Synthesis of non-interferent systems Gilles Benattar Franck Cassez - - PowerPoint PPT Presentation

Introduction Definitions Results Conclusion

Synthesis of non-interferent systems

Gilles Benattar† Franck Cassez‡ Didier Lime† Olivier H.Roux†

†IRCCyN/CNRS UMR 6597, Nantes, France ‡CNRS and National ICT Australia, Sydney, Australia

Formal Modelling and Analysis of Timed Systems 2009 (FORMATS09)

1

Introduction Definitions Results Conclusion

Introduction

1 Studies of information flow security properties has been a very

active domain.

2 Information flow analysis defines secrecy as: “high level

information never flows into low level channels” i.e., non-interference.

3 There are many results on model checking of non-interference

properties.

4 We consider the problem of the synthesis of non-interferent

systems for timed and untimed automata.

2

Introduction Definitions Results Conclusion

1

Introduction

2

Definitions Preliminaries Non-interference Control problem

3

Results SNNI verification problem SNNI control problem SNNI control synthesis problem

4

Conclusion

3

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Restriction definition

1 2 3 4 5 h1 l1 l1 h2 l2

Figure: B

4

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Restriction definition

1 2 3 4 5 h1 l1 l1 h2 l2

(a) Automaton B

1 2 3 h1 l1 l1

(b) B\{h2}

4

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Abstraction (hiding) definition

1 2 3 4 5 h1 l1 l1 h2 l2

Figure: B

5

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Abstraction (hiding) definition

1 2 3 4 5 h1 l1 l1 h2 l2

(a) Automaton B

1 2 3 4 5 h1 l1 l1 ε l2

(b) B/{h2}

5

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Strong Non-deterministic Non-Interference (SNNI) 1/4

1 The systems is defined by an automaton A over an alphabet

Σ divided into two sub-alphabets : Σh the high level actions and Σl the low level actions

2 A system defined by an automaton A is non-interferent if the

low level user cannot distinguish A/Σh from A\Σh. Definition (SNNI) A TA A has the strong non-deterministic non-interference property (in short “A is SNNI”) if A/Σh ≈L A\Σh, where A1 ≈L A2 mean that A1 and A2 are language equivalent.

6

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI finite automata example 1/2

1 2 3 4 5 h1 l1 l1 h2 l2

Figure: B that is not SNNI

L(B/{h1, h2}) = {l1, l2} L(B\{h1, h2}) = {l1}

7

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI finite automata example 2/2

1 2 3 4 h1 l1 l1 h2

Figure: C that is SNNI

L(C/{h1, h2}) = {l1} L(C\{h1, h2}) = {l1}

8

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI timed automata example

A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l

Figure: Timed Automaton A

9

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI timed automata example

A0 A1 A2 A3 l h l

Figure: Finite Automaton A = untimed(A)

L(A/{h}) = {l} L(A\{h}) = {l}

9

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI timed automata example

A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l

Figure: Timed Automaton A

ρ = (A0, 0) 1.1 − − → (A0, 1.1) h − → (A2, 0) 0.5 − − → (A2, 1.6)

l

− →(A3, 1.6) ∈ Runs(A)

9

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI timed automata example

A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l

Figure: Timed Automaton A

ρ = (A0, 0) 1.1 − − → (A0, 1.1) h − → (A2, 0) 0.5 − − → (A2, 1.6)

l

− →(A3, 1.6) ∈ Runs(A) (1.1, h).(0.5, l) ∈ L(A)

9

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI timed automata example

A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l

Figure: Timed Automaton A

ρ = (A0, 0) 1.1 − − → (A0, 1.1) h − → (A2, 0) 0.5 − − → (A2, 1.6)

l

− →(A3, 1.6) ∈ Runs(A) (1.1, h).(0.5, l) ∈ L(A) ⇒ (1.6, l) ∈ L(A/{h})

9

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

SNNI timed automata example

A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l

Figure: Timed Automaton A

ρ = (A0, 0) 1.1 − − → (A0, 1.1) h − → (A2, 0) 0.5 − − → (A2, 1.6)

l

− →(A3, 1.6) ∈ Runs(A) (1.1, h).(0.5, l) ∈ L(A) ⇒ (1.6, l) ∈ L(A/{h}) ⇒ A is not SNNI

9

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Control problem 1/2

The SNNI Verification Problem (SNNI-VP) for a system S asks the following: is S SNNI ? The Control Problem (SNNI-CP) for a system S asks the following: Is there a controller C s.t. C(S) is SNNI ? The Controller Synthesis Problem (SNNI-CSP) asks to compute a witness controller C.

10

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Control problem 2/2

Let Σc ⊆ Σ = Σh ∪ Σl a set of controllable actions, let λ ∈ Σ the waiting action. Definition (Controller) A controller C for A is a partial mapping C : Runs(A) → 2Σc∪{λ}. After each run ρ ∈ Runs(A), the controller chose a set C(ρ)

• f actions that are not disabled.

11

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

Control problem 2/2

Let Σc ⊆ Σ = Σh ∪ Σl a set of controllable actions, let λ ∈ Σ the waiting action. Definition (Controller) A controller C for A is a partial mapping C : Runs(A) → 2Σc∪{λ}. After each run ρ ∈ Runs(A), the controller chose a set C(ρ)

• f actions that are not disabled.

If λ ∈ C(ρ), the system may wait, otherwise, a controllable action must be done by one of the users.

11

Introduction Definitions Results Conclusion Preliminaries Non-interference Control Problem

1

Introduction

2

Definitions Preliminaries Non-interference Control problem

3

Results SNNI verification problem SNNI control problem SNNI control synthesis problem

4

Conclusion

12

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Verification Problem (SNNI-VP)

Untimed Automata Timed Automata Deterministic A\Σh PTIME PSPACE-Complete Non-deterministic A\Σh PSPACE-Complete Undecidable [1]

Table: Results for the SNNI-VP

13

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Control Problem (SNNI-CP) for finite automata 1/2

Theorem For finite automata, the SNNI-CP is PSPACE-Complete.

14

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Control Problem (SNNI-CP) for finite automata 2/2

For finite automata, we can easily check if SNNI is controllable by cutting all the controllable actions and checking if the obtained system is SNNI. 1 2 3 4 5 l1 h2 l2 h1 l1

Figure: Automaton D

Σc = {l1}

15

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Control Problem (SNNI-CP) for finite automata 2/2

For finite automata, we can easily check if SNNI is controllable by cutting all the controllable actions and checking if the obtained system is SNNI. 4 h1

Figure: Automaton D\Σc

Σc = {l1}

15

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Control Problem (SNNI-CP) for timed automata

This does not work in the timed case : 1 2 3 a, x1 > 1 h, x1 ≥ 5 b

Figure: Timed Automaton E

Σc = {a}

16

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Control Problem (SNNI-CP) for timed automata

This does not work in the timed case : 1 2 3 a, x1 > 1 h, x1 ≥ 5 b

(a) Timed Automaton E

2 3 h, x1 ≥ 5 b

(b) Timed Automaton E\Σc

Σc = {a}

16

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Control Problem (SNNI-CP) for timed automata

This does not work in the timed case : 1 2 3 a, x1 > 1 h, x1 ≥ 5 b

(c) Automaton E

1 [x1 ≤ 4] a, x1 > 1

(d) Timed Automaton C(E)

Σc = {a}

16

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP)

Theorem If A is a finite automaton, we can compute the most permissive controller C s.t. C(A) is SNNI. Theorem If A is a timed automaton and A\Σh is deterministic, we can compute the most permissive controller C s.t. C(A) is SNNI.

17

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 1/5

Let D be an automaton. In order to solve the SNNI-CSP, we calculate iteratively the most permissive controller of safety games calculated from D and D\Σh. 1 2 3 4 5 l1 h2 l2 h1 l1

Figure: Timed Automaton D = D0

Σc = {l1, h1}

18

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 2/5

We define D2 as the complete version of D\Σh. 1 bad l1 l1, l2 l2

Figure: Automaton D0

2

19

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 3/5

We compute D0 ⊗ D0

2, and define a controller C ⊗ 1 that solves the

safety game. 00 11 21 3bad 40 51 l1 h2 l2 h1 l1

Figure: Automaton D0 ⊗ D0

2

Σc = {l1, h1}

20

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 3/5

We compute D0 ⊗ D0

2, and define a controller C ⊗ 1 that solves the

safety game. 00 11 21 3bad 40 51 l1 h2 l2 h1 l1

Figure: Timed Automaton D0

p = D0 ⊗ D0 2

Σc = {l1, h1}

20

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 3/5

We compute D0 ⊗ D0

2, and define a controller C ⊗ 1 that solves the

safety game. 00 40 51 h1 l1

Figure: Timed Automaton C ⊗

1 (D ⊗ D2)

Σc = {l1, h1}

20

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 4/5

We compute C 1 from C ⊗

1 and if L(C 1(D0)\Σh) = L(D0)\Σh), we

iterate process. 4 5 h1 l1

Figure: Timed Automaton C 1(D)

21

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for finite automata 5/5

We reach a fix point C ∗ 1 h1

Figure: Timed Automaton C ∗(D) that is SNNI

22

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for timed automata

We proved that the same algorithm works for a timed automaton A if A\Σh is deterministic. A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l

Figure: Timed Automaton A

Σc = {l}

23

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

SNNI Controller Synthesis Problem (SNNI-CSP) for timed automata

We proved that the same algorithm works for a timed automaton A if A\Σh is deterministic. A0 A1 A2 A3 [x1 ≤ 4] l, x1 ≥ 2 h, x1 ≥ 1 l, 2 ≤ x1 ≤ 4

Figure: Timed Automaton C ∗(A)

23

Introduction Definitions Results Conclusion SNNI-VP SNNI-CP SNNI-CSP

1

Introduction

2

Definitions Preliminaries Non-interference Control problem

3

Results SNNI verification problem SNNI control problem SNNI control synthesis problem

4

Conclusion

24

Introduction Definitions Results Conclusion

Conclusion

A Timed Automaton A Finite Automaton A\Σh Non-Det. A\Σh Det. A\Σh Non-Det. A\Σh Det. SNNI-VP undecidable [1] PSPACE-C PSPACE-C PTIME SNNI-CP undecidable [1] EXPTIME-C PSPACE-C PTIME SNNI-CSP undecidable [1] EXPTIME-C EXPTIME [2] PSPACE-C

Table: Summary of the Results

25

Introduction Definitions Results Conclusion

Future works

1 Extend the results on other form of non-interference (CSNNI

and BSNNI) for untimed and timed automata.

2 Determine conditions under which a most permissive

controller exists for the BSNNI-CSP and CSNNI-CSP

26

Introduction Definitions Results Conclusion

Thanks Thank you for your attention

27

Introduction Definitions Results Conclusion

Bibliography

Gardey, G., Mullins, J., Roux, O.H.: Non-interference control synthesis for security timed automata.

• Elec. Notes in Theo. Comp. Science 180(1) (2005) 35–53.

Proceedings of the 3rd International Workshop on Security Issues in Concurrency (SecCo’05). Cassez, F., Mullins, J., Roux, O.H.: Synthesis of non-interferent systems. In: Proceedings of the 4th Int. Conf. on Mathematical Methods, Models and Architectures for Computer Network Security (MMM-ACNS’07). Volume 1 of Communications in Computer and Inform. Science, Springer (2007) 307–321.

28