Table Of ContentLecture Notes in Computer Science 5511
CommencedPublicationin1973
FoundingandFormerSeriesEditors:
GerhardGoos,JurisHartmanis,andJanvanLeeuwen
EditorialBoard
DavidHutchison
LancasterUniversity,UK
TakeoKanade
CarnegieMellonUniversity,Pittsburgh,PA,USA
JosefKittler
UniversityofSurrey,Guildford,UK
JonM.Kleinberg
CornellUniversity,Ithaca,NY,USA
AlfredKobsa
UniversityofCalifornia,Irvine,CA,USA
FriedemannMattern
ETHZurich,Switzerland
JohnC.Mitchell
StanfordUniversity,CA,USA
MoniNaor
WeizmannInstituteofScience,Rehovot,Israel
OscarNierstrasz
UniversityofBern,Switzerland
C.PanduRangan
IndianInstituteofTechnology,Madras,India
BernhardSteffen
UniversityofDortmund,Germany
MadhuSudan
MicrosoftResearch,Cambridge,MA,USA
DemetriTerzopoulos
UniversityofCalifornia,LosAngeles,CA,USA
DougTygar
UniversityofCalifornia,Berkeley,CA,USA
GerhardWeikum
Max-PlanckInstituteofComputerScience,Saarbruecken,Germany
Pierpaolo Degano Luca Viganò (Eds.)
Foundations and
Applications of
Security Analysis
Joint Workshop onAutomated Reasoning
for Security ProtocolAnalysis
and Issues in theTheory of Security,ARSPA-WITS 2009
York, UK, March 28-29, 2009
Revised Selected Papers
1 3
VolumeEditors
PierpaoloDegano
UniversitàdiPisa,DipartimentodiInformatica
LargoBrunoPontecorvo,3,56127Pisa,Italy
E-mail:degano@di.unipi.it
LucaViganò
UniversitàdiVerona,DipartimentodiInformatica
StradaLeGrazie15,37134Verona,Italy
E-mail:luca.vigano@univr.it
LibraryofCongressControlNumber:2009933043
CRSubjectClassification(1998):D.4.6,K.6.5,C.2,H.2.7,K.4.4
LNCSSublibrary:SL4–SecurityandCryptology
ISSN 0302-9743
ISBN-10 3-642-03458-6SpringerBerlinHeidelbergNewYork
ISBN-13 978-3-642-03458-9SpringerBerlinHeidelbergNewYork
Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis
concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting,
reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication
orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965,
initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer.Violationsareliable
toprosecutionundertheGermanCopyrightLaw.
springer.com
©Springer-VerlagBerlinHeidelberg2009
PrintedinGermany
Typesetting:Camera-readybyauthor,dataconversionbyScientificPublishingServices,Chennai,India
Printedonacid-freepaper SPIN:12725595 06/3180 543210
Preface
The Joint Workshop on “Automated Reasoning for Security Protocol Analysis
and Issues in the Theory of Security” (ARSPA-WITS 2009) was held in York,
UK, March 28–29,2009, in association with ETAPS 2009.
ARSPA is a series of workshopson “Automated Reasoningfor Security Pro-
tocol Analysis,” bringing together researchers and practitioners from both the
securityandtheformalmethodscommunities,fromacademiaandindustry,who
are working on developing and applying automated reasoning techniques and
tools for the formal specification and analysis of security protocols. The first
two ARSPA workshopswere held as satellite events of the Second International
JointConferenceonAutomatedReasoning(IJCAR2004)andofthe32ndInter-
nationalColloquiumonAutomata,LanguagesandProgramming(ICALP2005),
respectively.ARSPA then joinedforceswith the workshopFCS(Foundations of
Computer Security): FCS-ARSPA 2006 was affiliated with LICS 2006, in the
contextofFLoC2006,andFCS-ARSPA2007wasaffiliatedwithLICS2007and
ICALP 2007.
WITSistheofficialannualworkshoporganizedbytheIFIPWG1.7on“The-
oretical Foundations of Security Analysis and Design,” established to promote
the investigationonthe theoreticalfoundationsof security,discoveringandpro-
moting new areas of application of theoretical techniques in computer security
and supporting the systematic use of formal techniques in the development of
security-related applications. This is the ninth meeting in the series. In 2008,
ARSPA and WITS joined with the workshop on Foundations of Computer Se-
curityFCSforajointworkshop,FCS-ARSPA-WITS2008,associatedwithLICS
2008 and CSF 21.
In 2009, ARSPA and WITS again joined forces with the aim to provide a
forum for continued activity in different areas of computer security, bringing
computersecurityresearchersinclosercontactwiththeETAPScommunityand
givingETAPSattendeesanopportunitytotalkto expertsincomputersecurity,
onthe onehand,andto contribute tobridgingthe gapbetweenlogicalmethods
and computer security foundations, on the other.
There were 27 submissions of high quality, from countries in Asia, Europe,
andNorthAmerica.Allthesubmissionswereevaluatedbyatleastthreereferees
and the Program Committee then selected the 15 research contributions that
were presented at the workshop. Out of these, 12 were further revised by their
authors and are included in this volume. The workshop program was enriched
by invited talks by Peter Ryan and David Sands, whose contributions are also
included here.
We wouldliketo thankallthe peoplewho contributedto the organizationof
the ARSPA-WITS 2009Workshop,andacknowledgethe supportfromthe IFIP
WG 1.7, the AVANTSSAR Project (FP7-ICT-2007-1, Project No. 216471), and
VI Preface
the SENSORIAProject(EU-FETPI GlobalComputing ProjectIST-2005-16004).
In particular, we are deeply indebted to the other members of the Program
Committee and the additional referees, who allowed us to review the papers in
a very short time, while maintaining a very high standard: their help has been
invaluable. We are also grateful to Andrei Voronkov, who allowed us to use the
free conference softwaresystem EasyChair,which greatly simplified the work of
the Program Committee. Last but not least, warm thanks to the organizers of
ETAPS 2009.
June 2009 Pierpaolo Degano
Luca Vigan`o
Organization
Program Committee
Lujo Bauer CMU, USA
Luca Compagna SAP Research, France
Veronique Cortier LORIA INRIA-Lorraine, France
Pierpaolo Degano (Chair) Universita` di Pisa, Italy
Sandro Etalle Technical University of Eindhoven,
The Netherlands
Riccardo Focardi Universit`a di Venezia, Italy
Dieter Gollman Technische Universita¨t Hamburg-Harburg,
Germany
Roberto Gorrieri Universita` di Bologna, Italy
Joshua Guttman MITRE, USA
Jerry den Hartog Technical University of Eindhoven,
The Netherlands
Jan Ju¨rjens The Open University, UK
Gavin Lowe Oxford University, UK
Catherine Meadows Naval Research Laboratory,USA
Jonathan Millen MITRE, USA
Sebastian Mo¨dersheim IBM Zurich Research Lab, Switzerland
Mark Ryan University of Birmingham, UK
Luca Vigan`o (Chair) Universita` di Verona, Italy
Additional Reviewers
Misha Aizatulin Francois Dupressoir Ben Smyth
Alessandro Aldini Deepak Garg Bruno Pontes
Andreas Bauer Claudio Guidi Soares Rocha
Giampaolo Bella Volkmar Lotz Fred Spiessens
Mario Bravetti Ilaria Matteucci Angelo Troina
Roberto Carbone Toby Murray Mathieu Turuani
Kostas Chatzikokolakis Arnab Roy Tjark Weber
St´ephanie Delaune Theoodor Scholte
Alessandra Di Pierro Boris Skoric
Table of Contents
A Policy Model for Secure Information Flow......................... 1
Adedayo O. Adetoye and Atta Badii
A General Framework for Nondeterministic, Probabilistic, and
Stochastic Noninterference ........................................ 18
Alessandro Aldini and Marco Bernardo
Validating Security Protocols under the General Attacker ............. 34
Wihem Arsac, Giampaolo Bella, Xavier Chantry, and
Luca Compagna
Usage Automata................................................. 52
Massimo Bartoletti
Static Detection of Logic Flaws in Service-OrientedApplications....... 70
Chiara Bodei, Linda Brodo, and Roberto Bruni
Improving the Semantics of Imperfect Security....................... 88
Niklas Broberg and David Sands
Analysing PKCS#11 Key Management APIs with Unbounded Fresh
Data ........................................................... 92
Sibylle Fro¨schle and Graham Steel
Transformations between Cryptographic Protocols ................... 107
Joshua D. Guttman
Formal Validation of OFEPSP+ with AVISPA....................... 124
Jorge L. Hernandez-Ardieta, Ana I. Gonzalez-Tablas, and
Benjamin Ramos
On the Automated Correction of Protocols with Improper Message
Encoding ....................................................... 138
Dieter Hutter and Rau´l Monroy
Finite Models in FOL-Based Crypto-ProtocolVerification............. 155
Jan Ju¨rjens and Tjark Weber
Towards a Type System for Security APIs........................... 173
Gavin Keighren, David Aspinall, and Graham Steel
Separating Trace Mapping and Reactive Simulatability Soundness: The
Case of Adaptive Corruption ...................................... 193
Laurent Mazar´e and Bogdan Warinschi
X Table of Contents
How Many Election Officials Does It Take to Change an Election? ..... 211
P.Y.A. Ryan
Author Index.................................................. 223
A Policy Model for Secure Information Flow
AdedayoO.AdetoyeandAttaBadii
SchoolofSystemsEngineering,UniversityofReading,Whiteknights,Berkshire,RG66AY,UK
a.o.adetoye@reading.ac.uk, atta.badii@reading.ac.uk
Abstract. Whenacomputerprogramrequireslegitimateaccesstoconfidential
data,thequestionariseswhethersuchaprogrammayillegallyrevealsensitivein-
formation.Thispaperproposesapolicymodeltospecifywhatinformationflow
ispermittedinacomputationalsystem.Thesecuritydefinition,whichisbasedon
ageneralnotionofinformationlattices,allowsvariousrepresentationsofinfor-
mationtobeusedintheenforcementofsecureinformationflowindeterminis-
ticornondeterministicsystems.Aflexiblesemantics-basedanalysistechniqueis
presented,whichusestheinput-outputrelationalmodelinducedbyanattacker’s
observational power,tocomputetheinformationreleasedbythecomputational
system.Anillustrativeattacker modeldemonstrates theuseofthetechniqueto
developatermination-sensitiveanalysis.Thetechniqueallowsthedevelopment
ofvariousinformationflowanalyses,parametrisedbytheattacker’sobservational
power,whichcanbeusedtoenforcewhatdeclassificationpolicies.
1 Introduction
The problem of secure information flow arises when a computer program must be
grantedlegitimateaccesstoconfidentialdata.Whensuchaprogram,whichmighthave
accesstoanetworkorthatmightotherwisebeabletotransmitconfidentialinformation
to unauthorised observers, is executed, we want assurances that only the information
that we wish to reveal is released. An information flow policy expresses our security
concernabouttheinformationreleasethatweconsiderassafe.Thisleadstotheques-
tionofhowtospecifywhatinformationreleaseissafe.Thetraditionalapproachtothe
specificationofinformationrelease,orrather,thelackofit,isthroughthenoninterfer-
encerequirement[7].Noninterferencepreventsanyflowofsecretinformationtopublic
areas in a multi-level security system, where informationmust not flow from high to
low.Thus,noninterferenceisveryrestrictiveanditsusefulnessingeneralpracticehas
beenargued[13].Inpractice,forexample,duringencryption,authentication,orstatis-
ticalanalysis,weoftenwanttoreleasesomelevelofinformation.Thisrequiresamore
generalpolicymodelbywhichwecanspecifywhatisthesafelevelofinformationto
bereleased.Thispaperproposesalatticemodeltocapturethisproperty.
In [16], a taxonomy of declassification mechanisms is introduced based on what,
where, when andbywhom informationis released.Thispaperis concernedaboutthe
what dimension of information flow, where we want to express the property that the
information released by a system does not exceed certain allowed limits. Based on
thisobservation,a definitionofsecurity is given,which capturesthe idea thata given
informationflowissafe.
P.DeganoandL.Vigano`(Eds.):ARSPA-WITS2009,LNCS5511,pp.1–17,2009.
©Springer-VerlagBerlinHeidelberg2009
2 A.O.AdetoyeandA.Badii
1.1 Contributions
This paper contributes to the theory of secure information flow through a systematic
study of lattices of information as a tool for the enforcement of what declassifica-
tionpolicies.Althoughlattice-basedapproachesareoftenusedinlanguage-basedsecu-
rity[14],theselatticesareusuallyofsecurityclassesina multi-levelsecuritysystem,
ratherthanlattices ofinformation.We demonstratethatvariousrepresentationsof in-
formationsuch as partialequivalencerelations, familiesof sets, information-theoretic
characterisation,andclosureoperatorsfitintothe latticemodelofinformation,unify-
ing the various definitions under the lattice model. This means that the same partial
order-basedenforcementtechniquecanbeappliedtoalltherepresentations.
Another contribution to the theory is an input-outputrelation model, presented as
a primitive for the semantic analysis of information flow. A systematic approach to
deriving the relational model from the operational semantics, which is parametric to
a chosen attacker’s observational power, is presented. The relational model accounts
wellforinformationflowduetonontermination,andthespecifictermination-sensitive
analysispresenteddemonstratesthecorrectanalysisofdivergingprogramsbyusingthe
relationalmodel.
1.2 PlanofthePaper
InSection2 the lattice modelof informationismotivated,anda securitydefinitionis
givenwhichusesthelatticemodeltoenforcewhatdeclassificationpolicies.Section3
introducestherelationalmodelprimitiveasatoolforstudyinginformationflowinmod-
els of deterministic or nondeterministic systems. Section 4 uses the relational model
to develop a representation of information, based on PERs, for the analysis of deter-
ministic system models. A language-based analysis technique is presented for While
programs with outputs to illustrate how to derive the relational model under a given
attackermodelinalanguage-basedsetting.SimilarlytoSection4,Section5appliesthe
relationalmodeltechniqueto developa representationofinformation,basedonfami-
liesofsets,whichcapturestheinformationthattheattackermaygainwhenthesystem
can be run repeatedly under fixed inputs. An extension of the While language with a
nondeterministicconstructshows the use of this informationrepresentationfor infor-
mationflowanalysisinanondeterministiclanguagesetting.Wecompareourapproach
withrelatedworksinSection6.Section7concludesthepaper.
2 Secure InformationFlow
The concept of secure information flow suggests an understanding of the notions of
informationand informationflow. A fundamentalpropertyof informationis the intu-
itivenotionofinformationlevels,wherewesaythatonepieceofinformationisgreater
ormoreinformativethananother.Thissuggestsanorderingofinformation,whichwe
shallexploitinourinformationmodelandsecuritydefinition.Forthisreasonweshall
modelinformationaslattices,wheretheassociatedpartialordercapturesthenotionof
informationlevels.
