Publication


Featured research published by John Mullins.


Systems, Man and Cybernetics | 2005

On the verification of intransitive noninterference in multilevel security

Nejib Ben Hadj-Alouane; Stéphane Lafrance; Feng Lin; John Mullins; Mohamed Moez Yeddes

We propose an algorithmic approach to the problem of verification of the property of intransitive noninterference (INI), using tools and concepts of discrete event systems (DES). INI can be used to characterize and solve several important security problems in multilevel security systems. In a previous work, we have established the notion of iP-observability, which precisely captures the property of INI. We have also developed an algorithm for checking iP-observability by indirectly checking P-observability for systems with at most three security levels. In this paper, we generalize the results for systems with any finite number of security levels by developing a direct method for checking iP-observability, based on an insightful observation that the iP function is a left congruence in terms of relations on formal languages. To demonstrate the applicability of our approach, we propose a formal method to detect denial of service vulnerabilities in security protocols based on INI. This method is illustrated using the TCP/IP protocol. The work extends the theory of supervisory control of DES to a new application domain.


Quantitative Evaluation of Systems | 2010

Quantifying Opacity

Béatrice Bérard; John Mullins; Mathieu Sassolas

In this paper we propose two dual notions of quantitative information leakage in probabilistic systems, both related to opacity for non-probabilistic systems. The liberal one measures the probability that an attacker observing a random execution of the system is able to gain information he can be sure about. We show that a null value for this measure corresponds to a secure system, in the usual sense of opacity. On the other hand, restrictive opacity is defined as the complement of the information-theoretic notion of mutual information. It measures the level of certitude in the information acquired by an attacker observing the system: we prove that a null value for this second measure corresponds to non-opacity. We also show how these measures can be computed for regular secrets and observations. We finally apply them to the dining cryptographers problem and to the Crowds anonymity protocol.


Electronic Notes in Theoretical Computer Science | 2008

A Calculus for Generation, Verification and Refinement of BPEL Specifications

Faisal Abouzaid; John Mullins

Business Process Execution Language for Web Services (WS-BPEL) is the emerging standard for designing Web Services compositions. In this context, formal methods can contribute to increased reliability and consistency in the BPEL design process. In this paper we propose an approach based on the HAL Toolkit that allows verification of the correctness of the behavior of a π-based specification of interacting Web Services, and generates the BPEL processes that have the same behavior. This correlation is based on a two-way mapping between the π-based orchestration calculus and BPEL. This approach facilitates the verification and refinement process and may be applied to any BPEL implementation.


Information Processing Letters | 2006

A flaw in the electronic commerce protocol SET

Srecko Brlek; Sardaouna Hamadou; John Mullins

The Secure Electronic Transaction (SET) protocol has been developed by the major credit card companies in association with some of the top software corporations to secure e-commerce transactions. This paper recalls the basics of the SET protocol and presents a new flaw: a dishonest client may purchase goods from an honest merchant (with the help of another merchant) for which he does not pay. Fortunately, by checking his balance sheet, the merchant may, with the help of his bank, trace the client and his accomplice. We also propose a modification to fix the flaw.


International Workshop on Security | 2007

Non-Interference Control Synthesis for Security Timed Automata

Guillaume Gardey; John Mullins; Olivier Henri Roux

In this paper, the problem of synthesizing controllers that ensure non-interference for multilevel security dense timed discrete event systems modeled by an extension of Timed Automata is addressed for the first time. We first discuss a notion of non-interference for dense real-time systems that refines notions existing in the literature and investigate decidability issues raised by the verification problem for dense time properties. We then prove the decidability of the problem of synthesis of the timed controller for some of these timed non-interference properties, thereby providing a symbolic method to synthesize a controller that ensures them.


Electronic Notes in Theoretical Computer Science | 2009

Model-checking Web Services Orchestrations using BP-calculus

Faisal Abouzaid; John Mullins

The Business Process Execution Language for Web Services (BPEL) is the standard for implementing orchestrated business processes, designed as, but not limited to, web services. BPEL is a powerful language but lacks a widely accepted formal semantics, and this makes it difficult to formally validate the correct execution of BPEL implementations. On the other hand, process algebras have proved their efficiency in the specification of web services orchestrations. In this paper we improve the BP-calculus, a π-calculus based formalism designed to ease the automatic generation of verified BPEL code, by defining a specific equivalence and logic in order to verify BPEL implementations through their formal specification expressed in this calculus. The formal specification of service-oriented applications allows the checking of functional properties described by means of the new logic, which is shown to be well suited to capture peculiar aspects of services formalized in π-like languages. As an illustrative example, we present the BP-calculus specification and the verification results of a trade market service scenario.


International Conference on Information Security | 2007

Queue management as a DoS counter-measure?

Daniel Boteanu; José M. Fernandez; John McHugh; John Mullins

In this paper, we study the performance of timeout-based queue management practices in the context of flood denial-of-service (DoS) attacks on connection-oriented protocols, where server resources are depleted by uncompleted illegitimate requests generated by the attacker. This includes both crippling DoS attacks where services become unavailable and Quality of Service (QoS) degradation attacks. While these queue management strategies were not initially designed for DoS attack protection purposes, they do have the desirable side-effect of providing some protection against them, since illegitimate requests time out more often than legitimate ones. While this fact is intuitive and well-known, very few quantitative results have been published on the potential impact on DoS-attack resilience of various queue management strategies and the associated configuration parameters. We report on the relative performance of various queue strategies under a varying range of attack rates and parameter configurations. We hope that such results will provide usable configuration guidelines for end-server or network appliance queue hardening. The use of such optimisation techniques is complementary to the upstream deployment of other types of DoS-protection countermeasures, and will probably prove most useful in scenarios where some residual attack traffic still bypasses them.


IEEE Transactions on Automatic Control | 2005

Characterizing intransitive noninterference for 3-domain security policies with observability

Nejib Ben Hadj-Alouane; Stéphane Lafrance; Feng Lin; John Mullins; Moez Yeddes

This note introduces a new algorithmic approach to the problem of checking the property of intransitive noninterference (INI) using discrete-event systems (DESs) tools and concepts. The INI property is widely used in formal verification of security problems in computer systems and protocols. The approach consists of two phases: First, a new property called iP-observability (observability based on a purge function) is introduced to capture INI. We prove that a system satisfies INI if and only if it is iP-observable. Second, a relation between iP-observability and P-observability (observability as used in DES) is established by transforming the automaton modeling a system/protocol into an automaton where P-observability (and, hence, iP-observability) can be determined. This allows us to check INI by checking P-observability, which can be done efficiently. Our approach can be used for all systems/protocols with three domains or levels, which is sufficient for most noninterference problems for cryptographic protocols and systems.


IFAC Proceedings Volumes | 2014

Opacity with Orwellian Observers and Intransitive Non-interference

John Mullins; Moez Yeddes

Opacity is a general behavioural security scheme flexible enough to account for several specific properties. Some secret set of behaviors of a system is opaque if a passive attacker can never tell whether the observed behavior is a secret one or not. Instead of considering the case of static observability, where the set of observable events is fixed off-line, or dynamic observability, where the set of observable events changes over time depending on the history of the trace, we consider Orwellian partial observability, where unobservable events are not revealed unless a downgrading event occurs in the future of the trace. We show that verifying opacity of some regular secret for a regular language L w.r.t. an Orwellian projection is PSPACE-complete, while it has been proved undecidable even for a regular language L w.r.t. a general Orwellian observation function. We finally illustrate the relevance of our results by proving the equivalence between the opacity property of regular secrets w.r.t. Orwellian projection and the intransitive non-interference property.


Distributed Simulation and Real-Time Applications | 2014

SMT-Based Cost Optimization Approach for the Integration of Avionic Functions in IMA and TTEthernet Architectures

Sofiene Beji; Sardaouna Hamadou; Abdelouahed Gherbi; John Mullins

The design of avionic systems is a complex engineering activity. The iterative integration approach helps in controlling the complexity of such an activity. On the other hand, using such an approach to design evolving systems requires the reconfiguration of scheduling parameters of already integrated parts. This reconfiguration results in a recertification process whose cost depends on the criticality level of the affected application. We propose a new approach which helps the system designer at each integration step in establishing the new scheduling parameters that minimize such cost. In this work, we focus on the Integrated Modular Avionic (IMA) architecture connected through a Time-Triggered Ethernet (TTEthernet) network. We present a formal model for such systems and we use this model to define a set of constraints that ensure the real-time requirements. These constraints are expressed using an SMT-based language, and we use the SMT solver YICES to automatically find feasible scheduling parameters that minimize the cost of integration. We show our framework at work by analyzing the iterative integration of some functionalities of the Flight Management System.

Collaboration


John Mullins's collaborators.

Top Co-Authors

Stéphane Lafrance, École Polytechnique de Montréal

Abdelouahed Gherbi, École de technologie supérieure

Sardaouna Hamadou, École Polytechnique de Montréal

Moez Yeddes, École Normale Supérieure

Faisal Abouzaid, École Polytechnique de Montréal

Gilles Benattar, Centre national de la recherche scientifique

Tiyam Robati, École de technologie supérieure