Two Formal Approaches for Approximating Noninterference Properties
[chapter]
2004
Lecture Notes in Computer Science
In this paper, we present two formal models in which the notion of noninterference, which is at the basis of a large variety of security properties defined in the recent literature, is approximated. ...
The formalisation of security properties for computer systems raises the problem of overcoming also in a formal setting the classical view according to which confidentiality is an absolute property stating ...
In this paper, we presented two techniques for approximating noninterference properties, thus enriching the intuition behind the definition of probabilistic noninterference, which appeared in the literature ...
doi:10.1007/978-3-540-24631-2_1
fatcat:im6dlh6wpngn5bmpzfmzooae6m
Using Theorem Provers to Increase the Precision of Dependence Analysis for Information Flow Control
[chapter]
2018
Lecture Notes in Computer Science
Information flow control (IFC) is a category of techniques for enforcing information flow properties. ...
For every potential illegal information flow reported by the SDG-based approach, the Combined Approach automatically generates proof obligations that, if valid, prove that there is no program path for ...
We are grateful to the student Holger Klein for implementing the prototype. ...
doi:10.1007/978-3-030-02450-5_17
fatcat:d3efgbdhkbdxdgsw4yu7aeoy5a
Modeling Information Routing With Noninterference
2016
International Conference on High Performance Embedded Architectures and Compilers
As an illustration of our approach, we formally model and analyze an example system inspired by the GWV Firewall. ...
These extensions enable the reasoning at an abstract level built on top of noninterference, at a much finer level than allowed by base noninterference. ...
For this system, we want to ensure, and formally verify, that u never gets access to i. The system is designed around two design properties that together ensure this security requirement. ...
doi:10.5281/zenodo.47980
dblp:conf/hipeac/KoolenS16
fatcat:nanskixuezeuxlowxctw4pot2q
Formal Verification of Differential Privacy for Interactive Systems (Extended Abstract)
2011
Electronic Notes in Theoretical Computer Science
Differential privacy is a promising approach to privacy preserving data analysis with a well-developed theory for functions. ...
We develop a formal probabilistic automaton model of differential privacy for systems by adapting prior work on differential privacy for functions. ...
flow property noninterference [21]. ...
doi:10.1016/j.entcs.2011.09.015
fatcat:7ykaadvjq5hu7gprsbkhxjlfbi
A Design and Verification Methodology for a TrustZone Trusted Execution Environment
2020
IEEE Access
ACKNOWLEDGMENT We thank the paper reviewers for their many valuable comments. We also thank AJE for its linguistic assistance during the preparation of this manuscript. ...
Our approach uses Coq, which can express richer properties that Serval cannot. For noninterference, Serval tends to prove Nickel's [38] specification instead of our noninterference specification. ...
The following corollary states the noninterference property for the real machine. Corollary 1. ...
doi:10.1109/access.2020.2974487
fatcat:efkxklgmlbah5jbp4nxpegfyau
Exploit Generation for Information Flow Leaks in Object-Oriented Programs
[chapter]
2015
IFIP Advances in Information and Communication Technology
A prototype tool called KEG implementing the described approach for Java programs has been developed, which generates exploits as executable JUnit tests. ...
Our approach combines self-composition and symbolic execution to compose an insecurity formula for a given information flow policy and a specification of the security level of the program locations. ...
Conclusion We presented a novel approach for automatically detecting information flow leaks in object-oriented imperative programs. ...
doi:10.1007/978-3-319-18467-8_27
fatcat:5zwbqypqurbajbp3lja4qowwwi
Formal Framework for MILS Integration
2016
Zenodo
As an illustration of our approach, we formally model and analyse an example system inspired by the GWV Firewall. ...
To achieve security certification according to the highest levels of assurance, formal models and proofs of security properties are required. ...
For this reason, we propose a model describing the behaviour of flowing information that aims to approximate reality well enough to enable formal verification of practical information flow properties, ...
doi:10.5281/zenodo.57413
fatcat:mvqqomtiafcfxmyb3fkaagor6q
Who Can Declassify?
[chapter]
2009
Lecture Notes in Computer Science
Our contributions include a formal security condition and a sound approach to statically enforcing this condition. ...
Noninterference provides reliable guarantees for the confidentiality of sensitive information, but it is too restrictive if exceptions shall be permitted. ...
We thank the anonymous reviewers for their suggestions. ...
doi:10.1007/978-3-642-01465-9_3
fatcat:ztw3fobepvardojqbkur2pe6k4
Extracting Conditional Confidentiality Policies
2008
2008 Sixth IEEE International Conference on Software Engineering and Formal Methods
To formalize conditional confidentiality policies, we present a modified definition of noninterference that depends on runtime information. ...
While we focus on using our analysis for policy extraction, the process can more generally be used for information flow analysis. ...
We thank Jonathan Aldrich for scrutinizing our inference rules. We also thank him, Karl Crary, and Frank Pfenning for helpful comments. ...
doi:10.1109/sefm.2008.46
dblp:conf/sefm/TschantzW08
fatcat:5an2e6tz3vhmpi4n52wphlqa6e
Timing- and Termination-Sensitive Secure Information Flow: Exploring a New Approach
2011
2011 IEEE Symposium on Security and Privacy
The goal of this paper is to understand the subtleties of timing- and termination-sensitive noninterference, explore the space of possible strategies for enforcing noninterference guarantees, and formalize ...
Covert channels can be used to subvert these security guarantees; for example, timing and termination channels can, either intentionally or inadvertently, violate these guarantees by modifying the timing ...
Acknowledgements: We thank Frank Piessens, Dominique Devriese, and the anonymous reviewers for their comments on this paper. ...
doi:10.1109/sp.2011.19
dblp:conf/sp/KashyapWH11
fatcat:o7humqfjafcwjc2zwfk2q5kjdm
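The KEG entry above (self-composition plus symbolic execution, with exploits emitted as JUnit tests) and the timing and termination channels discussed in the Kashyap et al. entry can be illustrated with one added example. The Python below is not code from either paper or from KEG; it stands in for the symbolic insecurity formula with a bounded, concrete search over a self-composed program: run P(l, h1) and P(l, h2) for the same public input and every pair of distinct secrets, and report the first pair whose low view differs. The low view is the result and, when the corresponding switch is on, termination (modelled as exhausting a step budget) and the step count (abstract running time). The programs `copy_secret`, `secret_loop`, `secret_spin` and `doubler`, the `tick()` step hook and the step budget are constructed assumptions; `to_unittest` renders the witness as a failing unit test in the way KEG renders exploits as JUnit tests.

```python
"""Bounded self-composition check for noninterference, optionally timing- and
termination-sensitive.  Added illustration, not KEG's or the paper's code.
A program is prog(low, high, tick) and calls tick() once per abstract step."""
from dataclasses import dataclass
from itertools import combinations
from typing import Any, Callable, Iterable, Optional


class FuelExhausted(Exception):
    """Step budget exceeded: the run is treated as non-terminating."""


@dataclass(frozen=True)
class Trace:
    low_out: Any        # publicly observable result (None if the run diverged)
    steps: int          # number of tick() calls, i.e. abstract running time
    terminated: bool    # False if the step budget was exhausted


@dataclass(frozen=True)
class Leak:
    kind: str           # "value", "termination" or "timing"
    low: Any
    high1: Any
    high2: Any
    trace1: Trace
    trace2: Trace


def run(prog: Callable, low: Any, high: Any, fuel: int = 1000) -> Trace:
    """Execute prog on one input pair, counting steps and bounding divergence."""
    count = 0

    def tick() -> None:
        nonlocal count
        count += 1
        if count > fuel:
            raise FuelExhausted

    try:
        out = prog(low, high, tick)
    except FuelExhausted:
        return Trace(None, fuel, False)
    return Trace(out, count, True)


def find_leak(prog: Callable, lows: Iterable, highs: Iterable, *,
              timing_sensitive: bool = True, termination_sensitive: bool = True,
              fuel: int = 1000) -> Optional[Leak]:
    """Concrete search for a witness of the insecurity formula
         exists l, h1, h2 . h1 != h2 and obs(P(l, h1)) != obs(P(l, h2)),
    i.e. two runs of the self-composed program P(l, h1); P(l, h2) whose low
    views differ.  obs() is the result plus, when enabled, termination and
    the step count.  Returns the first witness found, or None."""
    highs = list(highs)
    for low in lows:
        for h1, h2 in combinations(highs, 2):
            t1, t2 = run(prog, low, h1, fuel), run(prog, low, h2, fuel)
            if t1.terminated != t2.terminated:
                if termination_sensitive:
                    return Leak("termination", low, h1, h2, t1, t2)
                continue        # termination-insensitive: skip such pairs
            if not t1.terminated:
                continue        # both diverged: nothing is observed
            if t1.low_out != t2.low_out:
                return Leak("value", low, h1, h2, t1, t2)
            if timing_sensitive and t1.steps != t2.steps:
                return Leak("timing", low, h1, h2, t1, t2)
    return None


def to_unittest(prog_name: str, leak: Leak) -> str:
    """Render a witness as an executable test that fails while the leak exists."""
    field = {"value": "low_out", "timing": "steps", "termination": "terminated"}[leak.kind]
    return "\n".join([
        "import unittest",
        f"class Leak_{prog_name}(unittest.TestCase):",
        f"    def test_{leak.kind}_channel(self):",
        f"        t1 = run({prog_name}, {leak.low!r}, {leak.high1!r})",
        f"        t2 = run({prog_name}, {leak.low!r}, {leak.high2!r})",
        f"        self.assertEqual(t1.{field}, t2.{field})",
    ])


# Constructed sample programs (hypothetical); low is public, high is secret.
def copy_secret(low, high, tick):
    tick()
    return high & 1             # explicit flow: the result depends on the secret

def secret_loop(low, high, tick):
    for _ in range(high):       # same result, running time depends on the secret
        tick()
    return low

def secret_spin(low, high, tick):
    while high == 7:            # diverges for exactly one secret value
        tick()
    return low

def doubler(low, high, tick):
    tick()
    return 2 * low              # secure: the secret is never read
```

Switching `timing_sensitive` or `termination_sensitive` off gives the weaker policies: `secret_loop` is secure under value-only noninterference and insecure once running time is observable, and `secret_spin` is secure under termination-insensitive noninterference but not under the termination-sensitive one. The search is bounded by the supplied input sets and the step budget, so a `None` result is evidence for the tested inputs only, unlike the SDG- and theorem-prover-based proofs in the entries above.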
On Quantitative Analysis of Probabilistic Protocols
2005
Electronic Notes in Theoretical Computer Science
We advocate the use of approximate noninterference for the security analysis of probabilistic protocols. ...
We illustrate this approach by presenting the analysis of a probabilistic nonrepudiation protocol which allows us to quantitatively estimate its fairness degree. ...
In the following we formally introduce the process algebraic framework and the approximate noninterference approach to security (Section 2), by describing the syntax and the semantics of the probabilistic ...
doi:10.1016/j.entcs.2004.01.019
fatcat:3tas464iwjhonbwdstleap4uiq
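The approximate noninterference of the entry above and the differential-privacy bound in the entry "Formal Verification of Differential Privacy for Interactive Systems" are two ways of quantifying how far a randomized program is from exact noninterference. The Python below is an added example, not code from either paper: it enumerates the exact output distribution of a small randomized program for each secret (programs draw fair bits through a `flip()` hook, a constructed convention) and reports, over all pairs of secrets sharing a public input, the largest total variation distance (a single-query distinguisher's advantage, exactly 0 for noninterference) and the smallest ε such that each distribution lies within a factor e^ε of the other, the form of bound used in differential privacy. `randomized_response`, `echo_secret` and `fair_coin` are constructed sample programs.

```python
"""Exact leakage measures for small randomized programs: total variation
distance (approximate noninterference) and a differential-privacy style
log-ratio bound.  Added illustration; not the code of either paper.
A program is prog(low, high, flip); flip() returns a fair random bit."""
import math
from collections import Counter
from fractions import Fraction
from itertools import combinations, product
from typing import Any, Callable, Dict, Iterable, Tuple

Dist = Dict[Any, Fraction]      # observable output -> exact probability


def output_distribution(prog: Callable, low: Any, high: Any, coin_bits: int = 4) -> Dist:
    """Run prog on every sequence of coin_bits fair coins (each of probability
    2^-coin_bits) and tally the output.  prog may flip at most coin_bits coins."""
    dist: Counter = Counter()
    for coins in product((0, 1), repeat=coin_bits):
        it = iter(coins)

        def flip() -> int:
            try:
                return next(it)
            except StopIteration:
                raise RuntimeError("program used more than coin_bits coins") from None

        dist[prog(low, high, flip)] += Fraction(1, 2 ** coin_bits)
    return dict(dist)


def total_variation(p: Dist, q: Dist) -> Fraction:
    """TV distance: the advantage of the best distinguisher seeing one output."""
    return sum((abs(p.get(o, 0) - q.get(o, 0)) for o in set(p) | set(q)), Fraction(0)) / 2


def max_log_ratio(p: Dist, q: Dist) -> float:
    """Smallest eps with p(o) <= e^eps q(o) and q(o) <= e^eps p(o) for all o;
    inf when some output is possible under only one of the two secrets."""
    eps = 0.0
    for o in set(p) | set(q):
        a, b = p.get(o, 0), q.get(o, 0)
        if (a == 0) != (b == 0):
            return math.inf
        if a:
            eps = max(eps, abs(math.log(float(a / b))))
    return eps


def leakage(prog: Callable, lows: Iterable, highs: Iterable, coin_bits: int = 4) -> Tuple[Fraction, float]:
    """Worst case over all pairs of secrets sharing a public input.  The program
    is noninterferent iff the TV component is 0; a positive value is its
    approximate-noninterference degree, the eps its DP-style bound."""
    highs = list(highs)
    worst_tv, worst_eps = Fraction(0), 0.0
    for low in lows:
        for h1, h2 in combinations(highs, 2):
            p = output_distribution(prog, low, h1, coin_bits)
            q = output_distribution(prog, low, h2, coin_bits)
            worst_tv = max(worst_tv, total_variation(p, q))
            worst_eps = max(worst_eps, max_log_ratio(p, q))
    return worst_tv, worst_eps


# Constructed sample programs (hypothetical); high is a secret bit.
def randomized_response(low, high, flip):
    return high if flip() else flip()   # truthful w.p. 1/2, else a fresh random bit

def echo_secret(low, high, flip):
    return high                         # deterministic and fully leaking

def fair_coin(low, high, flip):
    return flip()                       # ignores the secret entirely


if __name__ == "__main__":
    for name, prog in [("randomized_response", randomized_response),
                       ("echo_secret", echo_secret), ("fair_coin", fair_coin)]:
        tv, eps = leakage(prog, lows=[0], highs=[0, 1])
        print(f"{name}: TV distance {tv}, eps {eps:.4f}")
```

For randomized response the distance is 1/2 and ε = ln 3; the program echoing the secret has distance 1 and ε = ∞ (disjoint supports), and the program that ignores the secret scores 0 on both. The two measures are not interchangeable: a rare output that is possible under only one secret leaves the TV distance small while forcing ε to ∞, which is why a DP-style bound is the stricter statement for interactive systems.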
Thread algebra for noninterference
2008
RAIRO - Theoretical Informatics and Applications
We prove soundness for this definition, meaning that if a thread satisfies one of these properties then it satisfies the noninterference property proposed by Goguen and Meseguer [15]. ...
We will take the noninterference property given by Volpano et al. [D. Volpano, G. Smith and C. Irvine, J. Comput. Secur. 4 (1996) 167-187] on type systems as an example of our approach. ...
In these approaches, if a program is well-typed according to the typing rules of a type system then it has the noninterference property. ...
doi:10.1051/ita:2008026
fatcat:kcihc6x2fve4zl5hm64ieqgrji
Weak Behavioral Equivalences for Verifying Secure and Performance-Aware Component-Based Systems
[chapter]
2009
Lecture Notes in Computer Science
In order to strengthen the relation between these two different analysis techniques we advocate the use of performance-aware notions of behavioral equivalence as a formal means for detecting functional ...
To achieve a balanced tradeoff among these aspects, we have previously proposed the use of a predictive methodology, which encompasses classical tools such as the noninterference approach to security analysis ...
Acknowledgement The authors thank the anonymous referees for their valuable comments. ...
doi:10.1007/978-3-642-10248-6_10
fatcat:eqxcmeqwcjgqthqn7ie5dhlcai
A Hybrid Approach for Proving Noninterference of Java Programs
2015
2015 IEEE 28th Computer Security Foundations Symposium
Several tools and approaches for proving noninterference properties for Java and other languages exist. ...
To illustrate the hybrid approach, in a case study we use this approach-along with the fully automatic tool Joana for checking noninterference properties for Java programs and the theorem prover KeY for ...
We write I_0 S : I_1 for I_0 S and S : I_1. For two systems S and T, we denote by S · T the composition of S and T which, formally, is the union of (declarations in) S and T. ...
doi:10.1109/csf.2015.28
dblp:conf/csfw/KustersTBBKM15
fatcat:jhx3t7x3szbipbyv6loalxzcsq
Downgrading policies and relaxed noninterference
2005
SIGPLAN notices
In traditional information-flow type systems, the security policy is often formalized as noninterference properties. ...
However, noninterference alone is too strong to express security properties useful in practice. ...
Acknowledgements We would like to thank Stephen Chong, Stephen Tse, Geoffrey Washburn and the POPL reviewers for their valuable feedback and extensive proofreading of the original draft. ...
doi:10.1145/1047659.1040319
fatcat:sko6eopu5beqxg7soswl2yww5a
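The Volpano, Smith and Irvine type system named in the thread-algebra entry ("if a program is well-typed according to the typing rules of a type system then it has the noninterference property") and the declassification relaxations in the "Who Can Declassify?" and "Downgrading policies and relaxed noninterference" entries can be seen together in one small checker. The Python below is an added example, not the code of any of those papers: it types a while language over the two-point lattice L < H with a program-counter label that catches implicit flows, and adds a `declassify` statement as the one permitted H-to-L flow, accepted here only outside secret-dependent control flow so that it cannot launder an implicit flow (a deliberate simplification of the robustness conditions those papers study). The tuple syntax, the variable names and the sample programs are constructed.

```python
"""Volpano-Smith-Irvine style security type checker for a small while language,
extended with an explicit declassify statement.  Added illustration; not the
code of any of the papers listed.  Syntax is nested tuples:
  expr:  int | var_name | ("op", e1, e2)
  cmd:   ("skip",) | ("assign", x, e) | ("declassify", x, e)
         | ("seq", c1, c2, ...) | ("if", e, c_then, c_else) | ("while", e, c)"""
from typing import Dict

LOW, HIGH = "L", "H"
Env = Dict[str, str]            # variable -> security level


class IFCError(Exception):
    """Rejected program; the message names the offending statement."""


def join(a: str, b: str) -> str:
    """Least upper bound in the two-point lattice L < H."""
    return HIGH if HIGH in (a, b) else LOW


def type_expr(e, env: Env) -> str:
    if isinstance(e, int):
        return LOW                      # literals are public
    if isinstance(e, str):
        return env[e]
    _, e1, e2 = e                       # any binary operator: join of the operands
    return join(type_expr(e1, env), type_expr(e2, env))


def check_cmd(c, env: Env, pc: str = LOW) -> None:
    """Check c under program-counter label pc (H inside secret-dependent
    branches and loops).  Raises IFCError on an explicit or implicit H -> L flow."""
    kind = c[0]
    if kind == "skip":
        return
    if kind == "assign":
        _, x, e = c
        if env[x] == LOW and join(pc, type_expr(e, env)) == HIGH:
            raise IFCError(f"assignment to {x!r} leaks (pc={pc}, expr={type_expr(e, env)})")
    elif kind == "declassify":
        _, x, e = c                     # the one sanctioned H -> L flow ...
        if pc == HIGH:                  # ... unless it would launder an implicit flow
            raise IFCError(f"declassify to {x!r} under secret-dependent control flow")
    elif kind == "seq":
        for sub in c[1:]:
            check_cmd(sub, env, pc)
    elif kind in ("if", "while"):
        guard_pc = join(pc, type_expr(c[1], env))
        for sub in c[2:]:
            check_cmd(sub, env, guard_pc)
    else:
        raise ValueError(f"unknown statement {kind!r}")


def is_secure(c, env: Env) -> bool:
    try:
        check_cmd(c, env)
        return True
    except IFCError:
        return False


# Constructed examples over l (public), h (secret) and tmp (secret scratch).
ENV: Env = {"l": LOW, "h": HIGH, "tmp": HIGH}

EXPLICIT = ("assign", "l", "h")
IMPLICIT = ("if", ("op", "h", 0), ("assign", "l", 1), ("assign", "l", 0))
LAUNDERED = ("if", ("op", "h", 0), ("declassify", "l", 1), ("skip",))
PARITY = ("seq", ("assign", "tmp", ("op", "h", 2)), ("declassify", "l", "tmp"))
UPWARD = ("seq", ("assign", "h", "l"), ("assign", "l", ("op", "l", 1)))

if __name__ == "__main__":
    for name, prog in [("explicit", EXPLICIT), ("implicit", IMPLICIT),
                       ("laundered", LAUNDERED), ("parity", PARITY), ("upward", UPWARD)]:
        print(f"{name:10s} {'accepted' if is_secure(prog, ENV) else 'rejected'}")
```

`EXPLICIT`, `IMPLICIT` and `LAUNDERED` are rejected; `PARITY` (a declassification of the secret's parity at top level) and `UPWARD` (flows from L to H only) are accepted. As in Volpano et al., the check is termination-insensitive: a loop whose guard reads h is accepted as long as its body writes only H variables, even though its running time or termination may depend on the secret; the timing- and termination-sensitive variants listed above close exactly that gap.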
Showing results 1 — 15 out of 1,618 results