No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Formalizing Probabilistic Noninterference
Abstract
We present an Isabelle formalization of probabilistic noninterference for a multi-threaded language with uniform scheduling. Unlike in previous settings from the literature, here probabilistic behavior comes from both the scheduler and the individual threads, making the language more realistic and the mathematics more challenging. We study resumption-based and trace-based notions of probabilistic noninterference and their relationship, and also discuss compositionality w.r.t. the language constructs and type-system-like syntactic criteria. The formalization uses recent development in the Isabelle probability theory library.
... Our theory currently addresses mostly structural aspects of terms. A next step would be to cover behavioral aspects, such as binding-aware proof rules associated to SOS formats, perhaps building on existing Isabelle formalizations of process algebras and programming languages (e.g., [12,66,72,90,93,94]). ...
We present the formalization of a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory contains a rich collection of properties of the standard operators on terms, including substitution, swapping and freshness—namely, there are lemmas showing how each of the operators interacts with all the others and with the syntactic constructors. The theory also features induction and recursion principles and support for semantic interpretation, all tailored for smooth interaction with the bindings and the standard operators.
... Future Generalizations and Integrations Our theory currently addresses mostly structural aspects of terms. A next step would be to cover behavioral aspects, such as formats for SOS rules and their interplay with binders, perhaps building on existing Isabelle formalizations of process algebras and programming languages (e.g., [5,32,38,47,50,51]). ...
We present the formalization of a theory of syntax with bindings that has been developed and refined over the last decade to support several large formalization efforts. Terms are defined for an arbitrary number of constructors of varying numbers of inputs, quotiented to alpha-equivalence and sorted according to a binding signature. The theory includes a rich collection of properties of the standard operators on terms, such as substitution and freshness. It also includes induction and recursion principles and support for semantic interpretation, all tailored for smooth interaction with the bindings and the standard operators.
... The theories in the AFP [32] were ported to our new formalization. Popescu et al. [47] use the work presented in this paper to model programs with probabilistic choice and parallel composition as infinite-state Markov chains. The Giry monad was introduced by Eberl et al. [16], the type of probability mass functions was introduced by Hölzl et al. [30]. ...
This paper presents an extensive formalization of Markov chains (MCs) and Markov decision processes (MDPs), with discrete time and (possibly infinite) discrete state-spaces. The formalization takes a coalgebraic view on the transition systems representing MCs and constructs their trace spaces. On these trace spaces properties like fairness, reachability, and stationary distributions are formalized. Similar to MCs, MDPs are represented as transition systems with a construction for trace spaces. These trace spaces provide maximal and minimal expectation over all possible non-deterministic decisions. As applications we provide a certifier for finite reachability problems and we relate the denotational semantics and operational semantics of the probabilistic guarded command language. A distinctive feature of our formalization is the order-theoretic and coalgebraic view on our concepts: we view transition systems as coalgebras, we view traces as coinductive streams, we provide iterative computation rules for expectations, and we define many properties on traces as least or greatest fixed points.
... This paper describes the positive outcome of this investigation, yielding a proposal for a "canonical" route for designing security type systems: Endto-end security ⇒ Anytime security ⇒ Type system. (More technical presentations of these ideas can be found in [8,9] for possibilistic and in [10] for probabilistic security. ) We restrict our attention to a concurrent imperative language with a nondeterministic (possibilistic) semantics ( §2). ...
We present a uniform, top-down design method for security type systems
applied to a parallel while-language. The method takes the following
route: from a notion of end-to-end security via a collection
of stronger notions of anytime security targeting
compositionality to a matching collection of type-system-like
syntactic criteria. This method has emerged by distilling and unifying
security type system results from the literature while formalizing
them in a proof assistant. Unlike in our previous papers on this
topic, here we focus entirely on high-level ideas instead of technical
proof details.
We describe Bounded-Deducibility (BD) security, an expressive framework for the specification and verification of information-flow security. The framework grew by confronting concrete challenges of specifying and verifying fine-grained confidentiality properties in some realistic web-based systems. The concepts and theorems that constitute this framework have an eventful history of such "confrontations", often involving trial and error, which are reported in previous papers. This paper is the first to focus on the framework itself rather than the case studies, gathering in one place all the abstract results about BD security.
We present two new results in machine-checked formalizations of programming languages. (1) Probabilistic Noninterference is a central notion in software security analysis. We present the first Isabelle formalization of low-security observational determinism (“LSOD”), together with a proof that LSOD implies probabilistic noninterference. The formalization of LSOD uses a flow-sensitive definition of low-equivalent traces, which drastically improves precision. (2) We present the first full and machine-checked proof that Launchbury’s well-known semantics of the lazy lambda calculus is correct as well as adequate. The proof catches a bug in Launchbury’s original proof, which was open for many years.
We present a new algorithm, together with a full soundness proof, which guarantees probabilistic noninterference (PN) for concurrent programs. The algorithm follows the “low-deterministic security” (LSOD) approach, but for the first time allows general low-nondeterminism as long as PN is not violated.
The algorithm is based on the earlier observation by Giffhorn and Snelting that low-nondeterminism is secure as long as it is not influenced by high events [ International Journal of Information Security 14 ( 2015 ) 263–287]. It uses a new system of classification flow equations in multi-threaded programs, together with inter-thread/interprocedural dominators. Compared to LSOD, precision is boosted and false alarms are minimized. We explain details of the new algorithm and its soundness proof.
The algorithm is integrated into the JOANA software security tool, and can handle full Java with arbitrary threads. We apply JOANA to a multi-threaded e-voting system, and show how the algorithm eliminates false alarms. We thus demonstrate that low-deterministic security is a highly precise and practically mature software security analysis method.
Low-security observable determinism (LSOD), as introduced by Roscoe and Zdancewic [18, 24], is the simplest criterion which guarantees probabilistic noninterference for concurrent programs. But LSOD prohibits any, even secure low-nondeterminism. Giffhorn developed an improvement, named RLSOD, which allows some secure low-nondeterminism, and can handle full Java with high precision [5].
In this paper, we describe a new generalization of RLSOD. By applying aggressive program analysis, in particular dominators for multi-threaded programs, precision can be boosted and false alarms minimized. We explain details of the new algorithm, and provide a soundness proof. The improved RLSOD is integrated into the JOANA tool; a case study is described. We thus demonstrate that low-deterministic security is a highly precise and practically mature software security analysis method.
We develop a framework for expressing and analyzing the behavior of probabilistic schedulers. There, we define noninterfering schedulers by a probabilistic interpretation of Goguen and Meseguer’s seminal notion of noninterference. Noninterfering schedulers are proved to be safe in the following sense: if a multi-threaded program is possibilistically noninterfering, then it is also probabilistically noninterfering when run under this scheduler.
We perform a formal analysis of compositionality techniques for prov-ing possibilistic noninterference for a while language with parallel composition. We develop a uniform framework where we express a wide range of noninter-ference variants from the literature and compare them w.r.t. their contracts: the strength of the security properties they ensure weighed against the harshness of the syntactic conditions they enforce. This results in a simple implementable al-gorithm for proving that a program has a specific noninterference property, using only compositionality, which captures uniformly several security type-system re-sults from the literature and suggests a further improved type system. All formal-ism and theorems have been mechanically verified in Isabelle/HOL.
Probabilistic model checkers like PRISM check the satisfiability of probabilistic CTL (pCTL) formulas against discrete-time Markov chains. We prove soundness and completeness of their underlying algorithm in Isabelle/HOL. We define Markov chains given by a transition matrix and formalize the corresponding probability measure on sets of paths. The formalization of pCTL formulas includes unbounded cumulated rewards.
Building on our published mechanisation of the probabilistic program logic pGCL we present a verified lattice scheduler, a standard covert-channel mitigation technique, employing randomisation as an elegant means of ensuring starvation-freeness. We show that this scheduler enforces probabilistic non-leakage, in addition to non-starvation. The refinement framework employed is compatible with that used in the L4.verified project, supporting our argument that full-scale verification of probabilistic security properties for realistic systems software is feasible.
This paper presents a formalisation of pGCL in Isabelle/HOL. Using a shallow
embedding, we demonstrate close integration with existing automation support.
We demonstrate the facility with which the model can be extended to incorporate
existing results, including those of the L4.verified project. We motivate the
applicability of the formalism to the mechanical verification of probabilistic
security properties, including the effectiveness of side-channel
countermeasures in real systems.
Locales are a means to define local scopes for the interactive proving process of the theorem prover Isabelle. They delimit
a range in which fixed assumption are made, and theorems are proved that depend on these assumptions. A locale may also contain
constants defined locally and associated with pretty printing syntax.
Locales can be seen as a simple form of modules. They are similar to sections as in AUTOMATH or Coq. Locales are used to enhance
abstract reasoning and similar applications of theorem provers. This paper motivates the concept of locales by examples from
abstract algebraic reasoning. It also discusses some implementation issues.
The probabilistic guarded-command language (pGCL) contains both demonic and probabilistic non-determinism, which makes it suitable for reasoning about distributed random algorithms. Proofs are based on weakest precondition semantics, using an underlying logic of real- (rather than Boolean-)valued functions.We present a mechanization of the quantitative logic for pGCL using the HOL theorem prover, including a proof that all pGCL commands satisfy the new condition sublinearity, the quantitative generalization of conjunctivity for standard GCL.The mechanized theory also supports the creation of an automatic proof tool which takes as input an annotated pGCL program and its partial correctness specification, and derives from that a sufficient set of verification conditions. This is employed to verify the partial correctness of the probabilistic voting stage in Rabin's mutual-exclusion algorithm.
Computational Indistinguishability Logic (CIL) is a logic for reasoning about cryptographic primitives in computational models. It captures reasoning patterns that are common in provable security, such as simulations and reductions. CIL is sound for the standard model, but also supports reasoning in the random oracle and other idealized models. We illustrate the benefits of CIL by formally proving the security of the probabilistic signature scheme (PSS).
We summarise a verification method for probabilistic systems that is based on abstraction and refinement, and extends traditional assertional styles of verification.The approach makes extensive use of the expectation transformers of pGCL [17, 16, 13], a compact probabilistic programming language with an associated logic of real-valued functions. Analysis of large systems is made tractable by abstraction which, together with algebraic and logical reasoning, results in strong and general guarantees about probabilistic-system properties.Although our examples are specific (to pGCL ), our overall goal in this note is to advocate the hierarchical development of probabilistic programs via levels of abstraction, connected by refinement, and to illustrate the proof obligations incurred by such an approach.
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of developing techniques that help tame the complexity of their proofs. Game-based techniques provide a popular approach in which proofs are structured as sequences of games and in which proof steps establish the validity of transitions between successive games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify proof steps. While code-based techniques contribute to formalize the security statements precisely and to carry out proofs systematically, typical proofs are so long and involved that formal verification is necessary to achieve a high degree of confidence. We present Certicrypt, a framework that enables the machine-checked construction and verification of code-based proofs. Certicrypt is built upon the general-purpose proof assistant Coq, and draws on many areas, including probability, complexity, algebra, and semantics of programming languages. Certicrypt provides certified tools to reason about the equivalence of probabilistic programs, including a relational Hoare logic, a theory of observational equivalence, verified program transformations, and game-based techniques such as reasoning about failure events. The usefulness of Certicrypt is demonstrated through various examples, including a proof of semantic security of OAEP (with a bound that improves upon existing published results), and a proof of existential unforgeability of FDH signatures. Our work provides a first yet significant step towards Halevi's ambitious programme of providing tool support for cryptographic proofs.
permissive type system that allows the running times of threads to depend on the values of H variables, provided that these timing variations cannot affect the values of L variables. The type system gives each command a type of the form τ1 cmd τ2; this type says that the command assigns only to variables of level τ1 (or higher) and has running time that depends only on variables of level τ2 (or lower). Also it uses types of the form τ cmd n for commands that terminate in exactly n steps. With these typings, timing leaks can be prevented by demanding that no assignment to an L variable may sequentially follow a command whose running time depends on H variables. We prove that well-typed multi-threaded programs satisfy a property that we call weak probabilistic noninterference; it is based on a notion of weak probabilistic bisimulation for Markov chains, allowing two Markov chains to be regarded as equivalent even when one "runs" more slowly than the other. Finally, we show that the language can safely be extended with a fork command that allows new threads to be spawned.
Non-interference is a high-level security property that guarantees the absence of illicit information leakages through executing programs. More precisely, non-interference for a program assumes a separation between secret inputs and public inputs on the one hand, and secret outputs and public outputs on the other hand, and requires that the value of public outputs does not depend on the value of secret inputs. A common means to enforce non-interference is to use an information flow type system. However, such type systems are inherently imprecise, and reject many secure programs, even for simple programming languages. The purpose of this paper is to investigate logical formulations of noninterference that allow a more precise analysis of programs. It appears that such formulations are often sound and complete, and also amenable to interactive or automated verification techniques, such as theorem-proving or model-checking. We illustrate the applicability of our method in several scenarios, including a simple imperative language, a non-deterministic language, and finally a language with shared mutable data structures.
To be practical, systems for ensuring secure information flow must be as permissive as possible. To this end, the author recently proposed a type system for multi-threaded programs running under a uniform probabilistic scheduler; it allows the running times of threads to depend on the values of H variables, provided that these timing variations cannot affect the values of L variables. But these timing variations preclude a proof of the soundness of the type system using the framework of probabilistic bisimulation, because probabilistic bisimulation is too strict regarding time. To address this difficulty, this paper proposes a notion of weak probabilistic bisimulation for Markov chains, allowing two Markov chains to be regarded as equivalent even when one "runs" more slowly that the other. The paper applies weak probabilistic bisimulation to prove that the type system guarantees the probabilistic noninterference property. Finally, the paper shows that the language can safely be extended with a fork command that allows new threads to be spawned.
With the variables of a program classified as L (low, public) or H (high, private), we wish to prevent the program front leaking information about H variables into L variables. Given a multi-threaded imperative language with probabilistic scheduling, the goal can be formalized as a property called probabilistic noninterference. Previous work identified a type system sufficient to guarantee probabilistic noninterference, but at the cost of severe restrictions: to prevent tinting leaks, H variables were disallowed from the guards of while loops, Here we present a new type system that gives each command a type of the form τ1 cmd τ2; this type says that the command assigns only to variables of level τ1 (or higher) and has running time that depends only on variables of level τ2 (or lower). Also we use types of the form τ cmd n for commands that terminate in exactly n steps. With these typings, we can prevent timing leaks by demanding that no assignment to an L variable may sequentially follow a command whose running time depends on H variables. As a result, we can use H variables more flexibly; for example, under the new system a thread that involves only H variables is always well typed. The soundness of the type system is proved using the notion of probabilistic bisimulation.
The authors previously give a type system that guarantees that
well-typed multi-threaded programs are possibilistically noninterfering.
If thread scheduling is probabilistic, however, then well-typed programs
may have probabilistic timing channels. They describe how they can be
eliminated without making the type system more restrictive. They show
that well-typed concurrent programs are probabilistically noninterfering
if every total command with a high guard executes atomically. The proof
uses the concept of a probabilistic state of a computation, following
the work of Kozen (1981)
Current standard security practices do not provide substantial assurance that the end-to-end behavior of a computing system satisfies important security policies such as confidentiality. An end-to-end confidentiality policy might assert that secret input data cannot be inferred by an attacker through the attacker's observations of system output; this policy regulates information flow. Conventional security mechanisms such as access control and encryption do not directly address the enforcement of information-flow policies. Recently, a promising new approach has been developed: the use of programming-language techniques for specifying and enforcing information-flow policies. In this paper, we survey the past three decades of research on information-flow security, particularly focusing on work that uses static program analysis to enforce information-flow policies. We give a structured view of recent work in the area and identify some important open challenges.
We present a probability-sensitive confidentiality specification -- a form of probabilistic noninterference -- for a small multi-threaded programming language with dynamic thread creation. Probabilistic covert channels arise from a scheduler which is probabilistic. Since scheduling policy is typically outside the language specification for multithreaded languages, we describe how to generalise the security condition in order to define robust security with respect to a wide class of schedulers, not excluding the possibility of deterministic (e.g., round-robin) schedulers and program-controlled thread priorities. The formulation is based on an adaptation of Larsen and Skou's notion of probabilistic bisimulation. We show how the security condition satisfies compositionality properties which facilitate straightforward proofs of correctness for, e.g., security type systems. We illustrate this by defining a security type system which improves on previous multi-threaded systems, and by provin...
Ensuring secure information flow within programs in the context of multiple sensitivity levels has been widely studied. Especially noteworthy is Denning's work in secure flow analysis and the lattice model [6][7]. Until now, however, the soundness of Denning's analysis has not been established satisfactorily. We formulate Denning's approach as a type system and present a notion of soundness for the system that can be viewed as a form of noninterference. Soundness is established by proving, with respect to a standard programming language semantics, that all well-typed programs have this noninterference property. Keywords: type systems, program security, soundness proofs 1. Introduction The problem of ensuring secure information flow within systems having multiple sensitivity levels has been studied extensively, beginning with the early work of Bell and LaPadula [3]. This was extended by the lattice-model work of Denning [5][6][7] who pioneered program certification, an efficient form...
Previously, we developed a type system to ensure secure information flow in a sequential, imperative programming language [VSI96]. Program variables are classified as either high or low security; intuitively, we wish to prevent information from flowing from high variables to low variables. Here, we extend the analysis to deal with a multithreaded language. We show that the previous type system is insufficient to ensure a desirable security property called noninterference. Noninterference basically means that the final values of low variables are independent of the initial values of high variables. By modifying the sequential type system, we are able to guarantee noninterference for concurrent programs. Crucial to this result, however, is the use of purely nondeterministic thread scheduling. Since implementing such scheduling is problematic, we also show how a more restrictive type system can guarantee noninterference, given a more deterministic (and easily implementable) scheduling policy, such as round-robin time slicing. Finally, we consider the consequences of adding a clock to the language.
In previous work [16], we give a type system that guarantees that well-typed multithreaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then well-typed programs may have probabilistic timing channels. We describe how they can be eliminated without making the type system more restrictive. We show that well-typed concurrent programs are probabilistically noninterfering if every total command with a guard containing high variables executes atomically. The proof uses the notion of a probabilistic state of a computation from Kozen's work in the denotational semantics of probabilistic programs [11]. 1 1 Introduction This work is motivated by applications of mobile code where programs are downloaded, as needed, and executed on a trusted host. Here a host may have sensitive data that downloaded code may need, and we want assurance that they are not leaked by the code. In some cases, the best approach may simply be to forbid any access to the ...
In previous work (Smith and Volpano, Proceedings 25th Symposium on Principles of Programming Languages, San Diego, CA, 1998, pp. 355-364), we give a type system that guarantees that well-typed multi-threaded programs are possibilistically noninterfering. If thread scheduling is probabilistic, however, then well-typed programs may have probabilistic timing channels. We describe how they can be eliminated without making the type system more restrictive. We show that well-typed concurrent programs are probabilistically noninterfering if every total command with a guard containing high variables executes atomically. The proof uses the notion of a probabilistic state of a computation from Kozens work in the denotational semantics of probabilistic programs (Kozen, Journal of Computer and System Sciences 22 (1981), 328-350).^{2}
This is the first edition of the book. The second edition was published in 1976. Theorem 9.53 of the first edition contains an error, which is corrected in the second edition.
As cryptographic proofs have become essentially unverifiable, cryptographers have argued in favor of developing techniques that help tame the complexity of their proofs. Game-based techniques provide a popular approach in which proofs are structured as sequences of games and in which proof steps establish the validity of transitions between successive games. Code-based techniques form an instance of this approach that takes a code-centric view of games, and that relies on programming language theory to justify proof steps. While code-based techniques contribute to formalize the security statements precisely and to carry out proofs systematically, typical proofs are so long and involved that formal verification is necessary to achieve a high degree of confidence. We present Certicrypt, a framework that enables the machine-checked construction and verification of code-based proofs. Certicrypt is built upon the general-purpose proof assistant Coq, and draws on many areas, including probability, complexity, algebra, and semantics of programming languages. Certicrypt provides certified tools to reason about the equivalence of probabilistic programs, including a relational Hoare logic, a theory of observational equivalence, verified program transformations, and game-based techniques such as reasoning about failure events. The usefulness of Certicrypt is demonstrated through various examples, including a proof of semantic security of OAEP (with a bound that improves upon existing published results), and a proof of existential unforgeability of FDH signatures. Our work provides a first yet significant step towards Halevi's ambitious programme of providing tool support for cryptographic proofs.
We propose a language for testing concurrent processes and examine its strength in terms of the processes that are distinguished by a test. By using probabilistic transition systems as the underlying semantic model, we show how a testing algorithm can distinguish, with a probability arbitrarily close to one, between processes that are not bisimulation equivalent. We also show a similar result (in a slightly stronger form) for a new process relation called —which lies strictly between that of simulation and bisimulation. Finally, the ultimately strength of the testing language is shown to identify a new process relation called probabilistic bisimulation—which is strictly stronger than bisimulation.
Information flow type systems provide an elegant means to enforce confidentiality of programs. Using the proof assistant Isabelle/HOL, we have machine-checked a recent work of Boudol and Castellani, which defines an information flow type system for a concurrent language with scheduling, and shows that typable programs are non-interferent. As a benefit of using a proof assistant, we are able to deal with a more general language than the one studied by Boudol and Castellani. The development constitutes to our best knowledge the first machine-checked account of non-interference for a concurrent language.
We investigate the issue of typing confidentiality in a language-based information-flow security approach, aiming at improving
some previously proposed type systems, especially for higher-order languages with mutable state à la ML. We show that the
typing of termination leaks can be largely improved, by particularizing the case where the alternatives in a conditional branching
both terminate. Moreover, we also provide a quite precise way of approximating the confidentiality level of an expression,
that ignores the level of values used for side-effects only.
Bisimulation has been a popular foundation for characteriz- ing the confidentiality properties of concurrent programs. However, be- cause a variety of bisimulation definitions are available in the literature, it is often difficult to pin down the "right" definition for modeling a particular attacker. Focusing on timing- and probability-sensitive con- fidentiality for shared-memory multithreaded programs, we clarify the relation between different kinds of bisimulation by proving inclusion re- sults. As a consequence, we derive the relationship between scheduler- specific, scheduler-independent, and strong confidentiality definitions. A key result justifying strong confidentiality is that it is the most accurate (largest) compositional indistinguishability-based confidentiality prop- erty that implies scheduler-independent confidentiality.
We propose an approach to certify the information flow security of multi-threaded programs independently from the scheduling
algorithm. A scheduler-independent verification is desirable because the scheduler is part of the runtime environment and,
hence, usually not known when a program is analyzed. Unlike for other system properties, it is not straightforward to achieve
scheduler independence when verifying information flow security, and the existing independence results are very restrictive.
In this article, we show how some of these restrictions can be overcome. The key insight in our development of a novel scheduler-independent
information flow property was the identification of a suitable class of schedulers that covers the most relevant schedulers.
The contributions of this article include a novel security property, a scheduler independence result, and a provably sound
program analysis.
We propose a type system to ensure the property of noninterference in a system of concurrent programs, described in a standard imperative language enriched with parallelism. Our proposal is in the line of some recent work by Irvine, Volpano and Smith. Our type system seems more natural and less restrictive than that originally presented by these authors for the concurrent case. Moreover, we show how to extend the language in order to formalise scheduling policies for systems of sequential threads. The type system is extended to the new constructs, and we show that noninterference still holds, while remaining in a nonprobabilistic setting.
Randomized algorithms are widely used either for finding efficiently approximated solutions to complex problems, for instance primality testing, or for obtaining good average behavior, for instance in distributed computing. Proving properties of such algorithms requires subtle reasoning both on algorithmic and probabilistic aspects of the programs. Providing tools for the mechanization of reasoning is consequently an important issue. Our paper presents a new method for proving properties of randomized algorithms in a proof assistant based on higher-order logic. It is based on the monadic interpretation of randomized programs as probabilistic distribution [1]. It does not require the definition of an operational semantics for the language nor the development of a complex formalization of measure theory, but only use functionals and algebraic properties of the unit interval. Using this model, we show the validity of general rules for estimating the probability for a randomized algorithm to satisfy certain properties, in particular in the case of general recursive functions.
We apply this theory for formally proving a program implementing a Bernoulli distribution from a coin flip and the termination of a random walk. All the theories and results presented in this paper have been fully formalized and proved in the Coq proof assistant [2].
Noninterference is a property of sequential programs that is useful for expressing security policies for data confidentiality and integrity. However, extending noninterference to concurrent programs has proved problematic. In this paper we present a relatively expressive secure concurrent calculi, provides first-class channels, high-order functions, and an unbounded number of threads. Well-typed programs obey a generalization of noninterference that ensures immunity to internal timing attacks and to attacks that exploit information about the thread scheduler. Elimination of these refinement attacks is possible because the enforced security property extends noninterference with observational determinism. Although the security property is strong, it also avoids some of the restrictiveness imposed on previous security-typed concurrent languages.
Analyzing discrete-time Markov chains with countable state space in Isabelle
- J Hölzl
Formal development associated with this paper
- A Popescu
- J Hölzl
A uniform framework for the specification and verification of security properties
- H Mantel
Abstraction, Refinement and Proof for Probabilistic Systems
- A Mciver
- C Morgan