Elements of security: Closure, convergence, and protection


Information Processing Letters 77 (2001) 109–114

Mohamed G. Gouda
Department of Computer Sciences, University of Texas at Austin, Austin, TX 78712-1188, USA

Abstract

We argue that three concepts of stabilization theory are adequate to explain system security. Our argument is based on the assumption that the reachable states of a secure system can be partitioned into legitimate and illegitimate states such that three conditions hold. First, the set of reachable states is closed under both system execution and adversary interference, and the set of legitimate states is closed under system execution. Second, any system computation that starts at an illegitimate state eventually converges to a legitimate state. Third, the critical variables of the system are protected from being updated during any adversary interference and during any system transition that starts at an illegitimate state. © 2001 Elsevier Science B.V. All rights reserved.

Keywords: Security

0. Introduction

In 1974, Edsger W. Dijkstra published a paper [1] that contains several examples of self-stabilizing computing systems. Over the years, this paper has become the recognized root of an active research area called stabilization theory. (Three surveys of stabilization theory are presented by Schneider [6], by Flatebo, Datta, and Ghosh [3], and by Gouda [4]. A comprehensive bibliography of this research area is made available on the Web by Herman [5], and the first monograph on this area was recently published by Dolev [2].)

In 1991, Arora and Gouda [0] identified two building blocks of stabilization theory, called closure and convergence. They argued that these two concepts can adequately explain fault-tolerant computing.

In this paper, we identify a third building block of stabilization theory, called protection, and argue that the three concepts of closure, convergence, and protection can adequately explain system security.

1. Closure, convergence, and protection

A (computing) system is a nonempty set of variables, whose values are from predefined domains, and a nonempty set of actions that can be executed to update the values of these variables. Each action is of the form:

    guard → statement


where guard is a Boolean expression over the system variables and statement is a sequence of assignment statements over the system variables.

A state of a system S is an assignment of a value to each variable of S. The value assigned to each variable is from the domain of that variable. If the guard of an action of S has the value true at some state of S, then the action is said to be enabled at that state. For simplicity, we assume that at each state of a system, at least one action of that system is enabled.

A transition of a system S is a triple (p, c, p′), where p and p′ are states of S, c is an action of S, the guard of action c is true at state p, and executing the statement of action c when system S is in state p yields S in state p′. For any transition (p, c, p′), p is called the tail state of the transition, p′ is called the head state of the transition, and action c is said to be executed in this transition.

A computation of a system S is an infinite sequence of transitions of S such that the following two conditions hold.
(i) Order: The head state of each transition is the same as the tail state of the next transition in the sequence.
(ii) Fairness: If the sequence has a transition where an action c of system S is enabled at the tail state of the transition, then action c is executed in this transition or the sequence has a later transition where c is executed or where c is not enabled at the tail state.

The tail state of the first transition in a computation is called the starting state of the computation. If a transition in a computation has a state p (as the tail or head state of that transition), then the computation is said to reach state p.

A state predicate of a system S is a function that has a Boolean value, true or false, at each state of S. Let true denote the state predicate whose value is true at each state of system S.

Let P be a state predicate of a system S. A state of S is called a P-state iff the value of P is true at that state.

Let P be a state predicate of a system S. Predicate P is called closed in S iff for each transition (p, c, p′) of system S, if p is a P-state, then p′ is a P-state.

Let P and Q be two state predicates of a system S. Predicate P implies predicate Q, denoted by P ⇒ Q, in system S iff for every state p of S, if p is a P-state, then p is a Q-state.

Let V be a subset of variables of a system S, and let P and Q be two state predicates of S. System S is called V-safe from P to Q iff the following three conditions hold.
(i) Closure: Both P and Q are closed in S and Q ⇒ P in S.
(ii) Convergence: Every computation of S that starts at a P-state reaches a Q-state.
(iii) Protection: No variable in V is written in any transition (p, c, p′) of S where p is a P-state but not a Q-state.

In this definition, predicate P identifies all (reachable) states of system S that can be reached under any interleaving of system execution and adversary interference. Predicate Q identifies all legitimate states of system S that can be reached under system execution only. Thus, both P and Q are closed in S, and Q ⇒ P in S, as stated by the closure condition. The convergence condition states that every computation of system S that starts at an illegitimate state eventually reaches a legitimate state. The protection condition states that no transition of system S that starts at an illegitimate state can affect the critical variables in V. (In other words, the critical variables in V are protected from being updated in any transition that starts at an illegitimate state.)

2. Security against an adversary

An adversary D of a system S is a set of actions of the form

    guard → statement

where guard is a Boolean expression over the variables of S and statement is a sequence of assignment statements over the variables of S.


A transition of an adversary D of a system S is a triple (p, d, p′), where p and p′ are states of S, d is an action of D, the guard of d is true at state p, and executing the statement of d when system S is in state p yields S in state p′.

Let P be a state predicate of a system S, and let D be an adversary of S. Predicate P is called closed in D iff for each transition (p, d, p′) of adversary D, if p is a P-state, then p′ is a P-state.

Let V be a subset of variables of a system S and let P and Q be two state predicates of system S. System S is called V-secure from P to Q against D iff the following three conditions hold.
(i) Safety: S is V-safe from P to Q.
(ii) Adversary closure: P is closed in D.
(iii) Adversary protection: No variable in V is written in any transition (p, d, p′) of D where p is a P-state.

The second condition states that the adversary will maintain the system within the reachable states. The third condition states that while the system is within the reachable states, the adversary cannot corrupt the values of the critical variables in V.

It is straightforward to show that if S is V-secure from P to Q against D, then every computation C that starts at a Q-state and consists of an infinite number of S transitions and a finite number of D transitions satisfies the following two properties.
(i) Computation C has an infinite suffix whose transitions are all S transitions and whose states are all Q-states.
(ii) Every transition in C that updates the variables in V is an S transition whose tail and head states are both Q-states.

3. A secure data transfer example

Consider a system S where a sender process sends a continuous stream of data items to a receiver process via three shared variables that are written by the sender and read by the receiver. The shared variables are as follows.

    shared var seq, data, chk : integer

Variable seq contains the sequence number of the current data item, and variable data contains the current data item. Variable chk contains an integrity check for the current values of seq and data. Specifically,

    chk = H.(ss | seq | data)

where H.(ss | seq | data) is a secure hash function applied to the concatenation of a secret value ss and the current values of seq and data. The secret value ss is known only to the sender and the receiver.

The sender has the following local variables.

    local var sent : array [integer] of integer,
              x    : integer

Infinite array sent contains all the data items to be sent by the sender, and variable x is an index of array sent. The sender has only one action; it is as follows.

    true → seq := x; data := sent[seq]; chk := H.(ss | seq | data); x := x + 1

The receiver has the following three local variables.

    local var rcvd : array [integer] of integer,
              y, z : integer


Infinite array rcvd contains all the data items received by the receiver, and z is an index of array rcvd. Variable y contains the sequence number of the last data item received by the receiver. The receiver has only one action; it is as follows.

    true → if seq > y ∧ H.(ss | seq | data) = chk → y, rcvd[z], z := seq, data, z + 1
           [] seq ≤ y ∨ H.(ss | seq | data) ≠ chk → skip
           fi

The set V of critical variables for system S is as follows.

    V = {rcvd, z}

In order to show that these two variables are protected from being updated in any S transition that starts at an illegitimate state, we first need to define the set of reachable states and the set of legitimate states of system S. Consider the following state predicates P and Q of system S.

    P = sent[0..x − 1] is a super sequence of rcvd[0..z]
        ∧ data = sent[seq]
        ∧ chk = H.(ss | seq | data)
        ∧ x >yz
        ∧ x > seq
    Q = P ∧ seq ≥ y

The set of reachable states of S is defined by P, and the set of legitimate states of S is defined by Q.

Next we show that system S is V-safe from P to Q by showing that the three conditions of closure, convergence, and protection hold. First, both P and Q are closed in S and Q ⇒ P in S; thus the closure condition holds. Second, the sender action is continuously enabled and any execution of this action starting from a P-state leads the system to a Q-state; thus the convergence condition holds. Third, neither variable in V is updated in any S transition that starts at a (P ∧ not Q)-state; thus the protection condition holds.

Now, consider an adversary D that has only one action as follows.

    Q → seq := any value in the range 0..x − 1; data := sent[seq]; chk := H.(ss | seq | data); x := x + 1

Note that adversary D attacks system S only when S is at a (legitimate) Q-state. Note also that D attacks S by “replaying old messages”; i.e., by assigning the triple (seq, data, chk) any value combination that was assigned earlier by the sender to the same triple. Clearly, the two conditions of adversary closure and adversary protection hold in this case, and we conclude that S is V-secure from P to Q against D.

4. Theorems of security

We now present some useful theorems that follow from the definitions of security in Sections 2 and 3. In what follows, let S be a system, V and V′ be subsets of the variables of S, and P, P′, Q, Q′, and R be state predicates of S. Also, let D and D′ be adversaries of system S, and let E denote the empty adversary (that has no actions) of S.
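Returning to the data transfer example of Section 3: the Python sketch below is an added example, not code from the paper. It enumerates a bounded instance of system S together with the replay adversary D, checks the five conditions of V-security on every explored transition, and repeats the check for a receiver whose guard omits seq > y. Assumptions: HMAC-SHA256 stands in for H, sent holds six constructed items, the starting state and all function names are hypothetical, and because the conjunct of P relating x, y and z is garbled on this page, only x > y is taken from it.

```python
import hashlib, hmac

SS = b"constructed-shared-secret"       # secret ss, known to sender and receiver
SENT = [10 * i + 7 for i in range(6)]   # constructed items; bounding x keeps states finite
V = ("rcvd", "z")                       # critical variables

def H(seq, data):                       # stands in for H.(ss | seq | data)
    return hmac.new(SS, f"{seq}|{data}".encode(), hashlib.sha256).hexdigest()

def P(s):  # reachable states; from the garbled x/y/z conjunct only x > y is assumed
    it = iter(SENT[:s["x"]])            # rcvd must be a subsequence of sent[0..x-1]
    return (all(v in it for v in s["rcvd"]) and s["data"] == SENT[s["seq"]]
            and s["chk"] == H(s["seq"], s["data"]) and s["x"] > s["y"] and s["x"] > s["seq"])

def Q(s):  # legitimate states: the shared triple is not an old message
    return P(s) and s["seq"] >= s["y"]

def write(s, seq):                      # assign (seq, data, chk) and advance x
    return {**s, "seq": seq, "data": SENT[seq], "chk": H(seq, SENT[seq]), "x": s["x"] + 1}
def sender(s):
    return [write(s, s["x"])] if s["x"] < len(SENT) else []
def adversary(s):                       # replay adversary D, enabled only at Q-states
    return [write(s, q) for q in range(s["x"])] if Q(s) and s["x"] < len(SENT) else []

def receiver(s, fresh):                 # fresh=False drops the seq > y guard
    ok = hmac.compare_digest(H(s["seq"], s["data"]), s["chk"])
    if ok and (s["seq"] > s["y"] or not fresh):
        return [{**s, "y": s["seq"], "rcvd": s["rcvd"] + (s["data"],), "z": s["z"] + 1}]
    return [s]                          # skip

def violations(fresh=True):
    seen, bad, todo = set(), set(), [write({"x": 0, "y": -1, "z": 0, "rcvd": ()}, 0)]
    while todo:
        s = todo.pop()
        key = tuple(sorted(s.items()))
        if key in seen:
            continue
        seen.add(key)
        own, adv = sender(s) + receiver(s, fresh), adversary(s)
        checks = {
            "closure": any(not P(t) or (Q(s) and not Q(t)) for t in own),
            "convergence": not all(Q(t) for t in sender(s)),
            "protection": not Q(s) and any(s[v] != t[v] for t in own for v in V),
            "adversary closure": any(not P(t) for t in adv),
            "adversary protection": any(s[v] != t[v] for t in adv for v in V),
        }
        bad |= {name for name, failed in checks.items() if failed}
        todo += [t for t in own + adv if P(t)]   # explore P-states only
    return sorted(bad)
```

With the guard in place no condition fails on the bounded instance; without it, the replayed triple is accepted at a (P ∧ not Q)-state, so both closure and protection are reported. At the bound (x equal to the number of items) the sender is disabled, so convergence is checked only below it.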


Base Theorem. If
    P is closed in S,
then S is V-secure from P to P against E.

Union Theorem. If
    S is V-secure from P to Q against D and
    S is V′-secure from P to Q against D,
then S is (V ∪ V′)-secure from P to Q against D.

Adversary Union Theorem. If
    S is V-secure from P to Q against D and
    S is V-secure from P to Q against D′,
then S is V-secure from P to Q against (D ∪ D′).

Junctivity Theorem. If
    S is V-secure from Q to P against D and
    S is V-secure from Q′ to P′ against D,
then S is V-secure from Q ∨ Q′ to P ∨ P′ against D, and
S is V-secure from Q ∧ Q′ to P ∧ P′ against D.

Transitivity Theorem. If
    S is V-secure from P to Q against D and
    S is V-secure from Q to R against D,
then S is V-secure from P to R against D.

Weakening Theorem. If
    S is V-secure from P to Q against D,
    V′ is a subset of V,
    P′ is closed and P′ ⇒ P in S,
    Q′ is closed and Q ⇒ Q′ and Q′ ⇒ P′ in S, and
    D′ is a subset of D and P′ is closed in D′,
then S is V′-secure from P′ to Q′ against D′.

Next, we sketch a proof of the Weakening Theorem. (Proofs for all other theorems can proceed in the same way.) In this proof, we assume that the antecedent of the theorem holds, then show that the consequent of the theorem also holds.

From the antecedent of the weakening theorem, the following five assertions hold.
(0) S is V-secure from P to Q against D.
(1) V′ is a subset of V.


(2) P′ is closed and P′ ⇒ P in S.
(3) Q′ is closed and Q ⇒ Q′ and Q′ ⇒ P′ in S.
(4) D′ is a subset of D and P′ is closed in D′.

From (0), the following five assertions hold.
(5) S, P, and Q satisfy the closure condition.
(6) S, P, and Q satisfy the convergence condition.
(7) S, P, Q and V satisfy the protection condition.
(8) D and P satisfy the adversary closure condition.
(9) D, P, and V satisfy the adversary protection condition.

From assertions (1) through (9), we conclude the following.
(10) From (2), (3), and (5), S, P′, and Q′ satisfy the closure condition.
(11) From (2), (3), and (6), S, P′, and Q′ satisfy the convergence condition.
(12) From (1), (2), (3), and (7), S, P′, Q′ and V′ satisfy the protection condition.
(13) From (4), D′ and P′ satisfy the adversary closure condition.
(14) From (1), (2), (4), and (9), D′, P′ and V′ satisfy the adversary protection condition.

From assertions (10) through (14), we conclude that S is V′-secure from P′ to Q′ against D′; i.e., the consequent of the weakening theorem holds.

5. Concluding remarks

We presented a definition of system security that is based on the three concepts of closure, convergence, and protection in stabilization theory. We are currently using this definition in specifying correctness criteria for several secure systems that perform authentication and secure data transfer. On one hand, these exercises have demonstrated that our definition can capture the security notions of “authentication”, “privacy”, and “integrity”. On the other hand, we have become aware of some security notions that cannot be easily captured by our definition of security. For example, correctness criteria for systems that counter denial of service attacks are not easy to state using this definition.

Acknowledgement

An early version of this paper was presented at a Dagstuhl-Seminar on Self-Stabilization in the fall of 1998. I am thankful to Anish Arora for helpful discussions concerning this paper. I am also thankful to an anonymous referee for detecting two missing conjuncts in the antecedent of the weakening theorem. Finally, I am thankful to David Gries for his advice that resulted in improving the presentation.

References

[0] A. Arora, M.G. Gouda, Closure and convergence: A foundation for fault-tolerant computing, IEEE Trans. Software Eng. 19 (3) (1993) 1015–1027.
[1] E.W. Dijkstra, Self stabilizing systems in spite of distributed control, Comm. ACM 17 (1974) 643–644.
[2] S. Dolev, Self-Stabilization, MIT Press, Cambridge, MA, 2000.
[3] M. Flatebo, A.K. Datta, S. Ghosh, Self-stabilization in distributed systems, in: T.L. Casavant, M. Singal (Eds.), Readings in Distributed Computing Systems, 1994, pp. 100–114.
[4] M.G. Gouda, The triumph and tribulation of system stabilization, Invited Paper, in: J.M. Helary, M. Raynal (Eds.), Proceedings of the International Workshop on Distributed Algorithms, Lecture Notes in Comput. Sci., Vol. 972, Springer, Berlin, 1995, pp. 1–18.
[5] T. Herman, A comprehensive bibliography on self-stabilization, http://www.cs.uiowa.edu/ftp/selfstab/bibliography/, 2000.
[6] M. Schneider, Self-stabilization, ACM Comput. Surveys 25 (1993) 45–67.