Moez Yeddes
École Normale Supérieure
Publication
Featured research published by Moez Yeddes.
IEEE Transactions on Automatic Control | 2005
Nejib Ben Hadj-Alouane; Stéphane Lafrance; Feng Lin; John Mullins; Moez Yeddes
This note introduces a new algorithmic approach to the problem of checking the property of intransitive noninterference (INI) using discrete-event systems (DESs) tools and concepts. INI property is widely used in formal verification of security problems in computer systems and protocols. The approach consists of two phases: First, a new property called iP-observability (observability based on a purge function) is introduced to capture INI. We prove that a system satisfies INI if and only if it is iP-observable. Second, a relation between iP-observability and P-observability (observability as used in DES) is established by transforming the automaton modeling a system/protocol into an automaton where P-observability (and, hence, iP-observability) can be determined. This allows us to check INI by checking P-observability, which can be done efficiently. Our approach can be used for all systems/protocols with three domains or levels, which is sufficient for most noninterference problems for cryptographic protocols and systems.
IFAC Proceedings Volumes | 2014
John Mullins; Moez Yeddes
Opacity is a general behavioural security scheme flexible enough to account for several specific properties. Some secret set of behaviors of a system is opaque if a passive attacker can never tell whether the observed behavior is a secret one or not. Instead of considering the case of static observability where the set of observable events is fixed off-line or dynamic observability where the set of observable events changes over time depending on the history of the trace, we consider Orwellian partial observability where unobservable events are not revealed unless a downgrading event occurs in the future of the trace. We show that verifying opacity of some regular secret for a regular language L w.r.t. an Orwellian projection is PSPACE-complete while it has been proved undecidable even for a regular language L w.r.t. a general Orwellian observation function. We finally illustrate relevancy of our results by proving the equivalence between the opacity property of regular secrets w.r.t. Orwellian projection and the intransitive non-interference property.
IFAC Proceedings Volumes | 2009
Haithem Derbel; Hassane Alla; Nejib Ben Hadj-Alouane; Moez Yeddes
We propose an online diagnosis approach for a class of hybrid systems. The normal and the faulty behaviors of the system are modeled with rectangular hybrid automata. Our approach is based on the use of a diagnosis procedure which performs, online, an estimation of the system states, within a given time window, and based on the current record of observable timed events. Each new estimation can be triggered either by a new event observation or simply by the elapse of time. We give examples to illustrate the use of our hybrid systems diagnosis approach.
Business Process Management | 2011
Mouna Makni; Nejib Ben Hadj-Alouane; Samir Tata; Moez Yeddes
Current logistics methods are more focused on strategic goals and do not deal with short term objectives, such as reactivity and real-time constraints. Automated logistics management systems tend to facilitate information sharing between companies, in order to support cooperative strategies, improve productivity, control service quality and reduce administrative costs. In this paper, we discuss the application of Inter-Organizational Workflows (IOW) for automating logistic procedures in a collaborative context. A case study of a healthcare process is presented, and focuses on the negotiation aspects of temporal constraints in critical situations. We show how our proposed temporal extension of the CoopFlow approach brings advantages to automating logistics operational procedures, by providing real-time data knowledge and decision routing for the case of emergency healthcare.
Computer Software and Applications Conference | 2013
Michaël Lauer; John Mullins; Moez Yeddes
Throughout the life cycle of an aircraft, its avionic architecture can be updated or re-configured leading to what we call the iterative integration problem. In particular, new avionics functions of mixed criticality must be added to computation modules. This can cause a modification of the scheduling parameters, inducing a re-certification of modules, whose cost depends on the criticality level of the modified functions. We define a new approach to help the system designer in producing a proper modified scheduling at a minimal cost while satisfying some real-time constraints. The emphasis is put on the iterative process and we focus on Integrated Modular Avionics (IMA) architecture supported by a time-triggered network. First, we give a general formalization of the problem and provide some results on the real-time constraints considered. In particular, we show how they can directly be taken into account in the variable domains. Then, our approach consists in formalizing the problem as a Binary Integer Problem. Thus, using an off-the-shelf solver, an optimal scheduling minimizing the cost can be automatically determined.
Computer Software and Applications Conference | 2012
Mohamed-Anis Zemni; Nejib Ben Hadj-Alouane; Moez Yeddes
There is a growing need for the ability to fragment one's business processes effectively, in order to get useful fragments for future reutilization in building business processes. This can prove to increase the productivity and shorten the development time. The decomposition task aims at clustering workflow activities into fragments according to business constraints. Existing approaches lack semantic and privacy concerns. In this paper, we propose a semantic fragment identification approach to assemble activities that are semantically close according to a semantic attraction threshold. Moreover, fragments must be aware of sensitive information preserving. Our fragmentation approach is based on the so-called formal concept analysis approach, while integrating a semantic clustering technique for avoiding the association of sensitive information.
Conference on Decision and Control | 2004
Nejib Ben Hadj-Alouane; Stéphane Lafrance; Feng Lin; John Mullins; Moez Yeddes
In this paper, we generalize our algorithmic approach to the problem of verification of the property of intransitive non-interference (INI) using tools and concepts of discrete event systems (DES) that we first proposed in Hadj-Alouane, N., et al. (2004). The reason that we are interested in INI is that it can be used to solve several important security problems in systems and protocols. We have shown that the notion of iP-observability captures precisely the property of INI. In Hadj-Alouane, N., et al. (2004), we have developed algorithms to check iP-observability by indirectly checking P-observability. This indirect method works only for systems with at most three security levels. In this paper, we develop a direct method for checking iP-observability, which is based on an insightful observation that iP-purge is a left-congruence in terms of relations on formal languages. This direct method can be used for systems with more than three security levels. To demonstrate the application of our approach, in the full version of this paper, we propose a formal method to detect denial of service vulnerabilities in security protocols based on INI. This method is illustrated using the TCP/IP protocol.
Chinese Control and Decision Conference | 2012
Yamen El Touati; Nejib Ben Hadj Alouane; Moez Yeddes
In this paper, we consider the supervisory control problem of systems modeled by Extended Time Petri Networks (ETPNs). These are Dynamic Hybrid Systems (DHS) characterized by a strong discrete component, and presenting some features, such as cumulative memory, continuous variables, and the possibility of preempting and restarting of actions. Our control approach, based on a safety specification, uses Linear Hybrid Automata (LHA), which are derived automatically from the ETPN and used as a solution tool.
IFAC Proceedings Volumes | 2009
Haithem Derbel; Nejib Ben Hadj-Alouane; Moez Yeddes; Hassane Alla
This paper investigates the diagnosability of Rectangular Hybrid Automata (RHAs) (Henzinger et al., 1998) used for modeling a class of hybrid systems. First, a definition of so-called Limited-Time Lookahead diagnosability (LTLa), appropriate for characterising the diagnosability of timed languages accepted by RHAs, is proposed. Then, we provide a systematic approach, for checking the LTLa diagnosability of system modeled with RHAs, and verifying some reasonable assumptions.
IFAC Proceedings Volumes | 2004
Nejib Ben Hadj-Alouane; John Mullins; Moez Yeddes; Stéphane Lafrance; Feng Lin
This paper introduces a new algorithmic approach to the problem of checking the intransitive non-interference (INI) using discrete event systems (DES) tools and concepts. INI is an information flow property widely used in formal verification of computer systems and security protocols. First a new property called iP-observability (observability based on a purge function) is introduced to capture INI. An equivalence between iP-observability and P-observability (observability as used in DES) is then established. This paper also presents an algorithm to transform the automaton modelling the system/protocol into an automaton where P-observability can be checked, which is equivalent to verifying INI for the original system. Since P-observability can be checked with a polynomial complexity, this algorithmic approach can effectively verify the important security property of INI.