Measuring Confinement via Weak Bisimulation

It is well known that observability is closely related to vulnerability against confidentiality attacks: once a low level process is able to observe differences in the behaviour of a high level process it is able to deduce information about its secrets, and confidentiality is thus at least partially violated. However, if whatever the high level secrets are, the behaviours of the observed processes are all equivalent, then a potential attacker cannot reveal any secret information. The recent literature has shown that perfect confinement is a requirement which is hardly met by the real-world systems. With this motivation, in previous work [1, 2], we began looking at approximative notions of confinement. This research is based on the study of quantitative versions of various process equivalences by re-casting them in terms of linear operators. It turned out that process equivalences such as tree isomorphism and bisimulation can be understood in terms of Probabilistic Abstract Interpretation [3]. In particular, two processes are equivalent if there exists a common probabilistic abstraction of both for an appropriate class of abstractions which depend on the notion of observation we are interested in. Within this setting we were then able to formulate approximate notions of these process equivalences. This leads naturally to the definition of corresponding approximate notions of confinement. Each notion has a quantity ε associated to it which lends itself to a statistical interpretation in terms of the effort needed to an attacker to break a system. This gives a measure of the confinement of the system. The current work aims in extending this approach to accommodate another important notion of observability, namely probabilistic weak bisimulation. Weak bisimulation is of particular importance in the context of security as it is quite natural to assume that the actions of high level principals cannot be observed directly by the low level processes. The high level behaviour is thus modelled by τ actions, see e.g. [4, 5].