Publication


Featured research published by Chiara Braghin.


IFIP International Conference on Theoretical Computer Science | 2002

Boundary Inference for Enforcing Security Policies in Mobile Ambients

Chiara Braghin; Agostino Cortesi; Riccardo Focardi; Steffen van Bakel

The notion of “boundary ambient” has been recently introduced to model multilevel security policies in the scenario of mobile systems, within pure Mobile Ambients calculus. Information flow is defined in terms of the possibility for a confidential ambient/data to move outside a security boundary, and boundary crossings can be captured through a suitable Control Flow Analysis. We show that this approach can be further enhanced to infer which ambients should be “protected” to guarantee the lack of information leakage for a given process.


Formal Aspects of Computing | 2011

A model checking-based approach for security policy verification of mobile systems

Chiara Braghin; Natasha Sharygina; Katerina Barone-Adesi

This article describes an approach for the automated verification of mobile systems. Mobile systems are characterized by the explicit notion of location (e.g., sites where they run) and the ability to execute at different locations, yielding a number of security issues. To this aim, we formalize mobile systems as Labeled Kripke Structures, encapsulating the notion of location net that describes the hierarchical nesting of the threads constituting the system. Then, we formalize a generic security-policy specification language that includes rules for expressing and manipulating the code location. In contrast to many other approaches, our technique supports both access control and information flow specification. We developed a prototype framework for model checking of mobile systems. It works directly on the program code (in contrast to most traditional process-algebraic approaches that can model only limited details of mobile systems) and uses abstraction-refinement techniques, based also on location abstractions, to manage the program state space. We experimented with a number of mobile code benchmarks by verifying various security policies. The experimental results demonstrate the validity of the proposed mobile system modeling and policy specification formalisms and highlight the advantages of the model checking-based approach, which combines the validation of security properties with other checks, such as the validation of buffer overflows.


Information & Computation | 2008

Information flow security in Boundary Ambients

Chiara Braghin; Agostino Cortesi; Riccardo Focardi

A variant of the Mobile Ambient calculus, called Boundary Ambients, is introduced, supporting the modelling of multi-level security policies. Ambients that may guarantee to properly protect their content are explicitly identified as boundaries: a boundary can be seen as a resource access manager for confidential data. In this setting, absence of direct information leakage is granted as soon as the initial process satisfies some syntactic conditions. We then give a new notion of non-interference for Boundary Ambients aiming at capturing indirect flows, too. We design a Control Flow Analysis that computes an over-approximation of all ambients that may be affected at run-time by high-level data and we show that this static analysis can be used to enforce non-interference, i.e., to statically detect that no (direct or indirect) information leakage is ever possible at run-time.


Tools and Algorithms for the Construction and Analysis of Systems | 2003

BANANA: a tool for boundary ambients nesting analysis

Chiara Braghin; Agostino Cortesi; Stefano Filippone; Riccardo Focardi; Flaminia L. Luccio; Carla Piazza

Banana is a tool for the analysis of information leakage in mobile agent specifications. The language considered is Mobile Ambient calculus, initially proposed by Cardelli and Gordon with the main purpose of explicitly modeling mobility [5]. Sites and agents (i.e., processes) are modeled as nested boxes (i.e., ambients), provided with capabilities for entering, exiting and dissolving other boxes. This specification language provides a very simple framework to reason about information flow and security when mobility is an issue [1].


Integrated Formal Methods | 2007

Automated verification of security policies in mobile code

Chiara Braghin; Natasha Sharygina; Katerina Barone-Adesi

This paper describes an approach for the automated verification of mobile programs. Mobile systems are characterized by the explicit notion of locations (e.g., sites where they run) and the ability to execute at different locations, yielding a number of security issues. We give formal semantics to mobile systems as Labeled Kripke Structures, which encapsulate the notion of the location net. The location net summarizes the hierarchical nesting of threads constituting a mobile program and enables specifying security policies. We formalize a language for specifying security policies and show how mobile programs can be exhaustively analyzed against any given security policy by using model checking techniques. We developed and experimented with a prototype framework for analysis of mobile code, using the SATABS model checker. Our approach relies on SATABS's support for unbounded thread creation and enhances it with location net abstractions, which are essential for verifying large mobile programs. Our experimental results on various benchmarks are encouraging and demonstrate the advantages of the model checking-based approach, which combines the validation of security properties with other checks, such as for buffer overflows.


Computer Languages, Systems & Structures | 2004

Nesting analysis of mobile ambients

Chiara Braghin; Agostino Cortesi; Riccardo Focardi; Flaminia L. Luccio; Carla Piazza

A new algorithm is introduced for analyzing possible nestings in mobile ambient calculus. It improves both time and space complexities of the technique proposed by Nielson and Seidl. The improvements are achieved by enhancing the data structure representations, and by reducing the computation to the control flow analysis constraints that are effectively necessary to get to the least solution. These theoretical results are also supported by experimental tests run on a Java-based tool that implements a suite of algorithms for nesting analysis of mobile ambients.


Electronic Notes in Theoretical Computer Science | 2005

Flow-sensitive Leakage Analysis in Mobile Ambients

Chiara Braghin; Agostino Cortesi

In this paper, we present a refinement of a Control Flow Analysis aimed at studying information flow security in the calculus of Mobile Ambients. The improvements are achieved by making the analysis flow-sensitive: the analysis is able to keep track of temporal dependencies of capability applications when computing a safe approximation of the run-time topology of Mobile Ambient processes.


Verification, Model Checking and Abstract Interpretation | 2002

Complexity of Nesting Analysis in Mobile Ambients

Chiara Braghin; Agostino Cortesi; Riccardo Focardi; Flaminia L. Luccio; Carla Piazza

A new algorithm is introduced for analyzing possible nesting in Mobile Ambient calculus. It improves both time and space complexities of the technique proposed by Nielson and Seidl. The improvements are achieved by enhancing the data structure representations, and by reducing the computation to the Control Flow Analysis constraints that are effectively necessary to get to the least solution.


Computer and Information Security Handbook (Second Edition) | 2013

Privacy on the Internet

Marco Cremonini; Chiara Braghin; Claudio Agostino Ardagna

In recent years, large-scale computer networks have become an essential aspect of our daily computing environment. We often rely on a global information infrastructure for e-business activities such as home banking, ATM transactions, or shopping online. One of the main scientific and technological challenges in this setting has been to provide security to individuals who operate in possibly untrusted and unknown environments. However, besides threats directly related to computer intrusions, the epidemic diffusion of malware, and outright frauds conducted online, a more subtle though increasing erosion of individuals’ privacy has progressed and multiplied. Such an escalating violation of privacy has some direct harmful consequences—for example, identity theft has spread in recent years—and negative effects on the general perception of insecurity that many individuals now experience when dealing with online services. Nevertheless, protecting personal privacy from the many parties—business, government, social, or even criminal—that examine the value of personal information is an old concern of modern society, now increased by the features of the digital infrastructure. In this chapter, we address these privacy issues in the digital society from different points of view, investigating: the various aspects of the notion of privacy and the debate that the intricate essence of privacy has stimulated; the most common privacy threats and the possible economic aspects that may influence the way privacy is (and especially is not, in its current status) managed in most firms; the efforts in the computer science community to face privacy threats, especially in the context of distributed networks; and the network-based technologies available to date to provide anonymity in user communications over a private network.


Electronic Notes in Theoretical Computer Science | 2004

Behind BANANA: Design and Implementation of a Tool for Nesting Analysis of Mobile Ambients

Chiara Braghin; Agostino Cortesi; Riccardo Focardi; Flaminia L. Luccio; Carla Piazza

We present a survey of the work on control-flow analysis carried out by the Venice Team during the Mefisto project. We study security issues, in particular information leakage detection, in the context of the Mobile Ambient calculus. We describe BANANA, a Java-based tool for ambient nesting analysis, focussing on analysis accuracy and algorithmic optimizations.

Collaboration


Chiara Braghin's top co-authors.

Top Co-Authors

Agostino Cortesi, Ca' Foscari University of Venice

Riccardo Focardi, Ca' Foscari University of Venice

Flaminia L. Luccio, Ca' Foscari University of Venice

Stefano Filippone, Ca' Foscari University of Venice