Multilevel Transitive and Intransitive Non-interference, Causally

Baldan, Paolo; Beggiato, Alessandro

doi:10.1007/978-3-319-39519-7_1

Cited by 4 publications

(4 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many variants of Goguen and Meseguer's definition [27] of noninterference were proposed with finite-state automaton [28], relational Hoare-type theory [29], Petri nets [30], game theory [26], etc. Ryan and Schneider [26] redefined the noninterference concept using CSP verification model [31] based on process equivalence.…”

Section: Noninterference Analysis For Eilcmmentioning

confidence: 99%

See 1 more Smart Citation

A Noninterference Model for Mobile OS Information Flow Control and Its Policy Verification

Yuan

Yang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

Mobile operating systems such as Android are facing serious security risk. First, they have a large number of users and store a large number of users’ private data, which have become major targets of network attack; second, their openness leads to high security risks; third, their coarse-grained static permission control mechanism leads to a large number of privacy leaks. Recent decentralized information flow control (DIFC) operating systems such as Asbestos, HiStar, and Flume dynamically adjust the label of each process. Asbestos contains inherent covert channels due to this implicit label adjustment. The others close these covert channels through the use of explicit label change, but this impedes communication and increases performance overhead. We present an enhanced implicit label change model (EILCM) for mobile operating systems that can close the known covert channel in these models with implicit label change and supports dynamic constraints on tags for separation of duty. We also formally analyze the reasons why EILCM can close the known covert channels and prove that abstract EILCM systems have the security property of noninterference with declassification by virtue of the model checker tool FDR. We also prove that the problem of EILCM policy verification is NP-complete and propose a backtrack-based search algorithm to solve the problem. Experiments are presented to show that the algorithm is effective.

show abstract

Section: Noninterference Analysis For Eilcmmentioning

confidence: 99%

“…is is called intransitive noninterference [33] or noninterference with declassification [18,29,30,34]. Some works analyzed formally Android programs [35], Java programs [36], and microkernel [37] with noninterference theory, while their analyses are not automated.…”

Section: Proof Of Noninterference Property Of Eilcmmentioning

confidence: 99%

A Noninterference Model for Mobile OS Information Flow Control and Its Policy Verification

Yuan

Yang

et al. 2021

Security and Communication Networks

View full text Add to dashboard Cite

show abstract

“…It would be interesting to compare how our definitions relate to those for other true concurrency models, e.g. those for Petri Nets [Baldan and Beggiato 2018;Baldan and Carraro 2014].…”

Section: Further Related Workmentioning

confidence: 99%

SecRSL: security separation logic for C11 release-acquire concurrency

Yan

Murray

2021

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

We present Security Relaxed Separation Logic (SecRSL), a separation logic for proving information-flow security of C11 programs in the Release-Acquire fragment with relaxed accesses. SecRSL is the first security logic that (1) supports weak-memory reasoning about programs in a high-level language; (2) inherits separation logic’s virtues of compositional, local reasoning about (3) expressive security policies like value-dependent classification. SecRSL is also, to our knowledge, the first security logic developed over an axiomatic memory model. Thus we also present the first definitions of information-flow security for an axiomatic weak memory model, against which we prove SecRSL sound. SecRSL ensures that programs satisfy a constant-time security guarantee, while being free of undefined behaviour. We apply SecRSL to implement and verify the functional correctness and constant-time security of a range of concurrency primitives, including a spinlock module, a mixed-sensitivity mutex, and multiple synchronous channel implementations. Empirical performance evaluations of the latter demonstrate SecRSL’s power to support the development of secure and performant concurrent C programs.

show abstract

“…Baldan and Carraro give a characterisation of noninterference based on unfoldings of 1safe Petri nets in terms of causalities and conflicts in [32]. In [33], multilevel noninterference properties are studied based on causal characterisations in the unfolding semantics of safe net systems. In [34], the authors provide an algorithm to compute all the minimal solutions for enforcing noninterference on bounded Petri nets by using linear integer programming techniques.…”

Section: Introduction and Related Workmentioning

confidence: 99%

A Finite Prefix for Analyzing Information Flow Among Transitions of a Free-Choice Net

2022

View full text Add to dashboard Cite

In distributed systems, the occurrence of an action can give information about the occurrence of other actions. This can be an unwanted situation when "high" actions of the system need to be kept secret, while allowing users to observe "low" actions. If it is possible to deduce information about occurrence of high actions by observing only low actions, then the system suffers from an unwanted information flow. "Reveals" and "excludes" relations were introduced for modelling and analysing such an information flow among actions of a distributed system that is modelled via Petri nets. In this paper, we provide a formal basis for computing reveals and excludes relations of 1-safe free-choice Petri nets. We introduce the "maximalstep computation tree" to represent the behaviour of a distributed system under maximal-step semantics. We define a finite prefix of the tree called "full prefix" and we show that it is adequate for analysing information flow by means of reveals and excludes relations.

show abstract

Multilevel Transitive and Intransitive Non-interference, Causally

Cited by 4 publications

References 27 publications

A Noninterference Model for Mobile OS Information Flow Control and Its Policy Verification

A Noninterference Model for Mobile OS Information Flow Control and Its Policy Verification

SecRSL: security separation logic for C11 release-acquire concurrency

A Finite Prefix for Analyzing Information Flow Among Transitions of a Free-Choice Net

Contact Info

Product

Resources

About