
Publications


Featured research published by Heiko Mantel.


IEEE Computer Security Foundations Symposium | 2000

Possibilistic definitions of security - an assembly kit

Heiko Mantel

We present a framework in which different notions of security can be defined in a uniform and modular way. Each definition of security is formalized as a security predicate by assembling more primitive basic security predicates. A collection of such basic security predicates is defined, and we demonstrate how well-known concepts like generalized non-interference or separability can be constructed from them. The framework is open and can be extended with new basic security predicates using a general schema. We investigate the compatibility of the assembled definitions with system properties apart from security and propose a new definition of security which does not restrict non-critical information flow. It turns out that the modularity of our framework simplifies these investigations. Finally, we discuss the stepwise development of secure systems.


IEEE Symposium on Security and Privacy | 2002

On the composition of secure systems

Heiko Mantel

When complex systems are constructed from simpler components, it is important to know how properties of the components behave under composition. We present various compositionality results for security properties. In particular, we introduce a novel security property and show that this property is, in general, composable although it is weaker than forward correctability. Moreover, we demonstrate that certain nontrivial security properties emerge under composition and illustrate how this fact can be exploited. All compositionality results that we present are verified with the help of a single, quite powerful lemma. Based on this lemma, we also re-prove several already known compositionality results with the objective of unifying these results. As a side effect, we obtain a classification of known compositionality results for security properties.


Static Analysis Symposium | 2002

Static Confidentiality Enforcement for Distributed Programs

Andrei Sabelfeld; Heiko Mantel

Preserving the confidentiality of data in a distributed system is an increasingly important problem of current security research. Distributed programming often involves message passing over a publicly observable medium, which opens up various opportunities for eavesdropping. Not only may the contents of messages sent on a public channel reveal confidential data, but merely observing the presence of a message on a channel for encrypted traffic may leak information. Another source of leaks is blocking, which may change the observable behavior of a process that attempts to receive on an empty channel. In this article, we investigate the interplay between, on the one side, public, encrypted, and private (or hidden) channels of communication and, on the other side, blocking and nonblocking communication primitives for a simple multi-threaded language. We argue for timing-sensitive security and give a compositional timing-sensitive confidentiality specification. A key contribution of this article is a security-type system that statically enforces confidentiality. That the type system is not over-restrictive is exemplified by a typable distributed file-server program.


IEEE Symposium on Security and Privacy | 2001

Preserving information flow properties under refinement

Heiko Mantel

In a stepwise development process, it is essential that system properties that have already been investigated in some phase need not be re-investigated in later phases. In formal developments, this corresponds to the requirement that properties are preserved under refinement. While safety and liveness properties are indeed preserved under most standard forms of refinement, it is well known that this is, in general, not true for information flow properties, a large and useful class of security properties. We propose a collection of refinement operators as a solution to this problem. We prove that these operators preserve information flow as well as other system properties. Thus, information flow properties become compatible with stepwise development. Moreover, we show that our operators are an optimal solution.


Asian Symposium on Programming Languages and Systems | 2004

Controlled Declassification based on Intransitive Noninterference

Heiko Mantel; David Sands

Traditional noninterference cannot cope with common features of secure systems like channel control, information filtering, or explicit downgrading. Recent research has addressed the derivation and use of weaker security conditions that could support such features in a language-based setting. However, a fully satisfactory solution to the problem has yet to be found. A key problem is to permit exceptions to a given security policy without permitting too much. In this article, we propose an approach that draws its underlying ideas from intransitive noninterference, a concept usually used on a more abstract specification level. Our results include a new bisimulation-based security condition that controls tightly where downgrading can occur and a sound security type system for checking this condition.


Formal Methods | 2001

Information Flow Control and Applications - Bridging a Gap

Heiko Mantel

The development of formal security models is a difficult, time-consuming, and expensive task. This development burden can be considerably reduced by using generic security models. In a security model, confidentiality as well as integrity requirements can be expressed by restrictions on the information flow. Generic models for controlling information flow in distributed systems have been thoroughly investigated. Nevertheless, the known approaches cannot cope with common features of secure distributed systems like channel control, information filters, or explicit downgrading. This limitation has caused a major gap which has prevented the migration of a large body of research into practice. Bridging this gap is the main goal of this article.


European Symposium on Research in Computer Security | 2000

Unwinding Possibilistic Security Properties

Heiko Mantel

Unwinding conditions are helpful to prove that deterministic systems fulfill non-interference. In order to generalize non-interference to non-deterministic systems, various possibilistic security properties have been proposed. In this paper, we present generic unwinding conditions which are applicable to a large class of such security properties. That these conditions are sufficient to ensure security is demonstrated by unwinding theorems. In certain cases they are also necessary. The practical usefulness of our results is illustrated by instantiating the generic unwinding conditions for well-known security properties. Furthermore, similarities between proving security and proving refinement are identified, which result in proof techniques that are correct as well as complete.


Archive | 2003

A uniform framework for the formal specification and verification of information flow security

Heiko Mantel

In this thesis, we elaborate a uniform basis for the systematic investigation of possibilistic information flow properties. These properties are suitable for specifying security requirements formally such that they can be verified with mathematical rigor. We analyze the variety of known properties, propose new ones, and develop techniques that simplify their verification. To this end, we introduce MAKS, a uniform framework for the investigation of information flow properties. The two basic ideas underlying MAKS are: firstly, to separate application-specific aspects of an information flow property from more application-independent aspects and, secondly, to express the latter aspects by assembling primitive building blocks. This modular representation provides a basis for reducing complex reasoning about information flow properties to reasoning about conceptually simpler building blocks. Following this approach, we analyze several information flow properties from the literature, elaborate their advantages and disadvantages, and derive a taxonomy of these properties. In this process, we discover several novel information flow properties that constitute improvements of known ones. Moreover, we exploit the modular representation for developing verification techniques for information flow properties. In particular, we derive unwinding results that reduce the verification of information flow properties to the verification of simpler unwinding conditions. We also derive compositionality results that reduce the verification task to the verification of the individual system components. The applicability of our results is demonstrated by several examples and also by a complex case study from the area of language-based security.

This thesis presents an approach to the systematic investigation of possibilistic information flow properties. This class of properties is suitable for the formal specification of security requirements regarding confidentiality and integrity, and it makes it possible to prove such requirements with mathematical rigor. The information flow properties known from the literature are analyzed and compared in depth in this thesis, new properties are synthesized, and verification techniques for information flow properties are proposed.


Journal of Computer Security | 2003

A unifying approach to the security of distributed and multi-threaded programs

Heiko Mantel; Andrei Sabelfeld

The security of computation at the level of a specific programming language and the security of complex systems at a more abstract level are two major areas of current security research. With the objective to integrate the two, this article proposes an adequate translation of a timing-sensitive security property for simple multi-threaded programs into a more general security framework. Soundness and completeness of the translation guarantee that the trace-based specification of the translation of a multi-threaded program is secure if and only if the original program is secure. Finally, the translation is extended to a distributed setting, and it is demonstrated how to derive global security of the overall system from local security of each thread. The translation is presented as a two-step process where the first step is independent from the concrete programming language.


IEEE Computer Security Foundations Symposium | 2001

A generic approach to the security of multi-threaded programs

Heiko Mantel; Andrei Sabelfeld

The security of computation at the level of a specific programming language and the security of complex systems at a more abstract level are two major areas of current security research. With the objective to integrate the two, this article proposes a translation of a timing-sensitive security property for simple multi-threaded programs into a more general security framework. Interestingly, our notion of security for programs is bisimulation-based while the security framework is trace-based. Nevertheless, we show that the translation is sound and complete in the sense that the trace-based specification which results from the translation of a multi-threaded program is secure if and only if the original program is secure. The translation is presented as a two-step process where the first step is independent from the concrete programming language.

Collaboration


Heiko Mantel's top co-authors.

Top Co-Authors

Andrei Sabelfeld, Chalmers University of Technology

Henning Sudbrock, Technische Universität Darmstadt

Alexandra Weber, Technische Universität Darmstadt

Johannes Schickel, Technische Universität Darmstadt

Alexander Lux, Technische Universität Darmstadt

Matthias Perner, Technische Universität Darmstadt

Artem Starostin, Technische Universität Darmstadt

Jinwei Hu, Technische Universität Darmstadt

Sarah Ereth, Technische Universität Darmstadt