Analysis and Automatic Detection of Information Flows in Systems and Networks

In recent years, distributed systems in which resources and data are shared among users located anywhere in the world have spread widely. Connecting a system to a wide area network clearly increases the possibility of an intrusion. Moreover, a user may well download a malicious program from an untrusted source on the net and execute it on their own system, with unpredictable results. It is also possible that a system is secure internally while the mechanism it uses for remote connections is weak. This becomes more critical when the network is used for sensitive activities such as electronic commerce or home banking. These arguments, and many others, have recently focused the attention of many researchers on security issues. One of the most interesting challenges is to find a way of guaranteeing that a security policy, protocol or, in general, mechanism achieves the aim for which it was designed. For this reason, interest in formal methods for the specification and analysis of security properties has grown enormously. In this thesis we present a particular class of security properties, the so-called "information flow properties", which can be applied successfully to both system and network security. In the first part of the thesis we show how they can be exploited to guarantee the absence of unwanted information flows in a system. In the second part, we show how the same model and ideas can be applied to the specification and analysis of security protocols. All the properties we present and apply to the analysis of systems and protocols are based on the "Security Process Algebra" (SPA, for short) language. SPA is an extension of CCS, a language for specifying concurrent systems, whose programs are terms of an algebra comprising operators for building systems bottom-up from smaller subsystems.
The basic building blocks are the atomic activities, simply called actions; unlike CCS, in SPA actions belong to two different levels of confidentiality, thus allowing the specification of multilevel (actually, two-level) systems. The information flow properties capture the existence of information flows between groups of users. We will see that such properties all share a particular algebraic form, which makes them parametric with respect to the chosen notion of semantic equivalence among process terms. We analyze which kinds of flows are detectable by the various properties through the running example of an access monitor. In particular, we show that certain properties are not adequate for some kinds of information flows, so that it is necessary to strengthen them by choosing a finer equivalence notion or, if this is not enough, to follow a different approach. We present a tool called "Compositional Security Checker" (CoSeC, for short) which can be used to check automatically (finite state) SPA spec
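The following is an added example, not code from the thesis or from CoSeC, illustrating the two points made above: properties of the form "E with high actions hidden is equivalent to E with high actions forbidden" are parametric in the equivalence, and a coarse equivalence can miss a flow that a finer one detects. In the SPA literature the trace-based instance is called NNI and the weak-bisimulation-based one BNNI; the processes E1 and E2 below are constructed for this illustration and are not the thesis's access monitor. Processes are modelled as finite labelled transition systems with the high action set H = {"h"}, restriction drops high transitions, and hiding turns them into the internal action tau.

```python
"""Miniature two-level information-flow checker over finite LTSs (added example)."""
from collections import deque

TAU = "tau"  # internal, unobservable action


class LTS:
    def __init__(self, start, transitions):
        self.start = start
        self.trans = transitions  # list of (source, action, target)
        self.states = {x for s, _, d in transitions for x in (s, d)} | {start}

    def succ(self, states, action):
        return {d for s, a, d in self.trans if s in states and a == action}

    def tau_closure(self, states):
        closure, frontier = set(states), list(states)
        while frontier:
            s = frontier.pop()
            for s2, a, d in self.trans:
                if s2 == s and a == TAU and d not in closure:
                    closure.add(d)
                    frontier.append(d)
        return frozenset(closure)

    def weak_succ(self, states, action):
        # weak transition  =a=>  is  tau* a tau*
        return self.tau_closure(self.succ(self.tau_closure(states), action))

    def visible_actions(self):
        return {a for _, a, _ in self.trans if a != TAU}


def restrict(lts, high):
    """E \\ H: high users cannot act at all."""
    return LTS(lts.start, [(s, a, d) for s, a, d in lts.trans if a not in high])


def hide(lts, high):
    """E / H: high users act, but a low observer does not see it."""
    return LTS(lts.start, [(s, TAU if a in high else a, d) for s, a, d in lts.trans])


def trace_equivalent(e1, e2):
    """Weak trace equivalence via subset construction over both systems at once."""
    acts = e1.visible_actions() | e2.visible_actions()
    start = (e1.tau_closure({e1.start}), e2.tau_closure({e2.start}))
    seen, queue = {start}, deque([start])
    while queue:
        d1, d2 = queue.popleft()
        for a in acts:
            n1, n2 = e1.weak_succ(d1, a), e2.weak_succ(d2, a)
            if bool(n1) != bool(n2):  # a trace enabled on one side only
                return False
            if n1 and (n1, n2) not in seen:
                seen.add((n1, n2))
                queue.append((n1, n2))
    return True


def weakly_bisimilar(e1, e2):
    """Largest weak bisimulation, computed by refining the full relation."""
    acts = e1.visible_actions() | e2.visible_actions() | {TAU}
    rel = {(p, q) for p in e1.states for q in e2.states}

    def weak(lts, s, a):
        return lts.tau_closure({s}) if a == TAU else lts.weak_succ({s}, a)

    def matched(x, xs, a, y, ys, flip):
        # every strong step x -a-> x' needs a weak answer y =a=> y' with (x', y') related
        for s, b, d in xs.trans:
            if s == x and b == a:
                if not any((y2, d) if flip else (d, y2) in rel for y2 in weak(ys, y, a)):
                    return False
        return True

    changed = True
    while changed:
        changed = False
        for p, q in list(rel):
            if not all(matched(p, e1, a, q, e2, False) and matched(q, e2, a, p, e1, True)
                       for a in acts):
                rel.discard((p, q))
                changed = True
    return (e1.start, e2.start) in rel


HIGH = {"h"}
# Constructed E1 = h.l.0 + l.0 : the high user may act first, the low user can always proceed.
E1 = LTS("s0", [("s0", "h", "s1"), ("s1", "l", "s2"), ("s0", "l", "s2")])
# Constructed E2 = l.0 + h.0 : the high action disables the low user (a deadlock-based flow).
E2 = LTS("s0", [("s0", "l", "s1"), ("s0", "h", "s2")])


def check(e, high=HIGH):
    """Return (NNI verdict, BNNI verdict) for E / H ~ E \\ H under the two equivalences."""
    hidden, restricted = hide(e, high), restrict(e, high)
    return trace_equivalent(hidden, restricted), weakly_bisimilar(hidden, restricted)


if __name__ == "__main__":
    print("E1 (NNI, BNNI):", check(E1))
    print("E2 (NNI, BNNI):", check(E2))
```

For E1 both verdicts are secure. For E2 the low traces are {ε, l} whether or not the high user acts, so trace equivalence reports no flow; weak bisimulation, however, distinguishes the state reached after the hidden h, where l is refused, from the restricted system, where l is always possible, and so detects that a low user can learn the high user acted by observing a refusal. This is the kind of flow for which the text says a finer equivalence is needed.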