Lecture 012

Assumption:

Observational Equivalence

Observational Equivalence for Security: as far as the attacker can see, if the starting program states are the same, the states after program execution must also be the same.

\Sigma \models \omega_1 \approx_L \omega_2 states that the two states \omega_1 and \omega_2 are observationally equivalent at level L with respect to the security policy \Sigma.

Noninterference: high-security variables should not affect low-security variables.

\Sigma \models \omega_1 \approx_L \omega_2 \land \omega_1 [[\alpha]] \nu_1 \land \omega_2 [[\alpha]] \nu_2 \implies \Sigma \models \nu_1 \approx_L \nu_2

The above definition relies on a deterministic language. "In a nondeterministic language we would need to compare sets of possible low-observable (when observing only at low-security level) outcomes, not just a single run from each initial state. Noninterference also does not talk about the case where there is no final state, which is why this condition is called termination-insensitive noninterference."

Note that y := (x - x) + 1 satisfies noninterference (y always receives 1, whatever the value of x), yet a type system that tracks only which variables appear in the right-hand side rejects it when x is high and y is low. The proposed type system is therefore incomplete: a static type system usually has to make a sound (and decidable) approximation of semantic properties that are themselves undecidable.

\Sigma \models \omega_1 \approx_L \omega_2 \iff (\forall x)(\Sigma(x) \sqsubseteq L \implies \omega_1(x) = \omega_2(x))

Soundness and Completeness

The rule is incomplete. Soundness is the one direction we can prove: if the type system accepts \alpha, then \alpha is semantically secure, i.e. \Sigma \vdash \alpha \ \text{ secure } \ \implies \Sigma \models \alpha \ \text{ secure }. The converse (completeness) fails, as the example y := (x - x) + 1 shows.

Prove Confidentiality

To prove confidentiality of a program \alpha, we prove the validity of

Q \to [\alpha ; \alpha ']Q

where \alpha' is a copy of \alpha in which every variable x is renamed to x', and Q = \bigwedge_{\Sigma(x) = L} (x = x') states that the two copies agree on all low variables. This can be done by computing the weakest liberal precondition

\text{wlp}(\alpha ; \alpha ')Q

and showing that Q implies it.
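The self-composition proof above, and the incompleteness example y := (x - x) + 1, carried out in code. This is an added example, not part of the lecture notes: a constructed toy language of straight-line assignments, a type checker that rejects any low assignment mentioning a high variable, and a check of Q \to wlp(\alpha;\alpha')Q by exhaustive evaluation over a small integer domain.

```python
from itertools import product
# Added example, not from the lecture: straight-line assignments over integers.
# Expressions: ('var', name) | ('const', n) | ('bin', '+'|'-', left, right).
# A program is a list of (target, expression); Sigma maps variables to 'L'/'H'.

def walk(e, on_var):
    """Rebuild e, replacing each ('var', name) leaf by on_var(leaf)."""
    if e[0] == 'var': return on_var(e)
    if e[0] == 'const': return e
    return ('bin', e[1], walk(e[2], on_var), walk(e[3], on_var))

def type_check(prog, sigma):
    """Type system: reject x := e when Sigma(x) = L but e mentions an H variable."""
    def high(e):
        seen = []
        walk(e, lambda v: seen.append(sigma[v[1]]) or v)
        return 'H' in seen
    return all(not (sigma[x] == 'L' and high(e)) for x, e in prog)

def evaluate(e, state):
    if e[0] == 'const': return e[1]
    if e[0] == 'var': return state[e[1]]
    a, b = evaluate(e[2], state), evaluate(e[3], state)
    return a + b if e[1] == '+' else a - b

def wlp(prog, post):
    """wlp(x := e)Q = Q[e/x], applied backwards; post is a list of (lhs, rhs) equalities (a conjunction)."""
    for x, e in reversed(prog):
        sub = lambda v, x=x, e=e: e if v[1] == x else v
        post = [(walk(l, sub), walk(r, sub)) for l, r in post]
    return post

def noninterferent(prog, sigma, domain=range(3)):
    """Self-composition: check Q -> wlp(alpha; alpha')Q, Q = AND_{Sigma(x)=L} x = x', over every state in domain."""
    prime = lambda v: ('var', v[1] + "'")
    q = [(('var', x), ('var', x + "'")) for x in sigma if sigma[x] == 'L']
    composed = prog + [(x + "'", walk(e, prime)) for x, e in prog]   # alpha ; alpha'
    post, names = wlp(composed, q), list(sigma) + [x + "'" for x in sigma]
    for vals in product(domain, repeat=len(names)):
        st = dict(zip(names, vals))
        holds = lambda eqs: all(evaluate(l, st) == evaluate(r, st) for l, r in eqs)
        if holds(q) and not holds(post):
            return False
    return True

SIGMA = {'x': 'H', 'y': 'L'}
X, ONE = ('var', 'x'), ('const', 1)
LEAK = [('y', X)]                                         # y := x
NO_LEAK = [('y', ('bin', '+', ('bin', '-', X, X), ONE))]  # y := (x - x) + 1
```

Running `type_check` and `noninterferent` on `NO_LEAK` shows the gap between the two: the type system rejects it while the semantic check accepts it, whereas `LEAK` fails both.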

Integrity

Confidentiality: no information flow from high-security variables to low-security variables.

Integrity: no information flow from low-security variables to high-security variables.
