
Confidentiality Annotations for Circus. Michael J. Banks, 20th October 2011. PowerPoint presentation (slide transcript).



  1. Confidentiality Annotations for Circus. Michael J. Banks, 20th October 2011.

  2–8. Stepwise software development (one diagram, built up over seven animation steps)

      FuncR  --verify_F-->  P_0 (abstract design)  ⊑_F  P_i  ⊑_F  P_n (concrete design)  --trans_F-->  Code

      ⊑_F = better functionality (more defined behaviour)
      ConfR appears beside the chain on the last step but is not yet connected to it.

  9. Working example
      Consider a sealed bid auction between Alice and Bob.
      Functionality requirements:
      - Each person submits a single bid to the system
      - The person with the larger bid is the winner
      - If bids are tied, the system chooses the winner

  10. Formalising the example: functionality
      using Circus (Woodcock and Cavalcanti, 2002; Oliveira et al., 2009)

        BIDDER ::= Alice | Bob
        channel bidAlice, bidBob : N1
        channel winner : BIDDER

        process Auction ≙ begin
          state ST ≙ [ a, b : N ]
          BidAlice ≙ bidAlice?n → a := n
          BidBob   ≙ bidBob?n → b := n
          Submit   ≙ (BidAlice ; BidBob) ⊓ (BidBob ; BidAlice)
          Declare  ≙   a > b & winner!Alice → Stop
                     □ a < b & winner!Bob → Stop
                     □ a = b & (winner!Alice → Stop ⊓ winner!Bob → Stop)
          • Submit ; Declare
        end

      (⊓ is internal choice, □ is external choice; a tie is resolved by the system's internal choice of winner.)

  11. Confidentiality
      Inference:  user's knowledge of process design + user's interaction with process
                  ↓
                  all process behaviours consistent with interaction
      Security:   must not reveal secret information (what?) to untrusted users (who?)

  12–13. Working example
      Recall the Auction process.
      Confidentiality requirements:
      - Values of Bob's bid over £100 are secret
      - Identity of first bidder is secret
      Does Auction satisfy these requirements?
      - Informal interpretation is unsatisfactory!

  14–15. Confidentiality annotations
      Specify an upper bound on user's inferences about the state.
      (The glyphs for the annotation brackets and for the user's alternative value of a variable are lost in the extraction; they are written ⟨ ⟩ and ã, b̃, f̃ here.)

      Values of Bob's bid over £100 are secret:
        BidBob′ ≙ bidBob?n → b := n ; ⟨ b > 100 ⇒ b̃ ≤ 100 ⟩

      Identity of first bidder is secret:
        Submit′′ ≙ ( (BidAlice ; BidBob ; f := Alice) ⊓ (BidBob ; BidAlice ; f := Bob) ) ;
                   ⟨ (f = Alice ⇒ f̃ = Bob) ∧ (f = Bob ⇒ f̃ = Alice) ⟩

  16. Verification
      Question: How can we verify that a process is secure?
      Problem:
      - Confidentiality annotations are specified locally
      - But apply to the whole of a process
      Solution: Distribute confidentiality annotations throughout a process

  17–19. Verifying the example: by intuition
      Assume Alice observes the bidAlice and winner channels.
      Bob's bids over £100 are secret:
      - Suppose Alice bids > £100, but Bob wins the auction
      - Alice can infer that Bob's bid > £100
      - Alice learns the secret

  20–21. Verifying the example: formally
      Bob's bids over £100 are secret. (ã, b̃ denote the user's alternative values of a and b; the original accent glyph is lost in the extraction.)

        Q = (a = ã) ∧ (a ≥ b ⇒ ã ≥ b̃) ∧ (a ≤ b ⇒ ã ≤ b̃) ∧ (b > 100 ⇒ b̃ ≤ 100)

      Suppose a > 100 and a < b:

          (a > 100 ∧ a < b) ⇒ Q
        = (a > 100 ∧ a < b) ⇒ (a = ã ∧ ã ≤ b̃ ∧ b̃ ≤ 100)
        = (a > 100 ∧ a < b) ⇒ (a = ã ∧ ã ≤ b̃ ∧ b̃ ≤ 100 ∧ a ≤ 100)
        = (a > 100 ∧ a < b) ⇒ false

      An inconsistency between functionality and confidentiality!
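The inference relation of slide 11 and the two annotations of slide 14 can be checked by brute force over a finite model of Auction. The following is an illustration added here, not code from the talk or the paper: it assumes Alice observes only the bidAlice and winner channels, restricts bids to a constructed range 1..120 so every run can be enumerated, and besides reproducing the inconsistency of slides 17–21 it also confirms that the first-bidder annotation holds, which the slides do not spell out.

```python
from itertools import product

# Constructed finite bid domain standing in for N1 so every run can be enumerated.
BIDS = range(1, 121)
SECRET_ABOVE = 100  # "values of Bob's bid over 100 are secret"

def behaviours():
    """All runs of Auction as (first bidder, a, b, winner). On a tie the
    internal choice means either winner is possible, so both runs occur."""
    for first, a, b in product(("Alice", "Bob"), BIDS, BIDS):
        if a != b:
            yield (first, a, b, "Alice" if a > b else "Bob")
        else:
            yield (first, a, b, "Alice")
            yield (first, a, b, "Bob")

def alice_view(run):
    """What Alice sees: her own bid and the winner (not bidBob, not the order)."""
    _, a, _, winner = run
    return (a, winner)

def inference_sets():
    """Map each observation to every run consistent with it (slide 11's inference)."""
    sets = {}
    for run in behaviours():
        sets.setdefault(alice_view(run), []).append(run)
    return sets

def bob_bid_secret(run, alternatives):
    """Annotation on BidBob': if b > 100, some consistent run must have b~ <= 100."""
    return run[2] <= SECRET_ABOVE or any(alt[2] <= SECRET_ABOVE for alt in alternatives)

def first_bidder_secret(run, alternatives):
    """Annotation on Submit'': the other bidding order must stay consistent."""
    return any(alt[0] != run[0] for alt in alternatives)

def violations():
    """Runs on which an annotation fails, as (annotation name, run) pairs."""
    sets = inference_sets()
    found = []
    for run in behaviours():
        alternatives = sets[alice_view(run)]
        if not bob_bid_secret(run, alternatives):
            found.append(("bob_bid", run))
        if not first_bidder_secret(run, alternatives):
            found.append(("first_bidder", run))
    return found
```

Every violation returned is a run in which Bob wins against an Alice bid above 100, exactly the case of slide 20; no run violates the first-bidder annotation because Alice's view carries no information about the order of bids.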

  22–25. Secure software development (one diagram, built up over four animation steps)

      FuncR  --verify_F-->  P_0  ⊑_F  P_i  ⊑_FC  P_n  --trans_FC-->  Code
                                       ↑
      ConfR  --verify_C-----------------┘

      ConfR is verified against an intermediate design P_i; from there on the refinement relation is ⊑_FC and the translation is trans_FC, i.e. functionality and confidentiality are both preserved.

  26. Conclusion
      Contributions:
      - A novel construct for specifying confidentiality
      - A method for verifying confidentiality
      In the paper:
      - Integrating confidentiality with the Circus semantics
      - More examples!

  27. That's all... Questions?

  28–30. Semantics
      Confidentiality annotations make a process secure...
      (ã denotes the user's alternative value of a; annotation brackets written ⟨ ⟩, the original glyphs being lost in the extraction.)

        a := 1 ; ⟨ a = 0 ⇒ ã > 0 ⟩  =  a := 1
        a := 0 ; ⟨ a = 0 ⇒ ã > 0 ⟩  =  a := 0 ; ⟨ false ⟩  =  ⟨ false ⟩

      ... but may make the process impossible to implement.

  31. References
      Marcel Oliveira, Ana Cavalcanti, and Jim Woodcock. A UTP semantics for Circus. Formal Aspects of Computing, 21(1):3–32, February 2009. doi: 10.1007/s00165-007-0052-5.
      Jim Woodcock and Ana Cavalcanti. The semantics of Circus. In ZB 2002: Formal Specification and Development in Z and B, volume 2272 of Lecture Notes in Computer Science, chapter 10, pages 184–203. Springer Berlin / Heidelberg, 2002. doi: 10.1007/3-540-45648-1_10.
