describing secure interfaces with interface automata · 2010. 4. 23. · with interface automata...

Interfaces Structure for SecurityDeriving secure ISS

Preserving BSNNI after CompositionContribution and future works

Describing Secure Interfaceswith Interface Automata

Matias Lee Pedro R. D’Argenio

FaMAF - UNCCONICET

FESCA Workshop

Matias Lee, Pedro R. D’Argenio Interface Structure for Security



Outline

1 Interfaces Structure for SecurityInterfaces Automata and Interface Structure For SecurityCompositionBisimulation-based (Strong) Non-deterministicNon-interference

2 Deriving secure ISSChecking BSNNISynthesizing Secure ISSThe algorithm - Example

3 Preserving BSNNI after CompositionPreserving BSNNI after Composition

4 Contribution and future works




Interfaces Automata and Interface Structure For SecurityWhy IA and ISS?CompositionBisimulation-based (Strong) Non-deterministic Non-interference

Outline









Interface Automata (IA):

We use Interface Automata [De Alfaro, Hezinger 2001,2005]to represent interfaces. E.g.:

s1 s2 s3

s4 s5 s6

s7

�� newT? // startT ! //

endT?

��

newT? // startT ! //

endT?kk

logM!

[[

startM?��endM?

BB''acceptT?

IA has three different sorts of actions: input, output and hidden.As usual, input are suffixed by ? and output by !. We indicate hidden

actions by suffixing ;.





Interface Structure for Security (ISS)

Extends IA to cope with security.Visible actions are separated in two classes:

public or low: can be observed/manipulated by any userprivate or high: only for users with appropiate clearance.

s1 s2 s3

s4 s5 s6

s7


endT?

��


endT?kk

logM!

[[

startM?��

endM?BB''acceptT?

High actions are underlined





Why IA and ISS?

Component Based Development and Design has becomemain approach for software development. Example: webservices.We need good interface description that allows us toanalyze interaction between components. In this way, wecan predict if the composed system can satisfy ourrequirements.IA captures temporal aspects of the component interface.This framework requires that the communication isproperly carried out by the interfaces.ISS inherits the properties of IA and also allows us to studyproperties related with secure data flow.





Example:

A distributed transaction processing system (DTPS):a main server (Transaction Service) that provides a servicea remote transaction process unit (Trans. Processing Unit)a supervisor module (Supervisor).





s1 s2 s3

s4 s5 s6

s7

Transaction Service


endT?

��


endT?kk

logM!

[[

startM?��

endM?BB''acceptT?

t1 t2 t4

t3

Trans. Processing Unit

�� startT? //

ok!��

nOk! //

logF !{{endT !

cc

u1 u2 u3

u4u5

Supervisor

��''logF?mOn? // startM!//

gg

logM?

logF?��

logM?oo

endM!

ZZ





We are interested in studyinghow the components work together.

Therefore, we need a concept of composition.





Outline









Composition

CSP likes parallel composition in IA:the state space is the product of the set of states of thecomponents,synchronization through shared action, i.e. bothcomponent should perform a transition with the samesynchronizing label (one input, and the other output), andtransitions with non-shared actions are interleaved.

Besides, shared actions are hidden in the product.





s1t1u1 s1t1u2 s4t1u3

s3t3u1 s2t1u1 s4t1u5 s7t1u3 s5t1u3


s6t3u4 s6t4u3


//

acceptT?

��

acceptT?

��

newT?

��

startT ;

��

ok!

gg

nOk!oo

logF ;

OO

endT ;

33mOn? // startM; //

newT?

��

startT ;

��ok!oo

endT ;

OO

logM;

33

nOk!pp

logF ;oo

endT ;

OO

logM;

OO

endM;ll

newT?

ee startT ;//

nOk!//





Error, Incompatible and Compatible states

In state s3t4u2, the TP unit sends a message (LogF!) to theSupervisor, which is not ready to receive it. We call thismiscommunication. The state s3t4u2 is an error state.States s3t3u2 and s2t1u2 are incompatibles states becausethey reach an error/incompatible state autonomously (i.e.using only output and/or hidden actions).A state that is not incompatible is called compatible.For example, s1t1u2 is compatible.If the initial state of the product is compatible, then theinterfaces are compatible.








s6t3u4 s6t4u3


��

acceptT?

��

acceptT?

��

newT?

��

startT ;

��

ok!

gg

nOk!oo

logF ;

OO

endT ;


newT?

��

startT ;

��ok!oo

endT ;

OO

logM;

33

nOk!pp

logF ;oo

endT ;

OO

logM;

OO

endM;ll

newT?

ee startT ;//

nOk!//

logF !//





2nd Step: Avoid reaching incompatibles states

If a set of interfaces are compatible,reaching incompatibles states in the composition

can be avoided by not allowing certain inputs.

In this way, we finally obtain the composition of the interface.








s6t3u4 s6t4u3


��

acceptT?

��

acceptT?

��

newT?

��

startT ;

��

ok!

gg

nOk!oo

logF ;

OO

endT ;


newT?

��

startT ;

��ok!oo

endT ;

OO

logM;

33

nOk!pp

logF ;oo

endT ;

OO

logM;

OO

endM;ll

newT?

ee startT ;//

nOk!//

logF !//

mmmmmmmmmm

mmmmmmmmmm








s6t3u4 s6t4u3

��

acceptT?

��

acceptT?

��

newT?

��

startT ;

��

ok!

gg

nOk!oo

logF ;

OO

endT ;


newT?

��

startT ;

��ok!oo

endT ;

OO

logM;

33

nOk!pp

logF ;oo

endT ;

OO

logM;

OO

endM;ll





Outline









Motivation

In the previous example, low-level users should not beallowed to know whether they are under supervisionI.e. they should not distinguish the occurrence of highactions.Therefore, for a low-level user, the system should behavein the same way regardless whether high actions areperformed or not.

⇒ non-interference.

In our setting, the concept of non-interference is formalized bybisimulation-based strong non-deterministic non-interference(BSNNI) and bisimulation-based non-deterministicnon-interference (BNNI).





BSNNI and BNNI (Focardi, Gorrieri 2001)

S ≈ S ′ denotes weak bisimulation between S and S ′.S/X represents the hiding of actions X in SS\X represents the restriction of actions X in S

Definition

(i) S is bisimulation-based strong non-deterministicnon-interference (BSNNI) if S\Ah ≈ S/Ah.

(ii) S is bisimulation-based non-deterministic non-interference(BNNI) if S\AI,h/AO,h ≈ S/Ah.





Example: S is BSNNI

u1 u2 u3

u4u5

S

��''logF?mOn? // startM!//

gg

logM?

logF?��

logM?oo

endM!

ZZ

u1

S\Ah

��logF?

''u1 u2 u3

u4u5

S/Ah

��''logF?mOn; // startM;//

gg

logM;

logF?��

logM;oo

endM;

ZZ

S\Ah ≈ S/Ah





BSNNI and Composition

Every single ISS component of our example is BSNNI but...

... the composed system is not! :’(




Checking BSNNISynthesizing Secure ISSThe algorithm - Example

Outline









Algorithm for Checking Bisimulation

A variation of Fernandez and Mounier’s algorithm to checkbisimulation on the fly. Roughly, it works as follows:

the IA are saturated adding all weak transitionsa full synchronous product is constructed where transitionssynchronize whenever they have the same label;whenever there is a mismatching transition, a newtransition is added on the product leading to a special failstate;if reaching a fail state is inevitable (we later define thisproperly) the IA are not bisimilar; if there is always a way toavoid reaching a fail state, the IA are bisimilar.





Consider a simplified version of the composed DTPS

s1 s2 s3

s4 s5

S//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>mOn? // startM; //

newT?

~~ok!

>>nOk!

kk





Checking the simplified DTPS

We first construct the restriction and hiding of the system

s1

s4

S\Ah

//

acceptT?

��

newT?

}}ok!,nOk!

== s1 s2 s3

s4 s5

S/Ah

//

acceptT?

��

acceptT?

��

newT?

}}ok!,nOk!

==mOn; // startM; //

newT?

}}ok!

==nOk!

ii





Saturation marking set B (with B = {mOn?})

s1 s2 s3

s4 s5

S/Ah

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>mOn;

// startM; //

newT?

~~ok!

>>nOk!

kk

Actions in B will be replaced by ε′, to record that these actions arehigh inputs actions that can be pruned. Other hidden actions arereplaced by ε.Saturation adds to all state a self loop with ε and ε′ (not depicted)Actions added by the saturation are overlined.





Saturation marking set B with B = {mOn?}

After the saturation we obtain this interface:

s1 s2 s3

s4 s5

S/AhAh,I

//

acceptT?

��

acceptT?

��

newT?

}}ok!,nOk!

==ε′ // ε //

newT?

}}ok!

==nOk!

kk

acceptT?

((

acceptT?

��acceptT?

((

newT?

''

Note: In the next slides we will omit some actions added by the saturation process that are redundant.





Synchronous Product: S\Ah∅ × S/Ah

Ah,I

The saturated interfaces (with some transitions omitted):

s1

s4

//

acceptT?

��

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

After saturating both interfaces, we can construct the synchronousproduct:

s1, s1






Ah,I

s1

s4

//

acceptT?

��

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

The product synchronizes using common actions:

s1, s1 s1, s2

s4, s4

//

newT?

��

ε′ //






Ah,I

s1

s4

//

acceptT?

��

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

The process continue adding transitions and new states:

s1, s1 s1, s2

s4, s4 s4, s5

//

newT?

��

ε′ //

newT?

''






Ah,I

s1

s4

//

acceptT?

��

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

Notice that s1accept?−−−−→ s1 but s3

accept?−−−−→6 .

s1, s1 s1, s2 s1, s3

s4, s4 s4, s5

//

acceptT?

��

acceptT?

��

newT?

��ok!

??ε′ // ε //

newT?

��ok!

??newT?

''nOk!

kk






Ah,I

s1

s4

//

acceptT?

��

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

Therefore, we add a transition to a special state fail

s1, s1 s1, s2 s1, s3

s4, s4 s4, s5

fail//

acceptT?

��

acceptT?

��

newT?

��ok!

??ε′ // ε //

newT?

��ok!

??acceptT? //

newT?

''nOk!

kk






Ah,I

s1s3 contains a pair of state that are not bisimilar.In this case, we say the state s1s3 does not pass thebisimulation testWe let NoPass be the set of pair of states not passing thebisimulation test.The definition of NoPass is inductive. Under somerestrictions, it propagates the condition “does not pass thebisimulation test” to predecessor states in the synchronousproduct.






Ah,I

s1, s1 s1, s2 s1, s3

s4, s4 s4, s5

fail//

acceptT?

��

acceptT?

��

newT?

��ok!

??ε′ // ε //

newT?

��ok!

??acceptT? //

newT?

''nOk!

kk

If the initial state does not pass the bisimulation test, theinterfaces are not bisimilar.

Otherwise, the interfaces are bisimilar, and then, the system issecure.

In the example, the interfaces are not bisimilar and hence thesystem is not secure.





Outline









Synthesizing Secure ISS

If the system does not pass a the bisimulation test, we divide allthe pairs of states of the synchronous product that does notpass the bisimulation test in 3 disjoint sets:

May State: contains all pairs that may become bisimilar ifsome particular low input transition is not executed.Fail State: contains all pairs that cannot be turned intobisimilar by avoiding input transitions.Undetermined state: Contains all undetermined pairs. Thisis consequence that they may become bisimilar if a highinput transitions is not executed.





May State Example:

s0

s1

s2

s3

s4

a! ��

h! //

a!��

b?��

S

s0

s1

a! ��

S\Ah

s0

s1

s2

s3

s4

a! ��

ε //

a!��

b?��

a!

%%

S/Ah

s0, s0

s1, s1

s0, s2

s0, s3

fail

a! ��

ε //

a!��a!

$$

b?��

S\Ah × S/Ah

The interface is not secure as a consequence of transition s3b?−→ s4.

If this transition is forbidden/pruned (i.e., the interface provides fewerservices), the resulting ISS is secure.

This is the same approach used to avoid miscommunication.





Fail state Example:

s0

s1

s2

s3

s4

a! ��

h! //

a!��

b!��

S

s0

s1

a! ��

S\Ah

s0

s1

s2

s3

s4

a! ��

ε //

a!��

b!��

a!

%%

S/Ah

s0, s0

s1, s1

s0, s2

s0, s3

fail

a! ��

ε //

a!��a!

$$

b!��

S\Ah × S/Ah

A similar example to the previous one, but now transition b is anoutput action.

Then, the transition cannot be pruned (since it is not controllable),and hence the interface is not “recoverable”.





Undetermined states (example 1):

s0

s1

s2

s3

s4

a! ��

h! //

h’?��

a!oo

b!��

S

s0

s1

a! ��

S\Ah∅

s0

s1

s2

s3

s4

a!,a! ��

ε //

ε′��

a!oo

b!��

a!

yyb!

��

S/Ah{h′?}

s0, s0

s1, s1

s0, s2

s0, s3

fail

a!,a! ��

ε //

ε′��

a!oo

b!��

a!

zz

S\Ah∅ × S/Ah

{h′?}

S is not secure.

The only option to recover is the elimination of transition s2h′?−−→ s3.

Then, we obtain the next interface, which is not secure:

s0

s1

s2

a! ��

h! //





Undetermined states (example 2):

s0

s1

s2

s3

s4

a! ��

h! //

a!yyh’?

��

a!oo

b!��

S

s0

s1

a! ��

S\Ah∅

s0

s1

s2

s3

s4

a!,a! ��

ε //

ε′��

a!oo

b!��

a,a!

yyb!

��

S/Ah{h′?}

s0, s0

s1, s1

s0, s2

s0, s3

fail

a!,a! ��

ε //

ε′��

a!oo

b!��

a!,a!

zz

S\Ah∅ × S/Ah

{h′?}

If transition s2h′?−−→ s3 is eliminated, the resulting interface is secure.

Notice: this example is the previous one with the new transition:s2

a!−→ s1.

s0

s1

s2

a! ��

h! //

a!yy





May/Fail/Undetermined ISS

The definitions of May/Fail/Undetermined state are inductive.Under some restrictions the property propagates topredecessor states in the synchronous product.If the initial state of the sync. product is a may (fail,undetermined) state, we say that interface may pass (fail, isundetermined w.r.t.) the bisimulation test.

s0, s0

s1, s1

s0, s2

s0, s3

fail

a! ��

ε //

a!��a!

$$

b?��

s0, s0

s1, s1

s0, s2

s0, s3

fail

a! ��

ε //

a!��a!

$$

b!��

s0, s0

s1, s1

s0, s2

s0, s3

fail

a!,a! ��

ε //

ε′��

a!oo

b!��

a!,a!

zz





Main result:

Theorem

If S\Ah∅ × S/Ah

Ah,I may pass the bisimulation test, then there isa set −→χ of low input transitions s.t. the ISS obtained from S byremoving all transitions in −→χ is BSNNI.

The set −→χ is obtained by calculating a succession setsEC(S) of eliminable candidatesEC(S) contains all (low input) transitions that go from Maystates to Fail or Undetermined states.The proof is constructive and it defines the algorithm.





Outline









Iteration 1

s1

s4

//

acceptT?

��

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

s1, s1 s1, s2 s1, s3

s4, s4 s4, s5

fail//

acceptT?

��

acceptT?

��

newT?

��ok!

??ε′ // ε //

newT?

��ok!

??acceptT? //

newT?

''nOk!

kk

EC(S) = {s1acceptT?−−−−−→ s1}Matias Lee, Pedro R. D’Argenio Interface Structure for Security




Iteration 2

s1

s4

//

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

acceptT?

��

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

s1, s1 s1, s2 s1, s3

s4, s4 s4, s5

fail//

acceptT?

**

newT?

��ok!

??ε′ // ε //

newT?

��ok!

??newT?

''nOk!

kk

EC(S) = {s2acceptT?−−−−−→ s2}Matias Lee, Pedro R. D’Argenio Interface Structure for Security




Iteration 3

s1

s4

//

newT?

~~ok!,nOk!

>> s1 s2 s3

s4 s5

//

newT?

~~ok!,nOk!

>>ε // ε′ //

newT?

~~ok!

>>nOk!

jj

newT?

&&

s1, s1 s1, s2 s1, s3

s4, s4 s4, s5

//

newT?

��ok!

??ε′ // ε //

newT?

��ok!

??newT?

''nOk!

kk

We obtain a secure interface!

and −→χ= {s1acceptT?−−−−−→ s1, s2

acceptT?−−−−−→ s2}




Preserving BSNNI after Composition

Outline








Preserving BSNNI after Composition

The following lemma give sufficient conditions to ensure thatcomposition leads to secure systems.

Lemma

Let S = 〈S, AhS, Al

S〉 and T = 〈T , AhT , Al

T 〉 be two composableISS. Define

S ′ = 〈S, AhS − shared(S, T ), Al

S ∪ shared(S, T )〉T ′ = 〈T , Ah

T − shared(S, T ), AlT ∪ shared(S, T )〉

If S ′ and T ′ are BSNNI/BNNI and S ⊗ T has not error states,then S ‖ T is BSNNI/BNNI.




Contributions

We extended Interface Automata to cope with security andadapted the definition of no interference to this context.We design an algorithm to synthesis a secure interfacefrom a non-secure one whenever possible.The algorithm proceeds by controlling the permitted lowinput transitions.We give sufficient conditions to ensure that thecomposition of ISS results in a non-interferent ISS.




Future Work

Relax the necessary conditions to preserve no interferenceunder composition.Adapt the concept of refinement of IA to ISS and studyingits relation to BSNNI and BNNI.Define new concepts of “security” to ISS and adapt theresults of this work to the new definitions.


describing secure interfaces with interface automata · 2010. 4. 23. · with interface automata...

Documents