A Formal Framework for Confidentiality-Preserving Refinement

Based on a system model consisting of processes describing the machine, the honest users and the adversary, this paper introduces an abstract framework of refinement relations preserving existential confidentiality properties for nondeterministic, probabilistic systems. It allows a refinement step to trade functionality between the machine and its environment, thus shifting the conceptual boundary between machine and environment. A refinement also permits the realization to extend the observational means of an adversary. A confidentiality-preserving refinement relation is defined in terms of another, more basic relation that considers deterministic probabilistic processes. An instantiation with an entropy-based confidentiality property illustrates the use of this framework. The relationship to other concepts of secure refinement, in particular to reactive simulatability, is discussed.

[1]  Cliff B. Jones,et al.  Systematic software development using VDM (2. ed.) , 1990, Prentice Hall International Series in Computer Science.

[2]  Jan Jürjens,et al.  Secrecy-Preserving Refinement , 2001, FME.

[3]  John Derrick,et al.  Refinement in Z and Object-Z , 2001 .

[4]  J. Jacob,et al.  On the derivation of secure components , 1989, Proceedings. 1989 IEEE Symposium on Security and Privacy.

[5]  Eerke Albert Boiten,et al.  Refinement in Z and Object-Z: Foundations and Advanced Applications , 2001 .

[6]  Frank Ciesinski,et al.  On Probabilistic Computation Tree Logic , 2004, Validation of Stochastic Systems.

[7]  Birgit Pfitzmann,et al.  A Composable Cryptographic Library with Nested Operations (Extended Abstract) , 2003 .

[8]  John McLean,et al.  A General Theory of Composition for a Class of "Possibilistic'' Properties , 1996, IEEE Trans. Software Eng..

[9]  Peter Y. A. Ryan,et al.  Process algebra and non-interference , 1999, Proceedings of the 12th IEEE Computer Security Foundations Workshop.

[10]  Heiko Mantel,et al.  Preserving information flow properties under refinement , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[11]  David J. C. MacKay,et al.  Information Theory, Inference, and Learning Algorithms , 2004, IEEE Transactions on Information Theory.

[12]  Thomas Santen,et al.  Probabilistic Confidentiality Properties based on Indistinguishability , 2005, Sicherheit.

[13]  Jean-Raymond Abrial,et al.  The B-book - assigning programs to meanings , 1996 .

[14]  Maritta Heisel,et al.  Confidentiality-preserving refinement , 2001, Proceedings. 14th IEEE Computer Security Foundations Workshop, 2001..

[15]  Jim Woodcock,et al.  Non-interference through Determinism , 1994, J. Comput. Secur..

[16]  C. A. R. Hoare,et al.  Proof of correctness of data representations , 1972, Acta Informatica.

[17]  Heiko Mantel A uniform framework for the formal specification and verification of information flow security , 2003 .

[18]  Maritta Heisel,et al.  Confidentiality-Preserving Refinement is Compositional - Sometimes , 2002, ESORICS.

[19]  Jeff W. Sanders,et al.  On the refinement of non-interference , 1991, Proceedings Computer Security Foundations Workshop IV.

[20]  Cliff B. Jones,et al.  Systematic software development using VDM , 1986, Prentice Hall International Series in Computer Science.

[21]  Michael Jackson,et al.  Four dark corners of requirements engineering , 1997, TSEM.

[22]  Andrew William Roscoe,et al.  The Theory and Practice of Concurrency , 1997 .

[23]  Jeannette M. Wing,et al.  A behavioral notion of subtyping , 1994, TOPL.

[24]  A. W. Roscoe CSP and determinism in security modelling , 1995, Proceedings 1995 IEEE Symposium on Security and Privacy.

[25]  Paul Benoit,et al.  Météor: A Successful Application of B in a Large Project , 1999, World Congress on Formal Methods.

[26]  Birgit Pfitzmann,et al.  A model for asynchronous reactive systems and its application to secure message transmission , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[27]  Annabelle McIver,et al.  Refinement-oriented probability for CSP , 1996, Formal Aspects of Computing.

[28]  Gavin Lowe,et al.  Quantifying information flow , 2002, Proceedings 15th IEEE Computer Security Foundations Workshop. CSFW-15.

[29]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 2001 IEEE International Conference on Cluster Computing.

[30]  James W. Gray Toward a Mathematical Foundation for Information , 1992, J. Comput. Secur..

[31]  E. Stewart Lee,et al.  A general theory of security properties , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[32]  Nancy A. Lynch,et al.  Probabilistic Simulations for Probabilistic Processes , 1994, Nord. J. Comput..

[33]  Birgit Pfitzmann,et al.  A composable cryptographic library with nested operations , 2003, CCS '03.

[34]  Birgit Pfitzmann,et al.  Secure Asynchronous Reactive Systems , 2004 .

[35]  Bertrand Meyer,et al.  Applying 'design by contract' , 1992, Computer.