Preserving information flow properties under refinement

In a stepwise development process, it is essential that system properties that have already been investigated in some phase need not be re-investigated in later phases. In formal developments, this corresponds to the requirement that properties are preserved under refinement. While safety and liveness properties are indeed preserved under most standard forms of refinement, it is well known that this is, in general, not true for information flow properties, a large and useful class of security properties. We propose a collection of refinement operators as a solution to this problem. We prove that these operators preserve information flow as well as other system properties. Thus, information flow properties become compatible with stepwise development. Moreover, we show that our operators are an optimal solution.
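The abstract's central observation, that ordinary refinement keeps safety properties but can destroy information flow properties, is easy to reproduce in a small trace model. The following example is added here and is not code from the paper; the paper's refinement operators are not reproduced on this page and are not modelled. The example assumes a system is a prefix-closed set of event traces, that refinement means removing traces (trace refinement), and it uses possibilistic noninference as the information flow property and "no run contains two confidential events" as the safety property; the event names `h`, `l0`, `l1` and the systems `SPEC` and `IMPL` are constructed for illustration. It enumerates every trace refinement of `SPEC` and counts how many lose each property.

```python
from itertools import combinations

HIGH = {"h"}          # confidential (high-level) events, constructed for the example
LOW = {"l0", "l1"}    # publicly observable (low-level) events


def prefix_closure(traces):
    """Return the prefix closure of a set of traces: if a system can perform a
    run, it can perform every prefix of that run (standard trace-model convention)."""
    closed = set()
    for trace in traces:
        for i in range(len(trace) + 1):
            closed.add(trace[:i])
    return frozenset(closed)


def purge_high(trace):
    """The low observer's view of a run: the trace with all high events deleted."""
    return tuple(e for e in trace if e not in HIGH)


def noninference(traces):
    """Possibilistic noninference: the low view of every run is itself a possible
    run, so a low observer can never be certain that a high event occurred."""
    return all(purge_high(t) in traces for t in traces)


def safe_no_two_high(traces):
    """A safety property: no run ever contains two high events."""
    return all(sum(e in HIGH for e in t) <= 1 for t in traces)


def refines(impl, spec):
    """Trace refinement: the implementation only performs runs the specification allows."""
    return impl <= spec


def prefix_closed_subsets(traces):
    """Enumerate all non-empty prefix-closed subsets of a trace set, i.e. all
    trace refinements of the system (feasible only for tiny systems like SPEC)."""
    ordered = sorted(traces, key=lambda t: (len(t), t))
    for size in range(1, len(ordered) + 1):
        for subset in combinations(ordered, size):
            candidate = frozenset(subset)
            if prefix_closure(candidate) == candidate:
                yield candidate


def count_breaking_refinements(prop, spec):
    """How many trace refinements of spec lose a property that spec satisfies."""
    if not prop(spec):
        return 0
    return sum(1 for impl in prefix_closed_subsets(spec) if not prop(impl))


# Specification: after a high event h, the system may emit either l0 or l1;
# without any high event, it may also emit either l0 or l1. Constructed example.
SPEC = prefix_closure({("h", "l0"), ("h", "l1"), ("l0",), ("l1",)})

# A legitimate trace refinement that resolves the nondeterminism: emit l1 only
# after h, and l0 only when no h occurred. Now seeing l1 reveals that h happened.
IMPL = prefix_closure({("h", "l1"), ("l0",)})


def demo():
    """Compare both properties on SPEC and on its refinement IMPL."""
    return {
        "impl_refines_spec": refines(IMPL, SPEC),
        "spec_safe": safe_no_two_high(SPEC),
        "impl_safe": safe_no_two_high(IMPL),
        "spec_noninference": noninference(SPEC),
        "impl_noninference": noninference(IMPL),
        "safety_breaking_refinements": count_breaking_refinements(safe_no_two_high, SPEC),
        "noninference_breaking_refinements": count_breaking_refinements(noninference, SPEC),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The safety property holds for every one of the refinements because removing runs can never introduce a forbidden run, while noninference fails for several of them: a refinement may delete exactly the runs that gave the low observer plausible alternative explanations. This is the gap the abstract's refinement operators are designed to close.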
