James W. Gray
United States Naval Research Laboratory
Publication
Featured research published by James W. Gray.
IEEE Symposium on Security and Privacy | 1991
James W. Gray
A general-purpose, probabilistic state machine model which can be used to model a large class of nondeterministic (as well as deterministic) computer systems is described. The necessary probability theory to rigorously state and prove probabilistic properties of modeled systems is developed. A definition of information flow security making use of this formalism is given. Intuitively, information flow security is the aspect of computer security concerned with how information is permitted to flow through a computer system. It is proved that the proposed definition of information flow security implies an information-theoretic definition. Finally, the author gives a verification condition for information flow security and proves that it implies the proposed definition of information flow security.
Journal of Computer Security | 1992
James W. Gray
We describe a general purpose, probabilistic system model that can be used to model a large class of probabilistic (as well as deterministic) computer systems. We develop the necessary probability theory to rigorously state and reason about properties of probabilistic systems. Then we give two definitions of information flow security that make use of this formalism. Intuitively, information flow security is the aspect of computer security concerned with how information is permitted to flow through a computer system. The first definition is based on Goguen and Meseguer's Noninterference; the second is based on McLean's FM. We prove that the second definition is strictly stronger than the first. We give a verification condition for information flow security and prove that it implies both of our definitions. Finally, we show some relationships between our definitions and other definitions in the literature, including definitions from classical information theory.
IEEE Symposium on Security and Privacy | 1993
James W. Gray
The author explores two approaches to introducing noise into the bus-contention channel: an existing approach called fuzzy time, and a novel approach called probabilistic partitioning. He compares the two approaches in terms of the impact on covert channel capacity, the impact on performance, the amount of random data needed, and their suitability for various applications. For probabilistic partitioning, a precise tradeoff is obtained between covert channel capacity and performance.
Distributed Computing | 1998
James W. Gray; Paul F. Syverson
Summary. We set out a modal logic for reasoning about multilevel security of probabilistic systems. This logic contains expressions for time, probability, and knowledge. Making use of the Halpern-Tuttle framework for reasoning about knowledge and probability, we give a semantics for our logic and prove it is sound. We give two syntactic definitions of perfect multilevel security and show that their semantic interpretations are equivalent to earlier, independently motivated characterizations. We also discuss the relation between these characterizations of security and between their usefulness in security analysis.
IEEE Computer Security Foundations Symposium | 1995
Paul F. Syverson; James W. Gray
We set out a logic for reasoning about multilevel security of probabilistic systems. This logic includes modalities for time, knowledge, and probability. In earlier work we gave syntactic definitions of multilevel security and showed that their semantic interpretations are equivalent to independently motivated information-theoretic definitions. This paper builds on that earlier work in two ways. First, it substantially recasts the language and model of computation into the more standard Halpern-Tuttle framework for reasoning about knowledge and probability. Second, it brings together two distinct characterizations of security from that work. One was equivalent to the information-theoretic security criterion for a system to be free of covert channels but was difficult to prove. The other was a verification condition that implied the first; it was more easily provable but was too strong. This paper presents a characterization that is syntactically very similar to our previous verification condition but is proven to be semantically equivalent to the security criterion. The new characterization also means that our security criterion is expressible in a simpler logic and model.
IEEE Computer Security Foundations Symposium | 1997
James W. Gray; Kin Fai Epsilon Ip; King-Shan Lui
We develop an approach to deriving concrete engineering advice for cryptographic protocols from provable-security-style proofs of security. The approach is illustrated with a simple, yet useful protocol. The proof is novel and is the first published proof that provides an exact relationship between a high level protocol and multiple cryptographic primitives.
IEEE Computer Security Foundations Symposium | 1993
James W. Gray
The bus-contention channel is a covert channel that can be exploited at a rate exceeding 1000 bits per second. Fuzzy time is a countermeasure first described by Wei-Ming Hu (1991). To assess the effectiveness of fuzzy time, it is desirable to have an information-theoretic capacity analysis of the bus-contention channel under fuzzy time. The author points out that the capacity of this channel depends on the assumptions that are held regarding the environment in which the channel is being exploited. He discusses various assumptions that may be held regarding the environment. He argues that a capacity analysis under the weakest of these assumptions (viz. the secure environment assumption) provides an upper bound on the capacity under the other assumptions discussed. It has been argued that a capacity analysis under the stronger assumptions is intractable. Therefore, an analysis under the weaker assumption provides the best available upper bound on the capacity of this channel. The author shows how to analyze the capacity of the channel under the weaker environment assumption and carries out such analysis of the channel using realistic system parameters and a variety of fuzzy time parameters.
Australasian Conference on Information Security and Privacy | 1998
Wai W. Fung; James W. Gray
In recent work, Anderson and Kuhn described an attack against tamperproof devices wherein a secret key stored in EEPROM is compromised using a simple and low-cost attack. The attacker uses low-cost probes to set individual EEPROM bits to 0 or 1 and observes the effect on the output of the device. These attacks are extremely general, as they apply to virtually any cryptosystem. In this paper we explore high-level design techniques with the goal of providing some degree of protection against these attacks. We describe a cascaded m-permutation protection scheme that uses an (m × n)-bit encoding for an n-bit key and for which the best known attack requires O(n^m) probes to compromise the key. Although the attack is of polynomial time complexity, it would be impractical to apply it when the protection scheme uses 5 or more cascaded permutations of a 128-bit key; in particular, in this case, the best known attack requires approximately 3.4 × 10^9 manual probes.
IEEE Computer Security Foundations Symposium | 1991
James W. Gray
Prior work is discussed and positions are given on the following two questions: (1) What basis should be used to evaluate information flow security models? and (2) What should the scope of an information flow security model be? As part of the position on question (1), a reformulation of McLean's FM (1990) is given.
Information Processing Letters | 1997
James W. Gray
SPLICE/AS is an authentication system for large-scale distributed systems. Two distinct flaws have been discovered in SPLICE/AS — the most recent by Clark and Jacob. In addition to pointing out the flaw, Clark and Jacob propose a modification. We show the Clark-Jacob version is still flawed by describing an attack that can be carried out under certain assumptions. We argue that the underlying reason for the flaw is that the Clark-Jacob version and its predecessors are not using the appropriate cryptographic tool (namely a digital signature) for authentication. We also propose a new protocol.