Copyright © IFAC Discrete Event Systems, Reims, France, 2004
ELSEVIER IFAC PUBLICATIONS www.elsevier.com/locate/ifac

DISCRETE EVENT SYSTEMS APPROACH TO THE VERIFICATION OF THE INFORMATION FLOW PROPERTIES IN SECURE PROTOCOLS

Nejib Ben Hadj-Alouane *, Stephane Lafrance **, Feng Lin ***, John Mullins **, Moez Yeddes *

* Department of Applied Computer Sciences, National School of Information Sciences, University of Manouba, Tunisia. Emails: {Nejib.BenHadjAlouane, Moez.Yeddes}@ensi.rnu.tn
** Department of Computer Engineering, Ecole Polytechnique de Montreal, Montreal, Quebec, Canada. Emails: {Stephane.Lafrance, John.Mullins}@polymtl.ca
*** Department of Electrical and Computer Engineering, Wayne State University, Detroit, MI 48202, U.S.A. Email: flin@ece.eng.wayne.edu

Abstract: This paper introduces a new algorithmic approach to the problem of checking intransitive non-interference (INI) using discrete event systems (DES) tools and concepts. INI is an information flow property widely used in the formal verification of computer systems and security protocols. First, a new property called iP-observability (observability based on a purge function) is introduced to capture INI. An equivalence between iP-observability and P-observability (observability as used in DES) is then established. This paper also presents an algorithm to transform the automaton modelling the system/protocol into an automaton where P-observability can be checked, which is equivalent to verifying INI for the original system. Since P-observability can be checked with polynomial complexity, this algorithmic approach can effectively verify the important security property of INI. Copyright © 2004 IFAC

Keywords: Interference, Intransitive Non-interference, Security Policies, Formal Verification, Observability.
1. INTRODUCTION

The theory of supervisory control of discrete event systems (DES) was introduced over fifteen years ago [15], [12], [4]. Since then, the properties of controllability and observability have been used as tools to characterize and solve many problems with diverse application domains: control and supervision applied to manufacturing [3], verification of communication protocols [16], and database systems [11], just to name a few. In this paper, we focus our attention on the application of the theory of DES to the area of computer system and protocol security.

Security is a crucial property of system behavior. The need for secure protocols has grown rapidly during the past decade due to, on the one hand, the development and widespread use of computer networks and distributed systems, and on the other hand, the globalization of various forms of electronic communication, collaboration and trade. Within this global context, security policies and protocols are mainly seen as tools for providing secure information exchange. The main task of cryptographic protocols is to guarantee, among other issues, the confidentiality of data transmitted over a network, the authentication of the agents participating in a protocol run, and the integrity of the data transmitted over a network. A subclass of cryptographic protocols, namely e-commerce protocols, has the additional task of guaranteeing properties addressing anonymity of the participating parties, atomicity of money and goods, non-repudiation by parties and fair exchange issues. Although the information-security community has not yet reached a consensus on the exact meaning of the terms "security" or "confidentiality", it is quite clear that both require strict control over the information flowing between different agents manipulating objects and acting within systems with multiple security levels [1]. In this regard, several information-flow security properties have been proposed. Non-interference [6], [7], [13], [18], with its different generalizations and forms, is one such property. Intuitively, non-interference captures any causal dependency from a high-level action h to a lower-level action l. By causal dependency we mean that the dependent action cannot occur without the occurrence of the preceding action. Such a dependency creates an insecure channel called a covert channel, having the capability to transmit high-level information concerning h to any low-level agent observing l.

The literature has shown that intransitive information flow properties are suitable for expressing security properties dealing with information transmitted by cryptographic protocols. The general schema of these (local) properties is based on a process-algebraic notion of observability [2]. The (global) operational characterization of this schema is called the Unwinding Theorem, which states that in any hostile environment (the detailed specifications depend on the type of security property), no condition observable from a point of view H will be observable from a point of view L, unless this observation has been previously downgraded from H to L (through a downgrading level).

Observability has played an important role within DES theory. However, its various uses have been tied to the notion of a static projection capturing the fact that a fixed subset of events is observable and the rest are not. An important aim of this paper consists of extending the expressiveness of DES to capture information flow specifications based on a purge function, rather than a projection. The purge function erases events from a given sequence (or trace), based on an allowable information flow lattice defined over the security levels of a given system. Intransitive non-interference is then expressed as observability with respect to a purge function. In the case of a three-level security system, a transformation is given to characterize the problem of verifying intransitive non-interference in terms of regular observability (with respect to a projection).

2. INTRANSITIVE NON-INTERFERENCE IN MULTI-LEVEL SYSTEMS

The concept of non-interference was introduced by Goguen and Meseguer [7] as a basis for specifying and analyzing security issues in computer systems and protocols. The basic idea behind non-interference can be simply stated as follows: the behavior of a given entity is said not to interfere with the behavior of a second entity whenever no action performed by the first can influence subsequent outputs seen by the second.

In practice, however, many security problems go beyond the scope of simple non-interference. In particular, the problem of confidentiality in multi-level security systems, where the relation over the set of security levels capturing allowed information flows is not transitive. Intransitive non-interference has been treated in the literature [8], [10], [17], [14]. The paradigmatic example for intransitive non-interference is a three-level (private, public and downgrade) security system modelling a cryptosystem. Such a system has the requirement of ensuring non-interference from a secret datum m and encryption key k to the public level, unless it has been previously downgraded through the cryptosystem. Clearly here, encryption creates a causal dependency between the secret pair (m, k) and the declassified data {m}_k (m encrypted by k), since any variation of m or k is reflected in {m}_k.

Rushby [17] gives a formalization of non-interference in terms of input/output automata, and introduces the concept of intransitive non-interference (INI). The information flow property INI extends non-interference and enables the specification of a generalized class of security policies dealing with channel control mechanisms. Roughly speaking, channel control mechanisms require the following type of specification: given a system with three channels H, L and D, information is allowed to flow from H to L only after passing through D, but never directly (intransitivity). Here, channel D is seen as a downgrading channel (for example an encryption mechanism). In terms of non-interference, the event stream generated by H is allowed to interfere with the event stream generated by L only through D events.
In the remainder of this section, we formally define the notions required to capture intransitive non-interference as presented by Rushby [17]. Our treatment is based on event automata, instead of Rushby's input/output automata; it is well known, however, that these two types of automata are equivalent. We are given a set $\mathbb{D}$ of security domains and a set of events $\Sigma$ partitioned over these domains. The operator $dom : \Sigma \to \mathbb{D}$ is used to capture this partition: to every domain $U \in \mathbb{D}$, the set $\Sigma_U = \{\sigma \in \Sigma \mid dom(\sigma) = U\}$ specifies the events associated with $U$. The domains are interpreted to represent the security channels for which we will define non-interference requirements. We also consider an interference relation $\rightsquigarrow \subseteq \mathbb{D} \times \mathbb{D}$ defined over $\mathbb{D}$: given domains $U, U'$, the intended meaning of the relation $\rightsquigarrow$ is that the domain $U$ is allowed to interfere with the domain $U'$ whenever $U \rightsquigarrow U'$. We write $U \not\rightsquigarrow U'$ whenever $(U, U') \notin\ \rightsquigarrow$.

We assume that our system, i.e., the combined behavior associated with all the domains, is modelled by a language $K \subseteq \Sigma^*$. Moreover, $K$ is generated by the finite automaton $G = (\Sigma, X, \delta, x_0)$, that is, $K = L(G)$ (in particular, $K$ is prefix-closed).

Intuitively, intransitive non-interference can be understood from the following example.

Example 1. Consider a system with two domains: one is a high security domain (classified), the other is a low security domain (unclassified); e.g., $\mathbb{D} = \{H, L\}$. The non-interference relation is such that:
$$\rightsquigarrow\ = \{(L, H)\}.$$
Let $h \in \Sigma_H$ and $l \in \Sigma_L$, and consider the two automata given in Figure 1 and Figure 2 as possible specifications for system behavior. In the case of automaton $G_1$ (Figure 1), the behavior of the system poses a problem: at the initial state, the L domain cannot execute the event $l$; but in its second state, after the execution of $h$ by the H domain, the L domain can now execute $l$. Thus, the behavior generated by the H domain interferes with the behavior of the L domain (classified information is being leaked to the unclassified levels). This is contrary to the specification of the domain structure given above (i.e., $H \not\rightsquigarrow L$). Such a dependency does not exist in automaton $G_2$ (Figure 2).

Fig. 1. Automaton not satisfying non-interference.

Fig. 2. Automaton satisfying non-interference.

Next, consider a three-domain system, $\mathbb{D} = \{H, D, L\}$, where $D$ is a downgrading domain. The non-interference relation is such that:
$$\rightsquigarrow\ = \{(H, D), (D, L), (D, H), (L, D), (L, H)\},$$
i.e., only $H \rightsquigarrow L$ is not allowed ($H \not\rightsquigarrow L$). We consider the automata given in Figure 3 and Figure 4, and assume $h \in \Sigma_H$, $l \in \Sigma_L$ and $d \in \Sigma_D$. Automaton $G_3$ (Figure 3) poses a problem with intransitive non-interference, since the event $l$ is not possible following the trace $hd$, but becomes possible following $hdh$.

Fig. 3. Automaton not satisfying intransitive non-interference.

However, the system specified by automaton $G_4$ (Figure 4) satisfies intransitive non-interference. For instance, note that the fact that $l$ is possible following $hd$ and is not possible following $h$ does not constitute an intransitive non-interference problem. According to the domain structure, H is allowed to interfere with L through D events. In other words, we only have the explicit requirement to preserve confidentiality of H with respect to L in between D events, but not across them.

Fig. 4. Automaton satisfying intransitive non-interference.

To formally capture INI, a reduction function $iP$, called intransitive purge, is introduced by Rushby [17]. The purge of a trace, with respect to a given domain, removes from the trace all events from other domains that are not allowed to interfere with the given domain. The function $iP$ is defined using the following auxiliary function $sources : \Sigma^* \times \mathbb{D} \to 2^{\mathbb{D}}$, given as follows:
$$sources(\varepsilon, U) = \{U\},$$
$$sources(\sigma s, U) = sources(s, U) \cup \{dom(\sigma)\} \quad \text{if } (\exists V \in sources(s, U))\ dom(\sigma) \rightsquigarrow V,$$
$$sources(\sigma s, U) = sources(s, U) \quad \text{otherwise.}$$

Intuitively, the function $sources(\cdot, \cdot)$ captures the set of domains which are allowed to interfere throughout the execution of a trace. This set of domains is determined backwards (i.e., starting from the end of the trace). Moreover, the fact that a given domain $V$ is in $sources(s, U)$ either means that $V = U$ or that there is a subsequence $\sigma_1, \sigma_2, \ldots, \sigma_n$ of the trace $s$ such that $dom(\sigma_1) \rightsquigarrow dom(\sigma_2) \rightsquigarrow \cdots \rightsquigarrow dom(\sigma_n)$ with $V = dom(\sigma_1)$ and $dom(\sigma_n) \rightsquigarrow U$.

We then consider the following intransitive purge function:
$$iP(\varepsilon, U) = \varepsilon,$$
$$iP(\sigma s, U) = \begin{cases} \sigma\, iP(s, U) & \text{if } dom(\sigma) \in sources(\sigma s, U) \\ iP(s, U) & \text{otherwise.} \end{cases}$$

Informally, the purge function $iP(\cdot, \cdot)$ is a string reduction function such that $iP(s, U)$ consists of the subsequence obtained from $s$ by removing every event belonging to any domain that should not interfere with the domain $U$ (i.e., domains which are not in $sources(s, U)$).

It should be noted that $iP$ is left congruent, but not right congruent (we do not prove these facts as they are not used in the developments of this paper). More importantly, given two traces $s$ and $s'$, with $s$ a prefix of $s'$, $s$ by itself may be purged differently than $s$ as part of $s'$. In addition, $iP$ retains an important property of projections, namely, for any given trace $s$, $iP(iP(s)) = iP(s)$; this can be easily proved, as $sources(s) = sources(iP(s))$.

Based on the above definitions of $sources(\cdot, \cdot)$ and $iP(\cdot, \cdot)$, intransitive non-interference (INI) is defined as follows, which is essentially the definition of Rushby [17].

Definition 1. (Intransitive Non-Interference). A language $K$ satisfies INI if.

The following result leads to a characterization of INI as a variant of the observability property using the $iP$ reduction.

Lemma 1. Language $K$ satisfies INI if and only if, for every $U \in \mathbb{D}$, for every $s_1, s_2 \in K$ and for every $\sigma \in \Sigma_U$,
$$(iP(s_1, U) = iP(s_2, U) \wedge s_1\sigma \in K) \implies s_2\sigma \in K.$$

Now consider the following property, similar in form to the observability property used in the theory of discrete event systems [12]. Nevertheless, $iP$ is not a projection but rather a reduction as defined above.

Definition 2. (iP-observability). Let $M \subseteq \Sigma^*$ and $\Sigma_u \subseteq \Sigma$. A prefix-closed sublanguage $K \subseteq M$ is iP-observable w.r.t. $(M, \Sigma_u)$ if for every $U \in \mathbb{D}$, for every $s_1, s_2 \in K$ and for every $\sigma \in \Sigma_u$,
$$(iP(s_1, U) = iP(s_2, U) \wedge s_1\sigma \in K \wedge s_2\sigma \in M) \implies s_2\sigma \in K.$$

Theorem 1. Language $K$ satisfies INI if and only if $K$ is iP-observable w.r.t. $(\Sigma^*, \Sigma_U)$, for all $U \in \mathbb{D}$.

3. P-OBSERVABILITY VS iP-OBSERVABILITY

Assumption: For the remainder of this paper, we restrict our attention to systems and protocols with only three security domains $H$, $L$ and $D$:
$$\rightsquigarrow\ = \{(H, D), (D, L), (D, H), (L, D), (L, H)\}.$$

Within the context of a three-domain system, only domain $L$ can pose an interference problem. Therefore, the corollary given below follows from Theorem 1.

Corollary 1. Language $K$ satisfies INI if and only if $K$ is iP-observable w.r.t. $(\Sigma^*, \Sigma_L)$.

Furthermore, we write $iP(s)$ instead of $iP(s, L)$ since we have to verify the iP-observability of $K$ only w.r.t. $(\Sigma^*, \Sigma_L)$. The property of iP-observability is novel. However, it would be unfruitful and unnecessary to develop a new theory for iP-observability, because iP-observability is closely related to P-observability (i.e., observability based on the projection $P$) that was introduced by Lin and Wonham [12].

In this section, we will show that by properly defining a new language $K_{iP}$ from the original language $K$, we can transform iP-observability of $K$ into P-observability of $K_{iP}$. In this way, the verification of the INI property amounts to checking P-observability, for which we have efficient algorithms.

3.1 iP-Quotient Language

This section presents a language $K_{iP}$ obtained by transforming the language $K$. Recall that $\Sigma = \Sigma_H \cup \Sigma_L \cup \Sigma_D$ and $K = L(G)$.

First, we introduce the notion of a minimal subtrace for a given trace, used in the construction of the transformed language $K_{iP}$.
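Before the transformation is developed, the definitions of Section 2 can be made concrete. The following is an added example (not code from the paper or its authors): it implements $sources(\cdot,\cdot)$ and $iP(\cdot,\cdot)$ over the three-domain relation of the Assumption above, then applies the Lemma 1 condition to a finite, length-bounded slice of $L(G)$ for two constructed automata that mimic the behaviour the text attributes to $G_3$ (l disabled after hd, enabled after hdh) and $G_4$ (l enabled after hd, disabled after h). The state names, the two transition tables and the length bound are constructed here, not taken from the paper's figures; the reflexive pairs $U \rightsquigarrow U$ are added to the relation, which Rushby's definition of $sources$ presupposes (an assumption made explicit in the code).

```python
from itertools import product

# Constructed three-domain setting (not the paper's Figures 3 and 4): event -> domain.
DOM = {"h": "H", "d": "D", "l": "L"}

# Interference relation of the paper's three-domain Assumption, plus the reflexive
# pairs U ~> U that Rushby's definition of sources takes for granted (assumption).
FLOWS = {("H", "D"), ("D", "L"), ("D", "H"), ("L", "D"), ("L", "H"),
         ("H", "H"), ("D", "D"), ("L", "L")}

# Two constructed automata over {h, d, l}: dict (state, event) -> state, initial state "x0".
# G3-like: l is disabled after hd but enabled after hdh.
G3 = {("x0", "h"): "x1", ("x1", "d"): "x2", ("x2", "h"): "x3", ("x3", "l"): "x4"}
# G4-like: l is enabled after hd and disabled after h.
G4 = {("x0", "h"): "x1", ("x1", "d"): "x2", ("x2", "l"): "x3"}


def sources(trace, u):
    """sources(s, U): domains allowed to interfere with U along s, built from the right end of s."""
    srcs = {u}
    for ev in reversed(trace):
        d = DOM[ev]
        if any((d, v) in FLOWS for v in srcs):
            srcs.add(d)
    return srcs


def ipurge(trace, u):
    """iP(s, U): keep the event at position i iff its domain is in sources(s[i:], U)."""
    return "".join(ev for i, ev in enumerate(trace) if DOM[ev] in sources(trace[i:], u))


def run(delta, trace, x0="x0"):
    """State reached by trace from x0, or None if the trace is not in L(G)."""
    x = x0
    for ev in trace:
        x = delta.get((x, ev))
        if x is None:
            return None
    return x


def language(delta, max_len):
    """The traces of L(G) of length at most max_len (a finite, prefix-closed slice of K)."""
    alphabet = sorted({ev for (_, ev) in delta})
    return ["".join(t) for n in range(max_len + 1)
            for t in product(alphabet, repeat=n) if run(delta, "".join(t)) is not None]


def ini_violations(delta, max_len=6):
    """Lemma 1 on the bounded language: tuples (U, s1, s2, sigma) with iP(s1,U) = iP(s2,U),
    s1 sigma in K but s2 sigma not in K.  Only traces shorter than max_len serve as s1, s2,
    so 's2 sigma not in K' is never an artefact of the length bound."""
    K = set(language(delta, max_len))
    found = []
    for u in ("H", "D", "L"):
        events = [ev for ev, d in DOM.items() if d == u]
        groups = {}                      # purged trace -> traces sharing that purge
        for s in K:
            if len(s) < max_len:
                groups.setdefault(ipurge(s, u), []).append(s)
        for group in groups.values():
            for s1 in group:
                for s2 in group:
                    for ev in events:
                        if s1 + ev in K and s2 + ev not in K:
                            found.append((u, s1, s2, ev))
    return found


if __name__ == "__main__":
    print("iP(hdhl, L) =", ipurge("hdhl", "L"))   # hdl: the second h has no later d to reach L
    print("G3 violations:", ini_violations(G3))   # [('L', 'hdh', 'hd', 'l')]
    print("G4 violations:", ini_violations(G4))   # []
```

For $U = H$ and $U = D$ every domain interferes with $U$ under this relation, so $iP(s, U) = s$ and the Lemma 1 premise only pairs a trace with itself; this is the mechanical reason only $\Sigma_L$ matters in Corollary 1 below. The length bound makes the check a finite approximation of the language; an exact check on the automaton is what the quotient construction of Section 3 is for.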
Intuitively, a minimal subtrace, with respect to $G$, of a given trace in $L(G)$ is obtained by removing any events involved in loops in $G$. In this manner, we can obtain a subtrace (still in $L(G)$) "representing the original trace" that does not go through any loop in $G$. Our goal is to use the set of minimal subtraces, which is finite, to represent a possibly infinite sublanguage of $L(G)$. For our purposes, we adopt the following constructive definition, which associates with every given trace a unique subtrace.

Definition 3. For every trace $s \in K$, the minimal subtrace $\underline{s}$ (with respect to $G$) is obtained from $s$ by repeatedly, starting from the first event of the trace, removing any subsequence of contiguous events generated by a loop in $G$.

Explicitly, if $s = \sigma_1 \cdots \sigma_{i-1}\sigma_i \cdots \sigma_j\sigma_{j+1} \cdots \sigma_n$ and if $\sigma_1 \cdots \sigma_j$ is the smallest prefix of $s$ that has a loop at the end, i.e. $\delta(x_0, \sigma_1 \cdots \sigma_{i-1}) = \delta(x_0, \sigma_1 \cdots \sigma_{i-1}\sigma_i \cdots \sigma_j)$, then the subsequence $\sigma_i \cdots \sigma_j$, involving the loop, is removed to obtain the new trace $s' = \sigma_1 \cdots \sigma_{i-1}\sigma_{j+1} \cdots \sigma_n$. Note that $s' \in K = L(G)$. The above process is repeated until the minimal subtrace $\underline{s}$ is obtained.

The following lemma states an immediate property of minimal subtraces used in the results that follow.

The set of all the minimal subtraces of $K$, based on $G$, can be given as the language generated by an acyclic automaton $G' = (\Sigma, X, \delta', x_0)$ that is the depth-first expansion of $G$. $G'$ has the same state space, initial state, and event set as $G$. The following algorithm implements a depth-first expansion of $G$ to compute $\delta'$, the transition function of $G'$. This algorithm can be found in [9].

The event set $\Sigma_{iP}$ of the transformed automaton $G_{iP}$ can be given as follows, based on the above notion of minimal subtraces.

Definition 4. $\Sigma_{iP} = \Sigma_{L,p} \cup \Sigma_{H,p} \cup \Sigma_{D,p}$ where,
• $\Sigma_{L,p} = \{[\sigma] \mid \sigma \in \Sigma_L\}$;
• $\Sigma_{H,p} = \{[\sigma] \mid \sigma \in \Sigma_H\}$;
• $\Sigma_{D,p} = \{[s'\sigma] \mid s' = \underline{s},\ s\sigma \in K,\ \sigma \in \Sigma_D\}$.

Note that $[\cdot]$ is used to denote the new events of $G_{iP}$ based on the symbols of $G$'s events. In the above definition, the sets $\Sigma_{L,p}$ and $\Sigma_{H,p}$ are computed in an obvious way. The event set $\Sigma_{D,p}$ is computed by finding all traces in $G'$ that can be appended with a $\Sigma_D$ event:
$$\Sigma_{D,p} = \{[s'\sigma] : s' \in L(G') \wedge \sigma \in \Sigma_D \wedge s'\sigma \in L(G)\}.$$

Note that $\Sigma_{D,p}$ can be computed using a modified version of $G'$ and by backward reaching with a worst-case complexity of $O(|\Sigma|\,|X|)$.

Definition 5. Consider the operator $\langle \cdot \rangle : K \to \Sigma_{iP}^*$ defined inductively as follows: $\langle \varepsilon \rangle = \varepsilon$, and
$$\langle s\sigma \rangle = \begin{cases} \langle s \rangle [\sigma] & \text{if } \sigma \in \Sigma_L \cup \Sigma_H \\ [\underline{s}\sigma] & \text{if } \sigma \in \Sigma_D. \end{cases}$$

The operator $\langle \cdot \rangle$ transforms a trace $s = \sigma_1 \cdots \sigma_i\sigma_{i+1} \cdots \sigma_n$ from $K$, where $\sigma_i$ is the first event in $\Sigma_D$ from the right, into a new trace $\langle s \rangle = [\underline{\sigma_1 \cdots \sigma_{i-1}}\sigma_i][\sigma_{i+1}] \cdots [\sigma_n]$ in $\Sigma_{iP}^*$. Note that $[\underline{\sigma_1 \cdots \sigma_{i-1}}\sigma_i] \in \Sigma_{D,p}$ and $[\sigma_{i+1}], \ldots, [\sigma_n] \in \Sigma_{H,p} \cup \Sigma_{L,p}$. If $s \notin K$, then $\langle s \rangle$ is undefined. We now define the iP-quotient language of $K$ as follows.

Definition 6. For $K \subseteq \Sigma^*$, consider the following language over $\Sigma_{iP}$:
$$K_{iP} = \{\langle t \rangle \in \Sigma_{iP}^* \mid t \in K\}.$$

We sometimes also use $\langle K \rangle$ to denote this language, that is, $\langle K \rangle = K_{iP}$. The "inverse" of $\langle \cdot \rangle$, denoted by $\widetilde{\cdot}$, is defined below.

Definition 7. Consider the operator $\widetilde{\cdot} : \Sigma_{iP}^* \to \Sigma^*$ defined inductively as follows: $\widetilde{\varepsilon} = \varepsilon$ and
$$\widetilde{s\sigma} = \begin{cases} \widetilde{s}\,\sigma' & \text{if } \sigma = [\sigma'] \in \Sigma_{L,p} \cup \Sigma_{H,p} \\ s'\sigma' & \text{if } \sigma = [s'\sigma'] \in \Sigma_{D,p}. \end{cases}$$

The operator $\widetilde{\cdot}$ transforms a trace $s = [\sigma'_1] \cdots [\sigma'_m][s'\sigma][\sigma_1] \cdots [\sigma_n]$ from $\Sigma_{iP}^*$ into a trace $\widetilde{s} = s'\sigma\sigma_1 \cdots \sigma_n$ in $\Sigma^*$. Note that we define $\widetilde{\cdot}$ from $\Sigma_{iP}^*$ to $\Sigma^*$, not just from $K_{iP}$ to $\Sigma^*$. If $s \in K_{iP}$, then $s$ must have the form $s = [s'\sigma][\sigma_1] \cdots [\sigma_n]$, where $[s'\sigma] \in \Sigma_{D,p}$ and $[\sigma_i] \in \Sigma_{L,p} \cup \Sigma_{H,p}$.

Now we can present the main result of this section: iP-observability of $K$ is equivalent to P-observability of $K_{iP}$.

Theorem 2. $K$ is iP-observable w.r.t. $(\Sigma^*, \Sigma_L)$ if and only if $K_{iP}$ is P-observable w.r.t. $(\Sigma_{iP}^*, \Sigma_{L,p})$.

3.2 iP-Quotient Automaton

To verify the iP-observability of $K_{iP}$, an automaton generating $K_{iP}$ needs to be constructed. This automaton is called the iP-quotient automaton and is defined as follows.

Definition 8. Let $G = (\Sigma, X, \delta, x_0)$ and $K = L(G)$. The iP-quotient automaton of $G$ is defined as $G_{iP} = (\Sigma_{iP}, X, \delta_{iP}, x_0)$ where the transition function $\delta_{iP} : X \times \Sigma_{iP} \to X$ is given by
$$\delta_{iP}(x, \sigma) = \begin{cases} \delta(x, \sigma') & \text{if } \sigma = [\sigma'] \in \Sigma_{L,p} \cup \Sigma_{H,p} \\ \delta(x_0, s\sigma') & \text{if } \sigma = [s\sigma'] \in \Sigma_{D,p} \text{ and } x = x_0 \\ \text{undefined} & \text{otherwise.} \end{cases}$$

Theorem 3. If $G$ does not have self-loops of $\Sigma_D$ events at the initial state, then $K_{iP} = L(G_{iP})$.
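The construction of Definitions 3 to 8 can be run end to end on a small automaton. The following is an added example (not code from the paper or its authors, and not the machine of Figure 5): it computes minimal subtraces by the loop-removal procedure of Definition 3, derives $\Sigma_{D,p}$ from them, implements the operators $\langle \cdot \rangle$ and $\widetilde{\cdot}$, builds $\delta_{iP}$ per Definition 8, and then checks the two inclusions of Theorem 3 on length-bounded slices of $K$ and $L(G_{iP})$. The transition table, the state names and the length bounds are constructed for the example; the enumeration of $\Sigma_{D,p}$ relies on minimal subtraces being simple paths of $G$ (so traces of length at most $|X|$ suffice), which replaces the depth-first expansion $G'$ of [9] that the paper uses.

```python
from itertools import product

# Constructed automaton G with loops (not the paper's Figure 5).  Events: h in Sigma_H,
# l in Sigma_L, d in Sigma_D.  DELTA maps (state, event) -> state; "x0" is the initial state.
# No Sigma_D self-loop sits at x0, so the hypothesis of Theorem 3 holds.
SIGMA_H, SIGMA_L, SIGMA_D = {"h"}, {"l"}, {"d"}
DELTA = {("x0", "h"): "x1", ("x1", "l"): "x1", ("x1", "d"): "x2",
         ("x2", "h"): "x1", ("x2", "l"): "x3", ("x3", "d"): "x2"}


def run(delta, trace, x0="x0"):
    """State reached by trace (G events as a string, or G_iP events as a list) from x0; None if undefined."""
    x = x0
    for ev in trace:
        x = delta.get((x, ev))
        if x is None:
            return None
    return x


def minimal_subtrace(delta, s):
    """Definition 3: repeatedly delete the block sigma_i..sigma_j closing the first loop of the
    state sequence, until no state is visited twice.  s must lie in L(G)."""
    s = list(s)
    while True:
        states = ["x0"]
        for ev in s:
            states.append(delta[(states[-1], ev)])
        loop = next(((states.index(states[j]), j) for j in range(1, len(states))
                     if states[j] in states[:j]), None)
        if loop is None:
            return "".join(s)
        i, j = loop            # delta(x0, s[:i]) == delta(x0, s[:j]): the loop is s[i:j]
        del s[i:j]


def language(delta, max_len):
    """Traces of L(G) of length at most max_len."""
    alphabet = sorted({ev for (_, ev) in delta})
    return ["".join(t) for n in range(max_len + 1)
            for t in product(alphabet, repeat=n) if run(delta, "".join(t)) is not None]


def sigma_dp(delta):
    """Sigma_D,p = {[s' sigma] | s' minimal, s' sigma in K, sigma in Sigma_D}.  Minimal subtraces
    are simple paths, so traces of length at most |X| enumerate all of them (assumption)."""
    n_states = len({x for (x, _) in delta} | set(delta.values()))
    return {"[" + minimal_subtrace(delta, s[:-1]) + s[-1] + "]"
            for s in language(delta, n_states) if s and s[-1] in SIGMA_D}


def quotient(delta, s):
    """Definition 5: <s sigma> = <s>[sigma] for sigma in Sigma_L u Sigma_H; a Sigma_D event
    collapses the whole prefix into the single event [s_min sigma]."""
    out = []
    for k, ev in enumerate(s):
        if ev in SIGMA_D:
            out = ["[" + minimal_subtrace(delta, s[:k]) + ev + "]"]
        else:
            out.append("[" + ev + "]")
    return out


def inverse(w):
    """Definition 7 (tilde): [sigma'] appends sigma'; [s' sigma'] resets the trace to s' sigma'."""
    t = ""
    for ev in w:
        body = ev[1:-1]
        t = body if body[-1] in SIGMA_D else t + body
    return t


def quotient_automaton(delta):
    """Definition 8: delta_iP(x,[sigma']) = delta(x,sigma') for L/H events and
    delta_iP(x0,[s sigma']) = delta(x0, s sigma') for D,p events; undefined elsewhere."""
    states = {x for (x, _) in delta} | set(delta.values())
    sig_lh = {"[" + ev + "]" for ev in SIGMA_L | SIGMA_H}
    sig_dp = sigma_dp(delta)
    dip = {}
    for x in states:
        for ev in sig_lh:
            if (x, ev[1:-1]) in delta:
                dip[(x, ev)] = delta[(x, ev[1:-1])]
    for ev in sig_dp:
        dip[("x0", ev)] = run(delta, ev[1:-1])
    return sig_lh | sig_dp, dip


def theorem3_holds(delta, max_len=6):
    """K_iP = L(G_iP) on bounded slices: every <t>, t in K, is accepted by G_iP, and every short
    word w of L(G_iP) maps through tilde to some t in K with <t> = w."""
    sigma_ip, dip = quotient_automaton(delta)
    if any(run(dip, quotient(delta, t)) is None for t in language(delta, max_len)):
        return False
    for n in range(4):
        for w in product(sorted(sigma_ip), repeat=n):
            if run(dip, w) is not None:
                t = inverse(w)
                if run(delta, t) is None or quotient(delta, t) != list(w):
                    return False
    return True


if __name__ == "__main__":
    print("minimal subtrace of hldhdl:", minimal_subtrace(DELTA, "hldhdl"))  # hdl
    print("Sigma_D,p:", sorted(sigma_dp(DELTA)))                              # ['[hd]', '[hdld]']
    print("<hdldhl> =", quotient(DELTA, "hdldhl"))                            # ['[hdld]', '[h]', '[l]']
    print("Theorem 3 holds on the bounded slices:", theorem3_holds(DELTA))    # True
```

The D,p event $[hdld]$ shows why Definition 4 is phrased with minimal subtraces: the trace $hdld$ is itself a loop-free path back to $x_2$, while every longer trace reaching $x_2$ through a $d$ collapses to $[hd]$ or $[hdld]$, which keeps $\Sigma_{iP}$ finite. The check in $\mathtt{theorem3\_holds}$ is a bounded sanity check, not a proof; the bounds are assumptions chosen for this automaton.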
Example 2. Consider the state machine $G$ of Figure 5, with $h \in \Sigma_H$, $d \in \Sigma_D$, and $l \in \Sigma_L$. In this example, we use Definition 8 and the corresponding implicit algorithm to transform $G$ into its iP-quotient $G_{iP}$.

Fig. 5. A machine G with loops.

First consider the computation of the minimal traces of $G$ needed in order to determine $\Sigma_{D,p}$. The acyclic automaton corresponding to minimal traces is given in [9]. From automaton $G'$ and the formula
$$\Sigma_{D,p} = \{[s'\sigma] \mid s' \in L(G') \wedge \sigma \in \Sigma_D \wedge s'\sigma \in L(G)\}$$
we obtain:
$$\Sigma_{D,p} = \{[hd], [hdhd], [hdhlhd], [hdhdld], [hdhlhdld], [lld], [lldhd], [lldhlhd], [lldhdld], [lldhlhdld]\}.$$

The $G_{iP}$ automaton is given in [9].

4. CONCLUSION

In this paper, we used the observability theory of discrete event systems to formulate and provide an algorithmic approach for the problem of checking the property of intransitive non-interference of security policies. This property plays a key role in the area of security, because it is used to model information flow and the lack of information flow within multi-level security systems and protocols.

REFERENCES

[1] D.E. Bell and L.J. LaPadula. Secure computer system: unified exposition and Multics interpretation. Technical Report MTR-2997, Mitre Corp., Bedford, Mass., USA, June 1976.
[2] G. Boudol. Logic and models of concurrent systems. Notes on algebraic calculi of processes, NATO ASI Springer, F-13:261-303, 1985.
[3] B.A. Brandin, W.M. Wonham, and B. Benhabib. Manufacturing cell supervisory control: a timed discrete event system approach. In Proceedings of the IEEE Conference on Robotics and Automation, Nice, France, May 1992.
[4] C.G. Cassandras and S. Lafortune. Introduction to Discrete Event Systems. Kluwer Academic Publishers, Boston, MA, 1999.
[5] J. Clark and J. Jacob. A survey of authentication protocols. Technical report, available at www.cs.york.ac.uk/jac/papers/, 1997.
[6] R. Focardi and R. Gorrieri. A classification of security properties for process algebras. Journal of Computer Security, 3(1):5-33, 1994/1995.
[7] J.A. Goguen and J. Meseguer. Security policies and security models. In Proceedings of the 1982 IEEE Symposium on Research in Security and Privacy, pages 11-20, April 1982.
[8] J.A. Goguen and J. Meseguer. Unwinding and inference control. In Proceedings of the 1984 IEEE Symposium on Research in Security and Privacy, pages 75-285, Oakland, CA, 1984. IEEE Computer Society.
[9] N. Hadj-Alouane, S. Lafrance, F. Lin, J. Mullins, and M. Yeddes. Characterizing intransitive non-interference in security policies with observability. Preprint, available at www.ece.eng.wayne.edu/~flin.
[10] J.T. Haigh and W.D. Young. Extending the noninterference version of MLS for SAT. IEEE Transactions on Software Engineering, 13(2):141-150, 1987.
[11] S. Lafortune. Modeling and analysis of transaction execution in database systems. IEEE Transactions on Automatic Control, vol. 33, no. 5, pages 439-447, May 1988.
[12] F. Lin and W.M. Wonham. On observability of discrete-event systems. Information Sciences, 44:173-198, 1988.
[13] J. McLean. A general theory of composition for a class of possibilistic properties. IEEE Transactions on Software Engineering, 22(1):53-66, 1996.
[14] S. Pinsky. Absorbing covers and intransitive non-interference. In Proceedings of the IEEE Symposium on Research in Security and Privacy, Oakland, CA, pages 102-113, May 1995.
[15] P.J. Ramadge and W.M. Wonham. Supervisory control of a class of discrete-event processes. SIAM Journal of Control and Optimization, 25(1):206-230, 1987.
[16] K. Rudie and W.M. Wonham. Protocol verification using discrete-event systems. In Proceedings of the 31st IEEE Conference on Decision and Control, pages 3770-3777, Tucson, Arizona, December 1992.
[17] J. Rushby. Noninterference, transitivity and channel-control security policies. Technical Report CSL-92-02, SRI International, Menlo Park, CA, USA, December 1992.
[18] P.Y.A. Ryan and S.A. Schneider. Process algebra and non-interference. In Proceedings of CSFW-12, Mordano, Italy, IEEE, June 1999.