P. Y. A. Ryan, A CSP Formulation of Non-Interference and Unwinding, Cipher (1991) 19-27.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....perform the race freedom analysis on the original source program if the original program is race free, all of its simulations are too. 6 Related work There has been a long history of information flow research based on trace models of computer systems [14, 23, 16, 25, 47] and process algebras [34, 39, 35]. Early programming languages work in this area was initiated by Denning [8] and Reynolds [31] A few researchers have investigated noninterferencebased type systems for concurrent languages and process calculi. Smith and Volpano have assumed a fixed number of threads and a uniform thread ....

P. Ryan. A CSP formulation of non-interference and unwinding. Cipher, pages 19--30, 1991.

....noninterference in that purge functions are not used. The combination of taking states modulo equivalence and traces up to stutterequivalence, yields essentially the same result. Equivalence relations over states appear in all of these formulations in the guise of unwinding relations [8, 20, 13, 12] and the closely related notion of simulation relations [10] The difference between unwinding relations and views is that rather than starting with an event system and trying to find a consistent unwinding relation as a means of establishing a security property, we start with a view of the system ....

P. Ryan. A CSP formulation of non-interference and unwinding. Cipher, pages 19--30, 1991.

....noninterference in that purge functions are not used. The combination of taking states modulo # equivalence and traces up to stutterequivalence, yields essentially the same result. Equivalence relations over states appear in all of these formulations in the guise of unwinding relations [8, 20, 13, 12] and the closely related notion of simulation relations [10] The difference between unwinding relations and views is that rather than starting with an event system and trying to find a consistent unwinding relation as a means of establishing a security property, we start with a view of the system ....

P. Ryan. A CSP formulation of non-interference and unwinding. Cipher, pages 19--30, 1991.

....safety and liveness properties [McL94] As expected, this makes it dicult to prove that a system is secure for such a property. Thus, it is especially desirable to have unwinding conditions which simplify such proofs. Nevertheless, unwinding of possibilistic security has been mostly neglected (see [GCS91,Rya91,Mil94] for exceptions) This article seeks to ll the gap by deriving unwinding conditions for a large class of possibilistic security properties. All unwinding conditions presented are sucient to guarantee security and some are also necessary. One novelty is that the unwinding conditions are based on ....

....two unwinding conditions are similar to our output step consistency and locally respects. A di erence is that the equivalence relation is de ned which is less exible than specifying it, as in our approach (for the ordering) An unwinding theorem is provided but no completeness results. Ryan [Rya91] presented unwinding conditions which are also based on equivalence relations. He derived correctness as well as completeness results for a single possibilistic security property in the framework of CSP. Interestingly, these results were later re proved in a slightly di erent setting by exploiting ....

P.Y.A. Ryan. A CSP Formulation of Non-Interference and Unwinding. Cipher, pages 19-30, Winter 1991.

....composition in these di erent semantic frameworks will be di erent to each other, and it is not clear how to compare them, or how to apply results from one approach to another. 5. 2 Process algebras There are also a number of approaches which make use of process algebraic techniques, based on CSP [15,14,6], CCS [1] or the (asynchronous) calculus [5] These are often concerned with issues such as nondeterminism, and generally use failures information (traces together with possible refusals) or bisimulation information (whether processes can match executions by passing through matching states) to ....

....traces hi and hl i is compatible with each of its high level traces hi and hhi. Some information other than traces is required to identify the possibility of information ow via the refusal. Ryan proposed a generalisation of the Goguen and Meseguer unwinding characterisation of non interference, [15] by stipulating that the set of refusal events and the set of possible next events for any state of the process do not change on occurrence of a high level event. This property is violated by P , since initially it cannot refuse l , but it can refuse l after occurrence of the rst h. More ....

P. Y. A. Ryan. A CSP formulation of non-interference and unwinding. Cipher, 1991.

....can be used to reason about security protocols. This makes available all the theory, tools and experience built up in this area. It also has the advantage that we don t have to rely on intuitions about, for example, the meaning of authentication. Various people, including one of the authors, [PYAR], have used CSP to formulate security properties such as non interference, non deducability etc. In this CSP had shown itself well suited. Add to this the observation that CSP is ideally suited (by construction) to modelling and analysing systems interacting via messages (i.e. protocols) and we ....

P Y A RYAN. A CSP Formulation of Non-interference and Unwinding. Presented at the CSFW 1990 and published in Cipher Winter 1990/1.

....as various forms of testing equivalence. 3.2. CSP Formulations In an attempt to resolve the problems associated with drawing input output distinctions as well as address the issue of non deterministic systems, one of the authors proposed a recasting of the Goguen Meseguer formulation into CSP [14]. Again the notation is tweaked slightly from the original 1990 presentation to make it more compatible with the rest of this paper. 8 tr; tr 0 : traces(S) tr tr 0 ) refusals(S=tr) L = refusals(S= tr 0 ) L) 2) where tr tr 0 , tr L = tr 0 L. refusals(S=tr) denotes the ....

....it turns out that, although CSP doesn t draw such distinctions, we can nonetheless use the framework, given in equation 2, to distinguish at least the High (abstracted) input output events. This ability to distingiush inputs outputs in CSP arises from our use of the more symmetric formulation of [14] instead of the more traditional form in which an arbitrary trace is compared to its purge. A consequence of this is that in this formulation it is not guaranteed that the purge of an arbitrary trace is itself a valid trace of the system. At first glance this appears to be a flaw as it seems to ....

[Article contains additional citation context not shown here]

P. Y. A. Ryan. A CSP formulation of non-interference and unwinding. Presented at CSFW'90 and published in Cipher Winter90/91, 1990.

No context found.

P. Y. A. Ryan, A CSP Formulation of Non-Interference and Unwinding, Cipher (1991) 19-27.

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC