Beyond Traces and Independence

Abstract: Abstract. The formal methods, fault-tolerance, and cyber-security research communities explore models that differ from each other. The differences frustrate efforts at cross-community collaboration. Moreover, ignorance about these differences means the status quo is likely to persist. This paper discusses two of the key differences: (i) the trace-based semantic foundation for formal methods and (ii) the implicit notions of independence.

“…Given the above history, it is appealing to specify a cybersystem as a set of traces, and therefore as a subset of a security property that is also specified as a set of traces. Unfortunately, security properties are not trace properties as shown in [8,5,14] and refreshed below. First, noninterference is a security property that captures the intuition that system security is preserved as long as high-clearance (or high-privilege) processes cannot influence the behavior of lowclearance (low-privilege) processes.…”

Emergent behavior in cybersecurity

“…Given the above history, it is appealing to specify a cybersystem as a set of traces, and therefore as a subset of a security property that is also specified as a set of traces. Unfortunately, security properties are not trace properties as shown in [8,5,14] and refreshed below. First, noninterference is a security property that captures the intuition that system security is preserved as long as high-clearance (or high-privilege) processes cannot influence the behavior of lowclearance (low-privilege) processes.…”

Emergent behavior in cybersecurity

Security Measurement Steps, Missteps, and Next Steps

FORTRESS: Adding Intrusion-Resilience to Primary-Backup Server Systems