Compositional noninterference from first principles

The recently formulated Shadow Semantics for noninterference-style security of sequential programs avoids the Refinement Paradox by preserving demonic nondeterminism in those cases where reducing it would compromise security. The construction (originally) of the semantic domain for The Shadow, and the interpretation of programs in it, relied heavily on intuition, guesswork and the advice of others. That being so, it is natural after the fact to try to reconstruct an idealised “inevitable” path from first principles to where we actually ended up: not only does one learn (more) about semantic principles by doing so, but the “rational reconstruction” helps to expose the choices made, along the way, and to legitimise the decisions that resolved them. Unlike our other papers on noninterference, this one does not contain a significant case study: instead its aim is to provide the most accessible account we can of the methods we use and why our model, in its details, has turned out the way it has. In passing, it might give some insight into the general role and significance of compositionality and testing-with-context for program semantics. Finally, a technical contribution here is a new “Transfer Principle” that captures uniformly a large class of classical refinements that remain valid when noninterference is taken into account in our style.

[1]  Annabelle McIver,et al.  Abstraction, Refinement and Proof for Probabilistic Systems , 2004, Monographs in Computer Science.

[2]  Carroll Morgan,et al.  Programming from specifications (2nd ed.) , 1994 .

[3]  Edsger W. Dijkstra,et al.  A Discipline of Programming , 1976 .

[4]  Joseph M. Morris,et al.  A Theoretical Basis for Stepwise Refinement and the Programming Calculus , 1987, Sci. Comput. Program..

[5]  Jeremy L. Jacob,et al.  Security specifications , 1988, Proceedings. 1988 IEEE Symposium on Security and Privacy.

[6]  Ronald L. Rivest Unconditionally Secure Commitment and Oblivious Transfer Schemes Using Private Channels and a Truste , 1999 .

[7]  David Chaum,et al.  The dining cryptographers problem: Unconditional sender and recipient untraceability , 1988, Journal of Cryptology.

[8]  Ian J. Hayes,et al.  Specification case studies , 1987 .

[9]  Annabelle McIver,et al.  Compositional refinement in agent-based security protocols , 2011, Formal Aspects of Computing.

[10]  Annabelle McIver,et al.  Sums and Lovers: Case Studies in Security, Compositionality and Refinement , 2009, FM.

[11]  Ralph-Johan Back,et al.  Refinement Calculus: A Systematic Introduction , 1998 .

[12]  Niklaus Wirth,et al.  Program development by stepwise refinement , 1971, CACM.

[13]  Annabelle McIver,et al.  Probabilistic predicate transformers , 1996, TOPL.

[14]  Jean-Raymond Abrial,et al.  The B-book - assigning programs to meanings , 1996 .

[15]  C. A. R. Hoare,et al.  An axiomatic basis for computer programming , 1969, CACM.

[16]  Carroll Morgan How to Brew-up a Refinement Ordering , 2009, Electron. Notes Theor. Comput. Sci..

[17]  Carroll Morgan The Shadow Knows: Refinement and security in sequential programs , 2009, Sci. Comput. Program..

[18]  Annabelle McIver The Secret Art of Computer Programming , 2009, ICTAC.

[19]  C. A. R. HOARE,et al.  An axiomatic basis for computer programming , 1969, CACM.

[20]  Pavol Cerný,et al.  Preserving Secrecy Under Refinement , 2006, ICALP.

[21]  Annabelle McIver,et al.  Probabilistic Models for the Guarded Command Language , 1997, Sci. Comput. Program..

[22]  Annabelle McIver,et al.  Compositional Closure for Bayes Risk in Probabilistic Noninterference , 2010, ICALP.

[23]  José Meseguer,et al.  Unwinding and Inference Control , 1984, 1984 IEEE Symposium on Security and Privacy.

[24]  Carroll Morgan The Shadow Knows: Refinement of Ignorance in Sequential Programs , 2006, MPC.