Non-interference Properties for Probabilistic Processes


Transcript of Non-interference Properties for Probabilistic Processes

Page 1: Non-interference Properties for Probabilistic Processes

Non-interference Properties for Probabilistic Processes: A Process Algebraic Approach

Alessandro Aldini, joint work with Mario Bravetti and Roberto Gorrieri

Page 2: Non-interference Properties for Probabilistic Processes

Outline

– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities

Page 3: Non-interference Properties for Probabilistic Processes

Formal methods and security

Motivation:
– The Internet provides support for the transmission of data over communication networks, but is not designed with the goal of avoiding unauthorized disclosure of such data.
– Cryptography is the solution, but…
  • imported code
  • mobile agents
  • malicious non-authenticated accesses
  • …
  raise a supplementary, increasing demand for security in computer networks.

Page 4: Non-interference Properties for Probabilistic Processes

Formal methods and security

Formal techniques may help to:
– prevent security holes,
– provide a generalized, easily verifiable notion of security.

Here, we concentrate on the security analysis of information flow in systems and, more precisely, on how to characterize the absence of any insecure flow, by applying the classical idea of non-interference.

Page 5: Non-interference Properties for Probabilistic Processes

Non-interference

Non-interference checks the absence of information flows through the system, in terms of confidential, high level information illegally revealed to someone without the related access right.

Page 6: Non-interference Properties for Probabilistic Processes

Non-interference

– The users of the system are partitioned into high level users and low level users.
– High and low users interact with the system through separate interfaces.
– Low users cannot directly observe what high users do.
– Low users know the exact, complete design of the system, including the high interface.
– Users interact with the system through input actions (guided by the users) and output actions (guided by the system).

Page 7: Non-interference Properties for Probabilistic Processes

Non-interference

The interactions of low users with the system should not be affected by the behavior of high users [Goguen & Meseguer ’82].

[Figure: the System with a Low interface used by the LOW USERS and a High interface used by the HIGH USERS; the question mark asks whether an information flow from the high side to the low side exists.]

Page 8: Non-interference Properties for Probabilistic Processes

Direct information flow

[Figure: the System holds var X = 0; the High user performs write x := 1; the Low user performs read x and obtains 1.]

A high value is directly communicated from the high user to the low user!

Page 9: Non-interference Properties for Probabilistic Processes

Indirect information flow

Non-interference seeks to capture also covert channels (indirect information flows from high level to low level).

EXAMPLE: sharing of resources (e.g. memory devices).

[Figure: a shared memory; the High user creates the private file data.txt; the Low user then tries to create the public file data.txt and gets FAIL!, which reveals the high user's activity.]

Page 10: Non-interference Properties for Probabilistic Processes

Non-interference: an example

[Figure: a process P with the low level activities a, b, c and a high level activity h; the diagram marks an information flow from H to L!]

Page 11: Non-interference Properties for Probabilistic Processes

Non-interference

Information flow analysis in process algebras: [Jacob’88, Ryan’91, Focardi & Gorrieri’95, Roscoe’95, Ryan & Schneider’99]

– Information flow is analyzed by considering the possibilistic behavior of the system, i.e. what events are possible.
– Further aspects are not considered, such as the timing of actions and the probability distribution of events.

Page 12: Non-interference Properties for Probabilistic Processes

Non-interference

– In this talk, we take into consideration the influence of the high level behavior upon the probability distribution of the observable, low level events.
– The motivation is twofold:
  • probabilistic covert channels may occur which are not observable in a purely nondeterministic setting;
  • a quantitative estimate of the information flowing through the system may be given.

Page 13: Non-interference Properties for Probabilistic Processes

Probability & non-interference (1)

The frequency of the possible low outcomes derived from several execution runs of the system may change depending on the interaction of the high user with the system. [Gray’92, Sabelfeld & Sands’99, Hankin et al.’00]

Page 14: Non-interference Properties for Probabilistic Processes

Probability & non-interference (1)

[Figure: a process P with the low level activities a, b and a high level activity h; the high activity changes the frequency of the low outcomes, an information flow from H to L!]

Page 15: Non-interference Properties for Probabilistic Processes

Probability & non-interference (2)

Interactions of high users with the system which affect the interactions of low users may occur with a negligible probability. In such a case, the illegal information flow can be tolerated by the users of the system. [Hankin et al.’02]

Page 16: Non-interference Properties for Probabilistic Processes

Probability & non-interference (2)

[Figure: a process P with the low level activities a, b and a high level activity h; information flow from H to L… quite negligible!]

Page 17: Non-interference Properties for Probabilistic Processes

Outline

– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities

Page 18: Non-interference Properties for Probabilistic Processes

A non-deterministic process algebra

Actions are divided into:
– a set I of input actions a*, b*, …
– a set O of output actions a, b, …
– the internal action τ
Act = I U O U {τ}

Visible action types are partitioned into two disjoint sets:
– ATypeL of low level types
– ATypeH of high level types
AType = ATypeH U ATypeL U {τ}

Page 19: Non-interference Properties for Probabilistic Processes

Syntax

P : 0 | .P (prefix) | P + P (alternative choice) | P ||S P (parallel composition) | P L (hiding of the types in L) | A (constant)

where S, L are in P(AType – {τ}).

Page 20: Non-interference Properties for Probabilistic Processes

Syntax

0: null term, denoting a terminated or deadlocked term.

Page 21: Non-interference Properties for Probabilistic Processes

Syntax

.P: prefix operator: executes the action and then behaves as term P (the action is an output action, an input action, or the internal action τ).

Page 22: Non-interference Properties for Probabilistic Processes

Syntax

P + Q: alternative choice operator: expresses a non-deterministic choice between a term P and a term Q (CCS-style).

Page 23: Non-interference Properties for Probabilistic Processes

Syntax

P ||S Q: parallel composition operator: expresses the concurrent execution of processes P and Q (CSP-style).

Page 24: Non-interference Properties for Probabilistic Processes

Syntax

P L: hiding operator: turns the visible actions with type in L into internal actions.

Page 25: Non-interference Properties for Probabilistic Processes

Syntax

A: constants are used to define recursive terms, A = P.

Page 26: Non-interference Properties for Probabilistic Processes

||S: synchronization policy

[Figure: the synchronization rule when a is in S. Two input actions synchronize: a*.P ||S a*.Q performs a* and becomes P ||S Q. An output action synchronizes with an input action: a.P ||S a*.Q performs a and becomes P ||S Q. The case a.P ||S a.Q of two output actions is shown as well.]

Page 27: Non-interference Properties for Probabilistic Processes

||S: synchronization policy

[Figure: with a in S, ((a*.P ||S a*.P’) ||S a*.P’’) ||S a.Q performs a and becomes ((P ||S P’) ||S P’’) ||S Q.]

Q broadcasts the output action a, while all the other processes synchronize on the input action a* (asymmetric multiway synchronization).

Page 28: Non-interference Properties for Probabilistic Processes

Restriction

The synchronization rule can also express the restriction of actions.

EXAMPLE: in a*.P ||S c.Q (with a ≠ c and a in S) the action a*, constrained to synchronize, cannot be executed!

We use the restriction P L to stand for P ||L 0, which cannot execute the actions of P with type in L.

Page 29: Non-interference Properties for Probabilistic Processes

Equivalence

We use equivalence checking to express security properties: a system S is secure if two subsystems, suitably derived from S and from the security definition, are equivalent.

We need a notion of equivalence to relate terms which behave the same from the viewpoint of an external observer.

Since internal actions τ cannot be seen by any external observer, and since the definition of security properties focuses on observable behaviors, we use a notion of equivalence which abstracts from internal actions: weak bisimulation equivalence.

Page 30: Non-interference Properties for Probabilistic Processes

Equivalence

Note:
– G denotes the set of processes of the calculus
– the weak transition relation means that a labeled transition (with visible action) occurs, possibly preceded and followed by a sequence of internal transitions
– the strong transition relation means that a labeled transition occurs
– the remaining relation means that zero or more labeled transitions occur

Page 31: Non-interference Properties for Probabilistic Processes

Weak bisimulation [Milner’89]:

A relation R in G x G is a weak bisimulation iff (P,Q) in R implies, for all actions in Act:
• whenever P moves to P’ by a transition with that action, then there exists Q’ such that Q reaches Q’ by the corresponding weak transition and (P’,Q’) is in R
• whenever Q moves to Q’ by a transition with that action, then there exists P’ such that P reaches P’ by the corresponding weak transition and (P’,Q’) is in R

Weak bisimulation equivalence is denoted with subscript B.

Page 32: Non-interference Properties for Probabilistic Processes

Outline

– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities

Page 33: Non-interference Properties for Probabilistic Processes

Nondeterministic security properties

We rephrase in the context of our nondeterministic calculus some of the security properties defined in [Focardi & Gorrieri’95].

Page 34: Non-interference Properties for Probabilistic Processes

[Figure: the process h.b.a.0 + a.0 from the low user standpoint. If the high user does not interact, the low user observes a; if the high user interacts, the low user observes b followed by a.]

Page 35: Non-interference Properties for Probabilistic Processes

Nondeterministic Non-interference (int)

Intuition: a system P is secure iff the behavior of P observable by a low user does not depend on the high interactions.

Formally: P with the high types ATypeH hidden is weakly bisimilar to P with the high types ATypeH restricted.

For each low behavior observable when the high user does not interact with the system, we have an equivalent low behavior observable when the high user executes high actions, and vice versa.

Page 36: Non-interference Properties for Probabilistic Processes

Examples

Low user viewpoint, without high interactions (high types restricted) versus with high interactions (high types hidden):

h.b.a.0 + a.0: without high interactions the low view is a.0; with high interactions it is τ.b.a.0 + a.0. The two are not weakly bisimilar.

h.a.0 + a.0: without high interactions the low view is a.0; with high interactions it is τ.a.0 + a.0. The two are weakly bisimilar.

Page 37: Non-interference Properties for Probabilistic Processes

Examples

Low user viewpoint, without high interactions versus with high interactions:

h.a.a.0 + a.0: without high interactions the low view is a.0; with high interactions it is τ.a.a.0 + a.0. The two are not weakly bisimilar.

P = a.Q with Q = h.Q + b.0: in both cases the low user observes a followed by b, so the two low views are weakly bisimilar.

Page 38: Non-interference Properties for Probabilistic Processes

[Figure: the process h.h.a.0 + a.0 from the low user standpoint. If the high user does not interact, the low user observes a; if the high user interacts, the low user again observes a (marked with a question mark on the slide).]

Nondeterministic non-interference is not enough!

Page 39: Non-interference Properties for Probabilistic Processes

Nondeducibility on Composition (comp)

Intuition: a system P is secure iff the behavior of P observable by a low user is invariant with respect to the interaction of any high user.

Formally: P with ATypeH restricted is weakly bisimilar to (P ||S high process) with ATypeH restricted, for any high process and any high communication interface S.

Page 40: Non-interference Properties for Probabilistic Processes

Example

[Figure: h.h.a.0 + a.0 without high interactions, i.e. a.0, compared with h.h.a.0 + a.0 interacting with the high user h*.0 (synchronizing on h, with the high types restricted); the two low views are not weakly bisimilar.]
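Added example, not part of the slides or of the authors' work: a Python sketch of the int and comp checks of Pages 35–40. It builds the slide processes as explicit transition systems (state names are constructed), computes the two low views by turning the high action h into the internal action (hiding) or deleting it (restriction), and decides weak bisimulation by partition refinement over weak transitions. comp is only checked against one given high user (h*.0, as on Page 40) through a simplified product in which a high action of P must synchronize with the same action of the user and becomes internal; a full comp check would quantify over all high users.

```python
from itertools import product

TAU = "tau"   # the internal action

def lts(edges, init):
    """Build a transition system (dict state -> set of (action, target)) from
    (source, action, target) triples; targets without moves get an empty set."""
    trans = {}
    for s, a, t in edges:
        trans.setdefault(s, set()).add((a, t))
        trans.setdefault(t, set())
    return trans, init

def hide(sys, high):
    """Low view with high interactions: every high action becomes tau."""
    trans, init = sys
    return {s: {(TAU if a in high else a, t) for a, t in ts} for s, ts in trans.items()}, init

def restrict(sys, high):
    """Low view without high interactions: high actions cannot be executed."""
    trans, init = sys
    return {s: {(a, t) for a, t in ts if a not in high} for s, ts in trans.items()}, init

def compose_high(sys, user, high):
    """Simplified (P || user) with the high types restricted: a high action of P
    must synchronize with the same action of the user and becomes tau; low
    actions of P interleave freely; the user performs high actions only."""
    (pt, pi), (ut, ui) = sys, user
    trans = {}
    for p, u in product(pt, ut):
        moves = set()
        for a, t in pt[p]:
            if a in high:
                moves |= {(TAU, (t, v)) for b, v in ut[u] if b == a}
            else:
                moves.add((a, (t, u)))
        trans[(p, u)] = moves
    return trans, (pi, ui)

def weak_moves(trans):
    """state -> set of (action, target) weak transitions: tau* a tau*, or tau* for tau."""
    closure = {}
    for s in trans:
        seen, stack = {s}, [s]
        while stack:
            for a, t in trans[stack.pop()]:
                if a == TAU and t not in seen:
                    seen.add(t)
                    stack.append(t)
        closure[s] = seen
    moves = {}
    for s in trans:
        m = {(TAU, t) for t in closure[s]}
        for s1 in closure[s]:
            for a, s2 in trans[s1]:
                if a != TAU:
                    m |= {(a, t) for t in closure[s2]}
        moves[s] = m
    return moves

def weakly_bisimilar(p, q):
    """Largest weak bisimulation on the disjoint union of p and q, computed by
    partition refinement; True iff the two initial states end in the same block."""
    trans = {}
    for tag, (t, _) in (("P", p), ("Q", q)):
        for s, ts in t.items():
            trans[(tag, s)] = {(a, (tag, v)) for a, v in ts}
    moves = weak_moves(trans)
    block = {s: 0 for s in trans}
    while True:
        ids = {}
        new = {s: ids.setdefault(frozenset((a, block[t]) for a, t in moves[s]), len(ids))
               for s in trans}
        if len(ids) == len(set(block.values())):   # no block was split: stable
            return new[("P", p[1])] == new[("Q", q[1])]
        block = new

def int_secure(sys, high):
    return weakly_bisimilar(hide(sys, high), restrict(sys, high))

def comp_secure_against(sys, user, high):
    return weakly_bisimilar(restrict(sys, high), compose_high(sys, user, high))

HIGH = {"h"}
# Slide processes as transition systems (state names constructed for this example)
HBA_A = lts([("s0", "h", "s1"), ("s1", "b", "s2"), ("s2", "a", "s3"), ("s0", "a", "s4")], "s0")  # h.b.a.0 + a.0
HA_A = lts([("s0", "h", "s1"), ("s1", "a", "s2"), ("s0", "a", "s3")], "s0")                        # h.a.0 + a.0
HHA_A = lts([("s0", "h", "s1"), ("s1", "h", "s2"), ("s2", "a", "s3"), ("s0", "a", "s4")], "s0")  # h.h.a.0 + a.0
AQ = lts([("P", "a", "Q"), ("Q", "h", "Q"), ("Q", "b", "0")], "P")                                # P = a.Q, Q = h.Q + b.0
H_ONCE = lts([("u0", "h", "u1")], "u0")                                                           # high user h*.0

if __name__ == "__main__":
    for name, proc in [("h.b.a.0 + a.0", HBA_A), ("h.a.0 + a.0", HA_A),
                       ("h.h.a.0 + a.0", HHA_A), ("a.Q, Q = h.Q + b.0", AQ)]:
        print(f"{name:22} int-secure: {int_secure(proc, HIGH)}")
    print("h.h.a.0 + a.0 comp-secure against h*.0:", comp_secure_against(HHA_A, H_ONCE, HIGH))
```

The signature of a state includes the block of every state reachable by internal steps (including itself), so each refinement round can only split blocks; the loop stops at the first round that splits nothing. h.h.a.0 + a.0 passes int but fails comp against h*.0 because after one synchronized h the second h is blocked and the composed system can silently deadlock, which a.0 cannot.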

Page 41: Non-interference Properties for Probabilistic Processes

[Figure: the process h.a.0 + τ.a.0 + b.0 from the low user standpoint. If the high user does not interact, the low user may observe b (or a); if the high user interacts, the low user observes a.]

Nondeducibility on Composition is not enough! …but the event b informs the low user that the high user did not interact.

Page 42: Non-interference Properties for Probabilistic Processes

Strong Nondeducibility on Composition (scomp)

Intuition: the low user should not distinguish which, if any, high level event has occurred at some point in the past.

Formally: for any derivative P1 of P and for any P2 such that P1 reaches P2 by a high action, we have that P1 with ATypeH restricted is weakly bisimilar to P2 with ATypeH restricted.

Page 43: Non-interference Properties for Probabilistic Processes

Example (1)

P = h.a.0 + τ.a.0 + b.0

P with ATypeH restricted is τ.a.0 + b.0. After the high action h, P becomes a.0, whose restriction is a.0. The two are not weakly bisimilar, so P is not scomp-secure.

Page 44: Non-interference Properties for Probabilistic Processes

Example (2)

[Figure: a process over the high types h, k and the low types a, b (its term is only partly legible in the transcript). Without high interactions its low view is τ.a.0 + τ.b.0; after a high interaction with action h it is b.0; after a high interaction with action k it is a.0; the slide compares these views under weak bisimulation.]

Page 45: Non-interference Properties for Probabilistic Processes

Inclusion relations

[Figure: nested sets of secure processes: scomp is included in comp, which is included in int.]

Page 46: Non-interference Properties for Probabilistic Processes

Outline

– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities

Page 47: Non-interference Properties for Probabilistic Processes

A probabilistic process algebra

Algebraic operators are enriched with probabilistic information: a mixture of the classical generative and reactive models of probability is adopted.

P : 0 | .P (prefix) | P +p P (probabilistic choice) | P ||Sp P (probabilistic parallel composition) | P ap (probabilistic hiding of the type a) | A (constant)

with S in P(AType - {τ}), a in AType - {τ}, and p in ]0,1[

Page 48: Non-interference Properties for Probabilistic Processes

Input actions as reactive actions

1. The type a of the action to be performed is chosen by the environment.
2. The system chooses an action a* according to the probability distribution associated to the input actions of type a.

[Figure: a process P with input transitions labeled a*, b*, b* leading to Q, grouped by type.]
• Transitions are divided into type bundles
• The choice within a bundle is purely probabilistic
• The choice among bundles is nondeterministic (guided by the environment)
• The sum of the probabilities within a bundle is to be 1

Page 49: Non-interference Properties for Probabilistic Processes

Output (and internal) actions as generative actions

The system autonomously decides the action to be performed according to the probability distribution associated to the enabled output actions.

[Figure: output transitions labeled b, a, b in one bundle.]
• Transitions are grouped in a single bundle
• The sum of the probabilities within the bundle is to be 1

Page 50: Non-interference Properties for Probabilistic Processes

A mixed generative/reactive model

A single generative bundle contains all the output transitions which can be executed by the system. We have several reactive bundles, one for each action type. [Segala’95, Stark et al.’97]

[Figure: a generative bundle with transitions b, a, b; a reactive bundle of type b with transitions b*, b*; a further reactive transition c* in its own bundle.]

Page 51: Non-interference Properties for Probabilistic Processes

Probabilistic choice

a +p b expresses a probabilistic choice between two output actions: a is chosen with probability p while b is chosen with probability 1-p.

a* +p a*: the same!

a* +p b* and a +p b*: the choice is nondeterministic; p is not considered (usually we omit it).

Page 52: Non-interference Properties for Probabilistic Processes

Example: mixed choice

(a +p b*) +q (c +r b*)

[Figure: the resulting bundles: the generative bundle chooses a with probability q and c with probability 1-q; the reactive bundle of type b chooses the lefthand b* with probability q and the righthand b* with probability 1-q.]

Parameters p and r are not used because they are attached to operators which refer to nondeterministic choices; parameter q guides the probabilistic choice between the two generative actions a and c and between the two reactive actions of type b.

Page 53: Non-interference Properties for Probabilistic Processes

Probabilistic parallel composition

P ||Sp Q performs the actions of P and Q by following:
1. the synchronization policy described in the nondeterministic case,
2. the probabilistic mechanism described for the choice operator, as in ACP [Baeten et al.’95].

Note: the probabilities of the actions which can be executed by the composed system are normalized [van Glabbeek et al.’95].

Page 54: Non-interference Properties for Probabilistic Processes

Probabilistic parallel composition

(a +q b) ||Sp c

• if a, b, c are not in S, then the system can execute the output action a with probability pq, the action b with probability p(1-q), or the action c with probability 1-p.
• if a and b are not in S and c is in S, then the system can execute output actions of the lefthand process only, i.e. a with probability q or b with probability 1-q.
• if a and c are not in S and b is in S, then the system can execute the action a of the lefthand process with probability p or the action c of the righthand process with probability 1-p.

Page 55: Non-interference Properties for Probabilistic Processes

Probabilistic parallel composition

(a +q b) ||Lp 0

• All the actions of the lefthand process which belong to the synchronization set L cannot be executed! Parameter p is not used.
• The probabilities of the remaining executable actions are redistributed so that the overall probability of each bundle is still 1.
• Example: if a is in L, then the system can execute the action b only, with probability 1.

We use the restriction P L to stand for P ||Lp 0, for any p.
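Added example, not from the slides: Python code for the normalization rule of Pages 54–55 applied to the generative bundles of (a +q b) ||Sp c and of the restriction P L = P ||Lp 0. A bundle is a dict from action to probability; the helper names (parallel_bundle, restrict_bundle) and the numeric values are this example's own, and the example assumes the two sides use distinct action names and that an output in the synchronization set has no matching input on the other side (so it is blocked, as in the three cases of Page 54).

```python
import math

def normalise(bundle):
    """Rescale a bundle (action -> weight) so that its weights sum to 1;
    an empty bundle (nothing executable) stays empty."""
    total = sum(bundle.values())
    return {a: w / total for a, w in bundle.items()} if total else {}

def parallel_bundle(left, right, p, sync):
    """Generative bundle of  left ||_p^sync right  for two processes whose
    generative bundles are given as action -> probability.  Outputs in the
    synchronisation set are blocked (no matching input here).  The left side
    gets weight p and the right side 1-p only when both sides can still move;
    otherwise the surviving side keeps its own normalised bundle and p is unused."""
    assert not set(left) & set(right), "example assumes distinct action names"
    l = normalise({a: w for a, w in left.items() if a not in sync})
    r = normalise({a: w for a, w in right.items() if a not in sync})
    if l and r:
        return {**{a: p * w for a, w in l.items()},
                **{a: (1 - p) * w for a, w in r.items()}}
    return l or r            # only one side can move: its bundle as is, p not used

def restrict_bundle(bundle, L):
    """P restricted on L, i.e. P ||_p^L 0: actions with type in L are removed and
    the rest renormalised so that the bundle still sums to 1 (p plays no role)."""
    return normalise({a: w for a, w in bundle.items() if a not in L})

def same(b1, b2):
    """Compare two bundles up to floating-point rounding."""
    return set(b1) == set(b2) and all(math.isclose(b1[a], b2[a]) for a in b1)

if __name__ == "__main__":
    p, q = 0.5, 0.2
    left, right = {"a": q, "b": 1 - q}, {"c": 1.0}       # (a +_q b) and c
    print(parallel_bundle(left, right, p, set()))        # a: pq, b: p(1-q), c: 1-p
    print(parallel_bundle(left, right, p, {"c"}))        # a: q, b: 1-q
    print(parallel_bundle(left, right, p, {"b"}))        # a: p, c: 1-p
    print(restrict_bundle(left, {"a"}))                  # b: 1
    print(same(parallel_bundle(left, {}, 0.3, {"a"}), restrict_bundle(left, {"a"})))
```

The last line checks the Page 55 reading of restriction as composition with the null process: composing with an empty bundle and blocking a leaves exactly the renormalised remainder.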

Page 56: Non-interference Properties for Probabilistic Processes

Probabilistic hiding

Case 1: P = a +q b (probabilistic choice between two visible actions).

Hiding a in P with parameter p gives τ +q b (probabilistic choice between an internal action and a visible action).

The choice is already probabilistic, therefore parameter p of the hiding operator is not considered!

Page 57: Non-interference Properties for Probabilistic Processes

Probabilistic hiding

Case 2: P = a* +q b (nondeterministic choice between two visible actions – parameter q is not considered).

Hiding a in P with parameter p gives τ +p b (probabilistic choice between an internal action and a visible action).

A nondeterministic choice becomes a probabilistic choice: parameter p of the hiding operator is needed!

Page 58: Non-interference Properties for Probabilistic Processes

Probabilistic hiding

Parameter p is used to turn nondeterministic choices between reactive actions of type a and generative actions into probabilistic choices between internal actions and generative actions. This corresponds to the execution of a synchronization between a* and an action a performed by the environment that gives rise to an internal action. In this way, the hiding operator turns open systems, which can interact with the environment, into closed systems, which are fully specified.

Page 59: Non-interference Properties for Probabilistic Processes

Equivalence

We introduce a notion of probabilistic weak bisimulation. The classical weak transition is replaced by the probability of reaching classes of equivalent states.

Note:
– G denotes the set of processes of the calculus
– τ*a denotes the set of sequences τ*a if a is a generative visible action, and the set of sequences τ* if a = τ
– GAct denotes the set of generative actions
– RAct denotes the set of reactive actions

Page 60: Non-interference Properties for Probabilistic Processes

Probabilistic weak bisimulation [Baier & Hermanns’97]:

A relation R in G x G is a probabilistic weak bisimulation iff whenever (P,Q) is in R then for all C in G/R:
• Prob(P,τ*a,C) = Prob(Q,τ*a,C) for all a in GAct
• Prob(P,a*,C) = Prob(Q,a*,C) for all a* in RAct

Probabilistic weak bisimulation equivalence is denoted with subscript PB.

Page 61: Non-interference Properties for Probabilistic Processes

Probabilistic weak bisimulation: an example

[Figure: one system executes a with probability 1/2 and b with probability 1/2; the other executes a with probability 1/3 and b with probability 1/3.]

The two systems are equivalent.

Page 62: Non-interference Properties for Probabilistic Processes

Outline

– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities

Page 63: Non-interference Properties for Probabilistic Processes

Security analysis and probability

We extend the definition of the nondeterministic security properties in our probabilistic setting.

NOTE: we consider probabilistic processes which are well defined, i.e. the probability of observing, at some point in the future, a visible action cannot tend to zero.

Page 64: Non-interference Properties for Probabilistic Processes

Probabilistic Non-interference (intpr)

Intuition: a system P is secure iff the probabilistic low view of P is not altered by the probabilistic behavior of the high users.

Formally (denoting by h1…hP the high level action types which syntactically occur within P): P with ATypeH restricted is probabilistically weakly bisimilar to P with h1 hidden with parameter p1, …, hP hidden with parameter pP, for any sequence of probabilities p1…pP in ]0,1[.

Page 65: Non-interference Properties for Probabilistic Processes

An Example

P = τ.(τ.a + h.b) + b, with the probabilistic choices at .5 / .5 (a, b: low; h: high)

[Figure: the trees obtained by hiding the high events and by restricting the high events, each branching with probabilities .5 and .5; the slide compares them under weak bisimulation (subscript B) and probabilistic weak bisimulation (subscript PB).]

Page 66: Non-interference Properties for Probabilistic Processes

Probabilistic Non-interference

The universal quantification over all possible probability distributions of the hidden reactive high actions is needed to verify the influence of the high activities upon the low view.

EXAMPLE: P = h*.a + (τ.a +q b)

The nondeterministic process P is int-secure. In the probabilistic setting, the nondeterministic choice can be probabilistically resolved by the high user which interacts with the system, thus altering the probability of observing the low event a (b).

[Figure: P with ATypeH restricted is τ.a +q b; P with h hidden with parameter p is τ.a +p (τ.a +q b); the two are not probabilistically weakly bisimilar for any choice of p in ]0,1[.]

Page 67: Non-interference Properties for Probabilistic Processes

Probabilistic Non-interference

EXAMPLE: P = h*.a + a

[Figure: P with h hidden with parameter p is τ.a +p a, which is probabilistically weakly bisimilar to a for any choice of p in ]0,1[.]

The low view of P is represented by the execution of the low action a with probability 1. The high user which solves the nondeterministic choice in P cannot alter such a view.

Page 68: Non-interference Properties for Probabilistic Processes

Probabilistic Non-interference

EXAMPLE: P = (a +p a.b) +q a.h.b

[Figure: the generative bundle of P: a with probability pq; a with probability (1-p)q, followed by b with probability 1; a with probability 1-q, followed by h with probability 1 and then b with probability 1.]

The nondeterministic version of P is int-secure.

If the high user interacts, then the probability of observing the sequence a.b is 1-pq.

If the high user does not interact, then the probability of observing the sequence a.b is (1-p)q.

P is not intpr-secure!

Page 69: Non-interference Properties for Probabilistic Processes

Probabilistic Non-interference

A pure probabilistic covert channel [Sabelfeld & Sands’00]:

low variable l := high variable h OR random value

High values and random values belong to the same domain.

In a nondeterministic setting, since the choice between the two different assignments is left underspecified and since the set of low outputs does not change with or without high interactions, the system is considered to be secure.

In a probabilistic setting, if we observe the frequency of the possible low outcomes of the low level variable, then we may infer the high behavior.

EXAMPLE: l := h +.7 random value (and we assume h = 1) may give rise, after repeated executions of the system, to the sequence of outcomes: 0,1,1,1,3,1,2,1,1,1,1,4,0,1,1,1,3,1,1,1
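Added example, not from the slides: Python code for the covert channel l := h +.7 random value on a constructed domain {0,…,4} shared by high values and random values. It contrasts the possibilistic view (the set of possible low outputs, identical for every h) with the probabilistic view (the exact output distribution, which singles out h), and simulates repeated executions with a seeded generator so that the low observer's frequency count recovers h. DOMAIN, P_COPY and the helper names are this example's own.

```python
from collections import Counter
from fractions import Fraction
import random

DOMAIN = range(5)              # constructed: high values and random values share {0,...,4}
P_COPY = Fraction(7, 10)       # the slide's "+.7": copy h with probability .7, else a random value

def output_distribution(h):
    """Exact distribution of the low variable l for a given high value h."""
    dist = {v: (1 - P_COPY) / len(DOMAIN) for v in DOMAIN}   # uniform random value
    dist[h] += P_COPY                                         # plus the copy of h
    return dist

def possibilistic_view(h):
    """What a nondeterministic observer sees: the set of possible low outputs."""
    return {v for v, pr in output_distribution(h).items() if pr > 0}

def run_system(h, runs, seed=0):
    """Repeated executions of  l := h +.7 random  with a seeded generator."""
    rng = random.Random(seed)
    return [h if rng.random() < float(P_COPY) else rng.choice(DOMAIN) for _ in range(runs)]

def infer_high(outcomes):
    """The low observer's guess after repeated runs: the most frequent outcome."""
    return Counter(outcomes).most_common(1)[0][0]

if __name__ == "__main__":
    print(possibilistic_view(1) == possibilistic_view(3))         # same set of low outputs
    print(output_distribution(1)[1], output_distribution(3)[1])   # 19/25 versus 3/50
    print(run_system(1, 20, seed=1), "->", infer_high(run_system(1, 20, seed=1)))
```

With probability .7 of copying, the value h is produced with probability 19/25 while every other value appears with probability 3/50, so the mode of a handful of runs already identifies h even though the set of possible outputs never changes.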

Page 70: Non-interference Properties for Probabilistic Processes

Probabilistic Non-interference

Similarly, in our process algebraic setting we may consider the following system:

P = (a +p b) +r h.(a +q b)

If the high user interacts, then the probabilistic choice between the low actions a and b is guided by parameter q. If the high user does not interact, then the probabilistic choice between the low actions a and b is guided by parameter p. The system is int-secure iff p = q.

NOTE: the nondeterministic version of process P is S-secure (with S in {int, comp, scomp}).

Page 71: Non-interference Properties for Probabilistic Processes

Probabilistic Non-deducibility on Composition (comppr)

Formally: P with ATypeH restricted is probabilistically weakly bisimilar to the composition (with parameter p, synchronizing on {h1,…,hk}) of P with the high user, with the high types h1,…,hk hidden with parameters p1,…,pk and ATypeH restricted, for any high user, any high communication interface {h1,…,hk}, and any probabilities p, p1,…,pk in ]0,1[.

Page 72: Non-interference Properties for Probabilistic Processes

comppr: example

P = (τ.(a + h) + τ.(a + τ)) + k*.a, with probabilistic parameters p, p, 1-p, p on the choices (h, k: high level types – a: low level type)

• P is intpr-secure
• Intuitively, the high user can:
  1. block the execution of the action k
  2. wait for the internal probabilistic choice
  3. accept (block) the execution of the action h
• Formally, by taking as high user the process that performs h and the synchronization set {h,k}, it turns out that P is not comppr-secure

Page 73: Non-interference Properties for Probabilistic Processes

Strong comppr (scomppr)

As in the nondeterministic case, a stronger formulation of the comppr property is given in order to avoid the universal quantification over all possible high level users.

Formally: for any derivative P1 of P and for any P2 such that P1 reaches P2 by an action with type in ATypeH and probability p in ]0,1], we have that P1 with ATypeH restricted is probabilistically weakly bisimilar to P2 with ATypeH restricted.

Page 74: Non-interference Properties for Probabilistic Processes

Inclusion Relations

[Figure: nested sets of secure processes: scomppr is included in comppr, which is included in intpr.]

Page 75: Non-interference Properties for Probabilistic Processes

Inclusion Relations

Given a nondeterministic security property SP and its probabilistic counterpart SPpr, then we have

SPpr ⊂ SP

meaning that if P is SPpr-secure, then the nondeterministic version of P is SP-secure.

Page 76: Non-interference Properties for Probabilistic Processes

Inclusion Relations

[Figure: the six properties drawn as nested sets: scomppr within comppr within intpr, and scomp within comp within int, each probabilistic property lying inside its nondeterministic counterpart; two processes P and Q are marked as points in the diagram.]

Page 77: Non-interference Properties for Probabilistic Processes

Outline

– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities

Page 78: Non-interference Properties for Probabilistic Processes

Probability & Non-interference

[Figure: a process P with the low level activities a, b and a high level activity h; information flow from H to L… quite negligible!]

Page 79: Non-interference Properties for Probabilistic Processes

Probability & Non-interference

Probabilistic information can be employed to quantify the probability associated to each information flow, thus allowing the modeler to estimate the probability of observing insecure behaviors.

Weak bisimulation is too sensitive and does not allow one to relate probabilistic processes which behave almost the same.

Relaxed notions of security properties may allow one to consider as secure those systems where the probability of observing an information flow is negligible.

Page 80: Non-interference Properties for Probabilistic Processes

Bisimulation with ε-precision

We pass to a relaxed definition of bisimulation which is able to tolerate small ε-fluctuations.

A relation R in G x G is a probabilistic weak bisimulation with ε-precision iff whenever (P,Q) is in R then for all C in G/R:
• |Prob(P,τ*a,C) - Prob(Q,τ*a,C)| < ε for all a in GAct
• |Prob(P,a*,C) - Prob(Q,a*,C)| < ε for all a* in RAct

Page 81: Non-interference Properties for Probabilistic Processes

Bisimulation with ε-precision: example

As we have seen, the system P = (a +p a.b) +q a.h.b is not intpr-secure. However, if q is a value close to 0, then the low level outcome of repeated executions of the system changes according to negligible fluctuations with or without the interaction of the high user. Formally, P is intpr-secure if we employ as the notion of equivalence the probabilistic weak bisimulation with ε-precision.
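Added example, not from the slides: Python code serving Page 68, Page 70 and the ε-precision discussion of Pages 80–81. Processes are tree-shaped generative bundles, written as lists of (probability, action, continuation); hiding turns h into the internal action, restriction removes the h branches and renormalises the rest as on Page 55; the low view is summarised by the distribution of observable traces, a simpler stand-in for the probabilistic weak bisimulation check of the slides that is adequate for these finite trees. The weight placement follows the Page 68 figure, q on the inner choice and 1-q on a.h.b, so the gap between the two low views equals the weight of the a.h.b branch and is negligible exactly when that branch is improbable. The names page68, page70, low_view_gap and intpr_secure are this example's own.

```python
from collections import defaultdict

TAU, STOP = "tau", None   # internal action; None stands for the terminated process 0

# A generative process is a list of branches (probability, action, continuation);
# the branches of one list form a single bundle whose probabilities sum to 1.

def hide_high(proc, high):
    """P with the high types hidden: high actions become tau, weights unchanged."""
    if proc is STOP:
        return STOP
    return [(w, TAU if a in high else a, hide_high(k, high)) for w, a, k in proc]

def restrict_high(proc, high):
    """P with the high types restricted: high branches are removed and the
    remaining weights renormalised (Page 55 rule); nothing left means 0."""
    if proc is STOP:
        return STOP
    keep = [(w, a, restrict_high(k, high)) for w, a, k in proc if a not in high]
    total = sum(w for w, _, _ in keep)
    return [(w / total, a, k) for w, a, k in keep] if keep else STOP

def trace_dist(proc):
    """Probability of each observable (tau-free) trace: dict trace-tuple -> prob."""
    if proc is STOP:
        return {(): 1.0}
    dist = defaultdict(float)
    for w, a, k in proc:
        for trace, pr in trace_dist(k).items():
            dist[trace if a == TAU else (a,) + trace] += w * pr
    return dict(dist)

def low_view_gap(proc, high):
    """Largest difference, over all low traces, between the low view with the
    high actions hidden and the low view with the high actions restricted."""
    h, r = trace_dist(hide_high(proc, high)), trace_dist(restrict_high(proc, high))
    return max(abs(h.get(t, 0.0) - r.get(t, 0.0)) for t in set(h) | set(r))

def intpr_secure(proc, high, eps=1e-12):
    """eps ~ 0: the two low views must coincide (intpr on trace distributions);
    a larger eps tolerates fluctuations below eps, in the spirit of
    bisimulation with eps-precision.  The tiny default only absorbs rounding."""
    return low_view_gap(proc, high) < eps

def page68(p, q):
    """(a +_p a.b) +_q a.h.b: weight q on the inner choice, 1-q on a.h.b."""
    return [(p * q, "a", STOP),
            ((1 - p) * q, "a", [(1.0, "b", STOP)]),
            (1 - q, "a", [(1.0, "h", [(1.0, "b", STOP)])])]

def page70(p, q, r):
    """(a +_p b) +_r h.(a +_q b): weight r on the lefthand summand."""
    return [(r * p, "a", STOP), (r * (1 - p), "b", STOP),
            (1 - r, "h", [(q, "a", STOP), (1 - q, "b", STOP)])]

if __name__ == "__main__":
    H = {"h"}
    print(trace_dist(hide_high(page68(0.5, 0.5), H)))       # a.b has probability 1 - pq
    print(trace_dist(restrict_high(page68(0.5, 0.5), H)))   # a.b has probability (1-p)q
    print(low_view_gap(page68(0.5, 0.99), H), intpr_secure(page68(0.5, 0.99), H, eps=0.05))
    print(intpr_secure(page70(0.3, 0.3, 0.6), H), intpr_secure(page70(0.3, 0.7, 0.6), H))
```

For page68 the gap is 1-q, the probability of the a.h.b branch, so the ε-relaxed check passes precisely when that branch is rarer than ε; for page70 the gap is (1-r)|q-p|, zero exactly when p = q, which is the Page 70 condition.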

Page 82: Non-interference Properties for Probabilistic Processes

Bisimulation with ε-precision: example (2)

P = h.a +p τ.(b +q h.b)

[Figure: from P, h with probability p leads to a (probability 1), the insecure component; τ with probability 1-p leads to the secure component Q = b +q h.b, in which b has probability 1-q and h has probability q, followed by b with probability 1.]

Page 83: Non-interference Properties for Probabilistic Processes

Bisimulation with ε-precision: example (2)

P = h.a +p τ.(b +q h.b)

The probability of reaching the secure component Q is 1-p. The probability of reaching the insecure component is p.

[Figure: P with ATypeH restricted is compared under probabilistic weak bisimulation with ε-precision with P with h hidden with parameter r, for any r in ]0,1[. Given p, the slide works out the resulting fluctuation in terms of p; in particular, the secure component Q is related to itself for any Q.]

Page 84: Non-interference Properties for Probabilistic Processes

Quantifying information flows

Systems which need an estimation of the illegal information flows: PROBABILISTIC ALGORITHMS.

Among the possible behaviors of the algorithm we also have an unwanted, insecure behavior which usually is executed with a probability close to 0.

EXAMPLES: probabilistic non-repudiation; asynchronous Byzantine agreement.

Page 85: Non-interference Properties for Probabilistic Processes

Conclusion

1. The process algebraic approach to probabilistic non-interference is a natural, conservative extension of the nondeterministic non-interference theory.

2. Probabilistic information can be employed to quantify information flow.

Page 86: Non-interference Properties for Probabilistic Processes

Conclusion

Future work

Analysis of probabilistic cryptographic protocols:
• generalized, easily verifiable notion of security

Extension of the calculus with message handling and cryptography:
• relaxation of the assumption of perfect cryptography

Page 87: Non-interference Properties for Probabilistic Processes

References

1. A. Aldini, M. Bravetti, "An Asynchronous Calculus for Generative-Reactive Probabilistic Systems", in Proc. of the 8th Int. Workshop on Process Algebra and Performance Modeling (PAPM’00), Rolim et al. (Eds.), pp. 591-605, Carleton Scientific, Geneve, 2000.

2. A. Aldini, "Probabilistic Information Flow in a Process Algebra", in Proc. of the 12th Int. Conference on Concurrency Theory (CONCUR'01), Springer LNCS 2154, pp. 152-168, Aalborg, 2001.

3. A. Aldini, "On the Extension of Non-interference with Probabilities", in the 2nd ACM SIGPLAN and IFIP WG 1.7 Workshop on Issues in the Theory of Security (WITS'02), Portland, Oregon, 2002.

4. A. Aldini, R. Gorrieri, "Security Analysis of a Probabilistic Non-repudiation Protocol", in Proc. of the 2nd Joint Int. Workshop on Process Algebra and Performance Modelling, Probabilistic Methods in Verification (PAPM-PROBMIV'02), Springer LNCS 2399, pp. 17-36, Copenhagen, 2002.

5. A. Aldini, M. Bravetti, R. Gorrieri, "A Process Algebraic Approach for the Analysis of Probabilistic Non-interference", Tech. Rep. UBLCS-2002-02, University of Bologna (Italy), 2002.

Page 88: Non-interference Properties for Probabilistic Processes

Thank you!

http://www.cs.unibo.it/~aldini, ~bravetti, ~gorrieri

{aldini,bravetti,gorrieri}@cs.unibo.it