| A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Noninterference through determinism. In D. Gollmann, editor, European Symposium on Research in Computer Security (ESORICS), LNCS 875, pages 33--53. Springer-Verlag, 1994. |
....covert channels one can use the notion of noninterference (Goguen, Meseguer 1982; cf. e.g. [Jür00]). Secure communication over untrusted networks requires specific mechanisms such as encryption and cryptographic protocols. There has been much work on security using formal methods (e.g. [BAN89, RWW94, Low96, AJ00, Jür01c]), mostly about security protocols or secure information flow. [And94] suggests to use software engineering techniques to ensure security. [DS00] proposes to extend the syntax and semantics of standards such as UML to address security concerns. We are not aware of any ....
A. Roscoe, J. Woodcock, and L. Wulf. Non-interference through determinism. In ESORICS 94, volume 875 of LNCS. Springer, 1994.
....the trust tags in the nonstandard dependence models used by Ørbæk [36]. Along the way we consider some relations to specific static analyses, such as the Secure Lambda Calculus [15] and an alternative semantic condition for secure information flow proposed by Leino and Joshi [25]. 2.1.5 Overview The rest of the paper is organised as follows. Section 2.2 shows how the per-based condition for soundness of binding-time analysis is also a model of secure information flow. We show how this provides insight into the treatment of higher-order functions and structured data. ....
....of the deterministic case in the sense that it is termination sensitive, and does not have the shortcomings of the upper powerdomain interpretation. 2.4 Relation to an Equational Characterisation In this section we relate the per-based security condition to a proposal by Leino and Joshi [25]. As before, assume for simplicity we have programs with just two variables: h and l of high and low secrecy respectively. Assume that the state is simply a pair, where h refers to the first projection and l is the second projection. Leino and Joshi [25] define the security condition for a ....
A.W. Roscoe, J.C.P. Woodcock, and L. Wulf. Non-interference through Determinism. In Proceedings of the European Symposium on Research in Computer Security (ESORICS), LNCS 875, pages 33--53, Brighton, UK, November 7--9 1994. Springer.
....a definition of Non-Interference given on CSP [39]. It looks like SNNI with some side conditions on acceptable low level actions. This definition is recalled in [4], where a comparison with another information flow property is reported. More recent results based on the CSP model are contained in [56], where the authors introduce some information flow security properties based on the notion of deterministic views and show how to automatically verify them using the CSP model checker FDR [55]. The most interesting property is lazy security (LSec) which, however, requires the absence of ....
....of #B and since E # #B F # , we obtain that E # =# E ## but this is not possible since E # X ##. We obtain that F # X ## and so (#, X) # F . The symmetric case can be done for every (#, X) # F which must belong also to E. Lazy Security We now report the lazy security property [56] and we show that it can only deal with low deterministic processes, i.e. processes which have a deterministic behaviour with respect to low level actions. Here we do not consider the eager security property (introduced in [56] to deal with output actions) since it supposes that high level ....
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. "Non-interference through Determinism". In Proceedings of the European Symposium on Research in Computer Security
....introduced variations and extensions of their model for various purposes. Important successors were the intransitive versions of noninterference formulated by Haigh and Young [8] and Rushby [12]. Roscoe, Woodcock and Wulf introduced a noteworthy formulation based on the CSP process algebra [11], which emphasizes determinism as an overriding principle. Recently, researchers have begun to apply noninterference concepts to model the integrity of embedded control systems. Dutertre and Stavridou developed an elegant noninterference model [5] having some similarities to our own. Their model ....
A.W. Roscoe, J.C.P. Woodcock, and L. Wulf. Non-interference through determinism. Journal of Computer Security, 4(1):27--53, 1996.
....can be true or false for a given set of traces. In a distributed setting, these traces can be viewed as sequences of events like, e.g., communication of local processes in a distributed network. Many different approaches to this type of general information flow control have been proposed (e.g. [13, 30, 12, 22, 16, 14, 33, 25, 26]), which increased the need to unify and to compare. This has led to uniform frameworks and detailed comparisons [23, 10, 34, 18]. Another line of research that is becoming increasingly popular is information flow control in a setting of a concrete programming language. The efforts in this area ....
.... the properties of a particular scheduler). Although the determinism of bisimulation is the key feature to relating bisimulation-based and trace-based models, it is not crucial for the actual security definition of MWL (certain security properties can be defined through low determinism, as in [25, 24]). For example, if MWL had a nondeterministic choice operator 8 then the nondeterministic program l : 0 8 l : 1 would be considered secure under Definition 7. However, the two security definitions (Definition 7 and Definition 2 for MWL thread pools) would no longer be equivalent. Indeed, at no ....
A. Roscoe, J. Woodcock, and L. Wulf. Non-interference through Determinism. In Proceedings of the European Symposium on Research in Computer Security (ESORICS), LNCS 875, pages 33--53, Brighton, UK, November 7--9 1994. Springer.
....as encryption and cryptographic protocols (e.g. to exchange encryption keys). Security protocols are very difficult to design correctly and there are numerous examples of published protocols found to be vulnerable. There has been much work on security using formal specifications (e.g. [BAN89, FG94, RWW94, Low96, LR97, FG97, Lot97, AG99, Low99, AJ00, Jür00a, Gut00, Syv00, RS01]), mostly about security protocols or secure information flow. It has been suggested to use software engineering techniques (beyond traditional formal methods) to ensure security [And94]. Specifically, [DS00] proposes to ....
A. Roscoe, J. Woodcock, and L. Wulf. Non-interference through determinism. In ESORICS 94, volume 875 of LNCS. Springer, 1994.
....In the simplest formulation of multilevel security we start with users that can be in one of two levels, either high or low, and we impose that there must be no information flow from users at the high level to users at the low level. Most of the definitions proposed in the literature (see, e.g. [1, 2, 3, 4, 5, 7, 8]) aim at restricting the set of behaviors of a system so that any low level user cannot observe any of the operations performed at the high level. The main problem with such an approach is that the link between the definitions and the fact that there is no information flow from high to low is not ....
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. "Non-interference through Determinism". In Proceedings of the European Symposium on Research in Computer Security 1994 (ESORICS'94), pages 33--53. Springer-Verlag LNCS 875, 1994.
....respect. While we give some general rules for handling the Z part, we do not fully treat Z's mathematical toolkit. Translations of subsets of Z into functional programming languages have been studied before in [Goo96]. First ideas on manual translations of Z and CSP-OZ into CSP can be found in [MS98, RWW94]. The paper is structured as follows: In Section 2 we introduce CSP-OZ and our running example, on which we demonstrate the translation and FDR's verification possibilities. Section 3 briefly describes FDR, as far as necessary for understanding the translation. In Section 4 the translation of ....
....translations. 1 URL: http: semantik.Informatik.Uni Oldenburg.DE fischer elev.zip 2 There an Object-Z operation is mapped to more than one CSP event. Related Work We finish this paper with a short discussion of related work. The approaches closest to ours are the ones of [MS98] and [RWW94]. Both have proposed a translation of (CSP-)Z into CSP in order to show correctness of the specifications. Roscoe, Woodcock and Wulf first transform the Z specification itself in such a way that every operation performs an input or an output (i.e. a two-event view is adopted) and afterwards the ....
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through determinism. In D. Gollmann, editor, ESORICS 94, volume 875 of LNCS, pages 33--54. Springer-Verlag, 1994.
....CSP-OZ specifications. The first step in the verification of a given CSP-OZ specification will be a translation into CSP 1 , to be precise, into the CSP dialect of the model checker FDR (Failures-Divergence Refinement) [9]. This technique has been proposed in [8], extending previous ideas of [16, 19] to use FDR to check properties of (CSP-)Z specifications. FDR's CSP is a combination of CSP with a functional language in the style of Haskell and Miranda. The functional language can be used to encode the Z data descriptions. Due to the possibly large data domain specified in the This work was ....
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through determinism. In D. Gollmann, editor, ESORICS 94, volume 875 of LNCS, pages 33--54. Springer-Verlag, 1994.
.... process algebras which have been very successful in other areas of concurrency (e.g. deadlock detection) and security (e.g. cryptographic protocols). Since the natural translation of noninterference into CSP is not easily addressable by its model checker, and to avoid the refinement paradox, [RWW94, Ros95] introduces the approach of noninterference through determinism, which however is too restrictive according to [Low99], who points out that the other definitions up to that date for process algebras were also too weak or too strong. He argues that standard models of CSP are not sufficient to ....
A. Roscoe, J. Woodcock, and L. Wulf. Non-interference through determinism. In ESORICS 94, volume 875 of LNCS. Springer, 1994.
....[Sch96] gives a confidentiality property preserved under refinement. However, cryptographic primitives are not considered and it is pointed out that their treatment may be less straightforward. For a discussion on refinement of secure information flow properties cf. [GCS91, Mea92, McL94, McL96]. [RWW94] avoids the refinement paradox by giving a security property that requires systems to appear deterministic to the untrusted environment. Special refinement operators that preserve information flow security are considered e.g. in [Man00]. A related problem is that formal specifications involving ....
A. Roscoe, J. Woodcock, and L. Wulf. Non-interference through determinism. In ESORICS 94, volume 875 of LNCS. Springer, 1994.
....clearly. Given the automatability of the decision process, our conditions are capable of being applied to a wide variety of systems of a much larger size. Indeed we have already applied a prototype determinism checker to check security properties of communications protocols and a file system [15]. The fact that the algorithms are so closely related to those of FDR means that the security condition checking will be able to take advantage of features such as state machine compression when these are implemented for FDR. What our work really captures is how to characterise notions of ....
....ordinary behaviour, and feature interaction: showing that a pair of services added to (for example) a telephone exchange do not interact. Since the initial version of this paper was written, the methods developed in it have been applied to a variety of applications by the author and others. One, [15], studies how our techniques may be applied to state based systems specified in Z, using a file system as a case study. Others include encryption protocols, ATM security, and railway signalling systems. The relationships between our conditions and those of others (especially separability the ....
A.W. Roscoe, J.C.P. Woodcock and L. Wulf, Non-interference through determinism, Proc. ESORICS 94, Springer LNCS 875, pp 33-53.
....always preferred the process-algebra approach, since the essence of noninterference (or the lack of it) is in the interactions between a system and its users, and process algebras provide highly developed theories specifically developed to handle the subtleties of interaction and communication. In [16] (and see also [14, 17]) the first author and others proposed a definition of noninterference based on the determinism of the low-level view: the actions of higher-level users are turned into nondeterministic choices by means of abstraction mechanisms, and if the low-level view is then ....
....creates difficulties for formulations of noninterference in either a state machine world or that of process algebra, but that the difficulties are less escapable in the latter mainly because it comes with more fixed notions of what things like refinement and process equivalence mean. In [16], an alternative CSP formulation of security was proposed, based explicitly on process algebraic ideas rather than being a translation of ones from elsewhere. This was to create, using abstraction operators, a process A_H(P) that represents what a process P looks like to a user who cannot see ....
A.W. Roscoe, J.C.P. Woodcock, and L. Wulf. Non-interference through determinism. Journal of Computer Security, 4(1),
....the FDR model checker. In particular I will look at them in the context of the ongoing programme of work on the use of different forms of CSP abstraction to characterise the views of (legitimate or otherwise) users of a system. The theory behind these abstractions has already been developed in [9, 7], where techniques for showing the absence of information flow are presented and applied. It is hard to be sure what the right specification of a key exchange protocol is in isolation. Most of the existing literature, for example [2, 3, 10], concentrates either on logics of knowledge or on tools ....
....We should note that in addition to proving that the intruder cannot disrupt communication between legitimate users, establishing this robustness property shows that he cannot establish any pseudo connection with one of them. Unfortunately, with confidentiality properties of the sort discussed in [9], we would be forced to take account of the changing span in the abstraction itself. There are two ways in which our intruder can gain information: he might obtain a key and thereby decrypt messages, or he might gain some knowledge of what is happening because of an analysis of network traffic. We ....
A.W. Roscoe, J.C.P. Woodcock and L. Wulf, Non-interference through determinism, Proc. ESORICS 94, Springer LNCS 875, pp 33-53.
....if L_H(P) is deterministic is still safe even when P is not locally deterministic in L, but may well give false negative results. It regards all nondeterminism of this process as potentially conveying information about H, even though it may not. This is the formulation of security proposed in [32], with further development in [30, 31, 36] for example. There is a high degree of agreement that this is the right definition in the class LD of processes that are locally deterministic in L, because many other formulations, whether in terms of behavioural models [30] or transition systems ....
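The check described in the two excerpts above (build the low-level view by abstracting the high-level events, then ask whether that view is deterministic), written out as an added example. This is not code from the CiteSeer page, from Roscoe, Woodcock and Wulf, or from FDR; it is a small stand-alone implementation over finite labelled transition systems. It assumes a stable-failures reading of determinism: the view is nondeterministic if it can diverge, or if after some trace a stable state refuses an event that another state reachable by the same trace can perform. High events are relabelled to an internal step; under the lazy abstraction that step does not destabilise its source state (the environment may decline to perform the high event), under the eager abstraction it is ordinary hiding. The four systems LEAK, WAIT, ALWAYS and LOWCHOICE, and the event names, are constructed toy inputs chosen here.

```python
from collections import deque

TAU = "tau"   # genuine internal step of P
HID = "hid"   # a high-level event made invisible by the abstraction
INTERNAL = {TAU, HID}


class LTS:
    """Finite labelled transition system: (source, event, target) triples."""

    def __init__(self, transitions, initial="s0"):
        self.trans = {}
        for src, ev, dst in transitions:
            self.trans.setdefault(src, []).append((ev, dst))
        self.initial = initial

    def succ(self, state, event):
        return {d for e, d in self.trans.get(state, []) if e == event}

    def initials(self, state):
        return {e for e, _ in self.trans.get(state, [])}


def low_view(lts, high):
    """Relabel every high-level event to HID: the low user cannot see it."""
    relabelled = [(s, HID if e in high else e, d)
                  for s, outs in lts.trans.items() for e, d in outs]
    return LTS(relabelled, lts.initial)


def closure(lts, states):
    """States reachable from `states` through internal steps only."""
    seen, stack = set(states), list(states)
    while stack:
        s = stack.pop()
        for e in INTERNAL:
            for d in lts.succ(s, e):
                if d not in seen:
                    seen.add(d)
                    stack.append(d)
    return frozenset(seen)


def is_stable(lts, state, lazy):
    # lazy: a pending high event can be refused, so it does not destabilise
    blocking = {TAU} if lazy else INTERNAL
    return not (lts.initials(state) & blocking)


def diverges(lts, state, lazy):
    """True if `state` lies on a cycle of internal steps the abstraction
    cannot refuse (eager hiding turns unbounded high activity into divergence)."""
    cyclic = {TAU} if lazy else INTERNAL
    seen = set()
    stack = [d for e in cyclic for d in lts.succ(state, e)]
    while stack:
        s = stack.pop()
        if s == state:
            return True
        if s in seen:
            continue
        seen.add(s)
        stack.extend(d for e in cyclic for d in lts.succ(s, e))
    return False


def is_deterministic(lts, lazy=True):
    """Subset construction over internally-closed state sets.
    Returns (True, None) or (False, witness)."""
    start = closure(lts, {lts.initial})
    queue, seen = deque([(start, ())]), {start}
    while queue:
        S, trace = queue.popleft()
        for s in sorted(S):
            if diverges(lts, s, lazy):
                return False, ("divergence", trace, s)
        visible = {e for s in S for e in lts.initials(s)} - INTERNAL
        for s in sorted(S):
            if is_stable(lts, s, lazy):
                refused = visible - lts.initials(s)
                if refused:   # can refuse what a sibling state can perform
                    return False, ("refusal", trace, s, min(refused))
        for e in sorted(visible):
            T = closure(lts, {d for s in S for d in lts.succ(s, e)})
            if T not in seen:
                seen.add(T)
                queue.append((T, trace + (e,)))
    return True, None


def secure_by_determinism(lts, high, lazy=True):
    """Noninterference through determinism: the low view must be deterministic."""
    return is_deterministic(low_view(lts, high), lazy)[0]


# Constructed toy systems (not from the page). HIGH is the high-level alphabet.
HIGH = {"h.0", "h.1"}
# low output copies the high input: an information flow
LEAK = LTS([("s0", "h.0", "s1"), ("s0", "h.1", "s2"),
            ("s1", "l.out.0", "s3"), ("s2", "l.out.1", "s3")])
# low output is constant but only available after high has acted
WAIT = LTS([("s0", "h.0", "s1"), ("s0", "h.1", "s1"), ("s1", "l.out.0", "s2")])
# low output always available, high events never change it
ALWAYS = LTS([("s0", "l.out.0", "s0"), ("s0", "h.0", "s0"), ("s0", "h.1", "s0")])
# an internal low-level choice with no high events at all
LOWCHOICE = LTS([("s0", TAU, "s1"), ("s0", TAU, "s2"),
                 ("s1", "l.out.0", "s3"), ("s2", "l.out.1", "s3")])

if __name__ == "__main__":
    for name, p, h in [("LEAK", LEAK, HIGH), ("WAIT", WAIT, HIGH),
                       ("ALWAYS", ALWAYS, HIGH), ("LOWCHOICE", LOWCHOICE, set())]:
        print(name, "lazy:", is_deterministic(low_view(p, h), True),
              "eager:", is_deterministic(low_view(p, h), False))
```

LEAK is rejected under both abstractions. WAIT passes the eager check but fails the lazy one, because a low user who is not served can tell that the high user has not yet acted; ALWAYS is the opposite, secure lazily but divergent under eager hiding because high events can occur forever. LOWCHOICE contains no high events at all and is still rejected, which is exactly the false negative the excerpt above warns about: every nondeterminism in the low view is treated as potentially carrying information about H.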
A. W. Roscoe, J. C. P. Woodcock, L. Wulf. "Non-interference through Determinism". ESORICS 94, Springer LNCS 875 (1994), 33--53.
....the definition of a backwards normal form for data types. It is also possible to define a forwards normal form, in which any nondeterminism is resolved at the point of initialisation; this may prove useful in establishing that certain classes of processes are deterministic, a principal concern of [RWW94]. Acknowledgements The authors would like to thank Richard Bird, Colin O'Halloran, Carroll Morgan, Jeff Sanders, and Andrew Simpson for their comments and suggestions regarding this work; their support and encouragement has been invaluable. We would also like to thank the anonymous referees for ....
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through determinism. In D. Gollmann, editor, ESORICS '94, volume 875 of LNCS, pages 33--54. Springer-Verlag, 1994.
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Noninterference through determinism. In D. Gollmann, editor, European Symposium on Research in Computer Security (ESORICS), LNCS 875, pages 33--53. Springer-Verlag, 1994.
A.W. Roscoe, J.C.P. Woodcock, and L. Wulf. Non-interference through determinism. In European Symposium on Research in Computer Security, volume 875 of LNCS, 1994.
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through determinism. In Proceedings of the European Symposium on Research in Computer Security, volume 875 of LNCS, pages 33--53. Springer-Verlag, Nov. 1994.
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through determinism. In Proceedings of the European Symposium on Research in Computer Security 1994.
A. W. Roscoe, J. Woodcock, and L. Wulf. Non-interference through determinism. In D. Gollmann, editor, ESORICS 94, volume 875 of LNCS, pages 33--54. Springer-Verlag, 1994.
A.W. Roscoe, J.C.P. Woodcock, and L. Wulf. Non-interference through determinism. In European Symposium on Research in Computer Security, volume 875 of LNCS, 1994.
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-Interference through Determinism. In Proc. of the European Symposium on Research in Computer Security, volume 875 of LNCS, pages 33--53. Springer-Verlag, 1994.
A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. Non-interference through determinism. Journal of Computer Security, 4(1):27--53, 1996.
A.W. Roscoe, J.C.P. Woodcock, L. Wulf. Non-Interference Through Determinism. Journal of Computer Security, 4(1), 1996.