Maintaining Information Flow Security Under Refinement and Transformation

We address the problem of maintaining information flow security under refinement and transformation. To this end we define a schema for the specification of secure information flow properties and show that every security property defined in the schema is preserved by a notion of refinement. Refinement is a process that requires human guidance and is in general not amenable to automation. A transformation, on the other hand, is an executable function mapping specifications to specifications. We define an interpretation of transformations and propose a condition under which transformations maintain security.
