Synthesis of opaque systems with static and dynamic masks

Opacity is a security property formalizing the absence of secret information leakage and we address in this paper the problem of synthesizing opaque systems. A secret predicate S over the runs of a system G is opaque to an external user having partial observability over G, if s/he can never infer from the observation of a run of G that the run belongs to S. We choose to control the observability of events by adding a device, called a mask, between the system G and the users. We first investigate the case of static partial observability where the set of events the user can observe is fixed a priori by a static mask. In this context, we show that checking whether a system is opaque is PSPACE-complete, which implies that computing an optimal static mask ensuring opacity is also a PSPACE-complete problem. Next, we introduce dynamic partial observability where the set of events the user can observe changes over time and is chosen by a dynamic mask. We show how to check that a system is opaque w.r.t. to a dynamic mask and also address the corresponding synthesis problem: given a system G and secret states S, compute the set of dynamic masks under which S is opaque. Our main result is that the set of such masks can be finitely represented and can be computed in EXPTIME and this is a lower bound. Finally we also address the problem of computing an optimal mask.

[1]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[2]  Gurvan Le Guernic Information Flow Testing , 2007, ASIAN.

[3]  Sandy Irani,et al.  Efficient algorithms for optimum cycle mean and optimum cost to time ratio problems , 1999, DAC '99.

[4]  Benoît Caillaud,et al.  Concurrent Secrets , 2007, 2006 8th International Workshop on Discrete Event Systems.

[5]  Thierry Jéron,et al.  Monitoring confidentiality by diagnosis techniques , 2009, 2009 European Control Conference (ECC).

[6]  W. Browder,et al.  Annals of Mathematics , 1889 .

[7]  Laurent Mazare,et al.  Using Unification For Opacity Properties , 2004 .

[8]  Roberto Gorrieri,et al.  Classification of Security Properties (Part I: Information Flow) , 2000, FOSAD.

[9]  T. Kean Invited Talk 1 , 2009 .

[10]  Albert R. Meyer,et al.  Word problems requiring exponential time(Preliminary Report) , 1973, STOC.

[11]  Maciej Koutny,et al.  Opacity generalised to transition systems , 2005, International Journal of Information Security.

[12]  Yliès Falcone,et al.  What can you verify and enforce at runtime? , 2012, International Journal on Software Tools for Technology Transfer.

[13]  Wolfgang Thomas,et al.  On the Synthesis of Strategies in Infinite Games , 1995, STACS.

[14]  Philippe Darondeau,et al.  Supervisory Control for Opacity , 2010, IEEE Transactions on Automatic Control.

[15]  Nejib Ben Hadj-Alouane,et al.  On the verification of intransitive noninterference in mulitlevel security , 2005, IEEE Transactions on Systems, Man, and Cybernetics, Part B (Cybernetics).

[16]  S.L. Ricker A question of access: decentralized control and communication strategies for security policies , 2006, 2006 8th International Workshop on Discrete Event Systems.

[17]  Stavros Tripakis,et al.  Fault Diagnosis with Static and Dynamic Observers , 2008, Fundam. Informaticae.

[18]  Martín Abadi,et al.  Automated verification of selected equivalences for security protocols , 2005, 20th Annual IEEE Symposium on Logic in Computer Science (LICS' 05).

[19]  Shigemasa Takai,et al.  A Formula for the Supremal Controllable and Opaque Sublanguage Arising in Supervisory Control , 2008 .

[20]  Hervé Marchand,et al.  Dynamic Observers for the Synthesis of Opaque Systems , 2009, ATVA.

[21]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[22]  P. Darondeau,et al.  Opacity enforcing control synthesis , 2008, 2008 9th International Workshop on Discrete Event Systems.

[23]  Gurvan Le Guernic Information flow testing: the third path towards confidentiality guarantee , 2007 .

[24]  Gavin Lowe,et al.  Towards a completeness result for model checking of security protocols , 1998, Proceedings. 11th IEEE Computer Security Foundations Workshop (Cat. No.98TB100238).

[25]  Olivier Roux,et al.  Synthesis of Non-Interferent Systems , 2007 .

[26]  Iliano Cervesato Advances in Computer Science - ASIAN 2007. Computer and Network Security, 12th Asian Computing Science Conference, Doha, Qatar, December 9-11, 2007, Proceedings , 2007, ASIAN.

[27]  Richard M. Karp,et al.  A characterization of the minimum cycle mean in a digraph , 1978, Discret. Math..

[28]  李幼升,et al.  Ph , 1989 .

[29]  Pavol Cerný,et al.  Preserving Secrecy Under Refinement , 2006, ICALP.

[30]  Uri Zwick,et al.  The Complexity of Mean Payoff Games on Graphs , 1996, Theor. Comput. Sci..

[31]  Roland Groz,et al.  Test Generation for Network Security Rules , 2006, TestCom.