ebook img

DTIC ADA465146: A General Theory of Composition for Trace Sets Closed Under Selective Interleaving Functions PDF

16 Pages·0.31 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview DTIC ADA465146: A General Theory of Composition for Trace Sets Closed Under Selective Interleaving Functions

A General Theory of Composition for Trace Sets (cid:3) Closed Under Selective Interleaving Functions John McLean Center for High Assurance Computer Systems Naval Research Laboratory Washington D.C. 20375 Abstract Restrictiveness [8] and Noninference [14, 16] are pre- 1 Thispaperpresentsageneraltheoryofsystemcom- served by generalcompositionorhookup ,thatNond- position for \possibilistic" security properties. We educibility on Strategies [17] is preserved by asyn- see that these properties fall outside of the Alpern- chronous composition [15], and that many properties Schneider safety/liveness domain and hence, are not are not preserved by general composition. However, subject to the Abadi-Lamport Composition Princi- we know nothing about the composabilityof Restric- ple. We then introduce a set of trace constructors tiveness, Noninference, or Nondeducibility on Strate- called selective interleaving functions and show that gies with properties besides themselves, and we know possibilistic security properties are closure properties nothing about the composability of other properties with respect to di(cid:11)erent classes of selective interleav- beyond the fact that they are not preserved by gen- ing functions. This provides a uniformframeworkfor eral composition with themselves. For example, we analyzing these properties and allows us to construct do not know what properties would be satis(cid:12)ed by a a partial ordering for them. We present a number of system in which a component satisfying Deducibility compositionconstructs,showtheextenttowhicheach Security [19] was cascaded with a component satisfy- preserves closurewithrespect todi(cid:11)erentclassesofse- ing Restrictiveness. As a result, we use Restrictive- lective interleaving functions, and show that they are ness or Noninference in cases where better properties su(cid:14)cient for forming the general hook-up construc- (either simpler and just as secure in the case of Re- tion. We see that although closure under a class of strictiveness, or just as simple yet more secure in the selective interleaving functions is generally preserved case of Noninference) may work. As new properties byproductandcascading,itisnotgenerallypreserved are developed, the situation willdeteriorate further. by feedback, internal system composition constructs, For this reason general theories of system compo- or re(cid:12)nement. We examinethe reason for this. sition, such as the one developed by Abadi and Lam- port [1], are extremely appealing. A number of re- searchers in the security community are attempting 1 Introduction to use the Abadi-Lamport Composition Principle to develop a general theory of composition for con(cid:12)den- tialityproperties. However,theAbadi-LamportCom- The abilitytobuildsystemsthat satisfyagivenprop- position Principle is restricted to the class of proper- erty from a selected set of speci(cid:12)ed components is tiesthatarede(cid:12)nablewithinthe safety/livenessprop- a requisite for the production of networks, the pro- erty framework originally presented by Alpern and duction of systems using o(cid:11)-the-shelf products, and Schneider in [2]. Since \possibilistic"security proper- the production of systems from veri(cid:12)ed components. ties (a class of properties which includes Generalized However, a general ability to build composite high- Noninterference, Restrictiveness, Noninference,Nond- assurancesystemspresupposes ageneraltheoryofsys- educibility on Strategies, and Deducibility Security) tem composition. Such a theory provides insight into fall outside this domain,the Abadi-Lamport Compo- why certain properties are preserved or not preserved sition Principle is not directly applicable. by certain forms of composition. More importantly, Thispaperpresentsageneraltheoryofsystemcom- for a large class of properties and a variety of com- position for a class of \possibilistic" properties. In position constructs, it answers questions of the form: Section 2 we introduce a system model and a set of \Ifasystem satisfyingproperty Xis composedwitha trace constructors called selective interleaving func- system satisfying property Y using composition con- tions. Themodelspace,aninstantiationoftheAlpern struct Z, what properties will the composite system and Schneider framework,is extendible to probabilis- satisfy?". A general theory of system composition is clearly 1 lacking for con(cid:12)dentiality properties. We know that Given two systems, their hookup is the compositesystem whereeachcomponentsystemcancommunicate(receiveinput (cid:3) ForthcominginProceedings of the 1994 IEEE Symposium fromandsendoutputto)withboththeothercomponentsystem on Research inSecurity and Privacy. andtheoutsideworld. 1 Report Documentation Page Form Approved OMB No. 0704-0188 Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, Arlington VA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. 1. REPORT DATE 3. DATES COVERED 1994 2. REPORT TYPE 00-00-1994 to 00-00-1994 4. TITLE AND SUBTITLE 5a. CONTRACT NUMBER A General Theory of Composition for Trace Sets Closed Under Selective 5b. GRANT NUMBER Interleaving Functions 5c. PROGRAM ELEMENT NUMBER 6. AUTHOR(S) 5d. PROJECT NUMBER 5e. TASK NUMBER 5f. WORK UNIT NUMBER 7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) 8. PERFORMING ORGANIZATION Naval Research Laboratory,Center for High Assurance Computer REPORT NUMBER Systems,4555 Overlook Avenue, SW,Washington,DC,20375 9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S) 11. SPONSOR/MONITOR’S REPORT NUMBER(S) 12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited 13. SUPPLEMENTARY NOTES 14. ABSTRACT 15. SUBJECT TERMS 16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF 18. NUMBER 19a. NAME OF ABSTRACT OF PAGES RESPONSIBLE PERSON a. REPORT b. ABSTRACT c. THIS PAGE 15 unclassified unclassified unclassified Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18 tic model spaces, e.g., as found in [5]. We consider composition more thoroughly and to provide better the standard possibilistic security properties and two alternatives to the models than are currently avail- new ones: Generalized Noninference, which is an ex- able. tension of Noninference, and Separability, which has a(cid:14)nitiesboth toRushby’sSeparation Kernel [18]and to Nondeducibility on Strategies. We show that all of 2 System Model and System Proper- these properties are closure properties withrespect to ties classes of selective interleaving functions. This pro- vides a uniformframeworkfor analyzingsuch proper- ties and allows us to construct a partial ordering for In Section 2.1 we de(cid:12)ne the notion of a system state them. andusethisde(cid:12)nitiontopresenttheAlpern-Schneider In Section 3.1 we present three external composi- concepts of a property, of a system, and of a prop- tion constructs: product, cascade, and feedback. We erty holdingfor a system. We also see how these con- show the extent to which each of these preserves clo- ceptsareembeddedintheAbadi-Lamportconcepts of sure withrespect todi(cid:11)erent classes ofselective inter- a speci(cid:12)cation and of a system satisfying a speci(cid:12)ca- leavingfunctionsandshowthatproduct andfeedback tion. We then examine the limitationsof the Alpern- are su(cid:14)cient for forming the general hook-up con- Schneider framework for analyzing possibilistic secu- struction. WeseethatSeparabilityprovidesacompos- rity properties and their composition. In Section 2.2 able alternative to Restrictiveness and Noninference, weextend theAlpern-Schneider concept ofaproperty whichissimplerthantheformerandmoresecurethan by introducing the trace set property of being closed the latter. under a class of selective interleaving functions. This In particular we shall see that the product of two providesaframeworkforexaminingpossibilisticsecu- systems behaves quite well with respect to security rityproperties. Wegoontoestablishsomeelementary properties. Further, when two systems are cascaded: facts about such properties and their relationships. (cid:15) Separabilityis preserved when composed with it- 2.1 The Alpern-Schneider Framework self; and Its Limitations (cid:15) Noninference is preserved when composed with itself and with Separability; The Alpern-Schneider framework is transparent with respect to any particular notion of system state. To (cid:15) Generalized Noninterference is preserved when makethingsmoreconcrete, weintroducethefollowing composed with itself and with Separability;and characterization: (cid:15) GeneralizedNoninference ispreserved when com- De(cid:12)nition 2.1 (StateSpace)Fornonnegativeinte- posed withitself,withNoninference, withGener- gersmandn,lethin1;:::;inmibeatupleofmdistinct alized Noninterference, and with Separability. input variablesandhout1;:::;outnibe atupleofndis- tinct output variables such that the ith input variable Weshallalsosee thatwhentwosystemsarecomposed ranges over somealphabet Ii and the ith output vari- with a feedback construction: ablerangesoversomealphabetOi. Astatespaceisthe set fhhin1;:::;inmi;hout1;:::;outniij ini 2 Ii ^outi 2 (cid:15) Separabilityis preserved when composed with it- Oig. An element of a state space is called a system self; and state. 2 (cid:15) Noninference is preserved when composed with As an example, consider the state space whose itself and with Separability. states are of the form hhin1;:::;inmi;hout1;:::;outmii The extent to which other properties are preserved where for all 1 (cid:20) i (cid:20) m: Ii = Oi = f0;1;(cid:21)g. As- when composed with the feedback construction de- sume that for some 1 (cid:20) n < m: in1;:::;inn and pends onthe particulars ofthe system. In Section 3.2 inn+1;:::;inm are input channels that contain the in- we see that this is also true for internal composition puts of H = n distinct high-level users and L = (union,intersection,andset di(cid:11)erence) andforre(cid:12)ne- m(cid:0)n distinct low level users, respectively, and that ment. InSection4weshallshallgainsomeinsightinto out1;:::;outnandoutn+1;:::;outmareoutputchannels why feedback and internal composition causes prob- that contain the outputs to these same users. Of lems for possibilistic security properties. course, some of the high-level users may be Trojan Thispaperisnotmeanttobeanargumentforusing Horses operating on behalf of some of the low-level possibilisticsecurity models. Ihavediscussed the lim- users. If there is no current input or output on a par- itationsofsuchmodelselsewhere [10,13]andshallnot ticular channel, the channel takes on the value (cid:21). In re-visitthese issues here. However,when comparedto the future we shall refer to this state space with H their probabilistic counterparts, such as [5, 10], pos- high-level users and L low-level users as the two level sibilistic security models provide us with a relatively security state space, which we denote by (cid:6)^. We shall simple model for building systems and have, for this denote hin1;:::;inni, hinn+1;:::;inmi, hout1;:::;outni, reason, enjoyed agreat deal ofpopularity. Thispaper andhoutn+1;:::;outmibyhighin,lowin,highout,and is an attempt to understand these models and their lowout, respectively. 2 In the case of trace((cid:6)^), we shall use highin(t), Notationfor Tuples: Givena set (cid:27), we shalluse lowin(t), highout(t), and lowout(t) to refer to n the notation (cid:27) to denote (cid:27)’s nth-iterated Cartesian in[1:::n](t), in[(m (cid:0) n):::m](t), out[1:::n](t), and 2 product(cid:27)(cid:2):::(cid:2)(cid:27),andgiventhesymbol(cid:11),weshalluse out[(m(cid:0)n):::m](t),respectively. n (cid:11) to denote the n-tuple h(cid:11);:::;(cid:11)i. Given tuples x = hx1;:::;xmi and y = hy1;:::;yni, we shall use x[i] to Following Alpern and Schneider, a property and a denote xi and hx :yi to denote hx1;:::;xm;y1;:::;yni. system are both trace sets, and a property holds fora 2 system ifand onlyifthe system is a re(cid:12)nement ofthe property [2]. Intuitively, a property trace set consists De(cid:12)nition 2.2 (Trace Set) Given a state space, ofthose traces that satisfy the property and a system (cid:6), (cid:6)’s trace space, written trace((cid:6)), is the set tracesetconsistofthosetracesthatthesystemcanex- fhs1;s2;:::ijsi 2 (cid:6)g. An element of a trace space is hibit. Abadi and Lamport add to this frameworkthe called a trace. A subset of a trace space is called a concept of a speci(cid:12)cation, which is a property formed trace set. A trace set (cid:27)1 is a re(cid:12)nement of a trace set 2 by taking the union of the set of traces that conform (cid:27)2 if and only if (cid:27)1(cid:18)(cid:27)2. to a system’s desired behavior and the set of traces As an example,consider (cid:6)^ introduced above. The thatcontainviolationsofasystem’sinputrestrictions [1]. Thelattersetre(cid:13)ects assumptionsabouttheenvi- trace space trace((cid:6)^) is the set of traces of the form ronmentinwhichthesystemistobe run. The former setre(cid:13)ects requirementsabouthowasystemcanreact t = hhhhighin1 :lowin1i;hhighout1 :lowout1ii; when placed inan environmentthat satis(cid:12)es its input restrictions. A program satis(cid:12)es a speci(cid:12)cation if the hhhighin2 :lowin2i;hhighout2 :lowout2ii;:::i; speci(cid:12)cation holds for the program. where highini, lowini, highouti, and lowouti repre- TheAlpern-Schneider frameworkisveryappealing. sent the high-level and low-level input to and output The conception of property as a set of traces has the fromthe system at time i. theoretical consequence of makingevery property the By eliminatingtraces, re(cid:12)nements of trace((cid:6)^) can intersection of a safety property and a liveness prop- erty [2], and the conception of an implementation as reduce nondeterminism and limit the input domain. re(cid:12)nement seems very natural given the fact, noted However, since re(cid:12)nements cannot introduce new be- above, that re(cid:12)nement preserves properties of traces. haviors, any property that is satis(cid:12)ed by every trace Further,theabilitytospecifyinputrestrictionsmakes of a subset of trace((cid:6)^) is preserved by every trace of it unnecessary to reason about a system’s reaction to anyre(cid:12)nementofthatsubset. So,forexample,ifevery an environment that fails to satisfy its restrictions. trace insometrace set (cid:27)(cid:18)trace((cid:6)^) hasthe proprety This isin contrast to the assumptionof inputtotality that highouti =highini+lowini, then every trace in usuallymadein the security community,for example, any re(cid:12)nement of (cid:27) also has this property. in [8, 19]. Finally, the Abadi-Lamport Composition As another example of a trace set we shall (cid:12)nd Principle makes it possible to determine fromcompo- useful, consider the state space fhhini;houtiij in 2 nent speci(cid:12)cations whether or not a composite com- I^out2Og where I =O. We shall call the trace set prising those components satis(cid:12)es its speci(cid:12)cation. ^I = fhhhin1i;hout1ii;hhin2i;hout2ii;:::ij ini = outig A limitationof the Alpern-Schneider framework is the identity system. thatnoteverysystempropertyofinterestisaproperty oftraces. For example,Abadiand Lamportnote that Notationfor Traces: Given a trace average response time over all possible executions is 1 1 1 1 not a property of traces. They do not seem to regard t = hhhin1;:::;inji;hout1;:::;outkii; this as a serious limitation of the Alpern-Schneider 2 2 2 2 framework, however, since there is a trace property hhin1;:::;inji;hout1;:::;outkii;:::i; that approximatesit (viz.,average response timeover we shall use the followingnotationalconventions: long sequences of events within a single trace) [1]. However, there are system properties for which it i i i i t[i] = hhin1;:::;inji;hout1;:::;outkii; is unclear that such \nice" trace-level approximations i i i i exist. Forexample,consider amulti-levelsystem that t[i:::n] = hhhin1;:::;inji;hout1;:::;outkii;:::; takes a set of integers as input ini and returns some n n n n hhin1;:::;inji;hout1;:::;outkiii; permutationofthe set as outputouti. Con(cid:12)dentiality 1 1 2 2 considerations may lead to the requirement that the in(t) = hhin1;:::;inji;hin1;:::;inji;:::i; permutation a low-level user sees cannot be a(cid:11)ected 1 1 2 2 by high-level input (i.e., any legal low-level permu- out(t) = hhout1;:::;outki;hout1;:::;outki;:::i; tation is co-possible with any legal high-level input). l l m m in(t)[l:::m] = hhin1;:::;inji;:::;hin1 ;:::;inj ii; Integrity considerations may lead to the requirement l l m m thatthepermutationthatahigh-leveluserseescannot out(t)[l:::m] = hhout1;:::;outki;:::;hout1 ;:::;outkii; bea(cid:11)ectedbylow-levelinput(i.e.,anylegalhigh-level 1 1 2 2 in[l:::m](t) = hhinl;:::;inmi;hinl;:::;inmi;:::i; permutationisco-possible withany legallow-levelin- 1 1 2 2 put). Availability considerations may lead to the re- out[l:::m](t) = hhoutl;:::;outmi;houtl;:::;outmi;:::i; quirement that if a system’s high-level response time slowsdown,thedelaycannothavebeencausedbylow- 3 level behavior (i.e, any legal high-level delay must be co-possible with any legal low-levelinput). 2.2 Security Models and Selective Inter- The fact that possibilistic properties are not prop- leaving Functions erties oftraces followsimmediatelyfromthe fact that 2 they are not preserved by trace subsetting [12]. For Ifpossibilisticsecurityproperties arenotproperties of example,considerthetwousersecuritystatespace,(cid:6)^, traces, i.e., trace sets, what are they? The answer is and the con(cid:12)dentialityproperty P that any legallow- thattheyare properties oftrace sets, i.e.,sets oftrace level behavior must be co-possible with all legalhigh- sets. For example, consider the purge function that level behaviors. If P were a property of traces, there sets all high-level input and output in a trace t to (cid:21), wouldbeaset(cid:27) consistingofthosetraces oftrace((cid:6)^) i.e., the function purge : trace((cid:6)^) ! trace((cid:6)^), such thatsatisfyP andsystemswouldsatisfyP onlyinthe that sense that they were subsets of (cid:27). Since a system (cid:27)1 consistingofalltracestriviallysatis(cid:12)esP,(cid:27)1wouldbe asubsetof(cid:27). However,asystem(cid:27)2consistingofthose H H purge(t)=hhh(cid:21) :lowin(t)[1]i;h(cid:21) :lowout(t)[1]ii; traces t of (cid:27)1 in which high-levelinput highin(t)[i] is H H echoed as low-level output lowout(t)[i+1] does not hh(cid:21) :lowin(t)[2]i;h(cid:21) :lowout(t)[2]ii;:::i: satisfy P and, therefore, would not be a subset of (cid:27). Hence, if P were a property of traces, we would Noninference, originallydue to O’Halloran[16],is the be faced with the contradiction that (cid:27)1 would be a property that is satis(cid:12)ed by a trace set (cid:27) if and only 4 subset of (cid:27), yet (cid:27)2 would not be a subset of (cid:27) even if (cid:27) is closed under purge. though (cid:27)2(cid:18)(cid:27)1. Similararguments apply for each of For deterministic systems, Noninference is equiva- the properties listed above since each requires that a lent to Goguen and Meseguer’s Noninterference [3] if systemmustexhibitcertainbehaviors(notinthelive- weassumethathigh-leveloutputcannotbe generated ness sense ofsayingthatthe behaviormusteventually whenthereisnohigh-levelinput. Hence,fordetermin- happen, but in the possibilistic sense that the system istic systems satisfyingthis assumption,Noninference could have done otherwise). shares Noninterference’s property of being practically Nor do these properties seem to have \nice" trace- perfect [10]. Further, Noninference is more general levelproperties that approximatethem. Forexample, than Noninterference in that the latter fails to be di- it may be possible to form a trace-level approxima- rectly applicable to nondeterministic systems. How- tion by borrowing techniques from the theory of Kol- ever, as noted in [13], Noninference is too strong for mogorov complexity and say that a trace is secure if systems in which high-level output can exist without knowledge of its low-level events does not help us to high-level input and too weak, in general, since it al- determine its high-level input [7]. However, such an lowslow-leveloutputtobein(cid:13)uencedbytheinsertion approach would clearly sacri(cid:12)ce the relative simplic- of high-level input. ity possibilisticsecurity modelsenjoy over their prob- By generalizing the notion of purge, we obtain a abilistic counterparts [5, 10]. nondeterministic formulation of Noninterference that Although the fact that these security properties does not contain the assumption that high-level out- are not preserved by re(cid:12)nement implies the fact that put can be generated only when there is high-level these properties are not properties of traces, the two input. Say that f : trace((cid:6)^) ! trace((cid:6)^) is an points are distinct and deserve to be separated. Re- input purge if and only if f(s) = t implies that turning to property P, the former point shows that H H H highin(t) = h(cid:21) ;(cid:21) ;(cid:21) ;:::i, lowin(t) = lowin(s), functionally correct implementations of speci(cid:12)cations 3 and lowout(t) = lowout(s). In other words, a func- that satisfy P do not necessarily preserve P. The tion f is an input purge if it sets all high-level inputs latter point is more fundamental. It shows that P to (cid:21) and does not alter low-level inputs or outputs. is not de(cid:12)nable within the Alpern-Schneider frame- Two input purges may di(cid:11)er in what they assign to work to begin with. Hence, we may be able to write high-level outputs, however. For example, the func- speci(cid:12)cations that satisfy P, but we cannot reason tion purge de(cid:12)ned above is the input purge that sets about them or their composition within the Alpern- all high-level outputs to (cid:21), but there are other input Schneider framework. Nor can we apply composition purges. Saythatasystemsatis(cid:12)esGeneralizedNonin- principles, such as Abadi and Lamport’s [1], that are ference if and only if the system is closed under some limitedto Alpern-Schneider properties. input purge. 2 A formulation of Noninterference that does not The factthatmanycon(cid:12)dentialitypropertiesare notpre- employ purge functions but, instead, a more gen- servedbythestandardnotionofre(cid:12)nementhasbeennotedby eral concept of trace interleaving is derivative of McCullough[8] andaddressed,tosomeextent,in[4], [6],[11], and Section 3.2 of this paper. The fact that these properties Sutherland’s notion of Deducibility Security [19]. arenottracesetsisadistinctpoint,(cid:12)rstpointedouttomeby Consider the function interleave : trace((cid:6)^) (cid:2) Jim Gray, althoughGray’s originalargumentdi(cid:11)ers from the 4 onepresentedhere. A set (cid:27) is closed under a functionf if and only if s 2 (cid:27) 3 Thisisnotsimplybecauselowerlevelimplementationdetail impliesthatf(s)2(cid:27). By analogy,we shallextendthenotion mayintroducenewchannels,butbecauseeliminationofpossible to multi-argumentfunctions. For example, (cid:27) is closed under system output may turn zero capacity channels into positive f : (cid:27)(cid:2)(cid:27) ! (cid:27) if and only if s1 2 (cid:27) and s2 2 (cid:27) impliesthat capacitychannels. f(s1;s2)2(cid:27). 4 SEPARABILITY trace((cid:6)^) ! trace((cid:6)^) such that interleave(t1;t2) = t implies that highin(t) = highin(t1), lowin(t) = GENERALIZED NONINFERENCE lowin(t2), highout(t)=highout(t1), and lowout(t)= NONINTERFERENCE lowout(t2). Say that a system satis(cid:12)es Separability if and only if it is closed under interleave. Separa- GENERALIZED bility is preferable to Sutherland’s Deducibility Se- NONINFERENCE curity, which requires only that a high-level history can be inserted somewhere in a low-level history, since Deducibility Security is extremely weak [13]. In Figure 1: Partial Ordering of Possibilistic Security fact, in many ways Separability more closely resem- Models. bles Rushby’s notion of a Separation Kernel [18] and WittboldandJohnson’sNondeducibilityonStrategies [17]. Separability is also stronger than Noninference respect toinput(output)channelssuchthati[x](j[x]) and Generalized Noninference. In fact, its combina- is equal to 2. Distinct selective interleaving functions tion of strength and simplicitymake it close to being of type Fi;j di(cid:11)er on what they assign to input chan- an ideal security property for nondeterministic sys- nels such that i[x]=0 and output channels such that tems,althoughitislimitedtosystemswhere low-level 5 j[x]=0. Hence, giveni andj such that for no xdoes events cannot a(cid:11)ect high-level events. i[x]=0orj[x]=0,Fi;j containsexactlyonemember. Aproperty thatallowslow-levelevents toin(cid:13)uence For example, Separability’s function interleave high level events can be obtained by generalizing the is the single selective interleaving function of type foufnicntpiount pinutregrelseagveeneirnalitzhees stahmeefuwncatyiotnhapturtghee.clSaasys Fh1H:2Li;h1H:2Li : trace((cid:6)^) (cid:2) trace((cid:6)^) ! trace((cid:6)^), that f : trace((cid:6)^)(cid:2)trace((cid:6)^) ! trace((cid:6)^) is an input and Noninference’s purge is the one argument function one obtains by restricting Separability’s interleaving if and only if f(t1;t2) = t implies that H+L H+L interleave to the domain fhh(cid:21) ;(cid:21) i;:::ig (cid:2) highin(t) = highin(t1), lowin(t) = lowin(t2), and lowout(t)=lowout(t2). Generalized Noninterference, trace((cid:6)^). Generalized Noninterference’s input in- originallydue to McCullough[8],is the property that terleavings are the class of selective interleaving a system possesses if it is closed under some input functions of type Fh1H:2Li;h0H:2Li : trace((cid:6)^) (cid:2) 6 interleaving. trace((cid:6)^) ! trace((cid:6)^), and Generalized Noninfer- What all of these security properties have in com- ence’s input purges are Generalized Noninterfer- mon is that each is a closure property with respect ence’s input interleavings restricted to the domain tosomefunctionthattakes twotraces andinterleaves fhh(cid:21)H+L;(cid:21)H+Li;:::ig(cid:2)trace((cid:6)^). them to form a third trace. This observation moti- From this it is clear that for any system that vates the followingde(cid:12)nition: H+L H+L contains hh(cid:21) ;(cid:21) i;:::i, Separability is strictly De(cid:12)nition 2.3 (Selective strongerthanNoninferenceandGeneralizedNoninter- Interleaving Functions) Let (cid:6) be the state space ference isstrictly stronger thanGeneralized Noninfer- fhhin1;:::;inmi;hout1;:::;outniij ini 2Ii^outi 2Oig, ence. Further,sinceanyselectiveinterleavingfunction let i 2 f0;1;2gm, and let j 2 f0;1;2gn. A func- oftypeFh1H:2Li;h1H:2Li is alsooftype Fh1H:2Li;h0H:2Li, tion f : trace((cid:6)) (cid:2) trace((cid:6)) ! trace((cid:6)) is a se- we see that Separability is strictly stronger than lective interleaving function of type Fi;j if and only Generalized Noninterference and that Noninference if f(t1;t2) = t implies that for all x such that is strictly stronger than Generalized Noninference. i[x] = 1 : in[x](t) = in[x](t1), for all x such that Hence, Separabilityis the strongest of our properties, i[x] = 2 : in[x](t) = in[x](t2), for all x such that andGeneralizedNoninferenceistheweakest. General- j[x] = 1 : out[x](t) = out[x](t1), and for all x such ized Noninterference andNoninference fallinbetween that j[x]=2: out[x](t)=out[x](t2). 2 these two, but are not comparable with each other. (See Figure 1 .) It is obvious that closure under a class of selec- Intuitively,a selective interleaving function of type tive interleaving functions is not generally preserved Fi;j takes its two argument traces and forms a new by re(cid:12)nement. However, we shall see some conditions trace that agrees with the (cid:12)rst argument trace with underwhichitispreservedinSection3.2. Itisalsoob- respect toinput(output)channelssuchthati[x](j[x]) vious that every system is closed under the selective isequalto1andwiththe second argumenttrace with interleaving function of type Fh1;:::;1i;h1;:::;1i and the 5 This limitation is not as stringent as it may (cid:12)rst appear selective interleaving function of type Fh2;:::;2i;h2;:::;2i since high-level users can be allowed to read low-level input and that given a trace space (cid:6), only the trace sets fg andoutputchannels. However,itpreventsasystem,e.g.,from andtrace((cid:6))areclosedunderallselectiveinterleaving recordinglow-leveleventsinanaudit(cid:12)lethatistobesentout functions of type Fh0;:::;0i;h0;:::;0i. The following theo- onahigh-levelchannel. 6 rems are also worth noting. The (cid:12)rst shows that if ThisversionofGeneralizedNoninterferenceisweakerthan a trace set is closed under one selective interleaving McCullough’s by not requiring that high-level output can be altered only at a point after which high-level input has been function, then it is closed under, at least, one other. altered. However,thisdi(cid:11)erencedoesnota(cid:11)ectanyofthecom- Thesecondshowsthattheidentitysystem,^I,isclosed positionresultsthatfollow,anditsimpli(cid:12)esthepresentation. under a variety of selective interleaving functions. 5 Theorem 2.4 Given s = hs1;:::;sni 2 f0;1;2gn, let s1 0 0 0 0 0 s denote hs1 ;:::;sni where 0 = 0, 1 = 2, and 0 2 = 1. Given any state space (cid:6) and any trace set (cid:27) (cid:18)trace((cid:6)),if(cid:27) isclosedunder someselective inter- s2 leaving function f of type Fi;j then it is closed under 0 0 0 some selective interleaving function f of type Fi;j . Proof: For all x such that i[x] = 0: let in(f0(s1;s2))[x] = in(f(s2;s1))[x] and for all x Figure 2: Product of (cid:27)1 and (cid:27)2 0 such that j[x] = 0: let out(f (s1;s2))[x] = 0 out(f(s2;s1))[x]. Note that f (s1;s2) = f(s2;s1). 0 is not used. Hence f is obviouslya selective interleavingfunction 0 0 oftypeFi;j . Since(cid:27)isclosedunderf,itisalsoclosed 0 2 under f . 3.1.1 Product Theorem 2.5 (Identity Theorem) For each x 2 f1;2g, the identity system, ^I, is closed under the se- We begin by considering the product of two systems, lective interleavingfunction of type Fhxi;hxi. It is also i.e., the composition where two systems (cid:27)1(cid:18)(cid:6)1 and closed under, at least, one selective interleaving func- (cid:27)2(cid:18)(cid:6)2aresimplyregardedasasinglesystem(cid:27) (cid:18)(cid:6). tionoftypeFhxi;h0i,atleast,oneselectiveinterleaving (See Figure 2 .) functionoftypeFh0i;hxi,andatleast,twoselective in- terleaving functions of type Fh0i;h0i. De(cid:12)nition 3.1 (Product) Let (cid:6)1 and (cid:6)2 be any two state spaces of the form 1 1 1 1 1 1 1 1 Proof: The case for Fhxi;hxi is obvious. For a se- fhhin1;:::;inji;hout1;:::;outkiij ini 2Ii ^outi 2Oig 2 2 2 2 2 2 2 lective interleaving function f of type Fhxi;h0i or of andfhhin1;:::;inmi;hout1;:::;outniijini 2Ii ^outi 2 2 type Fh0i;hxi, consider the selective interleaving func- Oig, respectively. Given any two trace sets (cid:27)1 (cid:18) (cid:6)1 tion f(s1;s2) = sx. For a selective interleaving func- and (cid:27)2(cid:18)(cid:6)2, (cid:27)1(cid:2)(cid:27)2 is the trace set tionoftypeFh0i;h0i,consider theselective interleaving 1 1 (cid:27) = fsj (9s12(cid:27)1)(9s2 2(cid:27)2) functionf suchthatf (s1;s2)=s1andtheselective interleaving function f2 such that f2(s1;s2)=s2. 2 (in[1:::j](s)=in(s1)^ in[(j+1):::(j+m)](s)=in(s2)^ out[1:::k](s)=out(s1)^ 3 System Composition out[(k+1):::(k+n)](s)=out(s2)g: (cid:27) is called the product of (cid:27)1 and (cid:27)2. 2 Inthissectionweconsiderthecompositionofsystems. We (cid:12)rst consider external compositionconstructs, i.e. Theorem 3.2 (CompositionTheoremforProd- constructs used tocomposeanetworkofsystemsfrom ucts)Let (cid:27) =(cid:27)1(cid:2)(cid:27)2. Then (cid:27)1 isclosed under some 1 individualsystems. Wethen consider internalcompo- selective interleaving function f of type Fi1;j1 and (cid:27)2 2 sitionconstructs, i.e.,constructs used tocomposeand isclosed under someselective interleavingfunctionf re(cid:12)ne policies within one system. of type Fi2;j2 if and only if (cid:27) is closed under some selective interleaving function f of type Fhi1:i2i;hj1:j2i. 3.1 External Composition Constructs Proof: For any s 2 (cid:27) and t 2 (cid:27), let s(cid:27)1 be that In this section we de(cid:12)ne three external composition part of s that is in (cid:27)1 and s(cid:27)2 be that part of s that constructs: product, cascade, and feedback. We ex- isin(cid:27)2, andlet t(cid:27)1 be that part oftthat isin (cid:27)1and amine the extent to which a system’s closure prop- t(cid:27)2 be that part of t that is in (cid:27)2. Going fromleft to 1 2 erties with respect to classes of selective interleaving right assume f (s(cid:27)1;t(cid:27)1) = u1 and f (s(cid:27)2;t(cid:27)2) = u2. functions are preserved by each construct and show We can then let that product and feedback are su(cid:14)cient for perform- 7 ing general composition. . Our reason for separating cascade from feedback is to examine the behavior of f(s;t) = hhhin(u1)[1]:in(u2)[1]i; con(cid:12)dentiality properties under di(cid:11)erent composition hout(u1)[1]:out(u2)[1]ii; constructs. Feedback is not always necessary, and as hhin(u1)[2]:in(u2)[2]i; weshallseeinSection4,itshouldbeavoidedwhenever possible. Hence, itis useful to knowhow con(cid:12)dential- hout(u1)[2]:out(u2)[2]ii;:::i; ity properties behave in compositionswhere feedback and we are done. Going from right to left, assume 7 This has also been noted by Millen, who attributes it to s 2(cid:27)1 and t 2(cid:27)1. Pick some arbitrary trace r 2 (cid:27)2, Rushby,althoughMillen’sconstructiondi(cid:11)ersfromours[15] and let 6 I s1 s2 s2 s1 Figure 3: Cascade of (cid:27)1 and (cid:27)2 I Figure4: Using^Iandthecascadeconstructiontoform a general cascade of (cid:27)1 and (cid:27)2 u = hhhin(s)[1]:in(r)[1]i; hout(s)[1]:out(r)[1]ii; 1 1 hhin(s)[2]:in(r)[2]i; fhhin1;:::;inki;hout1;:::;outmiij ini 2Ii ^outi 2Oig 2 hout(s)[2]:out(r)[2]ii;:::i; and fhhin1;:::;inmi;hout1;:::;outniij ini 2Ii ^outi 2 2 1 2 Oig, respectively, such that Oi (cid:18) Ii. Given two and trace sets (cid:27)1 (cid:18) (cid:6)1 and (cid:27)2 (cid:18) (cid:6)2 where for every trace s1 2 (cid:27)1 there is a trace s2 2 (cid:27)2 such that v = hhhin(t)[1]:in(r)[1]i; out(s1)=in(s2), (cid:27)=(cid:27)1(cid:14)(cid:27)2 is the trace set hout(t)[1]:out(r)[1]ii; hhin(t)[2]:in(r)[2]i; (cid:27) = fsj (9s12(cid:27)1)(9s22(cid:27)2)(in(s)=in(s1)^ hout(t)[2]:out(r)[2]ii;:::i: out(s1)=in(s2)^out(s2)=out(s)g: Letting w=f(u;v), we can then let (cid:27) is called the cascade of (cid:27)1 and (cid:27)2. 2 1 f (s;t) = hhin[1:::j](w)[1];out[1:::k](w)[1]i; Our de(cid:12)nition of cascade assumes that (cid:27)1 has the hin[1:::j](w)[2];out[1:::k](w)[2]i;:::i: samenumberofoutputchannelsas(cid:27)2hasinputchan- nels with all of (cid:27)1’s output going into (cid:27)2 as input The proof for s2(cid:27)2 and t2(cid:27)2 is analogous,and we and all of (cid:27)2’s input coming from (cid:27)1. However, this are done. 2 assumption is not necessary. We can use the Com- position Theorem for Products to append the identity Corollary 3.3 Let (cid:27) be closed under some selective system,^I, to (cid:27)1 so that the environment can provide interleavingfunction of type Fi;j, and let x2f0;1;2g input to (cid:27)2 (via^I) and to append (cid:27)2 to^I so that (cid:27)1 and y 2 f0;1;2g be such that either x = 0, y = 0 or can provide output to the environment (also via ^I). x = y. Then (cid:27)(cid:2)^I is closed under, at least, one se- We call ((cid:27)1(cid:2)^I)(cid:14)(^I(cid:2)(cid:27)2) the general cascade of (cid:27)1 lective interleavingfunctionoftype Fhi:hxii;hj:hyii,and and (cid:27)2. (See Figure 4 .) By Corollary 3.3 if (cid:27)1(cid:14)(cid:27)2 ^I(cid:2)(cid:27)isclosedunder,atleast,oneselectiveinterleaving is closed under some selective interleaving function of function if type Fhhxi:ii;hhyi:ji. 2 type Fi;j then the general cascade of (cid:27)1 and (cid:27)2 is closed under an analogous selective interleaving func- Proof: Use the Identity Theorem with the Com- tion, unless i = h1;:::;1i and j = h2;:::;2i or vice position Theorem for Products. 2 versa. Theorem 3.5 (Composition Theorem for Cas- cades) Consider any two trace sets (cid:27)1 and (cid:27)2 as described in De(cid:12)nition 3.4, closed under selective in- 3.1.2 Cascade 1 2 terleaving functions f of type Fi1;j1 and f of type Fi2;j2 respectively. For any trace (cid:11) 2 (cid:27), let (cid:11)(cid:27)1 be A more interesting type of system compositionis cas- a trace in (cid:27)1 and (cid:11)(cid:27)2 be a trace in (cid:27)2 such that cading. (See Figure 3 .) Cascades are formed by tak- in((cid:11))=in((cid:11)(cid:27)1), out((cid:11)(cid:27)1)=in((cid:11)(cid:27)2), and out((cid:11)(cid:27)2)= ing two systems (cid:27)1 and (cid:27)2 and passing (cid:27)1’s output out((cid:11)). (Note that (cid:11)(cid:27)1 and (cid:11)(cid:27)2 exist by the de(cid:12)ni- as input to (cid:27)2. Although we assume that (cid:27)1’s output tion of cascade.) Assume that for every s and t in (cid:27), 1 meets any environment restrictions assumed by (cid:27)2’s f (s(cid:27)1;t(cid:27)1)=u1 impliesthat there is a trace u2 2(cid:27)2 input, i.e., that (cid:27)1’s output is acceptable input for such that (1) out(u1) = in(u2) and (2) for all x such 2 (cid:27)2, this assumption is used only in Corollary 3.7. Its that j2[x] 6= 0 : out[x](u2) = out[x](f (s(cid:27)2;t(cid:27)2)). purpose is to guarantee that if we the place the cas- Then the function f, such that in(f(s;t)) = in(u1) cade of (cid:27)1 and (cid:27)2 into an environment that satis(cid:12)es and out(f(s;t)) = out(u2), is a selective interleaving the input restrictions of (cid:27)1, the resulting system will function of type Fi1;j2 and (cid:27) is closed under f. be well-behaved. Proof: For any s and t in (cid:27), let s(cid:27)1, s(cid:27)2, t(cid:27)1, De(cid:12)nition 3.4 (Cascade) Let (cid:6)1 and (cid:6)2 be state t(cid:27)2, u1, u2, and f be as described in the statement of spaces of the form the theorem. Also, let v be that sequence such that 7 1 2 in(v) = u1 and out(v) = u2. Since by the assump- Corollary 3.6 Let(cid:27),(cid:27)1,(cid:27)2,f ,f ,Fi1;j1,andFi2;j2 tions of the theorem out(u1) = in(u2), we know that be as described in the Composition Theorem for Cas- v 2(cid:27). Hence, (cid:27) isclosed under f. Weshallshowthat cades. Given any s and t in (cid:27), let s(cid:27)1, s(cid:27)2, t(cid:27)1, t(cid:27)2, f is a selective interleaving function of type Fi1;j2. and u1 also be as described in that theorem. If for To this end, note that for all x such that i1[x] = 1: all 1 (cid:20) x (cid:20) m: j1[x] = i2[x] 6= 0, then there is a se- in[x](v) = in[x](u1) = in[x](s(cid:27)1) = in[x](s) and that lective interleavingfunction f of type Fi1;j2 such that 2 for all x such that i1[x] = 2: in[x](v) = in[x](u1) = in(f(s;t)) = in(u1), out(f(s;t)) = out(f (s(cid:27)2;t(cid:27)2)), in[x](t(cid:27)1)=in[x](t). Similarly,notethatforallxsuch and (cid:27) is closed under f. 2 that j2[x]=1: out[x](v)=out[x](u2)=out[x](s(cid:27)2)= out[x](s) and that for all x such that j2[x] = 2: Proof: Note that the restrictions on j1 and i2 im- 2 out[x](v) = out[x](u2) = out[x](t(cid:27)2) = out[x](t). ply that f (s(cid:27)2;t(cid:27)2) meets the conditions on u2 re- Hence, f meets all the conditions necessary to be a quired by the Composition Theorem for Cascades. 2 selective interleaving function of type Fi1;j2, and we are done. 2 As an application of Corollary 3.6, consider any trace sets (cid:27) (cid:18)trace((cid:6)^) and (cid:27)2(cid:18)trace((cid:6)^) such that As an application of the Composition Theorem for (cid:27) = (cid:27)1 (cid:14) (cid:27)2 is de(cid:12)ned. Our corollary tells us the Cascades, consider two systems (cid:27)1 (cid:18) trace((cid:6)^) and followingfacts: (cid:27)2(cid:18)trace((cid:6)^) such that (cid:15) If (cid:27)1 and (cid:27)2 satisfy Separability,then so does (cid:27). (cid:15) If(cid:27)1and(cid:27)2satisfyNoninference, thensodoes(cid:27). (cid:27)1 = fsj lowout(s)=lowin(s)^ (cid:15) If one of f(cid:27)1;(cid:27)2g satis(cid:12)es Noninference and the (i)(highout(s)[i] =highin(s)[i]+lowin(s)[i])g other satis(cid:12)es Separability, then (cid:27) satis(cid:12)es Non- H+L H+L inference if hh(cid:21) ;(cid:21) i;:::i2(cid:27). and (cid:15) If (cid:27)1 satis(cid:12)es Separability and (cid:27)2 satis(cid:12)es Gen- eralized Noninterference, then (cid:27) satis(cid:12)es Gener- (cid:27)2 = fsj lowout(s)=lowin(s)^ alized Noninterference. (i)(highout(s)[i] =highin(s)[i](cid:2)lowin(s)[i])g: (cid:15) If(cid:27)1satis(cid:12)esNoninferenceand(cid:27)2satis(cid:12)esGener- Note that (cid:27)1 is closed under f1 of type Fh1;2i;h0;2i alized Noninference, then (cid:27) satis(cid:12)es Generalized Noninference. where (cid:15) If(cid:27)1satis(cid:12)es Separabilityand(cid:27)2satis(cid:12)es Gener- alized Noninference, then (cid:27) satis(cid:12)es Generalized f1(s;t)[i] = hhhighin(s)[i];lowin(t)[i]i; Noninference if hh(cid:21)H+L;(cid:21)H+Li;:::i2(cid:27). hhighin(s)[i]+lowin(t)[i];lowout(t)[i]ii 1 2 Corollary 3.6 requires that f and f must agree 2 and be fully speci(cid:12)ed with respect to interface chan- and (cid:27)2 is closed under f of type Fh1;2i;h0;2i where 8 nels, i.e., that for all x : i2[x] = j1[x] 6= 0. As a consequence, although the corollary tells us about 2 f (s;t)[i] = hhhighin(s)[i];lowin(t)[i]i; compositionswhere(cid:27)1satis(cid:12)esSeparabilityorNonin- hhighin(s)[i](cid:2)lowin(t)[i];lowout(t)[i]ii: ference, it tells us nothing about compositions where (cid:27)1 satis(cid:12)es Generalized Noninference or Generalized Noninterference. For such compositions we need the Hence, both (cid:27)1 and (cid:27)2 satisfy Generalized Noninter- following: ference. By the Composition Theorem for Cascades, (cid:27) is closed under f of type Fh1;2i;h0;2i, where 1 2 Corollary 3.7 Let(cid:27),(cid:27)1,(cid:27)2,f ,f ,Fi1;j1,andFi2;j2 be as described in the Composition Theorem for Cas- cades and assume that for no x does i2[x] = 0. If f(s;t)[i] = hhhighin(s)[i];lowin(t)[i]i; either h(highin(s)[i]+lowin(t)[i])(cid:2)lowin(t)[i]; lowout(t)[i]ii: (1) ((1(cid:20)x(cid:20)m^j1[x]6=i2[x])!i2[x]=1)^ (1(cid:20)x(cid:20)n!j2[x]6=1) Hence, (cid:27)satis(cid:12)es GeneralizedNoninterference aswell. or AlthoughtheCompositionTheoremforCascadesis verygeneral,itissometimesdi(cid:14)culttoapplysinceits (2) ((1(cid:20)x(cid:20)m^j1[x]6=i2[x])!i2[x]=2)^ application depends upon knowledge of system func- (1(cid:20)x(cid:20)n!j2[x]6=2); tionalitytodeterminewhether u2 exists in(cid:27)2. Asim- 8 pler tool, which depends solely on the types of the AlthoughbyTheorem2.4,thecorollaryalsoappliestocases 0 relevant selective interleaving functions, is the follow- where i2[x] = j1 [x]. A similar observationapplies to all our ing: theoremsandcorollaries. 8 s in1 out1 in2 out2 thenthereisaselective interleavingfunctionf oftype 2 Fi1;j2, such that (cid:27) is closed under f. Proof: For any s and t in (cid:27), let s(cid:27)1, s(cid:27)2, t(cid:27)1, t(cid:27)2, s1 in1 out1 in2 out2 in3 out3 in4 out4 and u1 be as in the proof of the Composition The- orem for Cascades. Note that although u1 satis(cid:12)es the conditions necessary for it to serve as the input s2 in1 out1 in2 out2 part of f(s;t), this case di(cid:11)ers from the case of the 2 Corollary 3.6 in that we cannot use f (s(cid:27)2;t(cid:27)2) as the output part of the trace since we cannot guar- antee that out(u1) = in(f2(s(cid:27)2;t(cid:27)2)). However, by Figure 5: (cid:27) as the Feedback of (cid:27)1 and (cid:27)2 the interface requirement in the de(cid:12)nition of cascade (cid:3) we know that there is some trace u 2 (cid:27)2 such that (cid:3) out(u1) = in(u ). Assume condition (1) of the theo- response to the input from(cid:27)2 (at time2 of (cid:27)1’s local rem holds and let u2 = f2(u(cid:3);t(cid:27)2). Note that for all clock, but still time 1 of the user’s local clock). The 1 (cid:20) x (cid:20) m : if i2[x]= 1 then in[x](u2) = in[x](u(cid:3)) = user thenprovidesthe nextinputto(cid:27)1(time2bythe out[x](u1) by construction of u(cid:3), and if i2[x] = 2 user’s clock, but now time3 by (cid:27)1’s local clock). The then in[x](u2) = in[x](t(cid:27)2) = out[x](u1) by the re- process continues with the user providing (cid:27)1 with its lationship between t(cid:27)1 and t(cid:27)2. Also, note that for oddinputsat(cid:27)1localtime(cid:28) (where(cid:28) isodd)anduser all 1 (cid:20) x (cid:20) n such that j[x] = 2 : out[x](u2) = localtime((cid:28)+1)=2andreceiving(cid:27)1’sevenoutputsat out[x](t(cid:27)2) = out[x](t). Since j2 has no 1’s, u2 ful(cid:12)lls (cid:27)1 local time (cid:28) (where (cid:28) is even) and user local time all the conditions required by the Composition Theo- (cid:28)=2. In the meantime,(cid:27)1 sends its odd outputs to (cid:27)2 rem for Cascades. Condition (2) follows by an anal- at (cid:27)1 local time(cid:28) (where (cid:28) is odd) and (cid:27)2 local time 2 (cid:3) ((cid:28) +1)=2 and receives its even inputs from (cid:27)2 at (cid:27)1 ogous argument where u2 = f (s(cid:27)2;u ), and we are 2 local time(cid:28) (where (cid:28) is even) and (cid:27)2 local time(cid:28)=2. done. As in cascading, we assumethat (cid:27)1’s(odd) output Asanapplicationofournewcorollaryconsider any meets any environment restrictions assumed by (cid:27)2’s trace sets (cid:27) (cid:18)trace((cid:6)^) and (cid:27)2(cid:18)trace((cid:6)^) such that input. Wealsoassumethatthe outputofthose traces of (cid:27)2 that take input from (cid:27)1 meet any environment (cid:27) = (cid:27)1(cid:14)(cid:27)2 is de(cid:12)ned. Our theorem tells us the fol- restrictions assumed by (cid:27)1’s (even) input. Although lowingnew facts: theseassumptionsarenotnecessaryfortheproofspre- sented in this section, they will reappear in Section 4 (cid:15) If(cid:27)1 and(cid:27)2 satisfyGeneralized Noninterference, whenwediscuss thepossibilityofafeedbackanalogue then so does (cid:27). forCorollary3.7. Asinthede(cid:12)nitionofcascade,their (cid:15) If (cid:27)1 and (cid:27)2 satisfy Generalized Noninference, purpose is to guarantee that the feedback of (cid:27)1 and then so does (cid:27). (cid:27)2 will be well-behaved if placed in an environment that satis(cid:12)es (cid:27)1’s (odd) input restrictions. (cid:15) If one of f(cid:27)1;(cid:27)2g satis(cid:12)es Generalized Noninfer- To formalize these interface assumptions, we can- enceandtheothersatis(cid:12)esGeneralizedNoninter- not simply require that for every s1 2 (cid:27)1 there is a ference, then(cid:27) satis(cid:12)esGeneralizedNoninference trace s2 2 (cid:27)2 such that for all odd (cid:28) : out(s1)[(cid:28)] = H+L H+L if hh(cid:21) ;(cid:21) i;:::i2(cid:27). in(s2)[((cid:28) + 1)=2] and for all even (cid:28) : in(s1)[(cid:28)] = out(s2)[(cid:28)=2] since, in general, such a requirement is These twofactssupport the following,rather interest- too strong. For example, although it is reasonable ing,observationaboutcascades: apossiblisticsecurity to require that for every trace s1 2 (cid:27)1 there is some propertyseemstobepreservedbybeingcascadedwith trace s2 2 (cid:27)2 such that out(s1)[1] = in(s2)[1] and to (cid:3) itself or with any property that is stronger than it. require that there is some trace s1 2 (cid:27)1 such that (cid:3) (cid:3) s1 [1] = s1[1] ^ in(s1 )[2] = out(s2)[1], we cannot (cid:3) guarantee that s1 = s1 since in(s1)[2] maynot be a 3.1.3 Feedback possible output for (cid:27)2. What we need to say is that if two traces s1 2 (cid:27)1 and s2 2 (cid:27)2 have interfaced correctly up to (cid:27)2 local time (cid:28), then each trace has a Another type of composition consists of a system (cid:27)1 \continuation"thatwillinterface correctlyat(cid:27)2local serving as afront end to a system (cid:27)2 or,equivalently, time(cid:28). (cid:27)2 serving as aback end to(cid:27)1. The essential element of this connection is that (cid:27)2 provides feedback to (cid:27)1. De(cid:12)nition 3.8 (Interface Condition for Feed- (SeeFigure5.) Inthiscasewhenauserprovidesinput back) Let (cid:6)1 and (cid:6)2 be state spaces of the form to (cid:27)1 (for example, at time 1 according to the user’s 1 1 fhhin1;:::;inni;hout1;:::;outmiijini 2Ii ^outi 2Oig and (cid:27)1’s local clocks), the output generated by this 2 input is taken as input by (cid:27)2 (also at time 1 by (cid:27)2’s an2d fhhin1;:::;inmi;hout1;:::;outniij ini 2Ii ^outi 2 localclock). This input to (cid:27)2 generates output which Oig, respectively, such that for all 1 (cid:20) i (cid:20) m : 1 2 2 1 is read as new input by (cid:27)1 (at time 1 of (cid:27)2’s local Oi (cid:18) Ii and for all 1 (cid:20) i (cid:20) n : Oi (cid:18) Ii. For clock, but now time 2 of (cid:27)1’s local clock). The user any trace s1 2 (cid:27)1 (cid:18) trace((cid:6)1) and s2 2 (cid:27)2 (cid:18) then receives from(cid:27)1 the output that is generated in trace((cid:6)2) let the relation downconnect(1;s1;s2) =d 9

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.