Stéphane Lafrance

On the verification of intransitive noninterference in mulitlevel security

We propose an algorithmic approach to the problem of verification of the property of intransitive noninterference (INI), using tools and concepts of discrete event systems (DES). INI can be used to characterize and solve several important security problems in multilevel security systems. In a previous work, we have established the notion of iP-observability, which precisely captures the property of INI. We have also developed an algorithm for checking iP-observability by indirectly checking P-observability for systems with at most three security levels. In this paper, we generalize the results for systems with any finite number of security levels by developing a direct method for checking iP-observability, based on an insightful observation that the iP function is a left congruence in terms of relations on formal languages. To demonstrate the applicability of our approach, we propose a formal method to detect denial of service vulnerabilities in security protocols based on INI. This method is illustrated using the TCP/IP protocol. The work extends the theory of supervisory control of DES to a new application domain.

Characterizing intransitive noninterference for 3-domain security policies with observability

This note introduces a new algorithmic approach to the problem of checking the property of intransitive noninterference (INI) using discrete-event systems (DESs) tools and concepts. INI property is widely used in formal verification of security problems in computer systems and protocols. The approach consists of two phases: First, a new property called iP-observability (observability based on a purge function) is introduced to capture INI. We prove that a system satisfies INI if and only if it is iP-observable. Second, a relation between iP-observability and P-observability (observability as used in DES) is established by transforming the automaton modeling a system/protocol into an automaton where P-observability (and, hence, iP-observability) can be determined. This allows us to check INI by checking P-observability, which can be done efficiently. Our approach can be used for all systems/protocols with three domains or levels, which is sufficient for most noninterference problems for cryptographic protocols and systems.

Bisimulation-based non-deterministic admissible interference and its application to the analysis of cryptographic protocols

Abstract In this paper, we first define bisimulation-based non-deterministic admissible interference (BNAI), derive its process-theoretic characterisation and present a compositional verification method with respect to the main operators over communicating processes, generalising in this way the similar trace-based results obtained [J. Univ. Comput. Sci. 6 (2000) 1054] into the finer notion of observation-based bisimulation [Logic and Models of Concurrent Systems, 1985]. Like its trace-based version, BNAI admits information flow between secrecy levels only through a downgrader (e.g. a cryptosystem), but is phrased into a generalisation of observational equivalence [Communication and Concurrency, 1989]. We then describe an admissible interference-based method for the analysis of cryptographic protocols, extending, in a non-trivial way, the non-interference-based approach presented by Focardi et al. [Proceedings of DERA/RHUL Workshop on Secure Architectures and Information Flow, 2000]. Confidentiality and authentication for cryptoprotocols are defined in terms of BNAI and their respective bisimulation-based proof methods are derived. Finally, as a significant illustration of the method, we consider simple case studies: the paradigmatic examples of the Wide Mouthed Frog protocol [ACM Trans. Comput. Syst. 8 (1990) 18] and the Woo and Lam one-way authentication protocol [IEEE Comput. 25 (1992) 39]. The original idea of this methodology is to prove that the intruder may interfere with the protocol only through selected channels considered as admissible when leading to harmless interference.

Bisimulation-based Non-deterministic Admissible Interference and its Application to the Analysis of Cryptographic Protocols

In this paper, we first define bisimulation-based non-deterministic admissible interference (BNAI), derive its process-theoretic characterisation and present a compositional verification method with respect to the main operators over communicating processes, generalising in this way the similar trace-based results obtained [J. Univ. Comput. Sci. 6 (2000) 1054] into the finer notion of observationbased bisimulation [Logic and Models of Concurrent Systems, 1985]. Like its trace-based version, BNAI admits information flow between secrecy levels only through a downgrader (e.g. a cryptosystem), but is phrased into a generalisation of observational equivalence [Communication and Concurrency, 1989]. We then describe an admissible interference-based method for the analysis of cryptographic protocols, extending, in a non-trivial way, the non-interference-based approach presented by Focardi et al. [Proceedings of DERA/RHUL Workshop on Secure Architectures and Information Flow, 2000]. Confidentiality and authentication for cryptoprotocols are defined in terms of BNAI and their respective bisimulation-based proof methods are derived. Finally, as a significant illustration of the method, we consider simple case studies: the paradigmatic examples of the Wide Mouthed Frog protocol [ACM Trans. Comput. Syst. 8 (1990) 18] and the Woo and Lam one-way authentication protocol [IEEE Comput. 25 (1992) 39]. The original idea of this methodology is to prove that the intruder may interfere with the protocol only through selected channels considered as admissible when leading to harmless interference. q 2003 Elsevier B.V. All rights reserved.

Using equivalence-checking to verify robustness to denial of service

In this paper, we introduce a new security property which intends to capture the ability of a cryptographic protocol being resistant to denial of service. This property, called impassivity, is formalised in the framework of a generic value-passing process algebra, called Security Protocol Process Algebra, extended with local function calls, cryptographic primitives and special semantics features in order to cope with cryptographic protocols. Impassivity is defined as an information flow property founded on bisimulation-based non-deterministic admissible interference. A sound and complete proof method, based on equivalence-checking, for impassivity is also derived. The method extends results presented in a previous paper on admissible interference and its application to the analysis of cryptographic protocols. Our equivalence-checking method is illustrated throughout the paper on the TCP/IP connection protocol and on the 1KP secure electronic payment protocol.

An algorithmic approach to verification of intransitive non-interference in security policies

In this paper, we generalize our algorithmic approach to the problem of verification of the property of intransitive non-interference (INI) using tools and concepts of discrete event systems (DES) that we first proposed in Hadj-Alouane, N., et al. (2004). The reason that we are interested in INI is that it can be used to solve several important security problems in systems and protocols. We have shown that the notion of iP-observability captures precisely the property of INI. In Hadj-Alouane, N., et al. (2004), we have developed algorithms to check iP-observability by indirectly checking P-observability. This indirect method works only for systems with at most three security levels. In this paper, we develop a direct method for checking iP-observability, which is based on an insightful observation that iP-purge is a left-congruence in terms of relations on formal languages. This directly method can be used for systems with more than three security levels. To demonstrate the application of our approach, in the full version of this paper, we propose a formal method to detect denial of service vulnerabilities in security protocols based on INI. This method is illustrated using the TCP/IP protocol.

Discrete event systems approach to the verification of the information flow properties in secure protocols

Abstract This paper introduces a new algorithmic approach to the problem of checking the intransitive non-interference (INI) using discrete event systems (DES) tools and concepts. INI is an information flow property widely used in formal verification of computer systems and security protocols. First a new property called iP-observability (observability based on a purge function) is introduced to capture INI. An equivalence between iP-observability and P-observability (observability as used in DES) is then established. This paper also presents an algorithm to transform the automaton modelling the system/protocol into an automaton where P-observability can be checked, which is equivalent to verifying INI for the original system. Since P-obervability can be checked with a polynomial complexity, this algorithmic approach can effectively verify the important security property of INI.