Similar literature
Found 20 similar documents (search time: 31 ms)
1.
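The generalized noninterference property specifies security policies with transitive properties in multilevel security systems, but it cannot characterize policies that do not satisfy transitivity. This paper first extends the generalized noninterference property and proposes the concept of intransitive generalized noninterference, which can specify security policies without transitivity. It then proposes a verification method for intransitive generalized noninterference that can be implemented symbolically. The method is mainly based on the basic verification strategies of falsification and proof, and by integrating counterexample search and inductive proof ...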

2.
On the verification of intransitive noninterference in mulitlevel security.   Cited by: 1 (self-citations: 0, citations by others: 1)
We propose an algorithmic approach to the problem of verification of the property of intransitive noninterference (INI), using tools and concepts of discrete event systems (DES). INI can be used to characterize and solve several important security problems in multilevel security systems. In a previous work, we have established the notion of iP-observability, which precisely captures the property of INI. We have also developed an algorithm for checking iP-observability by indirectly checking P-observability for systems with at most three security levels. In this paper, we generalize the results for systems with any finite number of security levels by developing a direct method for checking iP-observability, based on an insightful observation that the iP function is a left congruence in terms of relations on formal languages. To demonstrate the applicability of our approach, we propose a formal method to detect denial of service vulnerabilities in security protocols based on INI. This method is illustrated using the TCP/IP protocol. The work extends the theory of supervisory control of DES to a new application domain.

3.
This note introduces a new algorithmic approach to the problem of checking the property of intransitive noninterference (INI) using discrete-event systems (DESs) tools and concepts. The INI property is widely used in formal verification of security problems in computer systems and protocols. The approach consists of two phases: First, a new property called iP-observability (observability based on a purge function) is introduced to capture INI. We prove that a system satisfies INI if and only if it is iP-observable. Second, a relation between iP-observability and P-observability (observability as used in DES) is established by transforming the automaton modeling a system/protocol into an automaton where P-observability (and, hence, iP-observability) can be determined. This allows us to check INI by checking P-observability, which can be done efficiently. Our approach can be used for all systems/protocols with three domains or levels, which is sufficient for most noninterference problems for cryptographic protocols and systems.

4.
Ze Kai (迮恺), Chen Dan (陈丹), Zhuang Yi (庄毅). Computer Engineering & Science (《计算机工程与科学》), 2018, 40(12): 2156-2163
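While running, a system is affected by its environment and various external factors, and the information flows among its multiple internal entities interfere with one another; this may undermine the trustworthiness of the system and ultimately lead to unexpected outputs. Existing research mainly addresses integrity measurement of entities in an initialized trusted hardware environment; it does not consider the impact of confidentiality on trustworthiness, and the frequency of entity trust measurement is not synchronized with the moments at which entities advance. To address this, a multi-level dynamic trust measurement model based on information flow transfer theory is proposed. Based on the intransitive noninterference theory of information flow, the model introduces a trusted agent module and designs a multi-level secure access control policy, dynamically measuring the trustworthiness of entities in the system in terms of both entity integrity and confidentiality. Finally, a formal description and a trust proof of the model are given, and an abstract system instance is used to illustrate the model's effectiveness. Compared with existing research, the proposed model offers better real-time measurement and is a context-aware, fine-grained trust measurement model.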

5.
Predicate abstraction is a major abstraction technique for the verification of software. Data is abstracted by means of Boolean variables, which keep track of predicates over the data. In many cases, predicate abstraction suffers from the need for at least one predicate for each iteration of a loop construct in the program. We propose to extract looping counterexamples from the abstract model, and to parametrise the simulation instance in the number of loop iterations. We present a novel technique that speeds up the detection of long counterexamples as well as the verification of programs with loops.

6.
We propose a program verification method that combines random testing, model checking and interactive theorem proving. Testing and model checking are used for debugging programs and specifications before a costly interactive proof attempt. During proof development, testing and model checking quickly eliminate false conjectures and generate counterexamples which help to correct them. With an interactive theorem prover we also ensure the correctness of the reduction of a top level problem to subproblems that can be tested or proved. We demonstrate the method using our random testing tool and binary decision diagrams-based (BDDs) tautology checker, which are added to the Agda/Alfa interactive proof assistant for dependent type theory. In particular we apply our techniques to the verification of Haskell programs. The first example verifies the BDD checker itself by testing its components. The second uses the tautology checker to verify bitonic sort together with a proof that the reduction of the problem to the checked form is correct.

7.
Secure Information Flow via Linear Continuations   Cited by: 2 (self-citations: 0, citations by others: 2)
Security-typed languages enforce secrecy or integrity policies by type-checking. This paper investigates continuation-passing style (CPS) as a means of proving that such languages enforce noninterference and as a first step towards understanding their compilation. We present a low-level, secure calculus with higher-order, imperative features and linear continuations. Linear continuations impose a stack discipline on the control flow of programs. This additional structure in the type system lets us establish a strong information-flow security property called noninterference. We prove that our CPS target language enjoys the noninterference property and we show how to translate secure high-level programs to this low-level language. This noninterference proof is the first of its kind for a language with higher-order functions and state.

8.
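Security-related properties such as access control play a very important role in complex environments. From the perspective of program verification, one must consider not only the verification of safety and liveness, but also the properties of certain security policies, such as noninterference; security policies that cannot be described by ordinary properties can be regarded as "hypersafety properties". Bounded constraints can generically express access-frequency limits of varying degrees; they are one of the effective auxiliary methods in verifying security-related properties and have broad application value for property verification in important fields such as wireless sensor network protocols and embedded systems. This work mainly studies the bounded expression of security-related properties in network security policies and the verification rules based on such bounded constraints.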

9.
Polymorphic programming languages have been adapted for constructing distributed access control systems, where a program represents a proof of eligibility according to a given policy. As a security requirement, it is typically stated that the programs of such languages should satisfy noninterference. However, this property has not been defined and proven semantically. In this paper, we first propose a semantics based on Henkin models for a predicative polymorphic access control language based on lambda-calculus. A formal semantic definition of noninterference is then proposed through logical relations. We prove a type soundness theorem which states that any well-typed program of our language meets the noninterference property defined in this paper. In this way, it is guaranteed that access requests from an entity do not interfere with those from unrelated or more trusted entities.

10.
Bounded Model Checking of CTL   Cited by: 3 (self-citations: 0, citations by others: 3)
Bounded Model Checking has been recently introduced as an efficient verification method for reactive systems. This technique reduces model checking of linear temporal logic to propositional satisfiability. In this paper we first present how quantified Boolean decision procedures can replace BDDs. We introduce a bounded model checking procedure for temporal logic CTL* which reduces model checking to the satisfiability of quantified Boolean formulas. Our new technique avoids the space blow up of BDDs, and extends the concept of bounded model checking.

11.
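A Complete Noninterference Model   Cited by: 1 (self-citations: 0, citations by others: 1)
Ma Jianping (马建平), Yu Xiangxuan (余祥宣). Chinese Journal of Computers (《计算机学报》), 1997, 20(11): 1034-1037
This paper proposes a new concept of noninterference based on views of subject behavior, and describes a complete information flow security model based on the new concept. In the model, operations in a computer system are abstracted into two access modes, read and write, and the corresponding transition rules are defined. The main features of the model are that it can be used to analyze the security of a system and that it supports multiple security policies.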

12.
Predicate abstraction has emerged to be a powerful technique for extracting finite-state models from infinite-state systems, and has been recently shown to enhance the effectiveness of the reachability computation techniques for hybrid systems. Given a hybrid system with linear dynamics and a set of linear predicates, the verifier performs an on-the-fly search of the finite discrete quotient whose states correspond to the truth assignments to the input predicates. The success of this approach depends on the choice of the predicates used for abstraction. In this paper, we focus on identifying these predicates automatically by analyzing spurious counterexamples generated by the search in the abstract state-space. We present the basic techniques for discovering new predicates that will rule out closely related spurious counterexamples, optimizations of these techniques, implementation of these in the verification tool, and case studies demonstrating the promise of the approach.

13.
We revisit the problem of real‐time verification with dense‐time dynamics using timeout and calendar‐based models and simplify this to a finite state verification problem. We introduce a specification formalism for these models and capture their behaviour in terms of semantics of timed transition systems. We discuss a technique, which reduces the problem of verification of qualitative temporal properties on infinite state space of a large fragment of these timeout and calendar‐based transition systems into that on clock‐less finite state models through a two‐step process comprising digitization and finitary reduction. This technique enables us to verify safety invariants for real‐time systems using finite state model checking avoiding the complexity of infinite state (bounded) model checking and scale up models without applying techniques from induction‐based proof methodology. In the same manner, we verify timeliness properties. Moreover, we can verify liveness for real‐time systems, which are not possible by using induction with infinite state model checkers. Copyright © 2016 John Wiley & Sons, Ltd.

14.
Software product line (SPL) engineering is increasingly being adopted in safety-critical systems. It is highly desirable to rigorously show that these systems are designed correctly. However, formal analysis for SPLs is more difficult than for single systems because an SPL may contain a large number of individual systems. In this paper, we propose an efficient model-checking technique for SPLs using induction and a SAT (Boolean satisfiability problem) solver. We show how an induction-based verification method can be adapted to the SPLs, with the help of a SAT solver. To combat the state space explosion problem, a novel technique that exploits the distinguishing characteristics of SPLs, called feature cube enlargement, is proposed to reduce the verification efforts. The incremental SAT mechanism is applied to further improve the efficiency. The correctness of our technique is proved. Experimental results show dramatic improvement of our technique over the existing binary decision diagram (BDD)-based techniques.

15.
It is significant to automatically detect and resolve the incompliance in security policy. Most existing works in this field focus on compliance verification, and few of them provide approaches to automatically correct the incompliant security policies. This paper proposes a novel approach to automatically transform a given security policy into a compliant one. Given security policy Π and delegation policy M declared by logic programs, the approach automatically rewrites Π into a new one ΠM which is compliant with M and is readable by the humans. We prove that the algorithm is sound and complete under noninterference assumption. Formally, we show that the security policy query evaluation algorithm with conflict and unsettlement resolution still works very well on ΠM. The approach is automatic, so it doesn’t require an administrator with excess abilities. In this sense, our proposal can help us to save much manpower resource in security management and improves the security assurance abilities.

16.
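A trusted execution environment (TEE) uses hardware isolation mechanisms to provide an isolated execution environment for security-sensitive applications and to protect the security of sensitive data. The memory isolation mechanism is one of the key mechanisms of a TEE: it isolates secure memory from non-secure memory and enforces access control on secure memory. If its security cannot be guaranteed, sensitive data stored in secure memory may be leaked. To verify the security of the TEE memory isolation mechanism, a refinement-based method for verifying the security of the memory isolation mechanism is proposed for TEEs built on ARM TrustZone technology. An abstract model and a concrete model are established, and a refinement relation between the two models is defined; on the premise that the refinement relation is proved to hold and that the abstract model satisfies information flow security, the information flow security of the concrete model is verified. The concrete model covers the key hardware and software of the TEE memory isolation mechanism, including the TrustZone address space controller, the MMU and the TrustZone monitor. In the theorem prover Isabelle/HOL, the model is verified to satisfy information flow security properties such as noninterference, nonleakage and noninfluence.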

17.
Homomorphic encryption allows the direct operations on encrypted data, which provides a promising way to protect outsourcing data in clouds. However, it cannot guarantee the end-to-end data security if different cloud services are composed together. Especially for the operations on encrypted data, it may violate the standard noninterference, which cannot be solved by traditional information flow control approaches. In order to analyze the information flow with encrypted data, we define a new type of flow called the encryption flow to describe the dependence relationship among different encrypted data objects across multiple services. Based on the new definition on encrypted flow, we propose the secure information flow verification theorem and specify the improved security constraints on each service component. Then a distributed information flow control framework and algorithm are designed for verification on regular and encrypted flow across multiple clouds. Through the experiments, we can obtain that our approach is more appropriate for the verification across multiple clouds and provides a more effective way compared with centralized verification approaches.

18.
In the futile questioning problem, one must decide whether acquisition of additional information can possibly lead to the proof of a conclusion. Solution of that problem demands evaluation of a quantified Boolean formula at the second level of the polynomial hierarchy. The same evaluation problem, called Q-ALL SAT, arises in many other applications. In this paper, we introduce a special subclass of Q-ALL SAT that is at the first level of the polynomial hierarchy. We develop a solution algorithm for the general case that uses a backtracking search and a new form of learning of clauses. Results are reported for two sets of instances involving a robot route problem and a game problem. For these instances, the algorithm is substantially faster than state-of-the-art solvers for quantified Boolean formulas.

19.
The Shadow semantics is a qualitative model for noninterference security for sequential programs. In this paper, we first extend the Shadow semantics to Event-B, to reason about discrete transition systems with noninterference security properties. In particular, we investigate how these security properties can be specified and proved as machine invariants. Next we highlight the role of security invariants during refinement and identify some common patterns in specifying them. Finally, we propose a practical extension to the supporting Rodin platform of Event-B, with the possibility of having some properties to be invariants-by-construction.

20.
Substitution boxes (S-boxes) are often used as the most important nonlinear components in many symmetric encryption algorithms. The cryptographic properties of an S-box directly affect the security of the whole cipher system. Recently, generalized global avalanche characteristics (GGAC) were introduced to measure the correlation between two arbitrary Boolean functions. In this paper, to better evaluate the security of an S-box, we present two cross-correlation indicators for it. In addition, by studying the related properties of the cross-correlation between two balanced Boolean functions, we propose the lower bounds on the sum-of-squares indicator related to GGAC for two balanced functions and also for an S-box.
