Bisimulation for Secure Information Flow Analysis of Multi-Threaded Programs

Preserving the confidentiality of information is a growing concern in software development. Secure information flow aims to maintain the confidentiality of sensitive information by preventing it from flowing to attackers. This paper discusses how to ensure confidentiality for multi-threaded programs through a property called observational determinism. The operational semantics of multi-threaded programs is modeled using Kripke structures. Observational determinism is formalized in terms of divergence weak low-bisimulation; bisimulation is an equivalence relation that associates executions which simulate each other. The resulting property is called bisimulation-based observational determinism. Furthermore, a model checking method is proposed to verify the new property and thereby ensure that secure information flow holds in a multi-threaded program. The method successively refines the Kripke model of the program until the quotient of the model with respect to divergence weak low-bisimulation is reached; bisimulation-based observational determinism is then checked on the quotient, which is a minimized model of the concrete Kripke model. The time complexity of the proposed method is polynomial in the size of the Kripke model. The approach has been implemented on top of PRISM, a probabilistic model checking tool. Finally, a case study is discussed to show the applicability of the proposed approach.
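The pipeline the abstract describes (interleave the threads into a Kripke structure, refine its partition down to a low-bisimulation quotient, check observational determinism on the quotient) can be seen end to end on a toy scale. The following is an added example written for this page; it is not the paper's implementation and does not use PRISM. It assumes a simplified equivalence: the coarsest divergence-sensitive stuttering bisimulation over state labels that consist of the low variables only, computed by the standard (unoptimized, quadratic) partition-refinement loop that splits a block when its states disagree on which other blocks they can reach through the block or on whether they can diverge inside it. The observational-determinism check on the quotient is the example's own formulation: all initial states with equal low inputs must land in one block, and the quotient reachable from that block must have at most one non-stuttering successor per block. The three programs (`SECURE`, `RACE`, `LEAK`) and the variable names `h` (high) and `l` (low) are constructed for the example.

```python
"""Added example: model check observational determinism on a bisimulation quotient.

explore  -> Kripke structure of a multi-threaded program by interleaving threads
quotient -> partition refinement to the divergence-sensitive stuttering
            bisimulation quotient with low variables as state labels
observationally_deterministic -> the property, checked on the quotient
"""
from collections import defaultdict


def explore(threads, initial_vals, low):
    """Each thread is a list of atomic steps (dict of values -> new dict).
    A state is (program counters, sorted variable values); a terminated state
    loops on itself so every state has a successor. Labels are the low values."""
    def key(pcs, vals):
        return (pcs, tuple(sorted(vals.items())))

    initials = [key((0,) * len(threads), v) for v in initial_vals]
    succ, todo, seen = defaultdict(list), list(initials), set(initials)
    while todo:
        s = todo.pop()
        pcs, vals = s[0], dict(s[1])
        moved = False
        for i, thread in enumerate(threads):
            if pcs[i] < len(thread):
                moved = True
                nxt = key(pcs[:i] + (pcs[i] + 1,) + pcs[i + 1:], thread[pcs[i]](vals))
                succ[s].append(nxt)
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        if not moved:
            succ[s].append(s)

    def label(s):
        return tuple(v for k, v in s[1] if k in low)

    return sorted(seen), succ, label, initials


def _reach_within(u, members, succ):
    """States of the block reachable from u without leaving the block (incl. u)."""
    seen, todo = {u}, [u]
    while todo:
        x = todo.pop()
        for y in succ[x]:
            if y in members and y not in seen:
                seen.add(y)
                todo.append(y)
    return seen


def quotient(states, succ, label):
    """Start from the low-label partition; split a block whenever two of its
    states differ in (a) the set of other blocks reachable via a path inside the
    block or (b) the ability to diverge, i.e. stay inside the block forever.
    A stable partition is the coarsest divergence-sensitive stuttering bisimulation."""
    ids = {}
    block = {s: ids.setdefault(label(s), len(ids)) for s in states}
    while True:
        members = defaultdict(set)
        for s in states:
            members[block[s]].add(s)
        signature = {}
        for b, ms in members.items():
            reach = {u: _reach_within(u, ms, succ) for u in ms}
            on_cycle = {u for u in ms if any(u in reach[y] for y in succ[u] if y in ms)}
            for u in ms:
                exits = frozenset(block[y] for x in reach[u] for y in succ[x] if y not in ms)
                signature[u] = (b, exits, bool(reach[u] & on_cycle))
        ids = {}
        new_block = {s: ids.setdefault(signature[s], len(ids)) for s in states}
        if len(ids) == len(members):      # nothing was split: partition is stable
            return new_block
        block = new_block


def observationally_deterministic(states, succ, label, initials, block):
    """(1) initial states agreeing on low inputs must be low-bisimilar (same block);
    (2) every block reachable from an initial block has at most one distinct
    successor block, so all low-observable traces coincide up to stuttering."""
    per_low = defaultdict(set)
    for s in initials:
        per_low[label(s)].add(block[s])
    if any(len(bs) > 1 for bs in per_low.values()):
        return False
    qsucc = defaultdict(set)
    for s in states:
        for t in succ[s]:
            if block[t] != block[s]:
                qsucc[block[s]].add(block[t])
    todo, seen = [block[s] for s in initials], set()
    while todo:
        b = todo.pop()
        if b in seen:
            continue
        seen.add(b)
        if len(qsucc[b]) > 1:
            return False
        todo.extend(qsucc[b])
    return True


def check(threads, initial_vals, low=("l",)):
    states, succ, label, initials = explore(threads, initial_vals, low)
    return observationally_deterministic(states, succ, label, initials,
                                         quotient(states, succ, label))


# Constructed programs: h is high, l is low; the initial states range over h.
INITIALS = [{"h": 0, "l": 0}, {"h": 1, "l": 0}]
SECURE = [[lambda v: {**v, "l": 1}], [lambda v: {**v, "h": v["h"] + 1}]]  # only high write races
RACE = [[lambda v: {**v, "l": 1}], [lambda v: {**v, "l": 2}]]            # l ends as 1 or 2: low-nondeterministic
LEAK = [[lambda v: {**v, "l": v["h"]}]]                                   # explicit flow h -> l

if __name__ == "__main__":
    for name, prog in [("secure", SECURE), ("race", RACE), ("leak", LEAK)]:
        print(name, check(prog, INITIALS))
```

`SECURE` passes: both initial states fall into one block and the quotient is a chain. `LEAK` fails condition (1): the two initial states are split because only one of them can reach the block labeled l=1. `RACE` fails condition (2) even though it never reads `h`: the initial block has two distinct successor blocks, which is exactly the low nondeterminism observational determinism rejects, since a scheduler whose timing depends on high data could turn it into a leak.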