Semiring-based Specification Approaches for Quantitative Security

Our goal is to provide different semiring-based formal tools for the specification of security requirements: we quantitatively enhance the open-system approach, according to which a system is partially specified. We therefore suppose the existence of an unknown and possibly malicious agent that interacts in parallel with the system. Two specification frameworks are designed along two different (but still related) lines: comparing the behaviour of a system with the expected one, or checking whether the system satisfies some security requirements. First, we investigate a novel approximate behavioural equivalence for comparing the behaviour of processes, thus extending the Generalised Non Deducibility on Composition (GNDC) approach with scores. As a second result, we equip a modal logic with semiring values, so that a weight is associated with the satisfaction of a formula that specifies a requested property. Finally, we generalise the classical partial model-checking function, naming the result quantitative partial model-checking, in order to point out the necessary and sufficient conditions that a system has to satisfy to be considered secure with respect to a fixed security/functionality threshold value.
