Lecture Notes in Computer Science 5511
Commenced Publication in 1973
Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, University of Dortmund, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max-Planck Institute of Computer Science, Saarbruecken, Germany

Pierpaolo Degano, Luca Viganò (Eds.)
Foundations and Applications of Security Analysis
Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security, ARSPA-WITS 2009
York, UK, March 28-29, 2009
Revised Selected Papers

Volume Editors
Pierpaolo Degano, Università di Pisa, Dipartimento di Informatica, Largo Bruno Pontecorvo 3, 56127 Pisa, Italy. E-mail: [email protected]
Luca Viganò, Università di Verona, Dipartimento di Informatica, Strada Le Grazie 15, 37134 Verona, Italy. E-mail: [email protected]

Library of Congress Control Number: 2009933043
CR Subject Classification (1998): D.4.6, K.6.5, C.2, H.2.7, K.4.4
LNCS Sublibrary: SL 4 – Security and Cryptology
ISSN 0302-9743
ISBN-10 3-642-03458-6 Springer Berlin Heidelberg New York
ISBN-13 978-3-642-03458-9 Springer Berlin Heidelberg New York

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.
springer.com
© Springer-Verlag Berlin Heidelberg 2009
Printed in Germany
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
SPIN: 12725595 06/3180 5 4 3 2 1 0

Preface

The Joint Workshop on "Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security" (ARSPA-WITS 2009) was held in York, UK, March 28–29, 2009, in association with ETAPS 2009.

ARSPA is a series of workshops on "Automated Reasoning for Security Protocol Analysis," bringing together researchers and practitioners from both the security and the formal methods communities, from academia and industry, who are working on developing and applying automated reasoning techniques and tools for the formal specification and analysis of security protocols. The first two ARSPA workshops were held as satellite events of the Second International Joint Conference on Automated Reasoning (IJCAR 2004) and of the 32nd International Colloquium on Automata, Languages and Programming (ICALP 2005), respectively. ARSPA then joined forces with the workshop FCS (Foundations of Computer Security): FCS-ARSPA 2006 was affiliated with LICS 2006, in the context of FLoC 2006, and FCS-ARSPA 2007 was affiliated with LICS 2007 and ICALP 2007.

WITS is the official annual workshop organized by the IFIP WG 1.7 on "Theoretical Foundations of Security Analysis and Design," established to promote the investigation of the theoretical foundations of security, discovering and promoting new areas of application of theoretical techniques in computer security and supporting the systematic use of formal techniques in the development of security-related applications. This is the ninth meeting in the series.
In 2008, ARSPA and WITS joined with the workshop on Foundations of Computer Security FCS for a joint workshop, FCS-ARSPA-WITS 2008, associated with LICS 2008 and CSF 21.

In 2009, ARSPA and WITS again joined forces with the aim to provide a forum for continued activity in different areas of computer security, bringing computer security researchers in closer contact with the ETAPS community and giving ETAPS attendees an opportunity to talk to experts in computer security, on the one hand, and to contribute to bridging the gap between logical methods and computer security foundations, on the other.

There were 27 submissions of high quality, from countries in Asia, Europe, and North America. All the submissions were evaluated by at least three referees and the Program Committee then selected the 15 research contributions that were presented at the workshop. Out of these, 12 were further revised by their authors and are included in this volume. The workshop program was enriched by invited talks by Peter Ryan and David Sands, whose contributions are also included here.

We would like to thank all the people who contributed to the organization of the ARSPA-WITS 2009 Workshop, and acknowledge the support from the IFIP WG 1.7, the AVANTSSAR Project (FP7-ICT-2007-1, Project No. 216471), and the SENSORIA Project (EU-FET PI Global Computing Project IST-2005-16004). In particular, we are deeply indebted to the other members of the Program Committee and the additional referees, who allowed us to review the papers in a very short time, while maintaining a very high standard: their help has been invaluable. We are also grateful to Andrei Voronkov, who allowed us to use the free conference software system EasyChair, which greatly simplified the work of the Program Committee. Last but not least, warm thanks to the organizers of ETAPS 2009.
June 2009
Pierpaolo Degano
Luca Viganò

Organization

Program Committee
Lujo Bauer, CMU, USA
Luca Compagna, SAP Research, France
Veronique Cortier, LORIA INRIA-Lorraine, France
Pierpaolo Degano (Chair), Università di Pisa, Italy
Sandro Etalle, Technical University of Eindhoven, The Netherlands
Riccardo Focardi, Università di Venezia, Italy
Dieter Gollman, Technische Universität Hamburg-Harburg, Germany
Roberto Gorrieri, Università di Bologna, Italy
Joshua Guttman, MITRE, USA
Jerry den Hartog, Technical University of Eindhoven, The Netherlands
Jan Jürjens, The Open University, UK
Gavin Lowe, Oxford University, UK
Catherine Meadows, Naval Research Laboratory, USA
Jonathan Millen, MITRE, USA
Sebastian Mödersheim, IBM Zurich Research Lab, Switzerland
Mark Ryan, University of Birmingham, UK
Luca Viganò (Chair), Università di Verona, Italy

Additional Reviewers
Misha Aizatulin
Alessandro Aldini
Andreas Bauer
Giampaolo Bella
Mario Bravetti
Roberto Carbone
Kostas Chatzikokolakis
Stéphanie Delaune
Alessandra Di Pierro
Francois Dupressoir
Deepak Garg
Claudio Guidi
Volkmar Lotz
Ilaria Matteucci
Toby Murray
Arnab Roy
Theodor Scholte
Boris Skoric
Ben Smyth
Bruno Pontes Soares Rocha
Fred Spiessens
Angelo Troina
Mathieu Turuani
Tjark Weber

Table of Contents

A Policy Model for Secure Information Flow ......................... 1
  Adedayo O. Adetoye and Atta Badii
A General Framework for Nondeterministic, Probabilistic, and Stochastic Noninterference ......................... 18
  Alessandro Aldini and Marco Bernardo
Validating Security Protocols under the General Attacker ......................... 34
  Wihem Arsac, Giampaolo Bella, Xavier Chantry, and Luca Compagna
Usage Automata ......................... 52
  Massimo Bartoletti
Static Detection of Logic Flaws in Service-Oriented Applications ......................... 70
  Chiara Bodei, Linda Brodo, and Roberto Bruni
Improving the Semantics of Imperfect Security ......................... 88
  Niklas Broberg and David Sands
Analysing PKCS#11 Key Management APIs with Unbounded Fresh Data ......................... 92
  Sibylle Fröschle and Graham Steel
Transformations between Cryptographic Protocols ......................... 107
  Joshua D. Guttman
Formal Validation of OFEPSP+ with AVISPA ......................... 124
  Jorge L. Hernandez-Ardieta, Ana I. Gonzalez-Tablas, and Benjamin Ramos
On the Automated Correction of Protocols with Improper Message Encoding ......................... 138
  Dieter Hutter and Raúl Monroy
Finite Models in FOL-Based Crypto-Protocol Verification ......................... 155
  Jan Jürjens and Tjark Weber
Towards a Type System for Security APIs ......................... 173
  Gavin Keighren, David Aspinall, and Graham Steel
Separating Trace Mapping and Reactive Simulatability Soundness: The Case of Adaptive Corruption ......................... 193
  Laurent Mazaré and Bogdan Warinschi
How Many Election Officials Does It Take to Change an Election? ......................... 211
  P.Y.A. Ryan
Author Index ......................... 223

A Policy Model for Secure Information Flow

Adedayo O. Adetoye and Atta Badii
School of Systems Engineering, University of Reading, Whiteknights, Berkshire, RG6 6AY, UK
[email protected], [email protected]

Abstract.
When a computer program requires legitimate access to confidential data, the question arises whether such a program may illegally reveal sensitive information. This paper proposes a policy model to specify what information flow is permitted in a computational system. The security definition, which is based on a general notion of information lattices, allows various representations of information to be used in the enforcement of secure information flow in deterministic or nondeterministic systems. A flexible semantics-based analysis technique is presented, which uses the input-output relational model induced by an attacker's observational power to compute the information released by the computational system. An illustrative attacker model demonstrates the use of the technique to develop a termination-sensitive analysis. The technique allows the development of various information flow analyses, parametrised by the attacker's observational power, which can be used to enforce what declassification policies.

1 Introduction

The problem of secure information flow arises when a computer program must be granted legitimate access to confidential data. When such a program, which might have access to a network or might otherwise be able to transmit confidential information to unauthorised observers, is executed, we want assurances that only the information that we wish to reveal is released.
An information flow policy expresses our security concern about the information release that we consider as safe. This leads to the question of how to specify what information release is safe. The traditional approach to the specification of information release, or rather, the lack of it, is through the noninterference requirement [7]. Noninterference prevents any flow of secret information to public areas in a multi-level security system, where information must not flow from high to low. Thus, noninterference is very restrictive and its usefulness in general practice has been debated [13]. In practice, for example, during encryption, authentication, or statistical analysis, we often want to release some level of information. This requires a more general policy model by which we can specify what is the safe level of information to be released. This paper proposes a lattice model to capture this property.

In [16], a taxonomy of declassification mechanisms is introduced based on what, where, when and by whom information is released. This paper is concerned with the what dimension of information flow, where we want to express the property that the information released by a system does not exceed certain allowed limits. Based on this observation, a definition of security is given, which captures the idea that a given information flow is safe.

P. Degano and L. Viganò (Eds.): ARSPA-WITS 2009, LNCS 5511, pp. 1–17, 2009.
1.1 Contributions

This paper contributes to the theory of secure information flow through a systematic study of lattices of information as a tool for the enforcement of what declassification policies. Although lattice-based approaches are often used in language-based security [14], these lattices are usually of security classes in a multi-level security system, rather than lattices of information. We demonstrate that various representations of information such as partial equivalence relations, families of sets, information-theoretic characterisation, and closure operators fit into the lattice model of information, unifying the various definitions under the lattice model. This means that the same partial order-based enforcement technique can be applied to all the representations.

Another contribution to the theory is an input-output relation model, presented as a primitive for the semantic analysis of information flow. A systematic approach to deriving the relational model from the operational semantics, which is parametric in a chosen attacker's observational power, is presented. The relational model accounts well for information flow due to nontermination, and the specific termination-sensitive analysis presented demonstrates the correct analysis of diverging programs by using the relational model.

1.2 Plan of the Paper

In Section 2 the lattice model of information is motivated, and a security definition is given which uses the lattice model to enforce what declassification policies. Section 3 introduces the relational model primitive as a tool for studying information flow in models of deterministic or nondeterministic systems. Section 4 uses the relational model to develop a representation of information, based on PERs, for the analysis of deterministic system models.
A language-based analysis technique is presented for While programs with outputs to illustrate how to derive the relational model under a given attacker model in a language-based setting. Similarly to Section 4, Section 5 applies the relational model technique to develop a representation of information, based on families of sets, which captures the information that the attacker may gain when the system can be run repeatedly under fixed inputs. An extension of the While language with a nondeterministic construct shows the use of this information representation for information flow analysis in a nondeterministic language setting. We compare our approach with related work in Section 6. Section 7 concludes the paper.

2 Secure Information Flow

The concept of secure information flow presupposes an understanding of the notions of information and information flow. A fundamental property of information is the intuitive notion of information levels, where we say that one piece of information is greater, or more informative, than another. This suggests an ordering of information, which we shall exploit in our information model and security definition. For this reason we shall model information as lattices, where the associated partial order captures the notion of information levels.
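The following Python program is an added illustration of the enforcement idea sketched in the abstract, Section 1.1 and the opening of Section 2; it is not code from the paper. Information about the secret input is represented, in the spirit of the PER-based representation the paper develops in Section 4, by the equivalence relation on inputs that an attacker's observations induce (two inputs are related iff the attacker cannot tell them apart). A finer relation carries more information, which gives the partial order; a "what" policy is itself such a relation, and a program is secure iff the relation it induces lies below the policy in that order. The While-with-output programs, the finite input domain and the two attacker models (one that observes termination, one that does not) are constructed for the example; the step budget that stands in for nontermination is an assumption of the model, not a construction from the paper.

```python
"""Enforcing a 'what' declassification policy by comparing equivalence relations.

Added example, not code from the paper.  Inputs are (h, l) pairs with h secret
and l public.  A program is run on a tiny While-with-output interpreter; the
equivalence relation induced on inputs by the attacker's observations is then
compared with the relation induced by the policy.
"""

FUEL = 200  # assumption: a run that exhausts this many steps is treated as diverging


class Diverge(Exception):
    """Raised when the step budget is exhausted."""


def run(cmd, env, fuel=FUEL):
    """Execute a While-with-output command; return (outputs, terminated).

    Commands are tuples: ('skip',), ('assign', var, f), ('out', f),
    ('seq', c1, c2, ...), ('if', cond, c_then, c_else), ('while', cond, body),
    where f and cond are Python callables evaluated on the environment dict.
    """
    env, outputs = dict(env), []

    def exec_(c):
        nonlocal fuel
        fuel -= 1
        if fuel < 0:
            raise Diverge
        kind = c[0]
        if kind == 'skip':
            pass
        elif kind == 'assign':
            env[c[1]] = c[2](env)
        elif kind == 'out':
            outputs.append(c[1](env))
        elif kind == 'seq':
            for sub in c[1:]:
                exec_(sub)
        elif kind == 'if':
            exec_(c[2] if c[1](env) else c[3])
        elif kind == 'while':
            while c[1](env):
                exec_(c[2])
        else:
            raise ValueError(f'unknown command {kind}')

    try:
        exec_(cmd)
    except Diverge:
        return tuple(outputs), False
    return tuple(outputs), True


# Two attacker models (observational power), as functions of a run's (outputs, terminated).
TS = lambda obs: obs        # termination-sensitive: sees outputs and whether the run halted
TI = lambda obs: obs[0]     # termination-insensitive: sees only the output sequence

# Constructed finite input domain: h is the secret, l the public input.
INPUTS = [(h, l) for h in range(4) for l in range(2)]


def induced(cmd, attacker, inputs=INPUTS):
    """Kernel of the attacker's observation map: pairs of inputs the attacker cannot distinguish."""
    seen = {i: attacker(run(cmd, {'h': i[0], 'l': i[1]})) for i in inputs}
    return frozenset((a, b) for a in inputs for b in inputs if seen[a] == seen[b])


def policy(declassify, inputs=INPUTS):
    """Relation of a 'what' policy: inputs may be told apart only through l and declassify(h)."""
    return frozenset((a, b) for a in inputs for b in inputs
                     if a[1] == b[1] and declassify(a[0]) == declassify(b[0]))


def leq(r1, r2):
    """Information order: r1 releases no more than r2 iff r1 identifies every pair r2 identifies."""
    return r2 <= r1


def join(r1, r2):
    """Least upper bound: what an attacker learns from both releases together."""
    return r1 & r2


def secure(cmd, attacker, declassify, inputs=INPUTS):
    """Secure iff what the attacker learns lies below what the policy allows."""
    return leq(induced(cmd, attacker, inputs), policy(declassify, inputs))


# Constructed sample programs.
P_COPY_L = ('out', lambda e: e['l'])                       # output l
P_PARITY = ('out', lambda e: e['h'] % 2)                   # output h mod 2
P_LEAK_H = ('out', lambda e: e['h'])                       # output h
P_TERM = ('seq', ('out', lambda e: e['l']),                # output l; while h != 0 do skip
         ('while', lambda e: e['h'] != 0, ('skip',)))

NONINTERFERENCE = lambda h: None   # nothing about h may be released
PARITY = lambda h: h % 2           # only the parity of h may be released

if __name__ == '__main__':
    print(secure(P_COPY_L, TS, NONINTERFERENCE))  # True
    print(secure(P_PARITY, TS, NONINTERFERENCE))  # False: parity of h leaks
    print(secure(P_PARITY, TS, PARITY))           # True
    print(secure(P_LEAK_H, TS, PARITY))           # False: releases more than parity
    print(secure(P_TERM, TI, NONINTERFERENCE))    # True for an attacker blind to divergence
    print(secure(P_TERM, TS, NONINTERFERENCE))    # False: termination reveals whether h == 0
```

The last two calls show the point of parametrising the analysis by observational power: the same program (output l, then loop iff h is nonzero) is accepted under noninterference by an attacker who only sees the output stream and rejected by one who also sees whether the run halted. `join` shows why a lattice rather than a bare order is useful: the information two programs release together is their join, and a policy check on the join catches a release that each program alone stays within.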