An Information Flow Security Property for CCS
Multilevel security has been introduced to limit the activity of Trojan Horses (malicious programs which try to broadcast secret information). All information is classified with a security level, and the multilevel secure system must guarantee that information cannot flow from one level to a lower one. So a Trojan Horse, which operates at a certain level, has no way to downgrade information, and the effect of its execution is confined to that level. In this paper, a formal property of security, called Non Deducibility on Compositions (NDC), is proposed and defined on CCS agents. We assume, for the sake of simplicity, that there are only two security levels: high and low. In this context, a Trojan Horse is a high level process which tries to pass information to the low level. NDC is based on the following intuition: a system is NDC secure if, when connected to all possible high level processes, the computations of the low level users are not affected. Such a property therefore guarantees that no information flow from the high level to the low one can occur. An alternative formulation of NDC, which exploits only local information, is presented. It has the merit of being algorithmically testable for finite-state systems. Moreover, it is useful for modular verification of secure systems, since NDC is a composable property with respect to the CCS operators of parallel composition and restriction. Finally, we show that NDC, based on trace semantics, may be insufficient in some cases. Hence, NDC is also defined assuming the finer (weak) bisimulation as the underlying semantics.
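The abstract says the local formulation of NDC is algorithmically testable for finite-state systems but does not spell it out. The following added example (not code from the paper or its authors) shows how such a trace-based check can be carried out on a small finite-state agent. It assumes the usual local characterisation from the literature on trace-based NDC: compare the low-level traces of the agent with all high actions forbidden (restriction, the "no high user" case) against its low-level traces with all high actions turned into internal moves (hiding, the most permissive high environment). If the two trace sets coincide, no high-level behaviour can change what a low-level user observes. The state names, action names and the two agents `SECURE` and `INSECURE` are constructed for illustration; the equivalence check is a standard subset construction over prefix-closed trace sets.

```python
from collections import deque

TAU = "tau"  # internal action; hidden high actions become TAU

# An agent is a finite labelled transition system:
#   {state: [(action, next_state), ...]}
# Low actions are observable by the low-level user; high actions are not.
HIGH = {"h_in"}

# Constructed insecure agent: a high action enables a low-visible action,
# so a low observer who sees l_leak learns that h_in happened.
INSECURE = {
    "s0": [("h_in", "s1"), ("l_ok", "s2")],
    "s1": [("l_leak", "s3")],
    "s2": [], "s3": [],
}

# Constructed secure agent: the high action is absorbed, and the low user
# sees the same behaviour (l_ok) whether or not h_in occurred.
SECURE = {
    "s0": [("h_in", "s1"), ("l_ok", "s2")],
    "s1": [("l_ok", "s3")],
    "s2": [], "s3": [],
}


def restrict(lts, high):
    """E \\ H: remove every high transition (no high process is connected)."""
    return {s: [(a, t) for a, t in ts if a not in high] for s, ts in lts.items()}


def hide(lts, high):
    """E / H: relabel every high action as TAU (any high behaviour allowed)."""
    return {s: [(TAU if a in high else a, t) for a, t in ts] for s, ts in lts.items()}


def closure(lts, states):
    """States reachable from `states` through TAU moves only."""
    seen, stack = set(states), list(states)
    while stack:
        s = stack.pop()
        for act, t in lts.get(s, []):
            if act == TAU and t not in seen:
                seen.add(t)
                stack.append(t)
    return frozenset(seen)


def step(lts, states, action):
    """Deterministic successor set after observing `action`."""
    nxt = {t for s in states for act, t in lts.get(s, []) if act == action}
    return closure(lts, nxt)


def enabled(lts, states):
    """Observable actions offered from some state of the set."""
    return {act for s in states for act, _ in lts.get(s, []) if act != TAU}


def trace_equivalent(l1, start1, l2, start2):
    """Compare the prefix-closed trace sets of two finite agents.

    Walks the determinised agents in lock-step; the trace sets are equal iff
    every reachable pair of state sets offers the same observable actions.
    Returns (True, None) or (False, sorted list of distinguishing actions).
    """
    first = (closure(l1, {start1}), closure(l2, {start2}))
    seen, queue = {first}, deque([first])
    while queue:
        a, b = queue.popleft()
        ea, eb = enabled(l1, a), enabled(l2, b)
        if ea != eb:
            return False, sorted(ea ^ eb)
        for act in ea:
            pair = (step(l1, a, act), step(l2, b, act))
            if pair not in seen:
                seen.add(pair)
                queue.append(pair)
    return True, None


def ndc_trace_check(lts, start, high):
    """Local trace-based check: low traces of E \\ H must equal those of E / H."""
    return trace_equivalent(restrict(lts, high), start, hide(lts, high), start)


if __name__ == "__main__":
    for name, agent in (("SECURE", SECURE), ("INSECURE", INSECURE)):
        ok, witness = ndc_trace_check(agent, "s0", HIGH)
        print(f"{name}: {'no low-observable flow' if ok else 'flow via ' + str(witness)}")
```

The witness returned for the insecure agent is the low action whose availability depends on high behaviour, which is exactly the information a low-level user could deduce. As the abstract notes, a trace-based check of this kind can miss flows that only show up in branching structure, which is why the paper also studies NDC under weak bisimulation.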