State-oriented Noninterference for CCS

Author

  • Ilaria Castellani
Abstract

We address the question of typing noninterference (NI) in Milner's Calculus of Communicating Systems (CCS), in such a way that Milner's translation of a standard parallel imperative language into CCS preserves both an existing NI property and the associated type system. Recently, Focardi, Rossi and Sabelfeld have shown that a variant of Milner's translation, restricted to the sequential fragment of the language, maps a time-sensitive NI property to that of Persistent Bisimulation-based Non Deducibility on Compositions (PBNDC) on CCS. However, since CCS was not equipped with a security type system, the question of whether the translation preserves types could not be addressed. We extend Focardi, Rossi and Sabelfeld's result by showing that a slightly different variant of Milner's translation preserves a time-insensitive NI property on the full parallel language, by mapping it again to PBNDC. As a by-product, we formalise a folklore result, namely that Milner's translation preserves a natural behavioural equivalence on programs. We present a type system ensuring the PBNDC property on CCS, inspired by type systems for the π-calculus. Unfortunately, this type system as it stands is too restrictive to grant the expected type preservation result. We sketch a solution to overcome this problem.

Keywords: Noninterference, type systems, parallel imperative languages, process calculi, bisimulation.

Résumé (French abstract, translated): We are concerned with the question of typing the noninterference (NI) property in Milner's CCS (Calculus of Communicating Systems). The aim is to prove that Milner's translation of a parallel imperative language into CCS preserves both a known noninterference property and one of the associated type systems. Recently, Focardi, Rossi and Sabelfeld showed that a variant of Milner's translation, restricted to the sequential fragment of the language, preserves a time-sensitive NI property by mapping it to an existing security property for CCS, called Persistent Bisimulation-based Non Deducibility on Compositions (PBNDC). However, since CCS had not previously been equipped with a security type system, the question of type preservation by the translation could not be raised. We extend the result of Focardi, Rossi and Sabelfeld by showing that a new variant of Milner's translation preserves a time-insensitive NI property on the whole language, again by mapping it to the PBNDC property. Along the way, we formalise a folklore result, namely that Milner's translation preserves a behavioural equivalence on programs. We present a type system for CCS guaranteeing the PBNDC property. This system is inspired by type systems previously proposed for the π-calculus. Unfortunately, our type system turns out to be too restrictive to reflect one of the existing type systems for the imperative language. We sketch a solution to this problem.

Keywords (French): Noninterference, type systems, imperative languages with parallelism, process calculi, bisimulation.

Similar resources

A Theory of Noninterference for the π-calculus

We develop a theory of noninterference for a typed version of the π-calculus where types are used to assign secrecy levels to channels. We provide two equivalent characterizations of noninterference based on a typed behavioural equivalence relative to a security level σ, which captures the idea of external observers of level σ. The first characterization involves a universal quantification over ...

Note on a simple type system for non-interference

We consider CCS with value passing and elaborate a notion of noninterference for the process calculus which matches closely that of the programming language. The idea is to view channels as information carriers rather than as "events", so that emitting a secret on an output channel can be considered safe, while inputting a secret may lead to some kind of leakage. This is in contrast with the standard...

Checking probabilistic noninterference using JOANA

JOANA is a tool for software security analysis, checking up to 100kLOC of full multi-threaded Java. JOANA is based on sophisticated program analysis techniques and thus very precise. It includes a new algorithm guaranteeing probabilistic noninterference, named RLSOD. JOANA needs few annotations and has a nice GUI. The tool is open source and was applied in several case studies. The article pres...

Noninterference Security in Communicating Sequential Processes

An extension of classical noninterference security for deterministic state machines, as introduced by Goguen and Meseguer and elegantly formalized by Rushby, to nondeterministic systems should satisfy two fundamental requirements: it should be based on a mathematically precise theory of nondeterminism, and should be equivalent to (or at least not weaker than) the classical notion in the degener...

Type Abstraction for Relaxed Noninterference

Information-flow security typing statically prevents confidential information from leaking to public channels. The fundamental information flow property, known as noninterference, states that a public observer cannot learn anything from private data. As attractive as it is from a theoretical viewpoint, noninterference is impractical: real systems need to intentionally declassify some information, se...


Journal:
  • Electr. Notes Theor. Comput. Sci.

Volume 194, Issue 

Pages  -

Publication date: 2007