Monitoring Information flow by Diagnosis Techniques

HAL Id: inria-00312747

https://hal.inria.fr/inria-00312747v2

Submitted on 26 Aug 2008

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

Monitoring Information flow by Diagnosis Techniques

Jérémy Dubreil, Thierry Jéron, Hervé Marchand

To cite this version:

Jérémy Dubreil, Thierry Jéron, Hervé Marchand. Monitoring Information flow by Diagnosis Tech-

niques. [Research Report] PI 1901, 2008, pp.15. �inria-00312747v2�

I ^R

^{I S}

A

IN S ^T

IT U T ^D E R

E C H ^E R ^C

H E ^E N I ^N

F O R M A ^T I ^{Q U}

E E ^T S ^YS

T È ^M ES ^A

LÉ A ^T O ^{IR E} S

P U B L I C A T I O N I N T E R N E

N ^o

I R I S A

CAMPUS UNIVERSITAIRE DE BEAULIEU - 35042 RENNES CEDEX - FRANCE

ISSN 1166-8687

1901

MONITORING INFORMATION FLOW BY DIAGNOSIS TECHNIQUES

JÉRÉMY DUBREIL, THIERRY JÉRON, HERVÉ MARCHAND

I NSTITUT DE R ECHERCHE EN I NFORMATIQUE ET S YSTÈMES A LÉATOIRES

Campus de Beaulieu – 35042 Rennes Cedex – France Tél. : (33) 02 99 84 71 00 – Fax : (33) 02 99 84 71 71 http://www.irisa.fr

Monitoring Information ow by Diagnosis Tehniques

Jérémy Dubreil, Thierry Jéron, Hervé Marhand

Systèmesommuniants

ProjetsVerTeCs

Publiation interne n1901 August2008 15 pages

Abstrat: Inthispaper, weareinterestedin onstruting monitors for the detetionofondential

information ow in the ontext of partially observable disrete event systems. We fous on the ase

wheretheseretinformationisgivenasaregularlanguage. Werstharaterizethesetofobservations

allowinganattakerto inferthe seretbehaviors. Weonsiderthegeneral asewhere theattakerand

theadministrator havedierentpartialviewsofthesystem. Further,basedonthediagnosisofdisrete

eventsystems,we provide neessaryandsuientonditions under whih detetionandpredition of

seret information ow an be ensuredand a onstrution ofa monitorensuring thistask.

Key-words: seurity, opaity, disrete event systems, partial observation, diagnosis, on-line dete-

tion.

(Résumé: tsvp)

Centre National de la Recherche Scientifique Institut National de Recherche en Informatique

( UMR 6074) Université de Rennes 1 – Insa de Rennes et en Automatique – unité de recherche de Rennes

Résumé : Nous nous intéressons à la onstrution de moniteurs permettant de déteter la fuite

d'information ondentiel le pour des systèmes partielleme nt observables, modélisés par des systèmes

de transition nis. Nous onsidérons le as où le seretpeut semodéliser par des langages réguliers.

Nousommençonspardénirlanotiond'opaitépourformaliserlafuited'informationetaratérisons

l'ensembledesobservationspourlesquellesunattaquantinfèredel'informationondentiel le. Ensuite,

onsidérant le as général où l'attaquant et l'administrateur ont des vues partielles potentiellement

diérentes du système, nous adaptons les tehniques de diagnosti sur des systèmes à événement

disrets, nous expliitons des onditions néessaires et susantes sur le système pour permettre la

détetion et/ou laprédition de ette fuite d'information et onstruisons un moniteur permettant un

administrateur d'assurer ettedétetion.

Mots lés : Séurité, opaité, systèmes à événements disrets, observation partielle, diagnosti,

détetion en ligne

1 Introdution

There hasbeen aninreasinginterestinresearhaboutomputerseurityin thepastdeades. Indeed,

theemergeneofwebserviesandtheimprovementsofthepossibilitiesofmobileandembeddedsystems

allowlots ofnewand interesting features. Butsome oftheseserviessuhasonlinepayment,medial

information storage or e-voting system may deal with some ritial information. In the meantime,

having more appliations and devies for aessing these servies also inreases the possibilities for

suh information to ow. To avoid seurity breah, using automati tools based on formal methods

for seurityanalysisanbebeneial. Inthisontext,therehasbeen agrowinginterestin veriation

[3, 10℄ and testing of seurity properties [5℄ and monitoring seurity properties [12℄ in past years. In

ordertospeifysuhautomatianalysismethods,seuritypropertiesaregenerallyseparatedintothree

dierentategories: availability(auseranalwaysperform theationsthatareallowedbytheseurity

poliy), integrity (something illegal annot be performed by a user) and ondentiality (some seret

information annotbe inferredbyauser) [4℄.

Inthispaper,we fouson ondential ityandmore partiularlyon the notionofopaityasdened

in [4℄. Thegeneral problemof ondentialityonsistsofdeterminingwhether anattaker having only

a partial observations of the system, isable or not to disover someseret behaviors (e.g. apassword

stored in a le, the value of some hidden variables, et) ourring during exeution. The motivation

of this paper isto provide an analysis method for deteting information ows. Therefore we proeed

rst from an attaker point of view, for generating the set of possible attaks, and seond from the

administrator point of viewinterested in monitoring this setof attaks.

Overview of the problem. We onsider three omponents: a system

G

^{, an attaker}

A

^{and a}

monitor

M

^{(modelling for examplethe} administrator ofthe systemor an intrusiondetetionsystem) (C.f. Figure1). Weassumethatthe system

G

^{ismodeledbyanitetransitionsystem. Usersinterat}

with

G

^{throughan interfae}

Π A

^, orrespondingto the inputs/outputs ofthe system.

Monitor Attacker

A

System

G

Π M Π A

M

Figure1: Arhiteture

For this system, one an dene some ondential i ty poliies. Following the approah of [8℄ for

the diagnosis and [1, 4℄, a seret is modeled by a property

ϕ

^{given as a regular language over the}

alphabet

Σ

^{of the system}

G

^{. The seret is preserved as far as the attaker annot surely infer that}

the property

ϕ

^{issatisedbythe urrentexeutionofthe systembasedonthe observations performed}

through the interfae

Π A

^{. We haraterize the set of} observations allowing the attaker

A

^{to infer}

the seret information. A ontrario, the monitor

M

^{tries to analyze the} information ow between the system

G

^{and the attaker}

A

^{in order to raise an alarm whenever the seret has been revealed.}

M

^{an also try to predit the} information ow. To do so, we assume that

M

^{knows the power of}

the attaker (i.e. he knows the model of the system

G

^{and the interfae}

Π A

^{of the attaker). He}

observesthesystemthroughtheinterfae

Π M

^{(wedonot assumeanylinkbetweenthetwo}interfaes).

Further, based on the set of observations allowing the attaker to infer the seret information, we

provide neessaryandsuient onditions underwhihdetetion andpreditionof seretinformation

owanbeensured,andonstrutamonitor

M

^allowinganadministrator todetettheattaks. This supervision isperformed on-line, the monitorraising analarm whenever aninformation owours.

Thestruture ofthe doument isasfollows: Insetion2,we dene the mathemati al terminology

and notionsusedthroughoutthe paper. InSetion 3,weshowhowto buildamonitorinhargeofthe

supervision ofthe systemaording to agiven property. InSetion 4,we dene the notion of opaity

PIn1901

formalizing information ow. With this notion, we an haraterize the set of observations for whih

an attaker an infer ondential information. In Setion 5, we use diagnosis tehniques to exhibit

neessaryandsuientonditionsunderwhihamonitorandiagnose and/orpreditthe information

ow. Finally, we study in Setion 6 howto deal with abstrations.

2 Models & Notations

Let

Σ

^{be a nite alphabet of events. A string is a} nite-length sequene of events in

Σ

^.

ǫ

^denotes

the empty string. Given a string

s

^{, the length of}

s

^{is denoted by}

|s|

^{. Theset of allstrings formed by}

eventsin

Σ

^{isdenoted by}

Σ ^∗

^{. Anysubsetof}

Σ ^∗

^{is alled alanguage over}

Σ

^{. Let}

L

^{be alanguage over}

Σ

^{. Givenastring}

s ∈ L

^,

L/s = ^∆ {t ∈ Σ ^∗ | s.t ∈ L}

^{isalled the}post-languageof

L

^after

s

^{and dened}

as

L/s

^.

L

^{issaid to be} extention-losed when

L.Σ ^∗ = L

^{. We assumethatthe systemsaremodeled as}

Labelled TransitionsSystems(LTSfor short). The formaldenitionof anLTSis asfollows.

Denition 1 (LTS) AnLTSover

Σ

^{isdenedbya4-tuple}

G = (Q

G

, Σ, →

^G

, q

G⁰

)

^where

Q

G

isanite

set of states,

Σ

^{is the set of events of}

G

^,

q

⁰

G

∈ Q

G

is the initial state, and

→

^G

⊆ Q

G

× Σ × Q

G is the

partial transitionrelation.

⋄

Notations Inthe remainder ofthis setion, we onsidera givenLTS

G = (Q

G

, Σ, →

G

, q

G⁰

)

^.

•

^Wewrite

q → ^a G q ^′

^if

(q, a, q ^′ ) ∈→ G

^and

q → ^a G

^for

∃q ^′ ∈ Q G

^,

q → ^a G q ^′

^{. We extend}

→

^{G to arbitrary}

sequenes bysetting:

q → ^ε

^G

q

^{for all states}

q

^{, and}

q → ^sσ

^G

q ^′

^whenever

q → ^s

^G

q ^′′

^and

q ^′′ → ^σ

^G

q ^′

^{, for}

some

q ^′′ ∈ Q

G .

• Σ(q) = ^∆ {a ∈ Σ | q → ^a

^G

}

^{orresponds to the set ofeventsadmissible in state}

q

^of

G

^.

G

^{is said to}

beomplete whenever

∀q ∈ Q

G

, Σ(q) = Σ

^{. Itis saidto be live if}

Σ(q) 6= ∅

^{, for eah}

q ∈ Q

G .

•

^Weset

∆

G

(q, l) = ^∆ {q ^′ ∈ Q

G

| q → ^l

^G

q ^′ }

^{. By aslight abuse ofnotation, for anylanguage}

L ⊆ Σ ^∗

^,

∆

^G

(q, L) = ^∆ {q ^′ ∈ Q

^G

| ∃s ∈ L, q → ^s

^G

q ^′ }

^{. For any}

X ⊆ Q

^G,

∆

^G

(X, L) = S

q ∈ X ∆

^G

(q, L)

^{. Also,}

X

is saidto bestable if

∆

G

(X, Σ ^∗ ) ⊆ X

^.

•

^{Wedenote by}

L(G) = {l ∈ Σ ^∗ , q _o → ^l

^G

}

^{the set of}trajetories ofthe system

G

^.

Given aspeial setof states

F

G

⊆ Q

G

, the notions above areextended in this settingbyletting

the language

L _F

G

(G) = {l ∈ Σ ^∗ | ∃q ∈ F

G

, q _o → ^l

^G

q}

^{be thesetof} trajetories thatendin astate

of

F G

^{. Note that}

F G

^{is stable if}

L F

G

(G)

^is extention-losed. Also, if

G

^{is omplete and}

F G

^is

stable, then

L F

G

(G)

^is extention-losed.

Wenowdene the synhronous produt oftwo LTSs.

Denition 2 (Synhronous produt) Let

G ⁱ = (Q ⁱ , Σ, → G ⁱ , q

⁰

_G i )

^,

i = 1, 2

^{be two LTSs. The syn-}

hronous produt between

G ¹

^and

G ²

^{is an LTS}

G ¹ × G ² = (Q ¹ × Q ² , Σ, → G ¹ × G ² , (q _G

⁰

1 , q _G

⁰

2 ))

^{, where}

(q ¹ , q ² ) → ^σ G ¹ × G ² (q ^{′ 1} , q ^′2 )

^whenever

q ¹ → ^σ G ¹ q ^′1

^and

q ² → ^σ G ² q ^′2

^.

Clearly,

L(G ¹ × G ² ) = L(G ¹ ) ∩ L(G ² )

^{and for}

F _i ⊆ Q ⁱ , i = 1, 2

^{, we also have}

L _{F 1} × F ₂ (G ¹ × G ² ) = L F ₁ (G ¹ ) ∩ L F ₂ (G ² )

^{. Also,iffor}

i = 1, 2

^{the set}

F i

^{isstable in}

G ⁱ

^,

F 1 × F 2

^{isstable in}

G ¹ × G ²

^.

Given a setof states

E ⊆ Q

G

of anLTS

G

^{, the operators}

pre ^∀

G

et

pre ^∃

G

aredened asfollows:

P re ^∃

G

(E) = {q ∈ Q | ∃a ∈ Σ, ∆

^G

(q, a) ∩ E 6= ∅}

P re ^∀

G

(E) = {q ∈ P re ^∃

G

(E) | ∀a ∈ Σ, ∆

G

(q, a) ⊆ E}

Irisa

The states belonging to

P re ^∀

G

(E)

^{are the states suh that all immediate suessors belong to}

E

^,

while the statesbelonging to

P re ^∃

M

(E)

^{aresuh thatat leastone immediatesuessor belongs to}

E

^.

Given a live LTS

G

^{, let}

Inev

^G

(E)

^{be the set of states that inevitably lead to a set}

E

^{in a nite}

number of steps and

CoReach

G

(E)

^{the set of states fromwhih}

E

^{is reahable. These sets aregiven}

bythe following leastx-points (

lf p

^):

Inev

^G

(E) = lf p(λX.E ∪ pre ^∀ _G (X)) CoReach

^G

(E) = lf p(λX.E ∪ pre ^∃ _G (X))

Observable behavior The key point of our approah onerns the ability of an user

U

^{to dedue}

information from a system by observing only a subset of the events or only an abstration of them.

For this purpose, we introdue the onept of observation mask. An observation mask is a funtion

Π U : Σ → Σ U ∪ {ǫ}

^{, where}

Π U

^{is dened for all}

σ ∈ Σ

^{. The set}

Σ U

^{is another event set alled the}

observed events . Wedenoteby

Σ ⁻ _U ¹ = {σ ∈ Σ | Π U (σ) 6= ǫ}

^{the setof}observab l e events ,i.e. theevents of

Σ

^{induing an}observation for

U

^{. The observation maskis extendedto anytrajetorybyassigning}

Π U (ǫ) = ǫ

^and

∀s ∈ Σ ^∗ , σ ∈ Σ

^,

Π U (sσ) = Π U (s)Π U (σ)

^{. This is further extended to any language}

L ⊆ Σ ^∗

^byletting:

Π U (L) = {Π ^U (s) | s ∈ L}

Theinverseobservation maskfor

T ⊆ Σ ^∗ _U

^{is givenby:}

Π ⁻ _U ¹ (T ) = {l ∈ Σ ^∗ | Π U (l) ∈ T }.

We saythat

G

^is

Σ U

^-liveif

∀q ∈ Q, ∃s ∈ Σ ^∗ , σ ∈ Σ ⁻ _U ¹ , q → ^sσ

^{, meaning thatthereis noterminal loop}

of eventsthat annotbe observed bythe observationmask.

Starting from a system

G

^{and a set of observable events}

Σ U

^{, the set of observed traes of}

G

^is

simply given by

T ^U (G) = Π U (L(G))

^.

Wedene thesemanti

[[µ]] U

^ofatrae

µ ∈ T (G)

^{asthe setof}trajetories of

G

^{thatareompatible}

with the trae

µ

^:

[[µ]] U ∆

=

Π ⁻ _U ¹ (µ) ∩ L(G) ∩ Σ ^∗ Σ ⁻ _U ¹

^if

µ 6= ǫ {ǫ}

^otherwise

.

Thismeansthat(exeptfortheemptytrae),trajetoriesompatiblewithatrae

µ

^aretrajetories of

G

^{endingwithanobservableeventandhavingtrae}

µ

^{. Thisisonsistentwithanon-line}observation performedbyauserofthe systemforwhom thesystemisonlyseenthroughtheinterfae givenbythe

observation mask

Π U

^{. We suppose thatthe observersare reatingfaster than the system. Therefore,}

when an observable event ours, observers an take a deision or raise an alarm before the system

proeeds with anyunobservable event. Thisexplains whywe do not onsidertrajetories ending with

unobservable eventsin the denitionof the semanti.

An LTS

G

^{is saidto be}deterministi iffor all

q ∈ Q

G

, for all

a ∈ Σ

^,

q → ^a

^G

q ^′

^and

q → ^a

^G

q ^′′

^implies

q ^′ = q ^′′

^.

Inordertobuildmonitorsinhargeoftheobservationofthesystem,wewillneedtobuild,starting

from a non-determi nisti LTS

G

^{, a} deterministi LTS

Det U (G)

^{over the alphabet}

Σ U

^{preserving the}

set oftraes, i.e.

L(Det U (G)) = T ^U (G)

^.

Denition 3 Let

G = (Q

G

, Σ, →

^G

, q

⁰G

)

^{bean LTSand}

Π U

^anobservation mask. Thedeterminizat ion of

G

^{with respetto}

Π U

^{is theLTS}

Det U (G) = (X , Σ U , → d , X

⁰

)

^where

X = 2 ^Q

^{G (theset ofsubsetsof}

Q

^{G alled}maro-states ),

X

⁰

= {q

G⁰

}

^and

→ d = {(X, Π U (a), ∆

^G

(X, (Σ\Σ ⁻ U ¹ ) ^∗ .a) | X ∈ X

^and

a ∈ Σ ⁻ U ¹ }

^.

Notie that this denition is onsistent with the above semanti of observations

[[.]] U

^{: the target}

maro-state

X ^′

^{of a transition}

X → ^σ d X ^′

^{is omposed of the set of states}

q ^′

^of

G

^{whih aretargets of}

sequenes of transitions

q ^s.a → q ^′

^{ending with anobservable event}

a

^suhthat

Π U (a) = σ

^{, with}

q ∈ X

^.

PIn1901

From the denition of

→ d

^{, we get}

∆ _{Det U (G)} (X

⁰

, µ) = {∆

^G

(q

⁰G

, [[µ]] U )}

^{. This means thata maro-}

state that is reahed from

X

^{0 by}

µ

ⁱⁿ

Det U (G)

^{is omposed of states that are reahed from}

q

⁰

G by

trajetories of

[[µ]] U

ⁱⁿ

G

^.

3 Inferene of properties under partial observation

In thissetion, we onsidera user

U

^{interating with asystemmodeled byaLTS}

G = (Q G , Σ, →, q _G ⁰ )

through aninterfae modeledbyanobservationmask

Π U

^{. We onsiderpropertiesmodeledbyregular}

languages over

Σ

^{thataredened asfollows.}

Denition 4 Apropertyisgivenbyamarkedlanguage

L F ψ (ψ) ⊆ Σ ^∗

^{ofaompleteand}deterministi LTS

ψ = (Q _ψ , Σ, → ψ , q _ψ ⁰ )

^{equipped with a} distinguishedset

F _ψ

^.

We saythata trajetory

s ∈ L(G)

^{isreognized by}

ψ

^{, noted}

s | = ψ

^whenever

s ∈ L _{F ψ} (ψ)

^{. As}

ψ

^is

omplete, we get

L(G × ψ) = L(G)

^and

L _Q ^G × F _ψ (G × ψ) = L(G) ∩ L F ψ (ψ)

^{is the setof} trajetories of

G

^satisfying

ψ

^.

Let

s ∈ L(G)

^{be a trajetory that has been triggered by the system. The user}

U

^{aims to infer}

whether

s

^{satises the property}

ψ

^{by observing}

µ = Π U (s) ∈ T U (G)

^{. However, the user annot}

distinguish

s

^{fromanytrajetory}

s ^′ ∈ [[µ]] U

^{ompatible withthe} observation

µ

^{. Thus,}

U

^{an onlyinfer}

partial information regarding

s | = ψ

^from

[[µ]] U

^{. For example,}

U

^{is surethat}

s | = ψ

^if

[[µ]] U ⊆ L _{F ψ} (ψ)

^.

Meanwhile, if there exists

s ^′ ∈ [[µ]] U

^and

s ^′ 6| = ψ

^{, then it is impossible for}

U

^{to know if the urrent}

trajetory is

s

^or

s ^′

^{and then}

U

^{annot infer whether}

s | = ψ

^{or not. To go further,}

U

^{might be also}

interested in the fat that after observing

µ

^,

ψ

^{will be inevitably satised, or will not be satised}

anymorebythe trajetories of

G

^extending

s

^.

Next, we formalize these ideas and propose a wayto build a funtion

O U ^ψ

^{, inspired by [8℄, whih}

gives aess, for eah observation

µ ∈ T (G)

^{to what a user}

U

^{an infer on}

s

^and

ψ

^{. Formally, if}

s

^is

the urrent exeution of the system and

µ = Π U (s)

^{is the} orresponding observation, the verdits we are interestedin aredened bythe following funtion:

O ^ψ U : Σ ^∗ U → V = {Y es, Inev, Inev

^_

Y es, N ever, N o, ?}

where the semanti ofthe verditsisasfollows:

1)

O U ^ψ (µ) = Y es

^if

U

^{knows thatfor the urrent exeution}

s

^(s.t.

Π U (s) = µ

^),

s | = ψ

^;

2)

O U (µ) = Inev

^if

U

^{knows that}

s 6| = ψ

^{butalso that}

ψ

^{willbeinevitablysatised byallthepossible}

extension of

s

^;

3)

O U ^ψ (µ) = Inev

^_

Y es

^if

U

^knowsthat

s | = ψ

^{or that}

ψ

^{will inevitably be satisedin the future but}

annot distinguishbetween the two ases sofar

4)

O U ^ψ (µ) = N ever

^if

U

^{knows that}

ψ

^{willnever be satisedbythe exeutionsof}

G

^extending

s

^;

5)

O U ^ψ (µ) = N o

^if

U

^{knows that}

s 6| = ψ

^{, but}

ψ

^{is neither} unavoidable nor impossible;

6)

O U ^ψ (µ) = ?

^{in alltheotherases,meaning that}

U

^{annotinferanyuseful}information with regards to

s

^and

ψ

^afterthe observation

µ = Π U (s)

^.

3.1 Constrution of

O U ^ψ

In this setion,wenowexplain how to onstrutthe funtion

O ^ψ U : Σ ^∗ U → V

^:

Irisa

Step 1. Construt the synhronous produt

G _ψ = G × ψ = (Q _{G ψ} , Σ, → G ψ , q _G

⁰

_ψ )

^{aswell asthe setof}

nal states

F _{G ψ} = Q ^G × F ψ

^{. By the property of the synhronous produt, and using the fat}

that

ψ

^{isomplete, weget}

L(G ψ ) = L(G)

^and

L F _Gψ (G ψ ) = L(G) ∩ L F ψ (ψ)

^{. Thus, the aepted}

trajetories of

G ψ

ⁱⁿ

F G ψ

^,

L F _Gψ (G ψ )

^{, areexatly the} trajetories of

G

^{aepted by}

ψ

^.

Step 2. Compute

Inev _{G ψ} (F _{G ψ} )

^on

G _ψ

^{and onsider the following partition:}

Q _{G ψ} = F _{G ψ} ∪ I _{G ψ} ∪ P G ψ ∪ N G ψ

^{, where}

• I G ψ = Inev G ψ (F G ψ ) \ F G ψ

^{is the set ofstates not belonging to}

F G ψ

^{but fromwhih}

F G ψ

^is

unavoidable;

• P _{G ψ} = Q _{G ψ} \ CoReach _{G ψ} (F _{G ψ} )

^{, i.e. the setof statesfromwhih}

F _{G ψ}

^isunreahable;

• N G ψ = Q G ψ \ (F G ψ ∪ I G ψ ∪ P G ψ )

^{isthe set ofall otherstates.}

Step 3. Build

χ ^ψ _U (G) = Det U (G _ψ ) = (X , Σ U , → d , X

⁰

)

^{. We thus have}

L(χ ^ψ _U (G)) = T ^U (G)

^{. For eah}

observation

µ ∈ T U (G)

^{, we get}

∆ _χ ψ

U (G) (X

⁰

, µ) = {∆ G ψ (q _G

⁰

ψ , [[µ]] U )}

^.

Step 4. Wenallyomputetheobservationfuntion

O ^ψ U

^from

χ ^ψ _U (G)

^andthesets

F _{G ψ} , I _{G ψ} , P _{G ψ} , N _{G ψ}

asfollows:

∀µ ∈ T ^U (G),

O U ^ψ (µ) =



 

 

 

 

 

 

 

 

 

 

 

 



 

 

 

 

 

 

 

 

 

 

 

 



Y es,

^if

∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ F G _ψ

Inev,

^if

∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ I _{G ψ} Inev

^_

Y es,

^if

∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ (I _{G ψ} ∪ F _{G ψ} )

∧ ∆ _χ ψ

U (G) (X ⁰ , µ) ∩ I _{G ψ} 6= ∅

∧ ∆ _χ ψ

U (G) (X ⁰ , µ) ∩ F G _ψ 6= ∅ N o,

^if

∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ N _{G ψ} N ever

^if

∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ P _{G ψ}

?

^otherwise

.

Itiseasytohekthattheonstrutionof

O U ^ψ

^{onformstotheinformaldenitionpreviouslyintrodued.}

For example, for the verdit

Y es

^{, onsider an exeution}

s ∈ L(G)

^{together with its} orresponding observation

µ = Π U (s)

^and

O ^ψ U (µ) = Y es

^{. We thus have}

∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ F G _ψ

^{. Now, aording to}

the denition of

χ ^ψ _U (G)

^{, for all}

s ^′ ∈ [[µ]] U

^,

∆ _{S ψ} (q _G

⁰

ψ , s ^′ ) ⊆ ∆ _χ ψ

U (G) (X ⁰ , µ) ⊆ F _{G ψ}

^{, thus}

s ^′ | = ψ

^{. Hene,}

for alltrajetories

s ^′ ∈ [[µ]] U

^,

s ^′ | = ψ

^{and in partiular}

s | = ψ

^{. Similarlyfor}

O U ^ψ (µ) = Inev

^{. Itimplies}

that

∆ S _ψ (q _G

⁰

ψ , [[µ]] U ) ⊆ I G _ψ

^{. Then, the} trajetories in

[[µ]] U

^{arefor sure not satisfying}

ψ

^{and all their}

ontinuations will inevitably satisfy

ψ

^{. Then this alsoholds for}

s

^.

To onlude thissetion, given asystem

G

^{thatis observed bya user}

U

^{through the interfae}

Π U

^,

we know howto onstrut a funtion

O U ^ψ : Σ _U ^∗ → V

^{that gives aessto all the} information that the user

U

^{an deduewith respetto the exeutionsof}

G

^{and the property}

ψ

^.

PIn1901

4 Charaterization and veriation of opaity

Assume nowthat the attaker

A

^{isa user of a system}

G

^{trying to infer ondential} information. We assume that the attaker perfetly knows the modelof

G

^{, but only observes it through the interfae}

Π A

^{. We now onsider a seret}

ϕ

^{given bya marked language of a omplete} deterministi LTS,

ϕ = (Q ϕ , q _ϕ ⁰ , Σ, →, F ϕ )

^{. We do assumethat}

A

^{knows howto build an} observationalfuntion as desribed in the preeding setion and our aim is to know ifthe attaker an know that the urrent exeution

s ∈ L(G)

^{reveals the seret}

ϕ

^{. Here isa verysimple example to illustrate the approah.}

Example 1 Let

G

^{be a}

LT S

^with

Σ = {h, p, l 1 , l 2 , l 3 }

^,

Σ A = {l 1 , l 2 , l 3 }

^{(the observation Mask is}

redued to the natural projetion). The seret under onsideration is the ourrene of the event

p

^.

This should not be revealed to the users of the system, knowing that

p

^{is not} observable. However,

l 3

h p

l 2

l 1

l 1

l 3 l 3

Figure2: An exampleof interferene

users aninferthat

p

^{hasourredbyobservingthe event}

l ₂

^{. Suhasystemisthennotseurebeause}

the fat that

p

^{ours during exeution is modifying what}

A

^{an observe. Note however that for a}

dierent observation mask suh that

Π A (l ₁ ) = Π A (l ₂ )

^{, then the ourrene of}

p

^{does not hange the}

observations and

G

^{is safe.}

⋄

4.1 Denition of Opaity

Intuitively, aseret

ϕ

^{issaid to be opaquewith respettoa system}

G

^andan observationmask

Π A

^if

the attaker

A

^{an never be sure thatthe urrent exeution of}

G

^satisfy

ϕ

^{[1, 4, 2℄.}

Denition 5 [Opaity℄ Given asystem

G

^{anda seret}

ϕ

^,

ϕ

^{issaid to be opaquew.r.t.}

G

^and

Π A

^if

∀s ∈ L(S), [[Π A (s)]] A 6⊆ L F ϕ (ϕ)

⁽¹⁾

In otherwords,

ϕ

^{isopaque w.r.t.}

G

^and

Π A

^{ifand only if}

∀µ ∈ T A (G), [[µ]] A 6⊆ L _{F ϕ} (ϕ),

and

ϕ

^{is non-opaquew.r.t.}

G

^and

Π A

^{ifand only if}

∃µ ∈ T ^A (G), [[µ]] A ⊆ L F ϕ (ϕ)

Based on the semantis of

O A ^ϕ

^{desribed in the preeding setion, one an saythat}

ϕ

^{isopaque with}

respetto

G

^and

Π A

^if

∀s ∈ L(G), O A ^ϕ (Π A (s)) 6= Y es

Irisa

4.2 Veriation of Opaity

In this setion, we are interested in heking whether a seret

ϕ

^{is opaque with respet to a system}

G

^{and an interfae}

Π A

^{. This happens to be a partiular ase of the inferene of property that we}

presented in Setion 3. To do so, onsider

χ ^ϕ A (G) = Det A (G × ϕ) = (X , Σ A , → d , X

⁰

)

^{equipped with}

the set ofnal states

F = 2 ^{Q G × F ϕ}

^{. By onstrution of}

χ ^ϕ A (G)

^{, wegetthe following property}

[[L F (χ ^ϕ A (G))]] A = {s ∈ L(S) ∩ Σ.Σ A ^{− 1} | [[Π A (s)]] A ⊆ L F ϕ (ϕ)}

whih givesaharaterizat ion of opaity:

Proposition 1

ϕ

^{isopaquewith respet to}

G

^{andthe interfae}

Π A

^{if and onlyif}

L F (χ ^ϕ A (G)) = ∅. ⋄

Hene, heking the opaityof aseret

ϕ

^{onsistsofheking thatthe setof states}

F

^{isnot reahable}

in

χ ^ϕ _A (G)

^{. Ifitisreahable, then}

ϕ

^{isnotopaqueandthereexistsatleastone}observationallowing the attaker to inferthat

ϕ

^{issatised. Inotherwords,}

L F (χ ^ϕ A (G))

^{orrespondsto theset of}observations for whih the attaker

A

^{knows that the urrent exeution reveals}

ϕ

^{. In that ase, the attaker}

A

^,

based on the preeding tehniques, an ompute the LTS

χ ^ϕ _A (G)

^{and deduean} observation funtion

O A ^ϕ

^{suhthat, for agiven} observation

µ

^of

T (S)

^:

•

^if

O ^ϕ A (µ) = Y es

^{, then}

µ ∈ L F (χ ^ϕ _A (G))

^and

[[µ]] A ⊆ L F ϕ (ϕ)

^{; the attaker, based on this observa-}

tion, an deduethat

ϕ

^{issatised on}

G

^{andthere isan} information ow;

•

^if

O ^ϕ A (µ) =? A

^,

A

^{annot dedue}

ϕ

^{and there is no} information ow, where

? A = {N o, Inev, Inev

^_

Y es, N ever, ?}

^1.

Example 2 Considerthesystem

G

^{desribedinFig.3(a). Thealphabetof}

G

^is

Σ = {a, b, c, X, Y, Z, a ϕ , τ, δ}

^.

WeassumeherethattheseretpropertyisgivenbytheLTSdesribedinFig.3(b);Themarkedstate

is represented by the blak state. In this example, the attaker tries to infer the ourrene of the

event

a ϕ

^{in the system.}

c a c

X X a

Y Z

Z b

a b

(b)Theopaityproperty

ϕ δ

a ϕ

a _ϕ τ

δ δ

δ a _ϕ

(a)Thesystem

G

Σ \ {a ϕ } a ϕ

Σ

Figure3:

G

^and

ϕ

For simpliity, we assume that the projetion mask is redued to the natural projetion. The

interfae oftheattakerisreduedto

Σ A = {a, b, c, δ}

^{. Theobserver}

O ^ϕ A

^{thattheattaker}

A

^anbuild

is givenbythe LTSdepited in Fig. 4.

If

A

^observes

a.b.δ ^∗

^then

ϕ

^{is revealed}

A

^{isthen sure that the event}

a _ϕ

^{ourred in}

S

^{(the set of}

ompatible trajetories is

a.X.Z.a ϕ .b.δ ^∗

^and

X.a ϕ .a.b.Z.δ ^∗

^{). A ontrario, if}

A

^{simply observes}

a

^or

a.c.δ ^∗

^{, then he is not sure that}

ϕ

^{is satised or not. Some of the ompatible} trajetories satisfy the seret andsome other donot, thus

A

^{annotinfer the seret.}

Remark 1 It isalso possible to onsiderotherkinds ofopaity:

1

Compared with(1), we onsiderhere that theattaker

A

is onlyinterestedby thedetetion ofthe satisfa tionof theseret.

PIn1901

c a b

000 000 000 000 111 111 111 111

000 000 000 000 111 111 111 111

?: Adoesn'tknow

ϕ δ

Yes: Aknows

ϕ δ

δ

Figure 4: Thefuntion

O ^ϕ A

^basedon

χ ^A _ϕ

•

^Insomeases,

A

^{mightbe interestedbythe}information: "

ϕ

^{issatisedbytheurrentexeution}

of the system

G

^{or will inevitably be in the} future" . Inthat ase, we will saythat the seretis opaque ifand only if

∀µ ∈ T ^A (G), [[µ]] A 6⊆ L _{Inev Sϕ (F Sϕ )} (S ϕ )

^{. The veriation of opaity and the}

onstrution ofthe assoiated observer aresimilar.

•

^{It isalsopossibleto onsiderthe asewhere thereisan} information owassoonasthe attaker knowsthateither

ϕ

^issatisedor

¬ϕ

^{issatised(.f.[1℄). Inotherwords, beingopaque(forthis}

denition), meansthat

ϕ

^{hasto be opaqueaswellas}

¬ϕ

^{(aording to denition5).}

The assoiated observer willhave threeverdits

{Y es, N o A , ? A }

^{,where the verdit}

Y es

^orre-

spondstotheverditdesribedin(1),theverdit

N o A

^{enompassestheverdits}

N o, Inev, N ever

whereas

? A

^{orrespondsto the other ases.}

⋄

5 Monitoring Opaity

Given a seret

ϕ

^{, based on the tehniques desribed in the preeding setions, it is possible to hek}

whether

ϕ

^{isopaquew.r.t.}

G

^{andthe interfae}

Π A

^{. When}

ϕ

^{isnotopaque,itan beimportant foran}

administrator to supervisethe systemon-linebymeansofamonitor

M

^{andraiseanalarm assoonas}

an information owours.

Forthis,weassumethat

M

^{knowsthemodelofthe system}

G

^{andobservesitthroughtheinterfae}

Π M

^{. Moreover,}

M

^{knows the ability of the attaker}

A

^{, meaning that the monitor knows that}

A

observesthe systemvia the interfae

Π A

^{and that he an onstrut an} observation funtion

O A ^ϕ

^{. We}

donotassumeanyrelationbetween

Π A

^and

Π M

^{. Thus,}

M

^{hastoinfertheattaker'sknowledgebased}

on the observationof

T ^M (G) ⊆ Σ ^∗ _M

^.

If

ϕ

^{is not opaque w.r.t. the system}

G

^{and the interfae}

Π A

^{, an} administrator an build an observation funtion to diagnose the fat that the seret has been revealed. One an also be more

aurate and try to predit the fatthat the seret will be inevitably known by the attaker stritly

beforethe information ow, or thatthe seretwill never berevealed anymore.

Notethatit isnot neessaryto diagnose the fatthatthe systemperformeda sequenesatisfying

the seret if this sequene does not orrespond to a non-opaque exeution (this sequene does not

reveal anything to the attaker); only the exeutions that lead to an information ow have to be

taken into aount. Indeed, the seret

ϕ

^{is revealed to the attaker by an exeution}

s ∈ L(G)

^if

and only if

Π A (s) ∈ L F (χ ^ϕ _M (G))

^{. In other words, we are interested in diagnosing the property:}

"The seret

ϕ

^{hasbeen revealedtothe} attaker",whihorrespondsto theextention-losedlanguage:

Π ⁻ A ¹ (L F (χ ^ϕ M (G))) · Σ ^∗

^{. This language an be reognized by an LTS}

Ω

^{, equipped with a set of nal}

states

F _Ω

^suhthat:

L F _Ω (Ω) = Π ⁻ _A ¹ (L F (χ ^ϕ _M (G))) · Σ ^∗

⁽²⁾

Example 3 To illustrate the omputation of(2), letus ome baktoExample 2. Theorresponding

LTS

Ω

^{isshownin Fig. 5:}

Irisa

c

Dump

a b

Σ a \ {δ}

Σ \ Σ a

Σ a \ {a} Σ a \ {b, c} δ, Σ \ Σ a

Σ Σ \ Σ a Σ

Figure5: The LTS

Ω

^{omputed from}

χ ^ϕ _A (G))

5.1 Supervision of Information Flow

Givena system

G

^{,an attaker}

A

^observing

G

^{viathe interfae}

Π A

^{and aseret}

ϕ

^{(that we assumeto}

benon-opaque),wedesribenowamethodallowinganadministrator

M

^observing

G

^{viathe interfae}

Π M

^{to know whether there is an} information ow or not. We assume that the monitor in harge of

the supervision hasafull knowledgeof

G

^{and knows the} observationmask

Π A

^.

As mentioned in the introdution of this setion,

M

^{does not diretly observe}

ϕ

^{. Only the tra-}

jetories ausing an information owhave to be supervised. We onsider then the stableproperty

Ω

orresponding to the trajetories of

G

^{induing an} information owfrom

G

^to

A

^{(see (2)).}

Inorder to onstrutthe observer

O M ^Ω

^{in hargeof the} supervisionof

Ω

^(i.e. orresponding to the information leak of

ϕ

^{), we rst build}

G _Ω = G × Ω

^{and the sets}

F G _Ω

^,

I G _Ω

^,

P G _Ω

^,

N G _Ω

^{(as desribed in}

Step 2.,Setion 3.1).

Now, basedon the tehniques ofthe setion 3.1, one an ompute the LTS

χ ^Ω M (G)

^over

Σ M

^from

whih we an derive anobserver

O ^Ω M

^{with the following verdits: for}

µ ∈ T ^M (G)

^,

• O M ^Ω (µ) = Y es

^:

M

^infersthat

Ω

^{issatised and thus an deduethat}

A

^knows

ϕ

^;

• O M ^Ω (µ) = N o

^:

M

^{knows that}

A

^{doesnot know}

ϕ

^{but might knowitin the future;}

• O M ^Ω (µ) = Inev

^:

M

^{knows that}

A

^{will inevitably know}

ϕ

^{butdoesnot knowit yet;}

• O M ^Ω (µ) = Inev

^_

Y es

^:

M

^{knows that}

A

^{already knows or willknow}

ϕ

^;

• O M ^Ω (µ) = N ever

^:

M

^{knows that}

A

^{will never know}

ϕ

^.

• O M ^Ω (µ) =?

^{means that}

M

^{annotdedue anythingabout the knowledge of}

A

^.

Unfortunately, the ase

O ^Ω M (µ) =?

^{does not imply that the attaker}

A

^{does not know}

ϕ

^{. As}

M

and

A

^{observe the system via dierent interfaes, it might be the ase that}

A

^{already knows}

ϕ

^and

that

M

^{willneverinferthis}information. Thisorrespondsto thenon-diagnosabi lityof

Ω

^{[8℄. Thisan}

ourwhenthereexisttwoarbitrarilylongtrajetories

s

^and

s ^′

orrespondingtothesameobservation

µ

^suhthat

s ∈ L F _Ω (Ω)

^{(thus anon-opaquetrajetoryof}

ϕ

^{) and}

s ^′ 6∈ L F _Ω (Ω)

^{. Inthe next setion, we}

will give neessaryandsuient onditions under whihthis asedoesnot our.

5.2 Neessary and suient onditions for detetion/predition of information

ow

Consider the system

G

^{aswell asthe property}

Ω

^{desribed in the previous setion.}

PIn1901

5.2.1 Diagnosability

Intuitively,

G

^is

Ω

-diagnosable ([11, 8℄) ifthere exists

n ∈ N

suhthat for anytrajetory

s

^of

G

^suh

that

s | = Ω

^,

Ω

^{beomes non-opaqueafter waiting for at most}

n

observations. This an be formalized asfollows

Denition 6 Givena system

G

^{, astableproperty}

Ω

^{and aninterfae}

Π M

^,

G

^is

Ω

-diagnosable if,

∃n ∈ N , ∀s ∈ L(G) ∩ L F _Ω (Ω) ∩ Σ ^∗ .Σ ⁻ M ¹ ,

∀t ^′ ∈ L(G), t ^′ = s · t ∧ |Π ^M (t)| ≥ n ⇒ [[Π M (s · t)]] M ⊆ L F _Ω (Ω)

trajectoires

observations compatible

t ∈ L(G)/s Π M

Π M (s) ∈ T M (G)

kΠ M (t)k ≥ n

[[ Π M ( s. t )] ] M ∈ L F Ω (Ω )

s ∈ L F Ω (Ω)

Figure6: Intuition ofthe diagnosabilityproperty

The

Ω

-diagnosability property means that whenever a trajetory

s

^{of the system satises}

Ω

^{, then}

whatever the extension

t

^of

s

^,

t

^{having at least}

n

^{observable events w.r.t.}

Π M

^{, all the} trajetories ompatible with the observation

Π M (s.t)

^satisfy

Ω

^.

Intheaseofmonitoring opaity,thismeansthatwhenthe monitorisobservingatraein

L F _Ω (Ω)

^,

aYes answershouldbeprodued bytheobserverafternitelymanyobservedevents. Hene,ifthere

exists

s ∈ L(G)

^{triggeredbythe systemsuh that}

ϕ

^{is non-opaquefor}

A

^{, then}

M

^{will surely knowit}

at most

n

^{observedeventsafterthe} observation of

Π M (s)

^.

5.2.2 Preditability

If the system is

Ω

-diagnosable, then it might be interesting to rene the verdit by prediting the satisfationofthepropertystritlybeforeitsatualourrene[7℄. Roughlyspeaking,

Ω

^ispreditable

if it is always possible to detet the future satisfation of

Ω

^{, stritly before this happens, only based}

on the observations.

Denition 7 Givena system

G

^{, aproperty}

Ω

^{and aninterfae}

Π M

^,

G

^is

Ω

-preditableif

∃n ∈ N , ∀s ∈ L(G) ∩ L _{F Ω} (Ω) ∩ Σ ^∗ .Σ ⁻ _M ¹ ,

∃t ∈ (L(G) ∩ Σ ^∗ .Σ ⁻ _M ¹ ) ∪ {ǫ}, t < s ∧ t / ∈ L F _Ω (Ω)

^s.t.

∀u ∈ [[Π M (t)]] M , ∀v ∈ L(G)/u, |Π M (v)| ≥ n ⇒ u.v ∈ L _{F Ω} (Ω)

This property means that for any trajetory

s

^{that satises}

Ω

^{, there exists a strit prex}

t

^that

does not satisfy

Ω

^{, suh that any trajetory}

u

^{ompatible with} observation

Π M (t)

^{will inevitably be}

extended into atrajetory

u.v

^satisfying

Ω

^2.

In our setting, this means that

M

^{an always predit that}

A

^{will know}

ϕ

^{and then the system}

operator an be warnedin time tohalt the systemor an take ounter-measures in orderto avoidthe

seret to be revealed. In other words, if

M

^{observes a trae}

µ ∈ T M (G)

^{suh that}

µ = Π M (t)

^{, then}

M

^{knowsthat the seretisnot revealedto}

A

^{, but will be after atmost}

n

^{observations.}

2

Notethatpreditabilityimpliesdiagnosabili ty[7℄.

Irisa

u ∈ [[Π M (t)]]

Observations Compatible

trajetories

v ∈ L(G)/u s ∈ L F Ω (Ω) t / ∈ L F Ω (Ω), t < s

Π M (.)

kΠ M (v)k ≥ n

Figure7: Intuitionof the

Ω

-preditabil ity

Remark 2 Thereisanalgorithmofpolynomialomplexityforverifyingthatasystem

G

^is

Ω

-diagnosable or

Ω

-preditable. More details an be found in [8, 7℄.

Example 4 To illustrate this setion, we still onsider the system

G

^{and the seret}

ϕ

^{dened in}

Example 2. Theproperty

Ω

^{andthe setofnon-opaque}trajetories(i.e. the onesthatrevealtheseret

ϕ

^{) aregiven bythe LTSdesribed in Fig.5.}

Y X

Y Z ^{00 00}

00 11 11 11

(

A

^{willneverknow}

ϕ

⁾

Yes:Mknowsthat

(

A

^knows

ϕ

⁾

(

A

^{knowsorwillknow}

ϕ

⁾

(a) Σ M = {Z, Y, δ}

δ

δ δ δ

Never:

M

^knowsthat

Yes:Mknowsthat Pred:Mknowsthat

(

A

^{willbutdoesnotknowyet}

ϕ

⁾

(b) Σ M = {X, Y, δ}

δ δ

Never:

M

^knowsthat

δ

δ

(

A

^knows

ϕ

⁾

(

A

^{willneverknow}

ϕ

⁾

Yes:Mknowsthat

Figure 8: Observationfuntion

O M ^Ω

^{w.r.t. twodierent interfaes}

Assume that the interfae of the monitor

M

^{is redued to}

Σ M = {Z, Y, δ}

^{. Then, one an show}

that

G

^is

Ω

-diagnosable, but not

Ω

-preditable. Theorresponding

O ^Ω M

^isrepresented in Figure 8(a).

A ontrario, ifthe interfae of the monitor

M

^is

Σ M = {X, Y, δ}

^{, then the system is}

Ω

-preditable.

Indeed, after the observation of

X

^,

M

^{knows that all the possible extensionswill satisfy}

Ω

^{and thus}

that the seretwill be revealed(C.f. Figure 8(b)).

6 Constrution of Monitors Using Abstrations

Untilthen,wemadetheassumptionthattheattaker

A

^{knowsamodelperfetlyreetingthebehavior}

ofthesystem. Thisentailsthatalltheattaksenariosthat

A

^{anomputeorrespondtorealattaks.}

Espeially, the opaity of the model implies the opaity of the system. But the methods presented

abovemaybenoteetivefor thekindofmodelswemightbeinterestedin formodellingrealsystems.

Forexample,ourapproahreliesonreahabilityanalysisanddeterminiza tionwhihareingeneral not

possible for innite systems. Moreover, even for nite LTS, the determiniza tion has an exponential

omplexityinthenumberofstateswhihanbeintratableforlargeLTS.Itisthenrealistitoonsider

an attaker reasoningon anite state abstration of the system.

Unfortunately, as we will see later, opaity is not preserved by abstration. Then abstration

annot be used to infer that a system is opaque when the abstration is. Also, reasoning on the

abstration, there an beases ofinformation ow whih arenot possible on the system. Then using

abstration to verify opaity is not relevant for aepting or rejeting systems. Nevertheless, we will

see howabstrations an helpan attaker to inferseret information and the administrator to detet

the attaks.

PIn1901