Supervisory Control for Opacity

In the field of computer security, a problem that has received little attention so far is the enforcement of confidentiality properties by supervisory control. Given a critical system G that may leak confidential information, the problem consists in designing a controller C, possibly disabling occurrences of a fixed subset of events of G, so that the closed-loop system G/C does not leak confidential information. We consider this problem in the case where G is a finite transition system with set of events Σ and an inquisitive user, called the adversary, observes a subset Σ_a of Σ. The confidential information is the fact (when it is true) that the trace of the execution of G on Σ* belongs to a regular set S ⊆ Σ*, called the secret. The secret S is said to be opaque w.r.t. G (respectively, G/C) and Σ_a if the adversary cannot safely infer this fact from the trace of the execution of G (respectively, G/C) on Σ_a*. In the converse case, the secret can be disclosed. We present an effective algorithm for computing the most permissive controller C such that S is opaque w.r.t. G/C and Σ_a. This algorithm subsumes two earlier algorithms working under the strong assumption that the alphabet Σ_a of the adversary and the set of events that the controller can disable are comparable.
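The opacity definition above can be checked mechanically for a finite G and a regular secret S by exploring the adversary's state estimates (a subset construction over the product of G with a complete DFA for S): the secret is disclosed exactly when some observed sequence leaves an estimate in which every consistent trace lies in S. The following is an added example, not code from the paper; the system G, the secret S = Σ* h Σ*, the alphabets and the controller that disables one transition are all constructed here, and the paper's synthesis algorithm for the most permissive controller is not reproduced.

```python
from collections import deque

# Constructed example (not from the paper): the events of G, the subset the
# adversary observes, and the secret "the hidden event h has occurred".
EVENTS = {"a", "b", "h"}
OBS = {"a", "b"}  # Sigma_a; h is invisible to the adversary
# Complete DFA for S = Sigma* h Sigma*: state 1 (h has occurred) is accepting.
S_INIT, S_ACCEPT = 0, {1}
S_TRANS = {(s, e): (1 if e == "h" or s == 1 else 0) for s in (0, 1) for e in EVENTS}
G_INIT = "q0"
# Leaky G: observing b proves that h occurred, since q3 is reached only via h.
G_LEAKY = {("q0", "h"): "q1", ("q0", "a"): "q2", ("q1", "b"): "q3"}
# Same G with a second, secret-free path to an observed b: S becomes opaque.
G_OPAQUE = {**G_LEAKY, ("q0", "b"): "q4"}
# Closed loop G/C for a constructed controller that disables b at q1.
G_CONTROLLED = {k: v for k, v in G_LEAKY.items() if k != ("q1", "b")}


def unobservable_reach(states, g_trans, s_trans, unobs):
    """Close a set of product states (g, s) under the unobservable events."""
    reach, todo = set(states), list(states)
    while todo:
        g, s = todo.pop()
        for e in unobs:
            if (g, e) in g_trans:
                nxt = (g_trans[(g, e)], s_trans[(s, e)])
                if nxt not in reach:
                    reach.add(nxt)
                    todo.append(nxt)
    return frozenset(reach)


def find_disclosure(g_init, g_trans, s_init, s_trans, s_accept, events, obs):
    """Breadth-first search over the adversary's estimates (subset construction
    on G x A_S). Returns an observed sequence after which every consistent
    trace of G belongs to S (the secret is disclosed), or None if S is opaque."""
    unobs = events - obs
    init = unobservable_reach({(g_init, s_init)}, g_trans, s_trans, unobs)
    seen, queue = {init}, deque([(init, [])])
    while queue:
        est, word = queue.popleft()
        if est and all(s in s_accept for _, s in est):
            return word  # [] means disclosure before any observation
        for e in sorted(obs):
            step = {(g_trans[(g, e)], s_trans[(s, e)]) for g, s in est if (g, e) in g_trans}
            nxt = unobservable_reach(step, g_trans, s_trans, unobs)
            if nxt and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, word + [e]))
    return None
```

`find_disclosure(G_INIT, G_LEAKY, S_INIT, S_TRANS, S_ACCEPT, EVENTS, OBS)` returns `['b']`, the observation that discloses the secret, while the same call on `G_OPAQUE` and on the closed loop `G_CONTROLLED` returns `None`.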
