Non-interference Properties for Probabilistic Processes
Description: Non-interference Properties for Probabilistic Processes. A Process Algebraic Approach. Alessandro Aldini, joint work with Mario Bravetti and Roberto Gorrieri. Outline: Information flow analysis, A nondeterministic calculus, Non-interference for nondeterministic processes (PowerPoint presentation).
Transcript:
Slide 1
Non-interference Properties for Probabilistic Processes
A Process Algebraic Approach
Alessandro Aldini, joint work with Mario Bravetti and Roberto Gorrieri
Slide 2
Outline
– Information flow analysis
– A nondeterministic calculus
– Non-interference for nondeterministic processes
– A probabilistic calculus
– Non-interference for probabilistic processes
– Non-interference and probabilities
Slide 3
Formal methods and security
Motivation:
– The Internet provides support for the transmission of data over communication networks, but is not designed with the goal of avoiding unauthorized disclosure of such data.
– Cryptography is the solution, but…
• imported code
• mobile agents
• malicious non-authenticated accesses
• …
raise a supplementary, increasing demand for security in computer networks.
Slide 4
Formal methods and security
Formal techniques may help to:
– prevent security holes,
– provide a generalized, easily verifiable notion of security.
Here, we concentrate on the security analysis of information flow in systems and, more precisely, on how to characterize the absence of any insecure flow, by applying the classical idea of non-interference.
Slide 5
Non-interference
Non-interference checks the absence of information flows through the system, in terms of confidential, high level information illegally revealed to someone without the related access right.
Slide 6
Non-interference
– The users of the system are partitioned into high level users and low level users.
– High and low users interact with the system through separate interfaces.
– Low users cannot directly observe what high users do.
– Low users know the exact, complete design of the system, including the high interface.
– Users interact with the system through input actions (guided by the users) and output actions (guided by the system).
Slide 7
Non-interference
The interactions of low users with the system should not be affected by the behavior of high users [Goguen & Meseguer ’82].
[Figure: the System exposes a low interface to the LOW USERS and a high interface to the HIGH USERS; the question is whether an information flow exists from the high interface to the low interface.]
Slide 8
Direct information flow
[Figure: the System holds a variable X (var X = 0); the high user performs "write x := 1"; the low user performs "read x" and obtains 1.]
A high value is directly communicated from the high user to the low user!
Slide 9
Indirect information flow
Non-interference seeks to capture also covert channels (indirect information flows from high level to low level).
EXAMPLE: sharing of resources (e.g. memory devices).
[Figure: high user and low user share a memory; the high user creates the private file data.txt; the low user then tries to create the public file data.txt and the creation fails (FAIL!).]
Slide 10
Non-interference: an example
[Figure: the transition diagram of a process P with low level activities a, b, c and a high level activity h; the diagram exhibits an information flow from H to L!]
Slide 11
Non-interference
Information flow analysis in process algebras: [Jacob’88, Ryan’91, Focardi & Gorrieri’95, Roscoe’95, Ryan & Schneider’99]
– Information flow is analyzed by considering the possibilistic behavior of the system, i.e. what events are possible.
– Further aspects are not considered, such as the timing of actions and the probability distribution of events.
Slide 12
Non-interference
– In this talk, we take into consideration the influence of the high level behavior upon the probability distribution of the observable, low level events.
– The motivation is twofold:
• probabilistic covert channels may occur which are not observable in a purely nondeterministic setting;
• a quantitative estimate of the information flowing through the system may be given.
Slide 13
Probability & non-interference (1)
The frequency of the possible low outcomes derived from several execution runs of the system may change depending on the interaction of the high user with the system. [Gray’92, Sabelfeld & Sands’99, Hankin et al.’00]
Slide 14
Probability & non-interference (1)
[Figure: the transition diagram of a process P with low level activities a, b and a high level activity h; the high activity changes the frequency of a and b: an information flow from H to L!]
Slide 15
Probability & non-interference (2)
Interactions of high users with the system which affect the interactions of low users may occur with a negligible probability.
In such a case, the illegal information flow can be tolerated by the users of the system.
[Hankin et al.’02]
Slide 16
Probability & non-interference (2)
[Figure: the transition diagram of a process P with low level activities a, b and a high level activity h; there is an information flow from H to L… but it is quite negligible!]
Slide 18
A non-deterministic process algebra
Actions are divided into:
– a set I of input actions a*, b*, …
– a set O of output actions a, b, …
– the internal action τ
Act = I ∪ O ∪ {τ}
Visible action types are partitioned into two disjoint sets:
– ATypeL of low level types
– ATypeH of high level types
AType = ATypeH ∪ ATypeL ∪ {τ}
Slide 19
Syntax
P ::= 0 | α.P | P + P | P ||_S P | P/L | A
where S, L ∈ P(AType – {τ}).
Slide 20
Syntax
0: Null term, denoting a terminated or deadlocked term.
Slide 21
Syntax
α.P: Prefix operator: executes action α and then behaves as term P (α is an output action, an input action, or the internal action τ).
Slide 22
Syntax
P + Q: Alternative choice operator: expresses a non-deterministic choice between a term P and a term Q (CCS-style).
Slide 23
Syntax
P ||_S Q: Parallel composition operator: expresses the concurrent execution of processes P and Q (CSP-style).
Slide 24
Syntax
P/L: Hiding operator: turns the visible actions with type in L into internal actions.
Slide 25
Syntax
A: Constants are used to define recursive terms, A = P.
Slide 26
||_S: synchronization policy
For a in S:
– a*.P ||_S a*.Q --a*--> P ||_S Q (two inputs synchronize into an input)
– a.P ||_S a*.Q --a--> P ||_S Q (an output and an input synchronize into the output)
– a.P ||_S a.Q: no transition (two outputs cannot synchronize)
Slide 27
||_S: synchronization policy
For a in S:
((a*.P ||_S a*.P’) ||_S a*.P’’) ||_S a.Q --a--> ((P ||_S P’) ||_S P’’) ||_S Q
Q broadcasts the output action a, while all the other processes synchronize on the input action a* (asymmetric multiway synchronization).
Slide 28
Restriction
The synchronization rule can also express the restriction of actions.
EXAMPLE: in a*.P ||_S c.Q (with a ≠ c and a in S) the action a*, constrained to synchronize, cannot be executed!
We use P\L to stand for P ||_L 0, which cannot execute the actions of P with type in L.
Slide 29
Equivalence
We use equivalence checking to express security properties: a system S is secure if two subsystems, suitably derived from S and from the security definition, are equivalent.
We need a notion of equivalence to relate terms which behave the same from the viewpoint of an external observer.
Since τ actions cannot be seen by any external observer, and since the definition of security properties focuses on observable behaviors, we use a notion of equivalence which abstracts from internal actions: weak bisimulation equivalence.
Slide 30
Equivalence
Note:
– G denotes the set of processes of the calculus
– P ==α==> P’ means that a labeled transition (with visible action α) occurs, possibly preceded and followed by a sequence of internal transitions
– P --α--> P’ means that a labeled transition occurs
– P ==τ==> P’ means that zero or more τ-labeled transitions occur
Slide 31
Weak bisimulation:
A relation R ⊆ G × G is a weak bisimulation iff (P,Q) ∈ R implies, for all α in Act:
• whenever P --α--> P’, then there exists Q’ such that Q ==α==> Q’ and (P’,Q’) ∈ R;
• whenever Q --α--> Q’, then there exists P’ such that P ==α==> P’ and (P’,Q’) ∈ R.
≈_B denotes weak bisimulation equivalence. [Milner’89]
Slide 33
Nondeterministic security properties
We rephrase in the context of our nondeterministic calculus some of the security properties defined in [Focardi & Gorrieri’95].
Slide 34
h.b.a.0 + a.0
Low user standpoint:
– High user does not interact: a
– High user interacts: b, then a
Slide 35
Nondeterministic Non-interference (int)
Intuition: a system P is secure iff the behavior of P observable by a low user does not depend on the high interactions.
Formally: P\ATypeH ≈_B P/ATypeH
For each low behavior observable when the high user does not interact with the system, we have an equivalent low behavior observable when the high user executes high actions, and vice versa.
Slide 36
Examples
Low user viewpoint: without high interactions (P\ATypeH) versus with high interactions (P/ATypeH)
– h.b.a.0 + a.0: a.0 versus τ.b.a.0 + a.0, which are not ≈_B
– h.a.0 + a.0: a.0 versus τ.a.0 + a.0, which are ≈_B
Slide 37
Examples
Low user viewpoint: without high interactions versus with high interactions
– h.a.a.0 + a.0: a.0 versus τ.a.a.0 + a.0, which are not ≈_B
– P = a.Q, Q = h.Q + b.0: the two views are ≈_B (in both transition diagrams the low user observes a followed by b)
Slide 38
h.h.a.0 + a.0
Low user standpoint:
– High user does not interact: a
– High user interacts: a
…? Nondeterministic non-interference is not enough!
Slide 39
Nondeducibility on Composition (comp)
Intuition: a system P is secure iff the behavior of P observable by a low user is invariant with respect to the interaction of any high user.
Formally: P\ATypeH ≈_B ((P ||_S Π) / S) \ ATypeH
for any high process Π and high communication interface S ⊆ ATypeH
Slide 40
Example
h.h.a.0 + a.0
– without high interactions: a.0
– interacting with h*.0: ((h.h.a.0 + a.0) ||_{h} h*.0) / {h} \ ATypeH ≈_B a.0 + τ.0, which is not ≈_B a.0
Slide 41
h.a.0 + τ.a.0 + b.0
Low user standpoint:
– High user does not interact: a or b
– High user interacts: a
Nondeducibility on Composition is not enough! …but the event b informs the low user that the high user did not interact.
Slide 42
Strong Nondeducibility on Composition (scomp)
Intuition: the low user should not distinguish which, if any, high level event has occurred at some point in the past.
Formally: for any derivative P1 of P and for any P2 such that P1 --h--> P2 with h a high action, we have
P1\ATypeH ≈_B P2\ATypeH
Slide 43
Example (1)
P = h.a.0 + τ.a.0 + b.0
P\ATypeH = τ.a.0 + b.0
P --h--> a.0, and a.0\ATypeH = a.0 is not ≈_B τ.a.0 + b.0
P is not scomp-secure.
Slide 44
Example (2)
P = h*.τ.a.0 + τ.a.0 + k*.τ.b.0 + τ.b.0 (h,k: high; a,b: low)
– without high interactions: P\ATypeH = τ.a.0 + τ.b.0
– after a high interaction with action h: the derivative τ.a.0 is ≈_B a.0
– after a high interaction with action k: the derivative τ.b.0 is ≈_B b.0
Slide 45
Inclusion relations
scomp ⊂ comp ⊂ int (nested sets in the diagram)
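An explicit-state model of the nondeterministic calculus and of the three properties int, comp and scomp, added here as an example (not code from the talk or its authors). It assumes finite LTSs written as Python dicts, encodes the output/input/internal actions of slides 18 and 26 as strings, implements weak bisimulation as the usual greatest fixpoint, and runs the checks on the sample terms of slides 34 to 44. The comp check is for one given high user only, since the property quantifies over all of them.

```python
"""Added example (not from the talk): an explicit-state model of the slides'
nondeterministic calculus. A process is an LTS {state: [(action, next), ...]};
'a' is the output of type a, 'a*' the input of type a, TAU the internal action.
Restriction, hiding, the asymmetric synchronization, weak bisimulation and the
int / comp / scomp checks follow the slides; the sample terms are theirs."""
from itertools import product

TAU = "tau"

def atype(act):
    """Action type: output 'a' and input 'a*' both have type 'a'."""
    return act.rstrip("*")

def restrict(lts, types):
    """P \\ L: transitions whose type lies in L are dropped."""
    return {s: [(a, t) for a, t in ts if atype(a) not in types] for s, ts in lts.items()}

def hide(lts, types):
    """P / L: transitions whose type lies in L become internal."""
    return {s: [(TAU if atype(a) in types else a, t) for a, t in ts] for s, ts in lts.items()}

def par(l1, l2, sync):
    """P ||_S Q. Types outside S interleave. On a type in S nobody moves alone: an
    output meets an input (result: the output), two inputs meet (result: an input),
    two outputs cannot synchronize."""
    out = {}
    for s1, s2 in product(l1, l2):
        ts = [(a, (t, s2)) for a, t in l1[s1] if atype(a) not in sync]
        ts += [(a, (s1, t)) for a, t in l2[s2] if atype(a) not in sync]
        for (a, t1), (b, t2) in product(l1[s1], l2[s2]):
            ty = atype(a)
            if ty in sync and ty == atype(b) and (a, b) != (ty, ty):
                ts.append((ty if ty in (a, b) else a, (t1, t2)))
        out[(s1, s2)] = ts
    return out

def reach(lts, s, only_tau=False):
    """Derivatives of s: via any transitions, or via internal ones only (tau*)."""
    seen, todo = {s}, [s]
    while todo:
        for a, t in lts[todo.pop()]:
            if (a == TAU or not only_tau) and t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def weak_step(lts, s, a):
    """P ==a==> P': tau* a tau* (just tau* when a is TAU)."""
    pre = reach(lts, s, True)
    if a == TAU:
        return pre
    return {y for x in pre for b, t in lts[x] if b == a for y in reach(lts, t, True)}

def weak_bisim(l1, s1, l2, s2):
    """Milner's weak bisimulation equivalence: the greatest fixpoint over pairs
    of states of the disjoint union of the two LTSs (states tagged 1 / 2)."""
    lts = {(1, s): [(a, (1, t)) for a, t in ts] for s, ts in l1.items()}
    lts.update({(2, s): [(a, (2, t)) for a, t in ts] for s, ts in l2.items()})
    rel, changed = set(product(lts, repeat=2)), True
    while changed:
        changed = False
        for p, q in list(rel):
            # every strong step of one side must be matched by a weak step of the other
            matched = (all(any((t, u) in rel for u in weak_step(lts, q, a)) for a, t in lts[p])
                       and all(any((t, u) in rel for t in weak_step(lts, p, a)) for a, u in lts[q]))
            if not matched:
                rel.discard((p, q))
                changed = True
    return ((1, s1), (2, s2)) in rel

def int_secure(lts, s, high):
    """int: P \\ ATypeH ~B P / ATypeH."""
    return weak_bisim(restrict(lts, high), s, hide(lts, high), s)

def comp_secure_against(lts, s, user, u0, sync, high):
    """comp for ONE high user U with interface S: ((P ||_S U) / S) \\ ATypeH ~B P \\ ATypeH.
    The property itself quantifies over every high user and interface."""
    composed = restrict(hide(par(lts, user, sync), sync), high)
    return weak_bisim(composed, (s, u0), restrict(lts, high), s)

def scomp_secure(lts, s, high):
    """scomp: P1 \\ ATypeH ~B P2 \\ ATypeH for every derivative P1 and high step P1 --h--> P2."""
    r = restrict(lts, high)
    return all(weak_bisim(r, p1, r, p2)
               for p1 in reach(lts, s) for a, p2 in lts[p1] if atype(a) in high)

HIGH = {"h"}
# Sample terms from the slides, state 0 initial (constructed encodings).
NNI_FAILS = {0: [("h", 1), ("a", 3)], 1: [("b", 2)], 2: [("a", 3)], 3: []}  # h.b.a.0 + a.0
ALL_OK = {0: [("h", 1), ("a", 2)], 1: [("a", 2)], 2: []}                    # h.a.0 + a.0
NDC_FAILS = {0: [("h", 1), ("a", 3)], 1: [("h", 2)], 2: [("a", 3)], 3: []}  # h.h.a.0 + a.0
SNDC_FAILS = {0: [("h", 1), (TAU, 1), ("b", 2)], 1: [("a", 2)], 2: []}      # h.a.0 + tau.a.0 + b.0
H_ONCE = {0: [("h*", 1)], 1: []}                                             # the high user h*.0
```

Running `int_secure`, `comp_secure_against(..., H_ONCE, 0, {"h"}, HIGH)` and `scomp_secure` on the four terms reproduces the slides: only h.b.a.0 + a.0 fails int, h.h.a.0 + a.0 passes int but fails comp against h*.0, and h.a.0 + τ.a.0 + b.0 passes comp against h*.0 but fails scomp.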
Slide 47
A probabilistic process algebra
The algebraic operators are enriched with probabilistic information: a mixture of the classical generative and reactive models of probability is adopted.
P ::= 0 | α.P | P +_p P | P ||^p_S P | P/^a_p | A
where S ∈ P(AType – {τ}), a ∈ AType – {τ}, and p ∈ ]0,1[.
Slide 48
Input actions as reactive actions
1. The type a of the action to be performed is chosen by the environment.
2. The system chooses an action a* according to the probability distribution associated to the input actions of type a.
[Figure: a state with reactive transitions a*, b*, b*, grouped by type]
• Transitions are divided into type bundles
• The choice within a bundle is purely probabilistic
• The choice among bundles is nondeterministic (guided by the environment)
• The sum of the probabilities within a bundle is to be 1
Slide 49
Output (and internal) actions as generative actions
The system autonomously decides the action to be performed according to the probability distribution associated to the enabled output actions.
[Figure: a state with generative transitions a, b, b]
• Transitions are grouped in a single bundle
• The sum of the probabilities within the bundle is to be 1
Slide 50
A mixed generative/reactive model
A single generative bundle contains all the output transitions which can be executed by the system. We have several reactive bundles, one for each action type.
[Figure: a state with the generative bundle {a, b, b}, the reactive bundle of type b {b*, b*} and a reactive transition c*]
[Segala’95, Stark et al.’97]
Slide 51
Probabilistic choice
– a +_p b expresses a probabilistic choice between two output actions: a is chosen with probability p while b is chosen with probability 1-p.
– a* +_p a*: the same!
– a* +_p b* and a +_p b*: the choice is nondeterministic: p is not considered (usually we omit it).
Slide 52
Example: mixed choice
(a +_p b*) +_q (c +_r b*)
[Figure: the reactive bundle of type b: b* with q and b* with 1-q; the generative bundle: a with q and c with 1-q]
Parameters p and r are not used because they are attached to operators which refer to nondeterministic choices; parameter q guides the probabilistic choice between the two generative actions a and c and between the two reactive actions of type b.
Slide 53
Probabilistic parallel composition
P ||^p_S Q performs the actions of P and Q by following:
1. the synchronization policy described in the nondeterministic case,
2. the probabilistic mechanism described for the choice operator, as in ACP [Baeten et al.’95].
Note: the probabilities of the actions which can be executed by the composed system are normalized [van Glabbeek et al.’95].
Slide 54
Probabilistic parallel composition
(a +_q b) ||^p_S c
• if a,b,c are not in S, then the system can execute the output action a with probability pq, the action b with probability p(1-q), or the action c with probability 1-p.
• if a and b are not in S and c is in S, then the system can execute output actions of the lefthand process only, i.e. a with probability q or b with probability 1-q.
• if a and c are not in S and b is in S, then the system can execute the action a of the lefthand process with probability p or the action c of the righthand process with probability 1-p.
Slide 55
Probabilistic parallel composition
(a +_q b) ||^p_L 0
• All the actions of the lefthand process which belong to the synchronization set L cannot be executed! Parameter p is not used.
• The probabilities of the remaining executable actions are redistributed so that the overall probability of each bundle is still 1.
• Example: if a is in L, then the system can execute the action b only, with probability 1.
We use P\L to stand for P ||^p_L 0, for any p.
Slide 56
Probabilistic hiding
Case 1
P = a +_q b (probabilistic choice between two visible actions)
P/^a_p = τ +_q b (probabilistic choice between an internal action and a visible action)
The choice is already probabilistic, therefore parameter p of the hiding operator is not considered!
Slide 57
Probabilistic hiding
Case 2
P = a* +_q b (nondeterministic choice between two visible actions – parameter q is not considered)
P/^a_p = τ +_p b (probabilistic choice between an internal action and a visible action)
A nondeterministic choice becomes a probabilistic choice: parameter p of the hiding operator is needed!
Slide 58
Probabilistic hiding
P/^a_p: parameter p is used to turn nondeterministic choices between reactive actions of type a and generative actions into probabilistic choices between internal actions and generative actions. This corresponds to the execution of a synchronization between a* and an action a performed by the environment, which gives rise to an internal action τ. In this way, the hiding operator turns open systems, which can interact with the environment, into closed systems, which are fully specified.
Slide 59
Equivalence
We introduce a notion of probabilistic weak bisimulation. The classical weak transition is replaced by the probability of reaching classes of equivalent states.
Note:
– G denotes the set of processes of the calculus
– τ*a denotes the set of sequences τ*a if a is a generative visible action and the set of sequences τ* if a = τ
– GAct denotes the set of generative actions
– RAct denotes the set of reactive actions
Slide 60
Probabilistic weak bisimulation:
A relation R ⊆ G × G is a probabilistic weak bisimulation iff whenever (P,Q) ∈ R then for all C ∈ G/R:
• Prob(P, τ*a, C) = Prob(Q, τ*a, C) for all a ∈ GAct
• Prob(P, a*, C) = Prob(Q, a*, C) for all a* ∈ RAct
≈_PB denotes probabilistic weak bisimulation equivalence. [Baier & Hermanns’97]
Slide 61
≈_PB: an example
[Figure: two transition systems, one with transitions a, 1/2 and b, 1/2, the other with transitions a, 1/3 and b, 1/3]
The two systems are equivalent.
Slide 63
Security analysis and probability
We extend the definition of the nondeterministic security properties in our probabilistic setting.
NOTE: we consider probabilistic processes which are well defined, i.e. the probability of observing, at some point in the future, a visible action cannot tend to zero.
Slide 64
Probabilistic Non-interference (intpr)
Intuition: a system P is secure iff the probabilistic low view of P is not altered by the probabilistic behavior of the high users.
Formally (denoting h1…hP the high level action types which syntactically occur within P):
P\ATypeH ≈_PB P /^{h1}_{p1} … /^{hP}_{pP}
for any sequence of probabilities p1…pP in ]0,1[
Slide 65
An Example
P = τ.(τ.a + h.b) + b (a,b: low; h: high), every choice with probability .5
[Figure: the transition diagrams of P after hiding the high events and after restricting the high events, with .5/.5 branches, compared under ≈_B and under ≈_PB]
Slide 66
Probabilistic Non-interference
In P\ATypeH ≈_PB P /^{h1}_{p1} … /^{hP}_{pP} for any p1…pP in ]0,1[, the universal quantification over all possible probability distributions of the hidden reactive high actions is needed to verify the influence of the high activities upon the low view.
EXAMPLE: P = h*.a + (τ.a +_q b)
In the probabilistic setting, the nondeterministic choice can be probabilistically resolved by the high user which interacts with the system, thus altering the probability of observing the low event a (b).
P/^h_p ≈_PB τ.a +_p (τ.a +_q b), for any choice of p in ]0,1[
The nondeterministic process P is int-secure.
Slide 67
Probabilistic Non-interference
EXAMPLE: P = h*.a + a
P/^h_p ≈_PB τ.a +_p a ≈_PB a, for any choice of p in ]0,1[
The low view of P is represented by the execution of the low action a with probability 1. The high user which solves the nondeterministic choice in P cannot alter such a view.
Slide 68
Probabilistic Non-interference
EXAMPLE: P = (a +_p a.b) +_q a.h.b
[Figure: the generative bundle of P: a with probability pq, a with probability (1-p)q followed by b with probability 1, and a with probability 1-q followed by h with probability 1 and then b with probability 1]
The nondeterministic version of P is int-secure.
If the high user interacts, then the probability of observing the sequence a.b is 1-pq.
If the high user does not interact, then the probability of observing the sequence a.b is (1-p)q.
P is not intpr-secure!
Slide 69
Probabilistic Non-interference
A pure probabilistic covert channel [Sabelfeld & Sands’00]
low variable l := high variable h OR random value
High values and random values belong to the same domain.
In a nondeterministic setting, since the choice between the two different assignments is left underspecified and since the set of low outputs does not change with or without high interactions, the system is considered to be secure.
In a probabilistic setting, if we observe the frequency of the possible low outcomes of the low level variable, then we may infer the high behavior.
EXAMPLE: l := h +_{.7} random value (and we assume h=1) may give rise, after repeated executions of the system, to the sequence of outcomes: 0,1,1,1,3,1,2,1,1,1,1,4,0,1,1,1,3,1,1,1
Slide 70
Probabilistic Non-interference
Similarly, in our process algebraic setting we may consider the following system:
P = (a +_p b) +_r h.(a +_q b)
If the high user interacts, then the probabilistic choice between the low actions a and b is guided by parameter q. If the high user does not interact, then the probabilistic choice between the low actions a and b is guided by parameter p. The system is int-secure iff p = q.
NOTE: the nondeterministic version of process P is S-secure (with S in {int,comp,scomp}).
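The low-level trace distributions behind the last two examples (slides 68 and 70), computed by an added example that is not code from the talk. It assumes fully generative terms (outputs and τ only, so the hiding parameter plays no role), represents terms as nested prefix/choice tuples, renormalizes the bundle after restriction as slide 55 prescribes, and compares the distributions over maximal low traces of P\ATypeH and P/ATypeH. Equal distributions are only a necessary condition for intpr (≈_PB implies them), which is enough to reproduce the slides' verdicts.

```python
"""Added example (not from the talk): low-level trace distributions of fully
generative terms of the slides' probabilistic calculus under restriction
(P \\ ATypeH, probabilities renormalized) and hiding (P / ATypeH)."""
from collections import defaultdict
from math import isclose

TAU = "tau"
NIL = None                       # the null term 0

def pre(action, cont=NIL):
    """Prefix action.P."""
    return ("pre", action, cont)

def choice(p, left, right):
    """Probabilistic choice left +_p right: left with p, right with 1-p."""
    return ("choice", p, left, right)

def bundle(proc):
    """The generative bundle of a term as [(probability, action, continuation)],
    flattening nested sums (the single generative bundle of slide 50)."""
    if proc is NIL:
        return []
    if proc[0] == "pre":
        return [(1.0, proc[1], proc[2])]
    _, p, left, right = proc
    return ([(p * w, a, c) for w, a, c in bundle(left)]
            + [((1 - p) * w, a, c) for w, a, c in bundle(right)])

def low_view(proc, high, mode):
    """Distribution over maximal traces of low actions (internal steps are not
    observed) of P \\ ATypeH (mode 'restrict') or P / ATypeH (mode 'hide')."""
    if mode == "restrict":
        b = [(w, a, c) for w, a, c in bundle(proc) if a not in high]
    else:
        b = [(w, TAU if a in high else a, c) for w, a, c in bundle(proc)]
    total = sum(w for w, _, _ in b)
    if total == 0:               # the term is 0, or everything was restricted away
        return {(): 1.0}
    dist = defaultdict(float)
    for w, a, c in b:            # w / total: the bundle is renormalized to 1
        for trace, pr in low_view(c, high, mode).items():
            dist[trace if a == TAU else (a,) + trace] += w / total * pr
    return dict(dist)

def same_low_view(proc, high):
    """True iff restriction and hiding give the same probability to every trace
    (necessary for intpr-security; it is not the full probabilistic bisimulation)."""
    r, h = low_view(proc, high, "restrict"), low_view(proc, high, "hide")
    return r.keys() == h.keys() and all(isclose(r[t], h[t]) for t in r)

HIGH = {"h"}

def slide68(p, q):
    """P = (a +_p a.b) +_q a.h.b"""
    return choice(q, choice(p, pre("a"), pre("a", pre("b"))), pre("a", pre("h", pre("b"))))

def slide70(p, q, r):
    """P = (a +_p b) +_r h.(a +_q b)"""
    return choice(r, choice(p, pre("a"), pre("b")), pre("h", choice(q, pre("a"), pre("b"))))

if __name__ == "__main__":
    for mode in ("restrict", "hide"):
        print("slide 68", mode, low_view(slide68(0.3, 0.6), HIGH, mode))
    print("slide 70, p = q:", same_low_view(slide70(0.3, 0.3, 0.5), HIGH))
    print("slide 70, p != q:", same_low_view(slide70(0.3, 0.6, 0.5), HIGH))
```

With p = 0.3 and q = 0.6 the trace a.b gets probability (1-p)q = 0.42 under restriction and 1-pq = 0.82 under hiding, the two values stated on slide 68; for slide 70 the two views agree exactly when p = q.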
Slide 71
Probabilistic Non-deducibility on Composition (comppr)
P\ATypeH ≈_PB ((P ||^p_{h1,…,hk} Π) /^{h1}_{p1} … /^{hk}_{pk}) \ ATypeH
for any high user Π, high communication interface {h1,…,hk}, and probabilities p,p1,…,pk in ]0,1[
Slide 72
comppr: example
P = (τ.(a +_p h) +_p τ.(a +_p τ)) + k.a (h,k: high level types – a: low level type)
• P is intpr-secure
• Intuitively, the high user can:
1. block the execution of the action k
2. wait for the internal probabilistic choice
3. accept (block) the execution of the action h
• Formally, by taking the high user Π = h*.0 and the synchronization set {h,k}, it turns out that P is not comppr-secure
73
Strong comppr (scomppr)
As in the nondeterministic case, a stronger formulation of the comppr property is given in order to avoid the universal quantification over all possible high level users.
For any P1 derivative of P and for any P2 s.t. P1 --(action in ATypeH, probability p)--> P2, with p in ]0,1], we have
P1 with ATypeH hidden  ≈PB  P2 with ATypeH hidden
74
Inclusion Relations
[Nested diagram] scomppr ⊂ comppr ⊂ intpr
75
Inclusion Relations
Given a nondeterministic security property SP and its probabilistic counterpart SPpr then we have
SPpr ⊂ SP
meaning that if P is SPpr-secure, then the nondeterministic version of P is SP-secure.
76
Inclusion Relations
[Nested diagram] scomppr ⊂ comppr ⊂ intpr, drawn inside the nondeterministic classes scomp, comp, int, with the example processes P and Q placed in the diagram
77
Outline
Information flow analysis
A nondeterministic calculus
Non-interference for nondeterministic processes
A probabilistic calculus
Non-interference for probabilistic processes
Non-interference and probabilities
78
Probability & Non-interference
[Diagram: process P with high level activity h and low level activities a, b]
Information flow from H to L… quite negligible!
79
Probability & Non-interference
Probabilistic information can be employed to quantify the probability associated with each information flow, thus allowing the modeler to estimate the probability of observing insecure behaviors.
Weak bisimulation is too sensitive: it does not allow us to relate probabilistic processes that behave almost the same.
Relaxed notions of security properties may allow us to consider as secure those systems where the probability of observing an information flow is negligible.
80
Bisimulation with ε-precision (≈PB)
We pass to a relaxed definition of bisimulation which is able to tolerate small ε-fluctuations.
A relation R in G x G is a probabilistic weak bisimulation with ε-precision iff whenever (P,Q) is in R then for all C in G/R:
• |Prob(P,τ*a,C) - Prob(Q,τ*a,C)| < ε for all a in GAct
• |Prob(P,a*,C) - Prob(Q,a*,C)| < ε for all a* in RAct
81
≈PB (ε-precision): example
As we have seen, the system
P = (a +_p a.b) +_q a.h.b
is not intpr-secure.
However, if q is a value close to 0, then the low level outcome of repeated executions of the system changes according to negligible fluctuations with or without the interaction of the high user.
Formally, P is intpr-secure if we employ ≈PB with ε-precision as the notion of equivalence.
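As an added example (not from the slides or the authors' tool support), the following Python computes the two low level views of the slide 70 and slide 81 processes as exact distributions over low traces: "restrict" models the absent high user, "hide" the always-cooperating one, and comparing the views exactly or up to ε is a trace level analogue of the intpr and ε-precision checks (an assumption of this example; the properties on the slides are defined through ≈PB). It also assumes that left +_p right picks left with probability p and that q in the slide 81 process is the weight of the a.h.b branch, as the slide's remark about q close to 0 indicates.

```python
# Added example: low level views of small generative processes, compared exactly and up to eps.
from fractions import Fraction as F
from collections import defaultdict

NIL = ()            # the terminated process 0
HIGH = {'h'}        # high level action types (assumption of this example)

def prefix(act, cont=NIL):          # act.cont
    return ((F(1), act, cont),)

def choice(p, left, right):         # left +_p right: left with probability p, right with 1-p
    return (tuple((p * w, a, c) for w, a, c in left)
            + tuple(((1 - p) * w, a, c) for w, a, c in right))

def low_traces(proc, mode, trace=(), weight=F(1), dist=None):
    """Distribution over low traces. mode='restrict': high branches are cut and the
    remaining mass renormalised (no high user). mode='hide': high actions become
    internal and unobserved (a high user that always cooperates)."""
    dist = defaultdict(F) if dist is None else dist
    branches = [b for b in proc if mode == 'hide' or b[1] not in HIGH]
    total = sum(w for w, _, _ in branches)
    if total == 0:                  # terminated or deadlocked: the trace stops here
        dist[trace] += weight
        return dist
    for w, act, cont in branches:
        seen = trace if act in HIGH else trace + (act,)
        low_traces(cont, mode, seen, weight * w / total, dist)
    return dist

def max_deviation(proc):
    """Largest gap between the two low views over all low traces."""
    r, h = low_traces(proc, 'restrict'), low_traces(proc, 'hide')
    return max(abs(r[t] - h[t]) for t in set(r) | set(h))

def intpr_secure(proc):             # exact agreement of the two views
    return max_deviation(proc) == 0

def eps_secure(proc, eps):          # agreement up to eps (trace analogue of eps-precision)
    return max_deviation(proc) < eps

# slide 70: P = (a +_p b) +_r h.(a +_q b); the views agree iff p == q
def slide70(p, q, r):
    return choice(r, choice(p, prefix('a'), prefix('b')),
                  prefix('h', choice(q, prefix('a'), prefix('b'))))

# slide 81: (a +_p a.b) with the a.h.b branch taken with probability q; deviation is q
def slide81(p, q):
    return choice(1 - q, choice(p, prefix('a'), prefix('a', prefix('b'))),
                  prefix('a', prefix('h', prefix('b'))))
```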
82
≈PB (ε-precision): example (2)
P = h.a +_p τ.(b +_q h.b)
[Transition diagram: from P, h with probability p leads to the insecure component, which then performs a with probability 1; τ with probability 1-p leads to the secure component Q = b +_q h.b, where b fires with probability 1-q, h with probability q, and h is followed by b with probability 1]
83
≈PB (ε-precision): example (2)
P = h.a +_p τ.(b +_q h.b)
The probability of reaching the secure component Q is 1-p.
The probability of reaching the insecure component is p.
Given p, we have: P with ATypeH hidden  ≈PB  P composed on h with a high user parameterised by r, for any r in ]0,1[.
In particular: [diagram residue: transition labels τ, p; τ, 1-p; a, 1; ≈PB, 1; and Q ≈PB Q for any Q]
84
Quantifying information flows
Systems which need an estimation of the illegal information flows: PROBABILISTIC ALGORITHMS.
Among the possible behaviors of the algorithm we also have an unwanted, insecure behavior which usually is executed with a probability close to 0.
EXAMPLES:
• probabilistic non-repudiation
• asynchronous Byzantine agreement
85
Conclusion
1. The process algebraic approach to probabilistic non-interference is a natural, conservative extension of the nondeterministic non-interference theory.
2. Probabilistic information can be employed to quantify information flow.
86
Conclusion
Future work
Analysis of probabilistic cryptographic protocols:
• generalized, easily verifiable notion of security
Extension of the calculus with message handling and cryptography:
• relaxation of the assumption of perfect cryptography
87
References
1. A. Aldini, M. Bravetti, "An Asynchronous Calculus for Generative-Reactive Probabilistic Systems", in Proc. of the 8th Int. Workshop on Process Algebra and Performance Modeling (PAPM'00), Rolim et al. Ed., pp. 591-605, Carleton Scientific, Geneve, 2000.
2. A. Aldini, "Probabilistic Information Flow in a Process Algebra", in Proc. of the 12th Int. Conference on Concurrency Theory (CONCUR'01), Springer LNCS 2154, pp. 152-168, Aalborg, 2001.
3. A. Aldini, "On the Extension of Non-interference with Probabilities", in the 2nd ACM SIGPLAN and IFIP WG 1.7 Workshop on Issues in the Theory of Security (WITS'02), Portland, Oregon, 2002.
4. A. Aldini, R. Gorrieri, "Security Analysis of a Probabilistic Non-repudiation Protocol", in Proc. of the 2nd Joint Int. Workshop on Process Algebra and Performance Modelling, Probabilistic Methods in Verification (PAPM-PROBMIV'02), Springer LNCS 2399, pp. 17-36, Copenhagen, 2002.
5. A. Aldini, M. Bravetti, R. Gorrieri, "A Process Algebraic Approach for the Analysis of Probabilistic Non-interference", Tech. Rep. UBLCS-2002-02, University of Bologna (Italy), 2002.
88
Thank you!
http://www.cs.unibo.it/~aldini ~bravetti ~gorrieri
{aldini,bravetti,gorrieri}@cs.unibo.it