Non-interference Properties for Probabilistic Processes. A Process Algebraic Approach. Alessandro Aldini, joint work with Mario Bravetti and Roberto Gorrieri. (Slides of a presentation.)
Non-interference Properties for Probabilistic Processes
A Process Algebraic Approach
Alessandro Aldini, joint work with Mario Bravetti and Roberto Gorrieri
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
Formal methods and security
Motivation:
– The Internet provides support for the transmission of data over communication networks, but is not designed with the goal of avoiding unauthorized disclosure of such data.
– Cryptography is the solution, but…
  • imported code
  • mobile agents
  • malicious non-authenticated accesses
  • …
  raise a supplementary, increasing demand for security in computer networks.
Formal methods and security
Formal techniques may help to:
– prevent security holes,
– provide a generalized, easily verifiable notion of security.
Here, we concentrate on the security analysis of information flow in systems and, more precisely, on how to characterize the absence of any insecure flow, by applying the classical idea of non-interference.
Non-interference
Non-interference checks the absence of information flows through the system, in terms of confidential, high level information illegally revealed to someone without the related access right.
Non-interference
– The users of the system are partitioned into high level users and low level users.
– High and low users interact with the system through separate interfaces.
– Low users cannot directly observe what high users do.
– Low users know the exact, complete design of the system, including the high interface.
– Users interact with the system through input actions (guided by the users) and output actions (guided by the system).
Non-interference
The interactions of low users with the system should not be affected by the behavior of high users [Goguen & Meseguer ’82]
[Figure: low users and high users interact with the system through a low interface and a high interface; the question is whether an information flow from the high interface to the low interface exists.]
Direct information flow
[Figure: the system holds a variable x = 0; the high user executes write x := 1; the low user executes read x and obtains 1.]
A high value is directly communicated from the high user to the low user!
Indirect information flow
Non-interference seeks to capture also covert channels (indirect information flows from high level to low level).
EXAMPLE: sharing of resources (e.g. memory devices).
[Figure: the high user creates a private file data.txt in the shared memory; the low user then tries to create a public file data.txt and the operation fails, revealing the high user's activity.]
Non-interference: an example
[Figure: a process P with low level activities a, b, c and a high level activity h, showing an information flow from H to L.]
Non-interference
Information flow analysis in process algebras: [Jacob ’88, Ryan ’91, Focardi & Gorrieri ’95, Roscoe ’95, Ryan & Schneider ’99]
– Information flow is analyzed by considering the possibilistic behavior of the system, i.e. what events are possible.
– Further aspects are not considered, such as the timing of actions and the probability distribution of events.
Non-interference
– In this talk, we take into consideration the influence of the high level behavior upon the probability distribution of the observable, low level events.
– The motivation is twofold:
  • probabilistic covert channels may occur which are not observable in a purely nondeterministic setting;
  • a quantitative estimate of the information flowing through the system may be given.
Probability & non-interference (1)
The frequency of the possible low outcomes derived from several execution runs of the system may change depending on the interaction of the high user with the system. [Gray ’92, Sabelfeld & Sands ’99, Hankin et al. ’00]
Probability & non-interference (1)
[Figure: a process P with low level activities a, b and a high level activity h, showing an information flow from H to L.]
Probability & non-interference (2)
Interactions of high users with the system which affect the interactions of low users may occur with a negligible probability. In such a case, the illegal information flow can be tolerated by the users of the system. [Hankin et al. ’02]
Probability & non-interference (2)
[Figure: a process P with low level activities a, b and a high level activity h; the information flow from H to L is quite negligible!]
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
A non-deterministic process algebra
Actions are divided into:
– a set I of input actions a*, b*, …
– a set O of output actions a, b, …
Act = I ∪ O ∪ {τ}, where τ is the internal action.
Visible action types are partitioned into two disjoint sets:
– ATypeL of low level types
– ATypeH of high level types
AType = ATypeH ∪ ATypeL ∪ {τ}
Syntax
P ::= 0 | α.P | P + P | P ||_S P | P/L | A
where S, L are in P(AType – {τ}), i.e. S, L ⊆ AType – {τ}.
– 0: null term, denoting a terminated or deadlocked term.
– α.P: prefix operator, executes action α and then behaves as term P (α is an output action, an input action, or an internal action).
– P + Q: alternative choice operator, expresses a nondeterministic choice between a term P and a term Q (CCS-style).
– P ||_S Q: parallel composition operator, expresses the concurrent execution of processes P and Q (CSP-style).
– P/L: hiding operator, turns the visible actions with type in L into internal actions.
– A: constants are used to define recursive terms, A = P.
||_S: synchronization policy
For a in S:
– a*.P ||_S a*.Q —a*→ P ||_S Q (two input actions of type a synchronize into an input action)
– a.P ||_S a*.Q —a→ P ||_S Q (an output action synchronizes with an input action, giving an output action)
– a.P ||_S a.Q: two output actions of type a do not synchronize
||_S: synchronization policy
For a in S:
((a*.P ||_S a*.P’) ||_S a*.P’’) ||_S a.Q —a→ ((P ||_S P’) ||_S P’’) ||_S Q
Q broadcasts the output action a, while all the other processes synchronize on the input action a* (asymmetric multiway synchronization).
Restriction
The synchronization rule can also express the restriction of actions.
EXAMPLE: in a*.P ||_S c.Q (with a ≠ c and a in S) the action a*, constrained to synchronize, cannot be executed!
We use P\L to stand for P ||_L 0, which cannot execute the actions of P with type in L.
Equivalence
– We use equivalence checking to express security properties: a system S is secure if two subsystems, suitably derived from S and from the security definition, are equivalent.
– We need a notion of equivalence to relate terms which behave the same from the viewpoint of an external observer.
– Since τ actions cannot be seen by any external observer, and since the definition of security properties focuses on observable behaviors, we use a notion of equivalence which abstracts from internal actions: weak bisimulation equivalence.
Equivalence
Note:
– G denotes the set of processes of the calculus
– P ==a==> P’ means that a labeled transition (with visible action a) occurs, possibly preceded and followed by a sequence of internal transitions
– P —a→ P’ means that a labeled transition occurs
– P ==> P’ means that zero or more τ labeled transitions occur
Weak bisimulation (≈_B) [Milner ’89]:
A relation R ⊆ G × G is a weak bisimulation iff (P,Q) ∈ R implies, for all α in Act:
• whenever P —α→ P’, then there exists Q’ such that Q ==α==> Q’ (Q ==> Q’ when α = τ) and (P’,Q’) ∈ R
• whenever Q —α→ Q’, then there exists P’ such that P ==α==> P’ (P ==> P’ when α = τ) and (P’,Q’) ∈ R
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
Nondeterministic security properties
We rephrase in the context of our nondeterministic calculus some of the security properties defined in [Focardi & Gorrieri ’95].
Example: h.b.0 + a.0
Low user standpoint:
– High user does not interact: the low user observes a
– High user interacts: the low user observes b
Nondeterministic Non-interference (int)
Intuition: a system P is secure iff the behavior of P observable by a low user does not depend on the high interactions.
Formally: P\ATypeH ≈_B P/ATypeH
For each low behavior observable when the high user does not interact with the system, we have an equivalent low behavior observable when the high user executes high actions, and vice versa.
Examples
Low user viewpoint without high interactions (left) versus with high interactions (right):
– h.b.0 + a.0: a.0 is not ≈_B τ.b.0 + a.0
– h.0 + a.0: a.0 is not ≈_B τ.0 + a.0
Examples
Low user viewpoint without high interactions (left) versus with high interactions (right):
– h.a.0 + a.0: a.0 ≈_B τ.a.0 + a.0
– P = a.Q with Q = h.Q + b.0
[Figure: the transition systems of the two low views of P, each executing a and then b.]
Example: h.h.a.0 + a.0
Low user standpoint:
– High user does not interact: a
– High user interacts: a … or 0?
Nondeterministic non-interference is not enough!
Nondeducibility on Composition (comp)
Intuition: a system P is secure iff the behavior of P observable by a low user is invariant with respect to the interaction of any high user.
Formally: P\ATypeH ≈_B (P ||_S Π)/ATypeH
for any high process Π and high communication interface S ⊆ ATypeH.
Example
P = h.h.a.0 + a.0
– Without high interactions: P\ATypeH = a.0
– Interacting with the high user h*.0: in P ||_{h} h*.0 the high user synchronizes on the first h and the second h is then blocked, so the low user may observe nothing (0)
The two low views are not ≈_B.
Example: h.a.0 + τ.a.0 + b.0
Low user standpoint:
– High user does not interact: a or b
– High user interacts: a
Nondeducibility on Composition is not enough! …but the event b informs the low user that the high user did not interact.
Strong Nondeducibility on Composition (scomp)
Intuition: the low user should not distinguish which, if any, high level event has occurred at some point in the past.
Formally: for any derivative P1 of P and for any P2 such that P1 —h→ P2 (h a high action), we have P1\ATypeH ≈_B P2\ATypeH.
Example (1)
P = h.a.0 + τ.a.0 + b.0
P —h→ a.0
P\ATypeH = τ.a.0 + b.0
a.0 is not ≈_B τ.a.0 + b.0, hence P is not scomp-secure.
Example (2)
[Figure: a process P offering the high inputs h*, k* (h, k high level types) and the low outputs a, b (low level types).]
– without high interactions: τ.a.0 + τ.b.0
– after a high interaction with action h, or with action k: only one of the two low actions remains possible (a.0, resp. b.0), which is not ≈_B τ.a.0 + τ.b.0
Inclusion relations
[Figure: nested diagram] scomp ⊆ comp ⊆ int
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
A probabilistic process algebra
The algebraic operators are enriched with probabilistic information: a mixture of the classical generative and reactive models of probability is adopted.
P ::= 0 | α.P | P +_p P | P ||_S^p P | P/_p a | A
with S ⊆ AType – {τ}, a in AType – {τ}, and p in ]0,1[.
Input actions as reactive actions
1. The type a of the action to be performed is chosen by the environment.
2. The system chooses an action a* according to the probability distribution associated to the input actions of type a.
[Figure: a state with reactive transitions a*, b*, b*, grouped into bundles by type.]
• Transitions are divided into type bundles
• The choice within a bundle is purely probabilistic
• The choice among bundles is nondeterministic (guided by the environment)
• The sum of the probabilities within a bundle is to be 1
Output (and internal) actions as generative actions
The system autonomously decides the action to be performed according to the probability distribution associated to the enabled output actions.
[Figure: a state with generative transitions a, b, b in a single bundle.]
• Transitions are grouped in a single bundle
• The sum of the probabilities within the bundle is to be 1
A mixed generative/reactive model [Segala ’95, Stark et al. ’97]
A single generative bundle contains all the output transitions which can be executed by the system. We have several reactive bundles, one for each action type.
[Figure: a state with a generative bundle {a, b, b} and reactive bundles, e.g. the bundle of type b {b*, b*} and the bundle of type c {c*}.]
Probabilistic choice
– a +_p b expresses a probabilistic choice between two output actions: a is chosen with probability p while b is chosen with probability 1-p.
– a* +_p a*: the same!
– a* +_p b*: the choice is nondeterministic: p is not considered (usually we omit it).
– a +_p b*: the choice is nondeterministic: p is not considered (usually we omit it).
Example: mixed choice
(a +_p b*) +_q (c +_r b*)
[Figure: from the resulting state, generative transitions a with probability q and c with probability 1-q, and reactive transitions of type b with probabilities q and 1-q.]
Parameters p and r are not used because they are attached to operators which refer to nondeterministic choices; parameter q guides the probabilistic choice between the two generative actions a and c and between the two reactive actions of type b.
Probabilistic parallel composition
P ||_S^p Q performs the actions of P and Q by following:
1. the synchronization policy described in the nondeterministic case,
2. the probabilistic mechanism described for the choice operator, as in ACP [Baeten et al. ’95]
Note: the probabilities of the actions which can be executed by the composed system are normalized [van Glabbeek et al. ’95].
Probabilistic parallel composition
(a +_q b) ||_S^p c
• if a, b, c are not in S, then the system can execute the output action a with probability pq, the action b with probability p(1-q), or the action c with probability 1-p.
• if a and b are not in S and c is in S, then the system can execute output actions of the lefthand process only, i.e. a with probability q or b with probability 1-q.
• if a and c are not in S and b is in S, then the system can execute the action a of the lefthand process with probability p or the action c of the righthand process with probability 1-p.
Probabilistic parallel composition
(a +_q b) ||_L^p 0
• All the actions of the lefthand process which belong to the synchronization set L cannot be executed! Parameter p is not used.
• The probabilities of the remaining executable actions are redistributed so that the overall probability of each bundle is still 1.
• Example: if a is in L, then the system can execute the action b only, with probability 1.
We use P\L to stand for P ||_L^p 0, for any p.
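The normalization rule of the two slides above, as an added example that is not part of the presentation: the one-step generative bundle of (a +_q b) ||_S^p c for the three synchronization sets discussed, and restriction expressed as composition with 0. It assumes (my restriction, not the calculus in general) that both sides offer output actions only, so an action whose type is in S has no input partner and is blocked.

```python
from fractions import Fraction

# Added example (not from the slides): one-step generative bundle of P ||_S^p Q.
# A bundle is a dict {action: probability} whose values sum to 1. Assumption:
# both bundles contain output (generative) actions only, so an action whose type
# is in S has nobody to synchronize with and cannot be executed.


def executable(bundle, sync):
    """Drop the actions blocked by S and renormalise the rest within the bundle."""
    kept = {a: pr for a, pr in bundle.items() if a not in sync}
    total = sum(kept.values())
    return {a: pr / total for a, pr in kept.items()} if total else {}


def compose(left, right, p, sync):
    """Generative bundle of left ||_S^p right after normalisation.

    If only one side can move, its renormalised bundle is taken and p is not
    used; otherwise the left side gets weight p and the right side 1 - p.
    """
    l, r = executable(left, sync), executable(right, sync)
    if not l:
        return r
    if not r:
        return l
    result = {}
    for a, pr in l.items():
        result[a] = result.get(a, Fraction(0)) + p * pr
    for a, pr in r.items():
        result[a] = result.get(a, Fraction(0)) + (1 - p) * pr
    return result


def restrict(bundle, blocked):
    """P \\ L written as P ||_L^p 0: the value of p does not matter."""
    return compose(bundle, {}, Fraction(1, 2), blocked)


if __name__ == "__main__":
    p, q = Fraction(1, 3), Fraction(1, 4)
    lhs, rhs = {"a": q, "b": 1 - q}, {"c": Fraction(1)}
    print(compose(lhs, rhs, p, set()))   # a: pq, b: p(1-q), c: 1-p
    print(compose(lhs, rhs, p, {"c"}))   # a: q, b: 1-q
    print(compose(lhs, rhs, p, {"b"}))   # a: p, c: 1-p
    print(restrict(lhs, {"a"}))          # b: 1
```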
Probabilistic hiding
Case 1: P = a +_q b (probabilistic choice between two visible actions)
P/_p a = τ +_q b (probabilistic choice between an internal action and a visible action)
The choice is already probabilistic, therefore parameter p of the hiding operator is not considered!
Probabilistic hiding
Case 2: P = a* +_q b (nondeterministic choice between two visible actions; parameter q is not considered)
P/_p a = τ +_p b (probabilistic choice between an internal action and a visible action)
A nondeterministic choice becomes a probabilistic choice: parameter p of the hiding operator is needed!
Probabilistic hiding
Parameter p of P/_p a is used to turn nondeterministic choices between reactive actions of type a and generative actions into probabilistic choices between internal actions and generative actions. This corresponds to the execution of a synchronization between a* and an action a performed by the environment, which gives rise to an internal action. In this way, the hiding operator turns open systems, which can interact with the environment, into closed systems, which are fully specified.
Equivalence
– We introduce a notion of probabilistic weak bisimulation.
– The classical weak transition is replaced by the probability of reaching classes of equivalent states.
Note:
– G denotes the set of processes of the calculus
– τ*a denotes the set of sequences τ*a if a is a generative visible action, and the set of sequences τ* if a = τ
– GAct denotes the set of generative actions
– RAct denotes the set of reactive actions
Probabilistic weak bisimulation (≈_PB) [Baier & Hermanns ’97]:
A relation R ⊆ G × G is a probabilistic weak bisimulation iff whenever (P,Q) ∈ R then for all C ∈ G/R:
• Prob(P, τ*a, C) = Prob(Q, τ*a, C) for all a ∈ GAct
• Prob(P, a*, C) = Prob(Q, a*, C) for all a* ∈ RAct
≈_PB: an example
[Figure: two processes, one with transitions a, 1/2 and b, 1/2, the other with transitions a, 1/3 and b, 1/3.]
The two systems are equivalent.
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
Security analysis and probability
We extend the definition of the nondeterministic security properties to our probabilistic setting.
NOTE: we consider probabilistic processes which are well defined, i.e. the probability of observing, at some point in the future, a visible action cannot tend to zero.
Probabilistic Non-interference (intpr)
Intuition: a system P is secure iff the probabilistic low view of P is not altered by the probabilistic behavior of the high users.
Formally (denoting by h1 … hP the high level action types which syntactically occur within P):
P\ATypeH ≈_PB P /_p1 h1 … /_pP hP
for any sequence of probabilities p1 … pP in ]0,1[
An example: P = τ.(τ.a +_.5 h.b) +_.5 b, with a, b low and h high
[Figure: the transition systems obtained by hiding the high events and by restricting the high events, each branching with probability .5 over a and b.]
The two low views are not ≈_PB.
Probabilistic Non-interference
In P\ATypeH ≈_PB P /_p1 h1 … /_pP hP for any p1 … pP in ]0,1[, the universal quantification over all possible probability distributions of the hidden reactive high actions is needed to verify the influence of the high activities upon the low view.
EXAMPLE: P = h*.a + (τ.a +_q b)
The nondeterministic process P is int-secure.
In the probabilistic setting, the nondeterministic choice can be probabilistically resolved by the high user which interacts with the system, thus altering the probability of observing the low event a (b):
P /_p h = τ.a +_p (τ.a +_q b) for any choice of p in ]0,1[, whereas P\ATypeH = τ.a +_q b.
Probabilistic Non-interference
EXAMPLE: P = h*.a + a
P /_p h = τ.a +_p a ≈_PB a for any choice of p in ]0,1[
The low view of P is represented by the execution of the low action a with probability 1. The high user which solves the nondeterministic choice in P cannot alter such a view.
Probabilistic Non-interference
EXAMPLE: P = (a +_p a.b) +_q a.h.b
[Figure: from the initial state, three a-transitions with probabilities pq, (1-p)q and (1-q); the second is followed by b with probability 1, the third by h with probability 1 and then b with probability 1.]
The nondeterministic version of P is int-secure.
If the high user interacts, then the probability of observing the sequence a.b is 1-pq.
If the high user does not interact, then the probability of observing the sequence a.b is (1-p)q.
P is not intpr-secure!
Probabilistic Non-interference
A pure probabilistic covert channel [Sabelfeld & Sands ’00]:
low variable l := high variable h OR random value
High values and random values belong to the same domain.
In a nondeterministic setting, since the choice between the two different assignments is left underspecified and since the set of low outputs does not change with or without high interactions, the system is considered to be secure.
In a probabilistic setting, if we observe the frequency of the possible low outcomes of the low level variable, then we may infer the high behavior.
EXAMPLE: l := h +_.7 random value (and we assume h = 1) may give rise, after repeated executions of the system, to the sequence of outcomes: 0,1,1,1,3,1,2,1,1,1,1,4,0,1,1,1,3,1,1,1
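The covert channel of this slide, as an added example that is not part of the presentation: the possibilistic view of l is the same for every h, while the distribution of l is not, and repeated low observations let the low user recover h. The domain {0,…,4}, the uniform random value and the maximum-likelihood decoder are my assumptions; p = .7 and the sequence of outcomes are the slide's.

```python
from collections import Counter
from fractions import Fraction

# Added example (not from the slides): the channel  l := h +_p random.
# Constructed assumption: high values and random values share the domain
# {0,...,4} and the random value is uniform on it; p = 7/10 as on the slide.
DOMAIN = tuple(range(5))
SLIDE_OUTCOMES = (0, 1, 1, 1, 3, 1, 2, 1, 1, 1, 1, 4, 0, 1, 1, 1, 3, 1, 1, 1)


def possible_outputs(h):
    """Possibilistic (nondeterministic) view: the set of values l can take."""
    return {h} | set(DOMAIN)          # equal to the whole domain for every h


def output_distribution(h, p=Fraction(7, 10)):
    """Probabilistic view: Pr[l = v] for every v in the domain."""
    uniform = Fraction(1, len(DOMAIN))
    return {v: p * (1 if v == h else 0) + (1 - p) * uniform for v in DOMAIN}


def total_variation(h1, h2, p=Fraction(7, 10)):
    """Distance between the low views for two high values (0 means no flow)."""
    d1, d2 = output_distribution(h1, p), output_distribution(h2, p)
    return sum(abs(d1[v] - d2[v]) for v in DOMAIN) / 2


def infer_high(outcomes, p=Fraction(7, 10)):
    """Maximum-likelihood guess of h from repeated observations of l."""
    counts = Counter(outcomes)

    def likelihood(h):
        dist = output_distribution(h, p)
        result = Fraction(1)
        for v in DOMAIN:
            result *= dist[v] ** counts[v]
        return result

    return max(DOMAIN, key=likelihood)


if __name__ == "__main__":
    print(possible_outputs(0) == possible_outputs(3))   # nondeterministic view: secure
    print(total_variation(0, 3))                        # probabilistic view: 7/10
    print(infer_high(SLIDE_OUTCOMES))                   # recovers h = 1
```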
Probabilistic Non-interference
Similarly, in our process algebraic setting we may consider the following system:
P = (a +_p b) +_r h.(a +_q b)
If the high user interacts, then the probabilistic choice between the low actions a and b is guided by parameter q. If the high user does not interact, then the probabilistic choice between the low actions a and b is guided by parameter p. The system is intpr-secure iff p = q.
NOTE: the nondeterministic version of process P is S-secure (with S in {int, comp, scomp}).
Probabilistic Non-deducibility on Composition (comppr)
P\ATypeH ≈_PB (P ||^p_{h1,…,hk} Π) /_p1 h1 … /_pk hk
for any high user Π, high communication interface {h1,…,hk} ⊆ ATypeH, and probabilities p, p1, …, pk in ]0,1[.
comppr: example
P = (τ.(a +_p h) +_p τ.(a +_{1-p} τ)) +_p k.a
h, k: high level types – a: low level type
• P is intpr-secure
• Intuitively, the high user can:
  1. block the execution of the action k
  2. wait for the internal probabilistic choice
  3. accept (block) the execution of the action h
• Formally, by taking the high user Π = h*.0 and the synchronization set {h,k}, it turns out that P is not comppr-secure.
Strong comppr (scomppr)
As in the nondeterministic case, a stronger formulation of the comppr property is given in order to avoid the universal quantification over all possible high level users.
For any derivative P1 of P and for any P2 such that P1 —h, p→ P2, with h in ATypeH and p in ]0,1], we have P1\ATypeH ≈_PB P2\ATypeH.
Inclusion Relations
[Figure: nested diagram] scomppr ⊆ comppr ⊆ intpr
Inclusion Relations
Given a nondeterministic security property SP and its probabilistic counterpart SPpr, we have
SPpr ⊂ SP
meaning that if P is SPpr-secure, then the nondeterministic version of P is SP-secure.
Inclusion Relations
[Figure: nested diagram with scomppr inside comppr inside intpr, and scomp inside comp inside int, with two example processes marked P and Q.]
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
Probability & Non-interference
[Figure: a process P with low level activities a, b and a high level activity h; the information flow from H to L is quite negligible!]
Probability & Non-interference
– Probabilistic information can be employed to quantify the probability associated to each information flow, thus allowing the modeler to estimate the probability of observing insecure behaviors.
– Weak bisimulation is too sensitive and does not allow one to relate probabilistic processes which behave almost the same.
– Relaxed notions of security properties may allow one to consider as secure those systems where the probability of observing an information flow is negligible.
Bisimulation with ε-precision (≈_PB^ε)
We pass to a relaxed definition of bisimulation which is able to tolerate small ε-fluctuations.
A relation R ⊆ G × G is a probabilistic weak bisimulation with ε-precision iff whenever (P,Q) ∈ R then for all C ∈ G/R:
• |Prob(P, τ*a, C) - Prob(Q, τ*a, C)| < ε for all a ∈ GAct
• |Prob(P, a*, C) - Prob(Q, a*, C)| < ε for all a* ∈ RAct
≈_PB^ε: example
As we have seen, the system P = (a +_p a.b) +_q a.h.b is not intpr-secure. However, if q is a value close to 0, then the low level outcome of repeated executions of the system changes according to negligible fluctuations with or without the interaction of the high user. Formally, P is intpr-secure if we employ ≈_PB^ε as the notion of equivalence.
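An added example, not part of the presentation, that computes the two low views of P = (a +_p a.b) +_q a.h.b from the intpr example above (hiding h when the high user interacts, restricting it when it does not) and applies the ε-check to the probability of observing a.b. The state names and the hand-written transition system are my encoding; the two values come out as 1-pq and (1-p)q, so they differ by 1-q.

```python
from fractions import Fraction

# Added example (not from the slides): probabilistic low views of
#     P = (a +_p a.b) +_q a.h.b     with a, b low and h high.
# The transition system is written out by hand: each state maps to its
# generative bundle, a list of (action, probability, next state).
HIGH = {"h"}


def build_P(p, q):
    p, q = Fraction(p), Fraction(q)
    return {
        "P":     [("a", p * q, "0"), ("a", (1 - p) * q, "b.0"), ("a", 1 - q, "h.b.0")],
        "b.0":   [("b", Fraction(1), "0")],
        "h.b.0": [("h", Fraction(1), "b.0")],
        "0":     [],
    }


def hide(ts):
    """P / ATypeH: high actions become the internal action tau (high user interacts)."""
    return {s: [("tau" if a in HIGH else a, pr, t) for a, pr, t in bundle]
            for s, bundle in ts.items()}


def restrict(ts):
    """P \\ ATypeH: high actions are blocked and each bundle is renormalised
    (high user does not interact); a state left with no action deadlocks."""
    out = {}
    for s, bundle in ts.items():
        kept = [(a, pr, t) for a, pr, t in bundle if a not in HIGH]
        total = sum(pr for _, pr, _ in kept)
        out[s] = [(a, pr / total, t) for a, pr, t in kept] if total else []
    return out


def low_traces(ts, state="P", weight=Fraction(1)):
    """Probability of each observable low trace of a complete run from `state`."""
    if not ts[state]:                      # terminated or deadlocked
        return {(): weight}
    dist = {}
    for a, pr, t in ts[state]:
        for trace, w in low_traces(ts, t, weight * pr).items():
            visible = trace if a == "tau" else (a,) + trace   # tau is unobservable
            dist[visible] = dist.get(visible, Fraction(0)) + w
    return dist


def prob_ab(p, q, high_interacts):
    """Probability that the low user observes the sequence a.b."""
    view = hide(build_P(p, q)) if high_interacts else restrict(build_P(p, q))
    return low_traces(view).get(("a", "b"), Fraction(0))


def within_epsilon(p, q, eps):
    """Do the two low views agree on a.b up to an epsilon-fluctuation?"""
    return abs(prob_ab(p, q, True) - prob_ab(p, q, False)) < eps


if __name__ == "__main__":
    p, eps = Fraction(1, 2), Fraction(1, 10)
    for q in (Fraction(1, 20), Fraction(19, 20)):
        print(q, prob_ab(p, q, True), prob_ab(p, q, False), within_epsilon(p, q, eps))
```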
≈_PB^ε: example (2)
P = h.a +_p τ.(b +_q h.b)
[Figure: from P, h with probability p leads to the insecure component (then a with probability 1), and τ with probability 1-p leads to the secure component Q, where the choice between b and h.b is resolved with probabilities q and 1-q and is followed by b with probability 1.]
≈_PB^ε: example (2)
P = h.a +_p τ.(b +_q h.b)
– The probability of reaching the secure component Q is 1-p
– The probability of reaching the insecure component is p
Given p, we have: P\ATypeH ≈_PB^ε P /_r h for any r in ]0,1[
[Figure: the comparison of the two low views, with transitions labelled τ, ε and 1-ε, a, 1 and a state related by ≈_PB^ε with probability 1 to Q, for any Q.]
Quantifying information flows
Systems which need an estimation of the illegal information flows: PROBABILISTIC ALGORITHMS.
Among the possible behaviors of the algorithm we also have an unwanted, insecure behavior which usually is executed with a probability close to 0.
EXAMPLES: probabilistic non-repudiation, asynchronous Byzantine agreement
Conclusion
1. The process algebraic approach to probabilistic non-interference is a natural, conservative extension of the nondeterministic non-interference theory.
2. Probabilistic information can be employed to quantify information flow.
Conclusion
Future work
– Analysis of probabilistic cryptographic protocols:
  • generalized, easily verifiable notion of security
– Extension of the calculus with message handling and cryptography:
  • relaxation of the assumption of perfect cryptography
References
1. A. Aldini, M. Bravetti, "An Asynchronous Calculus for Generative-Reactive Probabilistic Systems", in Proc. of the 8th Int. Workshop on Process Algebra and Performance Modeling (PAPM’00), Rolim et al. (Eds.), pp. 591-605, Carleton Scientific, Geneve, 2000
2. A. Aldini, "Probabilistic Information Flow in a Process Algebra", in Proc. of the 12th Int. Conference on Concurrency Theory (CONCUR’01), Springer LNCS 2154, pp. 152-168, Aalborg, 2001
3. A. Aldini, "On the Extension of Non-interference with Probabilities", in the 2nd ACM SIGPLAN and IFIP WG 1.7 Workshop on Issues in the Theory of Security (WITS’02), Portland, Oregon, 2002
4. A. Aldini, R. Gorrieri, "Security Analysis of a Probabilistic Non-repudiation Protocol", in Proc. of the 2nd Joint Int. Workshop on Process Algebra and Performance Modelling, Probabilistic Methods in Verification (PAPM-PROBMIV’02), Springer LNCS 2399, pp. 17-36, Copenhagen, 2002
5. A. Aldini, M. Bravetti, R. Gorrieri, "A Process Algebraic Approach for the Analysis of Probabilistic Non-interference", Tech. Rep. UBLCS-2002-02, University of Bologna (Italy), 2002
Thank you!
http://www.cs.unibo.it/~aldini ~bravetti ~gorrieri
{aldini,bravetti,gorrieri}@cs.unibo.it