}$ the system is not opaque]
7
Verify Current-State Opacity
System G: [figure: states 0 to 4, events a, b, uo], E_o = {a, b}.
Current-state estimator: [figure: estimator states {1}, {3}, {0,2}, {4}]. Result: not opaque.
Enforce opacity. Opacity Enforcement Problem: how can we enforce the secret to be opaque?
8
Existing Opacity Enforcement Mechanisms
Supervisory control: only partial system behavior is allowed [Dubreil et al. 10], [Saboori et al. 12].
Dynamic observer: creates new observable behavior [Cassez et al. 09].
We enforce opacity such that all system behavior is allowed to occur and no new observable behavior is created.
9
Our Approach: Insertion Functions
[figure: System G, projection P, system's output behavior, insertion function adding additional observable events, modified behavior, intruder]
A monitoring interface that inserts extra observable events. The intruder cannot distinguish between inserted events and the system's observable events.
10
I-Enforcing Property for Insertion Functions
[figure: the insertion-function architecture, annotated "admissible" at the system output and "safe" at the modified behavior]
Admissible: allows all of the system's output behavior.
Safe: behavior after insertion must look like existing non-secret strings.
i-enforcing = admissible + safe; an opacity property that admits an i-enforcing insertion function is i-enforceable.
11
Is Opacity Always i-enforceable?
[figure: automaton with states 0, 1, 2, E_o = {a, b}, one branch nonsecret and one secret]
I-enforceability Verification Problem: is opacity i-enforceable?
Insertion Function Synthesis Problem: how to synthesize an i-enforcing insertion function?
12
The All-Insertion Structure (AIS): enumerate all i-enforcing insertion functions
[Step 1] i-verifier
[figure: current-state estimator with states {1}, {3}, {0,2}, {4} paired with a copy of the estimator whose states carry {a,b}* self-loops, plus a dead state]
The result is the nondeterministic, safe i-verifier.
13
The All-Insertion Structure (AIS): enumerate all i-enforcing insertion functions
[Test 1] L(i-verifier) = P(L(G))?*
No: no i-enforcing insertion function exists. Stop.
Yes: go to Step 2 and complete the AIS.
*Should be included in the paper.
14
The All-Insertion Structure (AIS): enumerate all i-enforcing insertion functions
[Step 2] Unfolded i-verifier V_u: determinization and unfolding.
[figure: each i-verifier transition is unfolded into a system-output transition followed by the insertion choices it admits; the unfolded i-verifier captures all deterministic, safe insertions]
15
The All-Insertion Structure (AIS): enumerate all i-enforcing insertion functions
[Step 3] The AIS
[figure: the unfolded i-verifier, with system-output transitions marked uncontrollable; the AIS is its supremal controllable sublanguage and captures all deterministic i-enforcing insertions]
16
The AIS Construction Workflow
G → i-verifier → is L1 = L2? → N: not i-enforceable. Y: unfolded i-verifier → AIS → is the AIS empty? → Y: not i-enforceable. N: i-enforceable.
The AIS enumerates all i-enforcing insertion functions.
Theorem (I-Enforceability). An opacity property is i-enforceable iff the AIS is not the empty automaton.
17
Synthesis of I-Enforcing Insertion Functions
Given the AIS [figure: AIS whose edges are labelled with regular expressions over the insertable events, among them the event c]:
Select one insertion at every circle state: one insertion choice, then one insertion string.
Translate into the insertion automaton, whose edges are labelled by the system output and the inserted string followed by that output (e.g. c/cc).
18
Insertion Enforcement Mechanism
[figure: System G, projection P, system's output behavior, insertion function adding additional observable events, modified behavior, intruder]
Insertion automaton: a finite encoding of an insertion function.
19
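The following is an added example, not code from the slides or the authors: it works the current-state estimator and opacity check of slide 8 and the insertion automaton of slides 18 and 19 on a small constructed automaton G (its states, events a, b, uo, secret state and transitions are all assumptions chosen so that the secret string "ab" is revealed to the intruder, while a non-secret string "bab" exists). The insertion automaton inserts "b" before the first "a", so every system output is still allowed (admissible) and every modified observation lands in an estimate that contains a non-secret state (safe).

```python
"""Added example: current-state opacity via the current-state estimator, and an
insertion automaton checked for the i-enforcing (admissible + safe) property.
The automaton G below is constructed for illustration, not the slides' example."""

E_O = {"a", "b"}        # observable events
E_UO = {"uo"}           # unobservable events
X0 = {0}                # initial states
X_S = {2}               # secret states (every other state is non-secret)
DELTA = {               # partial transition function f(x, e) = x'
    (0, "a"): 1, (1, "b"): 2,                   # "ab" reaches the secret state 2
    (0, "b"): 3, (3, "uo"): 6, (3, "a"): 4,     # "bab" (with an unobservable
    (6, "a"): 4, (4, "b"): 5,                   #  detour via 6) stays non-secret
}

def project(s):
    """Natural projection P: erase unobservable events from a string."""
    return tuple(e for e in s if e in E_O)

def unobservable_reach(states):
    """Closure of a state set under unobservable transitions."""
    reach, frontier = set(states), list(states)
    while frontier:
        x = frontier.pop()
        for e in E_UO:
            y = DELTA.get((x, e))
            if y is not None and y not in reach:
                reach.add(y)
                frontier.append(y)
    return frozenset(reach)

def step(est, e):
    """One estimator transition on observable event e."""
    return unobservable_reach({DELTA[(x, e)] for x in est if (x, e) in DELTA})

def estimate(obs):
    """Current-state estimate after observing obs; empty if obs is not in P(L(G))."""
    est = unobservable_reach(X0)
    for e in obs:
        est = step(est, e)
    return est

def build_estimator():
    """Subset construction: reachable estimator states and their transitions."""
    init = unobservable_reach(X0)
    states, trans, todo = {init}, {}, [init]
    while todo:
        q = todo.pop()
        for e in sorted(E_O):
            nxt = step(q, e)
            if nxt:
                trans[(q, e)] = nxt
                if nxt not in states:
                    states.add(nxt)
                    todo.append(nxt)
    return states, trans

def is_current_state_opaque():
    """Current-state opaque iff no reachable estimate lies entirely inside X_S."""
    states, _ = build_estimator()
    return not any(q <= X_S for q in states)

# Insertion automaton (constructed): entry (q, e) -> (emitted string, next state),
# i.e. the slide's edge label "e / s_I e".  State 0 inserts "b" before a first
# "a", so the intruder sees the secret output "ab" as the non-secret "bab".
INS_AUT = {
    (0, "a"): (("b", "a"), 1), (0, "b"): (("b",), 1),
    (1, "a"): (("a",), 1),     (1, "b"): (("b",), 1),
}

def modified_observation(obs):
    """Run the insertion automaton over the system's observable output."""
    q, out = 0, []
    for e in obs:
        emitted, q = INS_AUT[(q, e)]
        out.extend(emitted)
    return tuple(out)

def observable_strings(max_len):
    """All strings of P(L(G)) up to max_len, enumerated on the estimator."""
    _, trans = build_estimator()
    result, todo = [()], [((), unobservable_reach(X0))]
    while todo:
        s, q = todo.pop()
        if len(s) < max_len:
            for e in sorted(E_O):
                if (q, e) in trans:
                    result.append(s + (e,))
                    todo.append((s + (e,), trans[(q, e)]))
    return result

def is_i_enforcing(max_len=4):
    """Admissible: the insertion automaton is defined on every system output
    (checked on all strings up to max_len).  Safe: every modified string is in
    P(L(G)) and its estimate contains a non-secret state."""
    for s in observable_strings(max_len):
        try:
            est = estimate(modified_observation(s))
        except KeyError:          # undefined for some output: not admissible
            return False
        if not est or est <= X_S:
            return False
    return True

if __name__ == "__main__":
    print("estimator states:", [sorted(q) for q in build_estimator()[0]])
    print("current-state opaque:", is_current_state_opaque())
    print("intruder sees 'ab' as:", modified_observation(("a", "b")))
    print("insertion automaton is i-enforcing:", is_i_enforcing())
```

Without insertion the estimator reaches the estimate {2}, which is entirely secret, so G is not current-state opaque; after insertion the intruder's estimate for the secret run is {5}, the same estimate it would hold for the genuine non-secret run "bab". The bounded enumeration in `is_i_enforcing` is an assumption of this example; the slides' AIS construction decides the property exhaustively.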
Conclusion
A new opacity enforcement mechanism using insertion functions.
Characterization of the i-enforceability property.
An algorithmic procedure to check i-enforceability.
An algorithmic procedure to synthesize i-enforcing insertion functions.
Future work: improve the algorithm for AIS construction; optimal insertion functions; location-based service applications.
20