HAL Id: inria-00312747
https://hal.inria.fr/inria-00312747v2
Submitted on 26 Aug 2008
HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers.
Monitoring Information flow by Diagnosis Techniques
Jérémy Dubreil, Thierry Jéron, Hervé Marchand
To cite this version:
Jérémy Dubreil, Thierry Jéron, Hervé Marchand. Monitoring Information flow by Diagnosis Techniques. [Research Report] PI 1901, 2008, pp.15. ⟨inria-00312747v2⟩
IRISA - Publication interne No 1901 - ISSN 1166-8687
Campus universitaire de Beaulieu - 35042 Rennes Cedex - France

MONITORING INFORMATION FLOW BY DIAGNOSIS TECHNIQUES
Jérémy Dubreil, Thierry Jéron, Hervé Marchand
Institut de Recherche en Informatique et Systèmes Aléatoires
Campus de Beaulieu - 35042 Rennes Cedex - France. Tél.: (33) 02 99 84 71 00 - Fax: (33) 02 99 84 71 71. http://www.irisa.fr

Systèmes communicants / Projet VerTeCs
Publication interne n°1901, August 2008, 15 pages
Abstract: In this paper, we are interested in constructing monitors for the detection of confidential information flow in the context of partially observable discrete event systems. We focus on the case where the secret information is given as a regular language. We first characterize the set of observations allowing an attacker to infer the secret behaviors. We consider the general case where the attacker and the administrator have different partial views of the system. Further, based on the diagnosis of discrete event systems, we provide necessary and sufficient conditions under which detection and prediction of secret information flow can be ensured, and a construction of a monitor ensuring this task.

Key-words: security, opacity, discrete event systems, partial observation, diagnosis, on-line detection.
Centre National de la Recherche Scientifique (UMR 6074) - Université de Rennes 1 - Insa de Rennes - Institut National de Recherche en Informatique et en Automatique, unité de recherche de Rennes
Résumé (French abstract, translated): We are interested in constructing monitors that detect the leakage of confidential information in partially observable systems modelled by finite transition systems. We consider the case where the secret can be modelled by regular languages. We first define the notion of opacity to formalize information leakage and characterize the set of observations for which an attacker infers confidential information. Then, considering the general case where the attacker and the administrator have potentially different partial views of the system, we adapt diagnosis techniques for discrete event systems, give necessary and sufficient conditions on the system under which this information leak can be detected and/or predicted, and construct a monitor allowing an administrator to ensure this detection.

Keywords: security, opacity, discrete event systems, partial observation, diagnosis, on-line detection.
1 Introduction

There has been an increasing interest in research about computer security in the past decades. Indeed, the emergence of web services and the improvements of the possibilities of mobile and embedded systems allow lots of new and interesting features. But some of these services, such as online payment, medical information storage or e-voting systems, may deal with critical information. In the meantime, having more applications and devices for accessing these services also increases the possibilities for such information to flow. To avoid security breaches, using automatic tools based on formal methods for security analysis can be beneficial. In this context, there has been a growing interest in the verification [3, 10], testing [5] and monitoring [12] of security properties in past years. In order to specify such automatic analysis methods, security properties are generally separated into three different categories: availability (a user can always perform the actions that are allowed by the security policy), integrity (something illegal cannot be performed by a user) and confidentiality (some secret information cannot be inferred by a user) [4].

In this paper, we focus on confidentiality and more particularly on the notion of opacity as defined in [4]. The general problem of confidentiality consists of determining whether an attacker having only a partial observation of the system is able or not to discover some secret behaviors (e.g. a password stored in a file, the value of some hidden variables, etc.) occurring during execution. The motivation of this paper is to provide an analysis method for detecting information flows. Therefore we proceed first from the attacker's point of view, generating the set of possible attacks, and second from the administrator's point of view, monitoring this set of attacks.
Overview of the problem. We consider three components: a system $G$, an attacker $A$ and a monitor $M$ (modelling for example the administrator of the system or an intrusion detection system), cf. Figure 1. We assume that the system $G$ is modeled by a finite transition system. Users interact with $G$ through an interface $\Pi_A$ corresponding to the inputs/outputs of the system.

Figure 1: Architecture (the system $G$ is observed by the attacker $A$ through the interface $\Pi_A$ and by the monitor $M$ through the interface $\Pi_M$).
For this system, one can define some confidentiality policies. Following the approach of [8] for the diagnosis and of [1, 4], a secret is modeled by a property $\varphi$ given as a regular language over the alphabet $\Sigma$ of the system $G$. The secret is preserved as far as the attacker cannot surely infer that the property $\varphi$ is satisfied by the current execution of the system, based on the observations performed through the interface $\Pi_A$. We characterize the set of observations allowing the attacker $A$ to infer the secret information. A contrario, the monitor $M$ tries to analyze the information flow between the system $G$ and the attacker $A$ in order to raise an alarm whenever the secret has been revealed. $M$ can also try to predict the information flow. To do so, we assume that $M$ knows the power of the attacker (i.e. it knows the model of the system $G$ and the interface $\Pi_A$ of the attacker). It observes the system through the interface $\Pi_M$ (we do not assume any link between the two interfaces). Further, based on the set of observations allowing the attacker to infer the secret information, we provide necessary and sufficient conditions under which detection and prediction of secret information flow can be ensured, and construct a monitor $M$ allowing an administrator to detect the attacks. This supervision is performed on-line, the monitor raising an alarm whenever an information flow occurs.

The structure of the document is as follows: in Section 2, we define the mathematical terminology and notions used throughout the paper. In Section 3, we show how to build a monitor in charge of the supervision of the system according to a given property. In Section 4, we define the notion of opacity formalizing information flow. With this notion, we can characterize the set of observations for which an attacker can infer confidential information. In Section 5, we use diagnosis techniques to exhibit necessary and sufficient conditions under which a monitor can diagnose and/or predict the information flow. Finally, we study in Section 6 how to deal with abstractions.
2 Models & Notations

Let $\Sigma$ be a finite alphabet of events. A string is a finite-length sequence of events in $\Sigma$; $\epsilon$ denotes the empty string. Given a string $s$, the length of $s$ is denoted by $|s|$. The set of all strings formed by events in $\Sigma$ is denoted by $\Sigma^*$. Any subset of $\Sigma^*$ is called a language over $\Sigma$. Let $L$ be a language over $\Sigma$. Given a string $s \in L$, $L/s \triangleq \{t \in \Sigma^* \mid s.t \in L\}$ is called the post-language of $L$ after $s$. $L$ is said to be extension-closed when $L.\Sigma^* = L$. We assume that the systems are modeled as Labelled Transition Systems (LTS for short). The formal definition of an LTS is as follows.

Definition 1 (LTS) An LTS over $\Sigma$ is defined by a 4-tuple $G = (Q_G, \Sigma, \rightarrow_G, q_0^G)$ where $Q_G$ is a finite set of states, $\Sigma$ is the set of events of $G$, $q_0^G \in Q_G$ is the initial state, and $\rightarrow_G \subseteq Q_G \times \Sigma \times Q_G$ is the partial transition relation. $\diamond$

Notations. In the remainder of this section, we consider a given LTS $G = (Q_G, \Sigma, \rightarrow_G, q_0^G)$.

• We write $q \xrightarrow{a}_G q'$ if $(q, a, q') \in \rightarrow_G$, and $q \xrightarrow{a}_G$ for $\exists q' \in Q_G,\ q \xrightarrow{a}_G q'$. We extend $\rightarrow_G$ to arbitrary sequences by setting $q \xrightarrow{\epsilon}_G q$ for all states $q$, and $q \xrightarrow{s\sigma}_G q'$ whenever $q \xrightarrow{s}_G q''$ and $q'' \xrightarrow{\sigma}_G q'$ for some $q'' \in Q_G$.

• $\Sigma(q) \triangleq \{a \in \Sigma \mid q \xrightarrow{a}_G\}$ corresponds to the set of events admissible in state $q$ of $G$. $G$ is said to be complete whenever $\forall q \in Q_G,\ \Sigma(q) = \Sigma$. It is said to be live if $\Sigma(q) \neq \emptyset$ for each $q \in Q_G$.

• We set $\Delta_G(q, l) \triangleq \{q' \in Q_G \mid q \xrightarrow{l}_G q'\}$. By a slight abuse of notation, for any language $L \subseteq \Sigma^*$, $\Delta_G(q, L) \triangleq \{q' \in Q_G \mid \exists s \in L,\ q \xrightarrow{s}_G q'\}$. For any $X \subseteq Q_G$, $\Delta_G(X, L) = \bigcup_{q \in X} \Delta_G(q, L)$. Also, $X$ is said to be stable if $\Delta_G(X, \Sigma^*) \subseteq X$.

• We denote by $L(G) = \{l \in \Sigma^* \mid q_0^G \xrightarrow{l}_G\}$ the set of trajectories of the system $G$. Given a special set of states $F_G \subseteq Q_G$, the notions above are extended to this setting by letting the language $L_{F_G}(G) = \{l \in \Sigma^* \mid \exists q \in F_G,\ q_0^G \xrightarrow{l}_G q\}$ be the set of trajectories that end in a state of $F_G$. Note that if $G$ is complete and $F_G$ is stable, then $L_{F_G}(G)$ is extension-closed.

We now define the synchronous product of two LTSs.

Definition 2 (Synchronous product) Let $G_i = (Q_i, \Sigma, \rightarrow_{G_i}, q_0^{G_i})$, $i = 1, 2$, be two LTSs. The synchronous product of $G_1$ and $G_2$ is the LTS $G_1 \times G_2 = (Q_1 \times Q_2, \Sigma, \rightarrow_{G_1 \times G_2}, (q_0^{G_1}, q_0^{G_2}))$, where $(q_1, q_2) \xrightarrow{\sigma}_{G_1 \times G_2} (q_1', q_2')$ whenever $q_1 \xrightarrow{\sigma}_{G_1} q_1'$ and $q_2 \xrightarrow{\sigma}_{G_2} q_2'$. $\diamond$

Clearly, $L(G_1 \times G_2) = L(G_1) \cap L(G_2)$ and, for $F_i \subseteq Q_i$, $i = 1, 2$, we also have $L_{F_1 \times F_2}(G_1 \times G_2) = L_{F_1}(G_1) \cap L_{F_2}(G_2)$. Also, if for $i = 1, 2$ the set $F_i$ is stable in $G_i$, then $F_1 \times F_2$ is stable in $G_1 \times G_2$.

Given a set of states $E \subseteq Q_G$ of an LTS $G$, the operators $pre^\exists_G$ and $pre^\forall_G$ are defined as follows:
$$pre^\exists_G(E) = \{q \in Q_G \mid \exists a \in \Sigma,\ \Delta_G(q, a) \cap E \neq \emptyset\}$$
$$pre^\forall_G(E) = \{q \in pre^\exists_G(E) \mid \forall a \in \Sigma,\ \Delta_G(q, a) \subseteq E\}$$
The states belonging to $pre^\forall_G(E)$ are the states that have at least one immediate successor and all of whose immediate successors belong to $E$, while the states belonging to $pre^\exists_G(E)$ are such that at least one immediate successor belongs to $E$.

Given a live LTS $G$, let $Inev_G(E)$ be the set of states that inevitably lead to the set $E$ in a finite number of steps, and $CoReach_G(E)$ the set of states from which $E$ is reachable. These sets are given by the following least fixpoints ($lfp$):
$$Inev_G(E) = lfp(\lambda X.\ E \cup pre^\forall_G(X)) \qquad CoReach_G(E) = lfp(\lambda X.\ E \cup pre^\exists_G(X))$$
Observable behavior. The key point of our approach concerns the ability of a user $U$ to deduce information from a system by observing only a subset of the events, or only an abstraction of them. For this purpose, we introduce the concept of observation mask. An observation mask is a function $\Pi_U : \Sigma \rightarrow \Sigma_U \cup \{\epsilon\}$, defined for all $\sigma \in \Sigma$. The set $\Sigma_U$ is another event set called the observed events. We denote by $\Sigma_U^{-1} = \{\sigma \in \Sigma \mid \Pi_U(\sigma) \neq \epsilon\}$ the set of observable events, i.e. the events of $\Sigma$ inducing an observation for $U$. The observation mask is extended to any trajectory by assigning $\Pi_U(\epsilon) = \epsilon$ and $\forall s \in \Sigma^*, \sigma \in \Sigma,\ \Pi_U(s\sigma) = \Pi_U(s)\Pi_U(\sigma)$. This is further extended to any language $L \subseteq \Sigma^*$ by letting $\Pi_U(L) = \{\Pi_U(s) \mid s \in L\}$. The inverse observation mask for $T \subseteq \Sigma_U^*$ is given by $\Pi_U^{-1}(T) = \{l \in \Sigma^* \mid \Pi_U(l) \in T\}$. We say that $G$ is $\Sigma_U$-live if $\forall q \in Q_G,\ \exists s \in \Sigma^*, \sigma \in \Sigma_U^{-1},\ q \xrightarrow{s\sigma}_G$, meaning that there is no terminal loop of events that cannot be observed through the observation mask.

Starting from a system $G$ and an observation mask $\Pi_U$, the set of observed traces of $G$ is simply given by $T_U(G) = \Pi_U(L(G))$. We define the semantics $[[\mu]]_U$ of a trace $\mu \in T_U(G)$ as the set of trajectories of $G$ that are compatible with the trace $\mu$:
$$[[\mu]]_U \triangleq \begin{cases} \Pi_U^{-1}(\mu) \cap L(G) \cap \Sigma^*\Sigma_U^{-1} & \text{if } \mu \neq \epsilon \\ \{\epsilon\} & \text{otherwise.} \end{cases}$$
This means that (except for the empty trace) the trajectories compatible with a trace $\mu$ are the trajectories of $G$ ending with an observable event and having trace $\mu$. This is consistent with an on-line observation performed by a user of the system for whom the system is only seen through the interface given by the observation mask $\Pi_U$. We suppose that the observers react faster than the system. Therefore, when an observable event occurs, observers can take a decision or raise an alarm before the system proceeds with any unobservable event. This explains why we do not consider trajectories ending with unobservable events in the definition of the semantics.

An LTS $G$ is said to be deterministic if for all $q \in Q_G$ and all $a \in \Sigma$, $q \xrightarrow{a}_G q'$ and $q \xrightarrow{a}_G q''$ implies $q' = q''$. In order to build monitors in charge of the observation of the system, we will need to build, starting from a non-deterministic LTS $G$, a deterministic LTS $Det_U(G)$ over the alphabet $\Sigma_U$ preserving the set of traces, i.e. $L(Det_U(G)) = T_U(G)$.

Definition 3 Let $G = (Q_G, \Sigma, \rightarrow_G, q_0^G)$ be an LTS and $\Pi_U$ an observation mask. The determinization of $G$ with respect to $\Pi_U$ is the LTS $Det_U(G) = (\mathcal{X}, \Sigma_U, \rightarrow_d, X_0)$ where $\mathcal{X} = 2^{Q_G}$ (the set of subsets of $Q_G$, called macro-states), $X_0 = \{q_0^G\}$ and
$$\rightarrow_d = \Big\{(X, \sigma, X') \;\Big|\; X \in \mathcal{X},\ \sigma \in \Sigma_U,\ X' = \bigcup_{a \in \Sigma_U^{-1},\ \Pi_U(a) = \sigma} \Delta_G\big(X, (\Sigma \setminus \Sigma_U^{-1})^*.a\big) \neq \emptyset\Big\}.$$
All observable events $a$ with the same image $\sigma$ contribute to a single $\sigma$-transition, which is what keeps $Det_U(G)$ deterministic when $\Pi_U$ is not injective; discarding empty targets ensures $L(Det_U(G)) = T_U(G)$. $\diamond$

Notice that this definition is consistent with the above semantics of observations $[[\cdot]]_U$: the target macro-state $X'$ of a transition $X \xrightarrow{\sigma}_d X'$ is composed of the states $q'$ of $G$ which are targets of sequences of transitions $q \xrightarrow{s.a} q'$ with $q \in X$, $s$ made of unobservable events only, and ending with an observable event $a$ such that $\Pi_U(a) = \sigma$.

From the definition of $\rightarrow_d$, we get $\Delta_{Det_U(G)}(X_0, \mu) = \{\Delta_G(q_0^G, [[\mu]]_U)\}$. This means that the macro-state reached from $X_0$ by $\mu$ in $Det_U(G)$ is composed of the states that are reached from $q_0^G$ by the trajectories of $[[\mu]]_U$ in $G$.
3 Inference of properties under partial observation

In this section, we consider a user $U$ interacting with a system modeled by an LTS $G = (Q_G, \Sigma, \rightarrow_G, q_0^G)$ through an interface modeled by an observation mask $\Pi_U$. We consider properties modeled by regular languages over $\Sigma$ that are defined as follows.

Definition 4 A property is given by a marked language $L_{F_\psi}(\psi) \subseteq \Sigma^*$ of a complete and deterministic LTS $\psi = (Q_\psi, \Sigma, \rightarrow_\psi, q_0^\psi)$ equipped with a distinguished set $F_\psi \subseteq Q_\psi$. $\diamond$

We say that a trajectory $s \in L(G)$ is recognized by $\psi$, noted $s \models \psi$, whenever $s \in L_{F_\psi}(\psi)$. As $\psi$ is complete, we get $L(G \times \psi) = L(G)$, and $L_{Q_G \times F_\psi}(G \times \psi) = L(G) \cap L_{F_\psi}(\psi)$ is the set of trajectories of $G$ satisfying $\psi$.

Let $s \in L(G)$ be a trajectory that has been triggered by the system. The user $U$ aims to infer whether $s$ satisfies the property $\psi$ by observing $\mu = \Pi_U(s) \in T_U(G)$. However, the user cannot distinguish $s$ from any trajectory $s' \in [[\mu]]_U$ compatible with the observation $\mu$. Thus, $U$ can only infer partial information regarding $s \models \psi$ from $[[\mu]]_U$. For example, $U$ is sure that $s \models \psi$ if $[[\mu]]_U \subseteq L_{F_\psi}(\psi)$. Meanwhile, if there exists $s' \in [[\mu]]_U$ such that $s' \not\models \psi$, then it is impossible for $U$ to know whether the current trajectory is $s$ or $s'$, and then $U$ cannot infer whether $s \models \psi$ or not. To go further, $U$ might also be interested in the fact that, after observing $\mu$, $\psi$ will inevitably be satisfied, or will never be satisfied anymore, by the trajectories of $G$ extending $s$.

Next, we formalize these ideas and propose a way to build a function $O_U^\psi$, inspired by [8], which gives access, for each observation $\mu \in T_U(G)$, to what a user $U$ can infer on $s$ and $\psi$. Formally, if $s$ is the current execution of the system and $\mu = \Pi_U(s)$ is the corresponding observation, the verdicts we are interested in are defined by the following function:
$$O_U^\psi : \Sigma_U^* \rightarrow \mathcal{V} = \{Yes, Inev, Inev\_Yes, Never, No, ?\}$$
where the semantics of the verdicts is as follows:
1) $O_U^\psi(\mu) = Yes$ if $U$ knows that for the current execution $s$ (s.t. $\Pi_U(s) = \mu$), $s \models \psi$;
2) $O_U^\psi(\mu) = Inev$ if $U$ knows that $s \not\models \psi$ but also that $\psi$ will inevitably be satisfied by all the possible extensions of $s$;
3) $O_U^\psi(\mu) = Inev\_Yes$ if $U$ knows that $s \models \psi$ or that $\psi$ will inevitably be satisfied in the future, but cannot distinguish between the two cases so far;
4) $O_U^\psi(\mu) = Never$ if $U$ knows that $\psi$ will never be satisfied by the executions of $G$ extending $s$;
5) $O_U^\psi(\mu) = No$ if $U$ knows that $s \not\models \psi$, but $\psi$ is neither unavoidable nor impossible;
6) $O_U^\psi(\mu) = ?$ in all the other cases, meaning that $U$ cannot infer any useful information with regard to $s$ and $\psi$ after the observation $\mu = \Pi_U(s)$.

3.1 Construction of $O_U^\psi$

In this section, we explain how to construct the function $O_U^\psi : \Sigma_U^* \rightarrow \mathcal{V}$:

Step 1. Construct the synchronous product $G_\psi = G \times \psi = (Q_{G_\psi}, \Sigma, \rightarrow_{G_\psi}, q_0^{G_\psi})$ as well as the set of final states $F_{G_\psi} = Q_G \times F_\psi$. By the property of the synchronous product, and using the fact that $\psi$ is complete, we get $L(G_\psi) = L(G)$ and $L_{F_{G_\psi}}(G_\psi) = L(G) \cap L_{F_\psi}(\psi)$. Thus the trajectories of $G_\psi$ accepted in $F_{G_\psi}$, $L_{F_{G_\psi}}(G_\psi)$, are exactly the trajectories of $G$ accepted by $\psi$.

Step 2. Compute $Inev_{G_\psi}(F_{G_\psi})$ and $CoReach_{G_\psi}(F_{G_\psi})$ on $G_\psi$ and consider the following partition $Q_{G_\psi} = F_{G_\psi} \cup I_{G_\psi} \cup P_{G_\psi} \cup N_{G_\psi}$, where
• $I_{G_\psi} = Inev_{G_\psi}(F_{G_\psi}) \setminus F_{G_\psi}$ is the set of states not belonging to $F_{G_\psi}$ but from which $F_{G_\psi}$ is unavoidable;
• $P_{G_\psi} = Q_{G_\psi} \setminus CoReach_{G_\psi}(F_{G_\psi})$, i.e. the set of states from which $F_{G_\psi}$ is unreachable;
• $N_{G_\psi} = Q_{G_\psi} \setminus (F_{G_\psi} \cup I_{G_\psi} \cup P_{G_\psi})$ is the set of all other states.

Step 3. Build $\chi_U^\psi(G) = Det_U(G_\psi) = (\mathcal{X}, \Sigma_U, \rightarrow_d, X_0)$. We thus have $L(\chi_U^\psi(G)) = T_U(G)$. For each observation $\mu \in T_U(G)$, we get $\Delta_{\chi_U^\psi(G)}(X_0, \mu) = \{\Delta_{G_\psi}(q_0^{G_\psi}, [[\mu]]_U)\}$.

Step 4. We finally compute the observation function $O_U^\psi$ from $\chi_U^\psi(G)$ and the sets $F_{G_\psi}, I_{G_\psi}, P_{G_\psi}, N_{G_\psi}$ as follows. Writing $X_\mu$ for the unique macro-state in $\Delta_{\chi_U^\psi(G)}(X_0, \mu)$, for all $\mu \in T_U(G)$:
$$O_U^\psi(\mu) = \begin{cases} Yes & \text{if } X_\mu \subseteq F_{G_\psi} \\ Inev & \text{if } X_\mu \subseteq I_{G_\psi} \\ Inev\_Yes & \text{if } X_\mu \subseteq I_{G_\psi} \cup F_{G_\psi} \ \wedge\ X_\mu \cap I_{G_\psi} \neq \emptyset \ \wedge\ X_\mu \cap F_{G_\psi} \neq \emptyset \\ No & \text{if } X_\mu \subseteq N_{G_\psi} \\ Never & \text{if } X_\mu \subseteq P_{G_\psi} \\ ? & \text{otherwise.} \end{cases}$$

It is easy to check that the construction of $O_U^\psi$ conforms to the informal definition previously introduced. For example, for the verdict $Yes$, consider an execution $s \in L(G)$ together with its corresponding observation $\mu = \Pi_U(s)$ and $O_U^\psi(\mu) = Yes$. We thus have $X_\mu \subseteq F_{G_\psi}$. Now, according to the definition of $\chi_U^\psi(G)$, for all $s' \in [[\mu]]_U$, $\Delta_{G_\psi}(q_0^{G_\psi}, s') \subseteq X_\mu \subseteq F_{G_\psi}$, thus $s' \models \psi$. Hence, for all trajectories $s' \in [[\mu]]_U$, $s' \models \psi$, and in particular $s \models \psi$. Similarly for $O_U^\psi(\mu) = Inev$: it implies that $\Delta_{G_\psi}(q_0^{G_\psi}, [[\mu]]_U) \subseteq I_{G_\psi}$. Then the trajectories in $[[\mu]]_U$ are for sure not satisfying $\psi$, and all their continuations will inevitably satisfy $\psi$. This also holds for $s$.

To conclude this section, given a system $G$ that is observed by a user $U$ through the interface $\Pi_U$, we know how to construct a function $O_U^\psi : \Sigma_U^* \rightarrow \mathcal{V}$ that gives access to all the information that the user $U$ can deduce with respect to the executions of $G$ and the property $\psi$.
4 Characterization and verification of opacity

Assume now that the attacker $A$ is a user of a system $G$ trying to infer confidential information. We assume that the attacker perfectly knows the model of $G$, but only observes it through the interface $\Pi_A$. We now consider a secret $\varphi$ given by the marked language of a complete deterministic LTS $\varphi = (Q_\varphi, \Sigma, \rightarrow_\varphi, q_0^\varphi)$ with marked states $F_\varphi$. We do assume that $A$ knows how to build an observation function as described in the preceding section, and our aim is to know whether the attacker can know that the current execution $s \in L(G)$ reveals the secret $\varphi$. Here is a very simple example to illustrate the approach.

Example 1 Let $G$ be an LTS with $\Sigma = \{h, p, l_1, l_2, l_3\}$ and $\Sigma_A = \{l_1, l_2, l_3\}$ (the observation mask is reduced to the natural projection). The secret under consideration is the occurrence of the event $p$. This should not be revealed to the users of the system, knowing that $p$ is not observable. However, users can infer that $p$ has occurred by observing the event $l_2$. Such a system is then not secure because the fact that $p$ occurs during execution modifies what $A$ can observe. Note however that for a different observation mask such that $\Pi_A(l_1) = \Pi_A(l_2)$, the occurrence of $p$ does not change the observations and $G$ is safe. $\diamond$

Figure 2: An example of interference (the LTS $G$ of Example 1 over the events $h, p, l_1, l_2, l_3$).

4.1 Definition of Opacity

Intuitively, a secret $\varphi$ is said to be opaque with respect to a system $G$ and an observation mask $\Pi_A$ if the attacker $A$ can never be sure that the current execution of $G$ satisfies $\varphi$ [1, 4, 2].

Definition 5 (Opacity) Given a system $G$ and a secret $\varphi$, $\varphi$ is said to be opaque w.r.t. $G$ and $\Pi_A$ if
$$\forall s \in L(G),\ [[\Pi_A(s)]]_A \not\subseteq L_{F_\varphi}(\varphi) \qquad (1)$$
In other words, $\varphi$ is opaque w.r.t. $G$ and $\Pi_A$ if and only if $\forall \mu \in T_A(G),\ [[\mu]]_A \not\subseteq L_{F_\varphi}(\varphi)$, and $\varphi$ is non-opaque w.r.t. $G$ and $\Pi_A$ if and only if $\exists \mu \in T_A(G),\ [[\mu]]_A \subseteq L_{F_\varphi}(\varphi)$.

Based on the semantics of $O_A^\varphi$ described in the preceding section, one can say that $\varphi$ is opaque with respect to $G$ and $\Pi_A$ if $\forall s \in L(G),\ O_A^\varphi(\Pi_A(s)) \neq Yes$.

4.2 Verification of Opacity

In this section, we are interested in checking whether a secret $\varphi$ is opaque with respect to a system $G$ and an interface $\Pi_A$. This happens to be a particular case of the inference of a property that we presented in Section 3. To do so, consider $\chi_A^\varphi(G) = Det_A(G \times \varphi) = (\mathcal{X}, \Sigma_A, \rightarrow_d, X_0)$ equipped with the set of final states $F = 2^{Q_G \times F_\varphi}$ (the macro-states entirely contained in $Q_G \times F_\varphi$). By construction of $\chi_A^\varphi(G)$, we get the following property:
$$[[L_F(\chi_A^\varphi(G))]]_A = \{s \in L(G) \cap \Sigma^*.\Sigma_A^{-1} \mid [[\Pi_A(s)]]_A \subseteq L_{F_\varphi}(\varphi)\}$$
which gives a characterization of opacity:

Proposition 1 $\varphi$ is opaque with respect to $G$ and the interface $\Pi_A$ if and only if $L_F(\chi_A^\varphi(G)) = \emptyset$. $\diamond$

Hence, checking the opacity of a secret $\varphi$ consists of checking that the set of states $F$ is not reachable in $\chi_A^\varphi(G)$. If it is reachable, then $\varphi$ is not opaque and there exists at least one observation allowing the attacker to infer that $\varphi$ is satisfied. In other words, $L_F(\chi_A^\varphi(G))$ corresponds to the set of observations for which the attacker $A$ knows that the current execution reveals $\varphi$. In that case, the attacker $A$, based on the preceding techniques, can compute the LTS $\chi_A^\varphi(G)$ and deduce an observation function $O_A^\varphi$ such that, for a given observation $\mu$ of $T_A(G)$:
• if $O_A^\varphi(\mu) = Yes$, then $\mu \in L_F(\chi_A^\varphi(G))$ and $[[\mu]]_A \subseteq L_{F_\varphi}(\varphi)$; the attacker, based on this observation, can deduce that $\varphi$ is satisfied on $G$ and there is an information flow;
• if $O_A^\varphi(\mu) \in ?_A$, then $A$ cannot deduce $\varphi$ and there is no information flow, where $?_A = \{No, Inev, Inev\_Yes, Never, ?\}$ (footnote 1).

Footnote 1: Compared with (1), we consider here that the attacker $A$ is only interested in the detection of the satisfaction of the secret.

Example 2 Consider the system $G$ described in Fig. 3(a). The alphabet of $G$ is $\Sigma = \{a, b, c, X, Y, Z, a_\varphi, \tau, \delta\}$. We assume here that the secret property is given by the LTS described in Fig. 3(b); the marked state is represented by the black state. In this example, the attacker tries to infer the occurrence of the event $a_\varphi$ in the system.

Figure 3: $G$ and $\varphi$. (a) The system $G$; (b) the opacity property $\varphi$, which loops on $\Sigma \setminus \{a_\varphi\}$ in its initial state, moves to its marked state on $a_\varphi$, and then loops on $\Sigma$.

For simplicity, we assume that the projection mask is reduced to the natural projection. The interface of the attacker is reduced to $\Sigma_A = \{a, b, c, \delta\}$. The observer $O_A^\varphi$ that the attacker $A$ can build is given by the LTS depicted in Fig. 4. If $A$ observes $a.b.\delta^*$ then $\varphi$ is revealed: $A$ is then sure that the event $a_\varphi$ occurred in $G$ (the set of compatible trajectories is $a.X.Z.a_\varphi.b.\delta^*$ and $X.a_\varphi.a.b.Z.\delta^*$). A contrario, if $A$ simply observes $a$ or $a.c.\delta^*$, then he is not sure whether $\varphi$ is satisfied or not: some of the compatible trajectories satisfy the secret and some others do not, thus $A$ cannot infer the secret.

Figure 4: The function $O_A^\varphi$ based on $\chi_A^\varphi(G)$ (verdict "?: $A$ doesn't know $\varphi$" after $a$ or $a.c.\delta^*$, verdict "Yes: $A$ knows $\varphi$" after $a.b.\delta^*$).

Remark 1 It is also possible to consider other kinds of opacity:
• In some cases, $A$ might be interested in the information "$\varphi$ is satisfied by the current execution of the system $G$ or will inevitably be in the future". In that case, we will say that the secret is opaque if and only if $\forall \mu \in T_A(G),\ [[\mu]]_A \not\subseteq L_{Inev_{G_\varphi}(F_{G_\varphi})}(G_\varphi)$. The verification of opacity and the construction of the associated observer are similar.
• It is also possible to consider the case where there is an information flow as soon as the attacker knows that either $\varphi$ is satisfied or $\neg\varphi$ is satisfied (cf. [1]). In other words, being opaque (for this definition) means that $\varphi$ has to be opaque as well as $\neg\varphi$ (according to Definition 5). The associated observer will have three verdicts $\{Yes, No_A, ?_A\}$, where the verdict $Yes$ corresponds to the verdict described in (1), the verdict $No_A$ encompasses the verdicts $No, Inev, Never$, whereas $?_A$ corresponds to the other cases. $\diamond$
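The constructions of Section 3.1 (Steps 1 to 4) and the opacity test of Proposition 1, as an added worked example in Python; this code is not part of the original report. It implements the synchronous product, the $Inev$/$CoReach$ fixpoints, $Det_U$ with grouping of events that share an image under the mask, and the verdict function, and runs them on a small system built in the spirit of Example 1. The exact shape of that system is an assumption (Figure 2 is not reproduced here), as are all function and variable names. The same `observer` yields the monitor's $O_M^\Omega$ of Section 5 once $\psi$ is replaced by $\Omega$ and the mask by $\Pi_M$.

```python
"""Added example: the constructions of Sections 2-4 run on a small LTS.
Synchronous product, Inev/CoReach fixpoints, determinization under an
observation mask, the verdict function O_U^psi and the test of Proposition 1."""
from collections import deque

class LTS:
    def __init__(self, alphabet, q0, transitions):
        self.sigma, self.q0, self.succ = frozenset(alphabet), q0, {}
        for q, a, q2 in transitions:                     # (q, a) -> set of q'
            self.succ.setdefault((q, a), set()).add(q2)
        self.states = {q0} | {q for q, _ in self.succ} | {
            q2 for targets in self.succ.values() for q2 in targets}

    def delta(self, X, a):
        """Delta_G(X, a): all a-successors of the states in X."""
        return {q2 for q in X for q2 in self.succ.get((q, a), ())}

def product(g, psi):
    """G x psi (Definition 2): both components move on every event."""
    return LTS(g.sigma, (g.q0, psi.q0),
               [((q, p), a, (q2, p2)) for (q, a), qs in g.succ.items() for q2 in qs
                for (p, b), ps in psi.succ.items() if b == a for p2 in ps])

def lfp(step, seed):
    """Least fixpoint of X -> seed U step(X), by iteration (finite state space)."""
    X, X2 = set(), set(seed)
    while X != X2:
        X, X2 = X2, X2 | step(X2)
    return X

def pre_exists(g, E):   # pre^E_G(E): at least one immediate successor lies in E
    return {q for q in g.states if any(g.delta({q}, a) & E for a in g.sigma)}
def pre_forall(g, E):   # pre^A_G(E): some successor, and all successors, in E
    return {q for q in pre_exists(g, E) if all(g.delta({q}, a) <= E for a in g.sigma)}
def inev(g, E):         # Inev_G(E) = lfp(X. E U pre^A_G(X))
    return lfp(lambda X: pre_forall(g, X), E)
def coreach(g, E):      # CoReach_G(E) = lfp(X. E U pre^E_G(X))
    return lfp(lambda X: pre_exists(g, X), E)

def determinize(g, mask):
    """Det_U(G) (Definition 3); mask: event -> observed symbol, '' if unobservable."""
    obs = {a for a in g.sigma if mask[a]}
    unobs = g.sigma - obs
    def closure(X):     # Delta_G(X, (Sigma \ Sigma_U^-1)*)
        return lfp(lambda Y: {q for a in unobs for q in g.delta(Y, a)}, X)
    x0 = frozenset([g.q0])
    trans, work, seen = {}, deque([x0]), {x0}
    while work:
        X = work.popleft()
        C = closure(X)
        for sym in {mask[a] for a in obs}:   # all a with Pi_U(a) = sym feed one edge
            X2 = frozenset(q for a in obs if mask[a] == sym for q in g.delta(C, a))
            if X2:
                trans[(X, sym)] = X2
                if X2 not in seen:
                    seen.add(X2)
                    work.append(X2)
    return x0, trans

def verdict(X, F, I, P, N):
    """Step 4 of Section 3.1 applied to one (non-empty) macro-state X."""
    for name, region in (("Yes", F), ("Inev", I), ("No", N), ("Never", P)):
        if X <= region:
            return name
    return "Inev_Yes" if X <= F | I else "?"   # meets both F and I when reached

def observer(g, psi, F_psi, mask):
    """O_U^psi as {observed trace: verdict}, one shortest trace per macro-state."""
    gp = product(g, psi)
    F = {q for q in gp.states if q[1] in F_psi}          # F_{G_psi} = Q_G x F_psi
    I = inev(gp, F) - F                                  # I_{G_psi}
    P = gp.states - coreach(gp, F)                       # P_{G_psi}
    N = gp.states - (F | I | P)                          # N_{G_psi}
    x0, trans = determinize(gp, mask)
    traces, work, out = {x0: ()}, deque([x0]), {}
    while work:
        X = work.popleft()
        out[traces[X]] = verdict(X, F, I, P, N)
        for (Y, sym), X2 in trans.items():
            if Y == X and X2 not in traces:
                traces[X2] = traces[X] + (sym,)
                work.append(X2)
    return out

def is_opaque(g, phi, F_phi, mask):
    """Proposition 1: phi is opaque w.r.t. G and Pi_A iff no trace gets Yes."""
    return "Yes" not in observer(g, phi, F_phi, mask).values()

# Constructed instance in the spirit of Example 1 (assumption: Figure 2 is not
# reproduced here). h and p are unobservable, p is the secret, l2 needs p first.
SIGMA = {"h", "p", "l1", "l2", "l3"}
G = LTS(SIGMA, 0, [(0, "h", 1), (0, "p", 2), (1, "l1", 3), (2, "l1", 3),
                   (2, "l2", 4), (3, "l3", 3), (4, "l3", 4)])
PHI = LTS(SIGMA, 0, [(0, "p", 1)] + [(0, a, 0) for a in SIGMA if a != "p"]
          + [(1, a, 1) for a in SIGMA])          # marked state 1: "p occurred"
NATURAL = {a: (a if a.startswith("l") else "") for a in SIGMA}  # Sigma_A = {l1,l2,l3}
MERGED = dict(NATURAL, l1="l", l2="l")           # mask with Pi_A(l1) = Pi_A(l2)
```

With the natural projection, `observer(G, PHI, {1}, NATURAL)` gives the verdict $No$ on the empty trace, $?$ after $l_1$ (compatible trajectories $h.l_1$ and $p.l_1$) and $Yes$ after $l_2$, so `is_opaque` returns False: the secret leaks exactly as Example 1 describes. With the mask that merges $l_1$ and $l_2$, the only non-initial macro-state mixes states with and without $p$, every verdict is $?$, and `is_opaque` returns True.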
5 Monitoring Opacity

Given a secret $\varphi$, based on the techniques described in the preceding sections, it is possible to check whether $\varphi$ is opaque w.r.t. $G$ and the interface $\Pi_A$. When $\varphi$ is not opaque, it can be important for an administrator to supervise the system on-line by means of a monitor $M$ and raise an alarm as soon as an information flow occurs.

For this, we assume that $M$ knows the model of the system $G$ and observes it through the interface $\Pi_M$. Moreover, $M$ knows the ability of the attacker $A$, meaning that the monitor knows that $A$ observes the system via the interface $\Pi_A$ and that he can construct an observation function $O_A^\varphi$. We do not assume any relation between $\Pi_A$ and $\Pi_M$. Thus, $M$ has to infer the attacker's knowledge based on the observation of $T_M(G) \subseteq \Sigma_M^*$.

If $\varphi$ is not opaque w.r.t. the system $G$ and the interface $\Pi_A$, an administrator can build an observation function to diagnose the fact that the secret has been revealed. One can also be more accurate and try to predict the fact that the secret will inevitably be known by the attacker, strictly before the information flow, or that the secret will never be revealed anymore.

Note that it is not necessary to diagnose the fact that the system performed a sequence satisfying the secret if this sequence does not correspond to a non-opaque execution (this sequence does not reveal anything to the attacker); only the executions that lead to an information flow have to be taken into account. Indeed, the secret $\varphi$ is revealed to the attacker by an execution $s \in L(G)$ if and only if $\Pi_A(s) \in L_F(\chi_A^\varphi(G))$. In other words, we are interested in diagnosing the property "the secret $\varphi$ has been revealed to the attacker", which corresponds to the extension-closed language $\Pi_A^{-1}(L_F(\chi_A^\varphi(G))) \cdot \Sigma^*$. This language can be recognized by an LTS $\Omega$ equipped with a set of final states $F_\Omega$ such that:
$$L_{F_\Omega}(\Omega) = \Pi_A^{-1}(L_F(\chi_A^\varphi(G))) \cdot \Sigma^* \qquad (2)$$

Example 3 To illustrate the computation of (2), let us come back to Example 2. The corresponding LTS $\Omega$ is shown in Fig. 5.

Figure 5: The LTS $\Omega$ computed from $\chi_A^\varphi(G)$ (its states track the attacker's observations $a$ then $b$, with self-loops on the unobservable events $\Sigma \setminus \Sigma_A$, and a final "Dump" state looping on $\Sigma$ once the secret has been revealed).

5.1 Supervision of Information Flow

Given a system $G$, an attacker $A$ observing $G$ via the interface $\Pi_A$ and a secret $\varphi$ (that we assume to be non-opaque), we now describe a method allowing an administrator $M$ observing $G$ via the interface $\Pi_M$ to know whether there is an information flow or not. We assume that the monitor in charge of the supervision has a full knowledge of $G$ and knows the observation mask $\Pi_A$.

As mentioned in the introduction of this section, $M$ does not directly observe $\varphi$. Only the trajectories causing an information flow have to be supervised. We consider then the stable property $\Omega$ corresponding to the trajectories of $G$ inducing an information flow from $G$ to $A$ (see (2)). In order to construct the observer $O_M^\Omega$ in charge of the supervision of $\Omega$ (i.e. corresponding to the information leak of $\varphi$), we first build $G_\Omega = G \times \Omega$ and the sets $F_{G_\Omega}, I_{G_\Omega}, P_{G_\Omega}, N_{G_\Omega}$ (as described in Step 2, Section 3.1).

Now, based on the techniques of Section 3.1, one can compute the LTS $\chi_M^\Omega(G)$ over $\Sigma_M$, from which we can derive an observer $O_M^\Omega$ with the following verdicts: for $\mu \in T_M(G)$,
• $O_M^\Omega(\mu) = Yes$: $M$ infers that $\Omega$ is satisfied and thus can deduce that $A$ knows $\varphi$;
• $O_M^\Omega(\mu) = No$: $M$ knows that $A$ does not know $\varphi$ but might know it in the future;
• $O_M^\Omega(\mu) = Inev$: $M$ knows that $A$ will inevitably know $\varphi$ but does not know it yet;
• $O_M^\Omega(\mu) = Inev\_Yes$: $M$ knows that $A$ already knows or will know $\varphi$;
• $O_M^\Omega(\mu) = Never$: $M$ knows that $A$ will never know $\varphi$;
• $O_M^\Omega(\mu) = ?$: $M$ cannot deduce anything about the knowledge of $A$.

Unfortunately, the case $O_M^\Omega(\mu) = ?$ does not imply that the attacker $A$ does not know $\varphi$. As $M$ and $A$ observe the system via different interfaces, it might be the case that $A$ already knows $\varphi$ and that $M$ will never infer this information. This corresponds to the non-diagnosability of $\Omega$ [8]. This can occur when there exist two arbitrarily long trajectories $s$ and $s'$ corresponding to the same observation $\mu$ such that $s \in L_{F_\Omega}(\Omega)$ (thus a non-opaque trajectory for $\varphi$) and $s' \notin L_{F_\Omega}(\Omega)$. In the next section, we give necessary and sufficient conditions under which this case does not occur.

5.2 Necessary and sufficient conditions for detection/prediction of information flow

Consider the system $G$ as well as the property $\Omega$ described in the previous section.
5.2.1 Diagnosability

Intuitively, $G$ is $\Omega$-diagnosable ([11, 8]) if there exists $n \in \mathbb{N}$ such that, for any trajectory $s$ of $G$ with $s \models \Omega$, the satisfaction of $\Omega$ is detected (the monitor knows that $s \models \Omega$) after waiting for at most $n$ observations. This can be formalized as follows.

Definition 6 Given a system $G$, a stable property $\Omega$ and an interface $\Pi_M$, $G$ is $\Omega$-diagnosable if
$$\exists n \in \mathbb{N},\ \forall s \in L(G) \cap L_{F_\Omega}(\Omega) \cap \Sigma^*.\Sigma_M^{-1},\ \forall t' \in L(G),\ \big(t' = s \cdot t \ \wedge\ |\Pi_M(t)| \geq n\big) \Rightarrow [[\Pi_M(s \cdot t)]]_M \subseteq L_{F_\Omega}(\Omega)$$

Figure 6: Intuition of the diagnosability property (a trajectory $s \in L_{F_\Omega}(\Omega)$ is extended by $t \in L(G)/s$ with $|\Pi_M(t)| \geq n$; all trajectories compatible with the observation $\Pi_M(s.t)$ lie in $L_{F_\Omega}(\Omega)$).

The $\Omega$-diagnosability property means that whenever a trajectory $s$ of the system satisfies $\Omega$, then whatever the extension $t$ of $s$, $t$ having at least $n$ observable events w.r.t. $\Pi_M$, all the trajectories compatible with the observation $\Pi_M(s.t)$ satisfy $\Omega$. In the case of monitoring opacity, this means that when the monitor is observing a trace of a trajectory in $L_{F_\Omega}(\Omega)$, a $Yes$ answer should be produced by the observer after finitely many observed events. Hence, if there exists $s \in L(G)$ triggered by the system such that $\varphi$ is non-opaque for $A$, then $M$ will surely know it at most $n$ observed events after the observation of $\Pi_M(s)$.

5.2.2 Predictability

If the system is $\Omega$-diagnosable, then it might be interesting to refine the verdict by predicting the satisfaction of the property strictly before its actual occurrence [7]. Roughly speaking, $\Omega$ is predictable if it is always possible to detect the future satisfaction of $\Omega$, strictly before this happens, only based on the observations.

Definition 7 Given a system $G$, a property $\Omega$ and an interface $\Pi_M$, $G$ is $\Omega$-predictable if
$$\exists n \in \mathbb{N},\ \forall s \in L(G) \cap L_{F_\Omega}(\Omega) \cap \Sigma^*.\Sigma_M^{-1},\ \exists t \in (L(G) \cap \Sigma^*.\Sigma_M^{-1}) \cup \{\epsilon\},\ t < s \ \wedge\ t \notin L_{F_\Omega}(\Omega)$$
$$\text{s.t. } \forall u \in [[\Pi_M(t)]]_M,\ \forall v \in L(G)/u,\ |\Pi_M(v)| \geq n \Rightarrow u.v \in L_{F_\Omega}(\Omega)$$

This property means that for any trajectory $s$ that satisfies $\Omega$, there exists a strict prefix $t$ that does not satisfy $\Omega$, such that any trajectory $u$ compatible with the observation $\Pi_M(t)$ will inevitably be extended into a trajectory $u.v$ satisfying $\Omega$ (footnote 2). In our setting, this means that $M$ can always predict that $A$ will know $\varphi$, and then the system operator can be warned in time to halt the system or to take counter-measures in order to avoid the secret being revealed. In other words, if $M$ observes a trace $\mu \in T_M(G)$ such that $\mu = \Pi_M(t)$, then $M$ knows that the secret is not revealed to $A$ yet, but will be after at most $n$ observations.

Footnote 2: Note that predictability implies diagnosability [7].

Figure 7: Intuition of the $\Omega$-predictability ($t < s$ with $t \notin L_{F_\Omega}(\Omega)$ and $s \in L_{F_\Omega}(\Omega)$; every $u \in [[\Pi_M(t)]]_M$ and every $v \in L(G)/u$ with $|\Pi_M(v)| \geq n$ give $u.v \in L_{F_\Omega}(\Omega)$).

Remark 2 There is an algorithm of polynomial complexity for verifying that a system $G$ is $\Omega$-diagnosable or $\Omega$-predictable. More details can be found in [8, 7].

Example 4 To illustrate this section, we still consider the system $G$ and the secret $\varphi$ defined in Example 2. The property $\Omega$ and the set of non-opaque trajectories (i.e. the ones that reveal the secret $\varphi$) are given by the LTS described in Fig. 5. Assume that the interface of the monitor $M$ is reduced to $\Sigma_M = \{Z, Y, \delta\}$. Then one can show that $G$ is $\Omega$-diagnosable, but not $\Omega$-predictable. The corresponding $O_M^\Omega$ is represented in Figure 8(a). A contrario, if the interface of the monitor $M$ is $\Sigma_M = \{X, Y, \delta\}$, then the system is $\Omega$-predictable. Indeed, after the observation of $X$, $M$ knows that all the possible extensions will satisfy $\Omega$ and thus that the secret will be revealed (cf. Figure 8(b)).

Figure 8: Observation function $O_M^\Omega$ w.r.t. two different interfaces. (a) $\Sigma_M = \{Z, Y, \delta\}$: verdicts Yes ($M$ knows that $A$ knows $\varphi$), Never ($M$ knows that $A$ will never know $\varphi$) and Inev_Yes ($M$ knows that $A$ knows or will know $\varphi$). (b) $\Sigma_M = \{X, Y, \delta\}$: verdicts Yes, Never and Pred, i.e. Inev ($M$ knows that $A$ will know $\varphi$ but does not know it yet).
6 Construction of Monitors Using Abstractions

Until now, we made the assumption that the attacker $A$ knows a model perfectly reflecting the behavior of the system. This entails that all the attack scenarios that $A$ can compute correspond to real attacks. Especially, the opacity of the model implies the opacity of the system. But the methods presented above may not be effective for the kind of models we might be interested in for modelling real systems. For example, our approach relies on reachability analysis and determinization, which are in general not possible for infinite systems. Moreover, even for finite LTSs, the determinization has an exponential complexity in the number of states, which can be intractable for large LTSs. It is then realistic to consider an attacker reasoning on a finite state abstraction of the system.

Unfortunately, as we will see later, opacity is not preserved by abstraction. Then abstraction cannot be used to infer that a system is opaque when the abstraction is. Also, reasoning on the abstraction, there can be cases of information flow which are not possible on the system. Then using abstraction to verify opacity is not relevant for accepting or rejecting systems. Nevertheless, we will see how abstractions can help an attacker to infer secret information and the administrator to detect the attacks.