In Proceedings of the Ninth IEEE Computer Security Foundations Workshop (CSFW'96), IEEE Press, Kenmare (Ireland), June 1996.

Comparing Two Information Flow Security Properties

Riccardo Focardi
Dipartimento di Scienze dell'Informazione, Università di Bologna, via mura A. Zamboni 7, I-40127 Bologna, Italy
[email protected]

Abstract

In this paper we compare two information flow security properties: the lazy security (L-Sec) [11] and the Bisimulation Non-deducibility on Compositions (BNDC) [4]. To do this we define the Failure Non-deducibility on Compositions, a failure semantics version of BNDC. The common specification language used for the comparison is the Security Process Algebra [4], an extension of CCS [8] which permits the description of systems where actions belong to two different levels of confidentiality. We prove that BNDC applied to a restricted class of systems, the low-deterministic and non-divergent ones, is equal to L-Sec. So these two properties, which are based on quite different underlying intuitions, become the same if we add some conditions to BNDC.

1 Introduction

In this paper we compare two information flow security properties: the lazy security (L-Sec) [11] and the Bisimulation Non-deducibility on Compositions (BNDC) [4]. Intuitively, the first one requires that the obscuring of high level actions by interleaving does not introduce any nondeterminism in the system; the second one implies that high level users cannot modify what a low level user can see of the system. To do this we introduce the Failure Non-deducibility on Compositions (FNDC), a failure semantics version of BNDC. The specification language used to compare the properties is the Security Process Algebra (SPA), an extension of CCS [8]. This language permits the description of systems where actions belong to two different levels of confidentiality, and it has been introduced in [4] in order to compare and classify a number of information flow security properties. The main result in this work is that BNDC is equal to L-Sec when applied to a particular class of systems: the low-deterministic and non-divergent ones. In the failure setting, a system is low-deterministic if after a certain low level trace no low level action $l$ can be both accepted and refused. We have that every L-Sec system is low-deterministic. It is interesting to observe how these two properties, which are based on quite different underlying intuitions, become the same when dealing with processes which are low-deterministic and non-divergent.

The paper is organized as follows. In Section 2 we present SPA and semantic equivalences. In Section 3 we define L-Sec in the SPA setting, showing that its action is restricted to low-deterministic processes. Section 4 describes the failure and bisimulation based Non Deducibility on Composition. Section 5 compares L-Sec and BNDC in the class of low-deterministic and non-divergent systems. Finally, Section 6 contains some concluding remarks on the automatic verification of the two compared security properties.

2 SPA and Semantic Equivalences

In the following, systems will be specified using the Security Process Algebra, an extension of Milner's CCS [8]. SPA has two additional operators, namely the hiding operator $E/L$ of CSP [7] and the (new) input restriction operator $E \setminus_I L$, which are useful in characterizing some security properties in an algebraic style. Moreover the set of visible actions is partitioned into high and low level actions in order to specify multilevel systems.¹

SPA syntax is based on the following elements: a set $I = \{a, b, \ldots\}$ of input actions, a set $O = \{\bar a, \bar b, \ldots\}$ of output actions, a set $\mathcal{L} = I \cup O$ of visible actions, and the usual complementation function $\bar{\ } : \mathcal{L} \to \mathcal{L}$ such that $a \in I \Rightarrow \bar a \in O$, $a \in O \Rightarrow \bar a \in I$ and $\bar{\bar a} = a$; two sets $Act_H$ and $Act_L$ of high and low level actions such that $\overline{Act_H} = Act_H$, $\overline{Act_L} = Act_L$, $Act_H \cup Act_L = \mathcal{L}$ and $Act_H \cap Act_L = \emptyset$, where $\overline{L} \stackrel{def}{=} \{\bar a : a \in L\}$; a set $Act$ of actions, obtained by adding to $\mathcal{L}$ the internal, invisible action; a set $K$ of constants, ranged over by $Z$. The syntax of SPA agents is defined as follows:

$$E ::= 0 \mid .E \mid E + E \mid E \,|\, E \mid E \setminus L \mid E \setminus_I L \mid E/L \mid E[f] \mid Z$$

where $L \subseteq \mathcal{L}$ and $f : Act \to Act$ is a relabelling that commutes with complementation and maps the internal action to itself. Moreover, for every constant $Z$ there must be the corresponding definition $Z \stackrel{def}{=} E$. The meaning of $0$, $.E$, $E + E$, $E \,|\, E$, $E \setminus L$, $E[f]$ and $Z \stackrel{def}{=} E$ is as for CCS [8]. Intuitively, $0$ is the empty process, which cannot do any action; $.E$ can do the prefixed action and then behaves like $E$; $E_1 + E_2$ can alternatively choose² to behave like $E_1$ or $E_2$; $E_1 \,|\, E_2$ is the parallel composition of $E_1$ and $E_2$, where the executions of the two systems are interleaved, possibly synchronized on complementary input/output actions, producing an internal action; $E \setminus L$ can execute all the actions $E$ is able to do, provided that they do not belong to $L \cup \overline{L}$, while $E \setminus_I L$ requires that the actions of $E$ do not belong to $L \cap I$; $E/L$ turns all the actions in $L$ into internal ones; if $E$ can execute an action, then $E[f]$ performs the image of that action under $f$; finally, $Z$ does what $E$ does, when $Z \stackrel{def}{=} E$.

¹ Actually, only two-level systems can be specified. Note that this is not a real limitation because it is always possible to deal with the multilevel case by grouping – in several ways – the various levels in two clusters.

² For notational convenience, we sometimes use the $\sum$ operator to represent a general n-ary (or even infinitary) sum operator.

Let $\mathcal{E}$ be the set of SPA agents, ranged over by $E, F$. Let $\mathcal{L}(E)$ denote the sort of $E$, i.e., the set of the (possibly executable) actions occurring syntactically in $E$. The sets of high level agents and low level ones are defined as $\mathcal{E}_H \stackrel{def}{=} \{E \in \mathcal{E} \mid \mathcal{L}(E) \subseteq Act_H \cup \{\,\}\}$ and $\mathcal{E}_L \stackrel{def}{=} \{E \in \mathcal{E} \mid \mathcal{L}(E) \subseteq Act_L \cup \{\,\}\}$ (the set in braces containing only the internal action), respectively. The operational semantics of SPA is given (as usual) associating to each agent a particular state of the labelled transition system $(\mathcal{E}, Act, \to)$ where $\to \subseteq \mathcal{E} \times Act \times \mathcal{E}$ and, intuitively, $E \to E'$ means that agent $E$ can execute the labelling action moving to $E'$ (see [4] for more details).

In the following the expression $E \Longrightarrow E'$ (labelled by a visible action) is a shorthand for $E (\to)^* E_1 \to E_2 (\to)^* E'$, where $(\to)^*$ denotes a (possibly empty) sequence of internal transitions and the middle transition is labelled by that action. Moreover $E \not\Longrightarrow$ means that there is no $E'$ such that $E \Longrightarrow E'$, and $E \not\Longrightarrow^{K}$ with $K \subseteq \mathcal{L}$ stands for $E \not\Longrightarrow$ for every action in $K$. We also extend the '$\Longrightarrow$' notation to sequences of actions: $E \Longrightarrow E'$ labelled by a sequence in $\mathcal{L}^+$ of $n$ actions means that $\exists E_1, E_2, \ldots, E_{n-1}$ such that $E \Longrightarrow E_1 \Longrightarrow \ldots \Longrightarrow E_{n-1} \Longrightarrow E'$, each step executing the next action of the sequence. For the empty sequence $\langle\rangle$ we have that $E \stackrel{\langle\rangle}{\Longrightarrow} E'$ stands for $E (\to)^* E'$.

We recall here the definition of traces and failure equivalence [1].

Definition 2.1 A trace of a process is a sequence of actions that it can execute. The set of traces is defined as follows:

$$traces(E) \stackrel{def}{=} \{\, \in \mathcal{L}^* \mid \exists E' : E \Longrightarrow E'\},$$

the arrow being labelled by the trace itself.

Definition 2.2 If a trace is in $traces(E)$ and if, after executing it, $E$ can refuse all the actions in a set $X \subseteq \mathcal{L}$, then we say that the pair (trace, $X$) is a failure of the process $E$. Formally we have that:

$$failures(E) \stackrel{def}{=} \{(\,, X) \in \mathcal{L}^* \times \mathcal{P}(\mathcal{L}) \mid \exists E' \text{ such that } E \Longrightarrow E' \text{ and } E' \not\Longrightarrow^{X}\}.$$

When $failures(E) = failures(F)$ we write $E \approx_F F$ (failure equivalence).

We identify a process $E$ with its failure set. So if $(\,, X) \in failures(E)$ we write $(\,, X) \in E$. Note that a sequence is in $traces(E)$ if and only if the pair (sequence, $\emptyset$) is in $E$. So $E \approx_F F$ implies $traces(E) = traces(F)$. We also recall the definition of weak bisimulation [8]. In the following the expression $E \stackrel{\hat{\ }}{\Longrightarrow} E'$ stands for $E \Longrightarrow E'$ if the label is a visible action in $\mathcal{L}$, and for $E (\to)^* E'$ if the label is the internal action (note that $(\to)^*$ means "zero or more internal transitions" while $\Longrightarrow$ requires at least one internal transition).

Definition 2.3 A relation $R \subseteq \mathcal{E} \times \mathcal{E}$ is a weak bisimulation if $(E, F) \in R$ implies, for every action in $Act$,
- whenever $E \to E'$ then there exists $F' \in \mathcal{E}$ such that $F \stackrel{\hat{\ }}{\Longrightarrow} F'$ and $(E', F') \in R$;
- conversely, whenever $F \to F'$ then there exists $E' \in \mathcal{E}$ such that $E \stackrel{\hat{\ }}{\Longrightarrow} E'$ and $(E', F') \in R$.

Two SPA agents $E, F \in \mathcal{E}$ are observationally equivalent, notation $E \approx_B F$, if there exists a weak bisimulation containing the pair $(E, F)$. Note that $\approx_B$ is an equivalence relation. It is easy to prove that $E \approx_B F$ implies $E \approx_F F$.

3 Lazy Security

In this section we report the lazy security property [11] and we show that it can only deal with low-deterministic processes, i.e., processes which have a deterministic behaviour with respect to low level actions. Here we do not consider the eager security property (introduced in [11] to deal with output actions) since it supposes that high level actions happen instantaneously, while in SPA, which has synchronous communications, both input and output actions can be delayed by users. We start with a formal definition of determinism.

Definition 3.1 $E$ is deterministic ($E \in Det$) if and only if, whenever a trace extended with an action $a$ is again in $traces(E)$, the pair (trace, $\{a\}$) is not in $E$.

So a process is deterministic if after every trace it cannot both accept and refuse a certain action $a$. We give another characterization of determinism: a system $E$ is deterministic if and only if, whenever it can move to two different processes $E'$ and $E''$ executing a certain trace, such processes are failure equivalent.

Proposition 3.2 $E \in Det$ if and only if for every trace in $traces(E)$ we have that $E \Longrightarrow E'$, $E \Longrightarrow E''$ (both labelled by that trace) implies $E' \approx_F E''$.

PROOF. ($\Rightarrow$) Let $E \in Det$, $E \Longrightarrow E'$, $E \Longrightarrow E''$ (both by the same trace) and $(\,, K) \in E'$. We want to prove that $(\,, K) \in E''$. Since $E \Longrightarrow E'$, the concatenation of the two traces with $K$ is a failure of $E$. By $E \in Det$ we obtain that $\forall a \in K$, the concatenated trace followed by $a$ is not a trace for $E$. We also have that the second trace is a trace for $E''$; in fact, if $E''$ can execute only a prefix of it, i.e. $E'' \Longrightarrow E'''$ by a prefix which is immediately followed by an action $b$, we have that $E$ can execute the prefix extended with $b$ (through $E'$) and can refuse $b$ after the prefix (through $E''$), contradicting the determinism hypothesis. Now, since $\forall a \in K$ the concatenated trace followed by $a$ is not in $traces(E)$, we also have that $\forall a \in K$ the second trace followed by $a$ is not in $traces(E'')$, and so $(\,, K) \in E''$. ($\Leftarrow$) Trivial. □

Corollary 3.3 If $E \Longrightarrow E'$ and $E \in Det$ then $E' \in Det$.

PROOF. We have to prove that $E' \Longrightarrow E''$ and $E' \Longrightarrow E'''$ (by the same trace) implies $E'' \approx_F E'''$. Consider $E \Longrightarrow E''$ and $E \Longrightarrow E'''$ (by the concatenated traces); then by $E \in Det$ we have that $E'' \approx_F E'''$. □

In the following we will also use the $E \,|||\, F$ expression (interleaving without communication) as a shorthand for $(E[A/\mathcal{L}(E)] \,|\, F[B/\mathcal{L}(F)])[\mathcal{L}(E)/A, \mathcal{L}(F)/B]$ where $A, B \subseteq \mathcal{L}$ and $A \cap B = \emptyset$. Moreover, $A/\mathcal{L}(E)$ is a bijective function which maps all the actions executable by $E$ (the actions in $\mathcal{L}(E)$) into actions in $A$. Finally, $\mathcal{L}(E)/A$ is the inverse of $A/\mathcal{L}(E)$ (the same holds for $B/\mathcal{L}(F)$ and $\mathcal{L}(F)/B$). This expression means that the actions in $E$ and $F$ are first relabelled using the two disjoint sets $A$ and $B$, then interleaved (no communication is possible) and finally renamed to their original labels. We will also say that a process is divergent if it can execute an infinite sequence of internal actions. As an example consider the agent $A \stackrel{def}{=} .A + b.0$, whose first summand is prefixed by the internal action, which can execute an arbitrary number of internal actions. We define $Nondiv$ as the set of all the non-divergent processes.

We can now present the lazy security property [11]. This property implies that the obscuring of high level actions by interleaving does not introduce any non-determinism. The obscuring of high level actions of process $E$ by interleaving is obtained considering process $E \,|||\, RUN_H$ where $RUN_H \stackrel{def}{=} \sum_{h \in Act_H} h.RUN_H$. In such a process an outside observer is not able to tell if a certain high level action comes from $E$ or from $RUN_H$.

Definition 3.4 $E \in$ L-Sec $\Leftrightarrow E \,|||\, RUN_H \in Det \cap Nondiv$.

L-Sec also requires that $E \,|||\, RUN_H$ is non-divergent.³ This is equivalent to requiring that $E$ is non-divergent, because $RUN_H$ is non-divergent and the $|||$ operator does not allow synchronizations (which could generate new internal actions).

In the following we want to show that L-Sec can only analyze systems which are low-deterministic, i.e., where after any low level trace no low level action $l$ can be both accepted and refused. The low-determinism requirement is not strictly necessary to avoid information flows from high to low level. So, in some cases, L-Sec is too strong. As an example consider the following non-deterministic system without high level actions: $E \stackrel{def}{=} l.l'.0 + l.l''.0$. It is obviously secure but it is not low-deterministic and so it is not L-Sec. Formally we have that:

Definition 3.5 $E$ is low-deterministic ($E \in Lowdet$) if and only if $E \setminus Act_H \in Det$.

The following holds:

Theorem 3.6 L-Sec $\subseteq Lowdet$.

PROOF. Let $E \in$ L-Sec. Consider a trace of $E \setminus Act_H$ ending with $a$ and suppose that (the trace without $a$, $\{a\}$) $\in E \setminus Act_H$. So there exists $E'$ such that $E \setminus Act_H \Longrightarrow E' \setminus Act_H$ (by the trace without $a$) and such that $E' \setminus Act_H \not\Longrightarrow^{a}$. Since $RUN_H$ cannot execute the low level action $a$ then we have that $E' \,|||\, RUN_H \not\Longrightarrow^{a}$ and so (the trace without $a$, $\{a\}$) $\in E \,|||\, RUN_H$ because $E \,|||\, RUN_H \Longrightarrow E' \,|||\, RUN_H$. Since the trace ending with $a$ is a trace for $E \setminus Act_H$ then it is also a trace for $E \,|||\, RUN_H$ and we obtain that $E \,|||\, RUN_H$ is not deterministic, contradicting the hypothesis. So (the trace without $a$, $\{a\}$) $\notin E \setminus Act_H$ and $E \in Lowdet$. □

³ Note that in [11] the non-divergence requirement is inside the deterministic one. This is because the authors use the failure-divergence semantics [2]. In this work we use the failure equivalence which does not deal with divergences. So, in order to obtain exactly the L-Sec property, we require the non-divergence condition explicitly.

4 Bisimulation and Failure Non Deducibility on Compositions

In [4] we proposed a notion of information flow security: Bisimulation Non Deducibility on Compositions. A system $E$ is BNDC if for every high level process a low level user cannot distinguish between $E$ and the parallel composition of $E$ with that process, restricted on $Act_H$. In other words, a system $E$ is BNDC if what a low level user sees of the system is not modified by composing any high level process with $E$.

Definition 4.1 $E \in BNDC$ if and only if for every high level process $\Pi'$ in $\mathcal{E}_H$ we have $E/Act_H \approx_B (E \,|\, \Pi') \setminus Act_H$, where $\Pi'$ is just a name for the quantified process.

Figure 1. Failure based and bisimulation based properties. [Inclusion diagram relating FSNNI, BSNNI, FNDC, BNDC, SFSNNI and SBSNNI; the drawing itself is not reproduced here.]

A static characterization of BNDC – which does not involve composition with every high level process – is not immediate. As a matter of fact, this problem is still open. In [6] we proposed the SBSNNI property, which is static, compositional (i.e., if two systems are SBSNNI their composition is SBSNNI) and strictly stronger than BNDC. We first define the Bisimulation Strong Non-deterministic Non Interference (BSNNI).

Definition 4.2 $E \in BSNNI \Leftrightarrow E/Act_H \approx_B E \setminus Act_H$.

Now we can define the Strong BSNNI.

Definition 4.3 A system $E \in SBSNNI$ if and only if for all $E'$ such that $E \Longrightarrow E'$ for some trace we have $E' \in BSNNI$.

The following holds [4].

Theorem 4.4 $SBSNNI \subset BNDC \subset BSNNI$.

Now we define the failure based security properties by simply substituting $\approx_B$ with $\approx_F$ in all the bisimulation based properties previously defined.

Definition 4.5 (Failure based properties)
(i) $E \in FNDC \Leftrightarrow E/Act_H \approx_F (E \,|\, \Pi') \setminus Act_H$ for every high level process $\Pi' \in \mathcal{E}_H$ (with $\Pi'$ naming the quantified process, as in Definition 4.1);
(ii) $E \in FSNNI \Leftrightarrow E/Act_H \approx_F E \setminus Act_H$;
(iii) $E \in SFSNNI \Leftrightarrow$ for all $E'$ such that $E \Longrightarrow E'$ for some trace we have $E' \in FSNNI$.

Since bisimulation equivalence is stronger than failure equivalence, it can be proved that each of these new properties is weaker than its corresponding bisimulation based one, e.g. $BNDC \subseteq FNDC$. Moreover we prove that the results of Theorem 4.4 can be extended also to these new properties.

Theorem 4.6 $SFSNNI \subset FNDC \subset FSNNI$.

PROOF. ($SFSNNI \subset FNDC$) Let $E$ be a SFSNNI process and $\Pi'$ any high level process. We have to prove that $(E \,|\, \Pi') \setminus Act_H \approx_F E/Act_H$. We first prove that $(\,, K) \in (E \,|\, \Pi') \setminus Act_H$ implies $(\,, K) \in E/Act_H$. Consider $(\,, K) \in (E \,|\, \Pi') \setminus Act_H$; then there exist $E'$ and $\Pi''$ such that $(E \,|\, \Pi') \setminus Act_H \Longrightarrow (E' \,|\, \Pi'') \setminus Act_H \not\Longrightarrow^{K}$. Hence $E' \setminus Act_H \not\Longrightarrow^{K}$ because $traces(E' \setminus Act_H) \subseteq traces((E' \,|\, \Pi'') \setminus Act_H)$. Now, since $E \in SFSNNI$ then $E' \setminus Act_H \approx_F E'/Act_H$; hence $E'/Act_H \not\Longrightarrow^{K}$. Note that $E/Act_H \Longrightarrow E'/Act_H$ by the same trace, hence $(\,, K) \in E/Act_H$. We now prove that $(\,, K) \in E/Act_H$ implies $(\,, K) \in (E \,|\, \Pi') \setminus Act_H$. Consider $(\,, K) \in E/Act_H$. By hypothesis we have that $(\,, K) \in E \setminus Act_H$ and so there exists $E'$ such that $E \setminus Act_H \Longrightarrow E' \setminus Act_H \not\Longrightarrow^{K}$. Since $E \in SFSNNI$ then $E'/Act_H \not\Longrightarrow^{K}$. Hence we also have that $(E' \,|\, \Pi') \setminus Act_H \not\Longrightarrow^{K}$ because $traces((E' \,|\, \Pi') \setminus Act_H) \subseteq traces(E'/Act_H)$. Since we have that $E \setminus Act_H \Longrightarrow E' \setminus Act_H$ then $(E \,|\, \Pi') \setminus Act_H \Longrightarrow (E' \,|\, \Pi') \setminus Act_H$ and so $(\,, K) \in (E \,|\, \Pi') \setminus Act_H$. The inclusion is strict because agent $E \stackrel{def}{=} l.h.l.0 + l.0 + l.l.0$ is FNDC but not SFSNNI.

($FNDC \subset FSNNI$) It is sufficient to consider the high level process $0$. We have that $(E \,|\, 0) \setminus Act_H \approx_F E \setminus Act_H$ and so, since $(E \,|\, 0) \setminus Act_H \approx_F E/Act_H$, we have $E/Act_H \approx_F E \setminus Act_H$. The inclusion is strict because agent $E \stackrel{def}{=} l.h.l.h'.l.0 + l.0 + l.l.l.0$ is FSNNI but not FNDC. □

Figure 1 summarizes the inclusions between the presented security properties. It can be drawn using the previous inclusion results and the following remarks: $BNDC \not\subseteq SFSNNI$, in fact agent $l.h.l.0 + l.0 + l.l.0$ is BNDC but not SFSNNI; we also have that $BSNNI \not\subseteq FNDC$ because of agent $h.l.h'.l.0 + l.l.0$; finally $SFSNNI \not\subseteq BSNNI$ because of agent $h.l.(l'.0 + l''.0) + l.l'.0 + l.l''.0$.

The next theorem shows that under the low-determinism assumption the properties SFSNNI and FNDC collapse into the same one. We need the following Lemma.

Lemma 4.7 If $E, \tilde E \in Det$, $E \Longrightarrow E'$, $\tilde E \Longrightarrow \tilde E'$ (by the same trace) and $E \approx_F \tilde E$, then $E' \approx_F \tilde E'$.

PROOF. We prove that if $(\,, K) \in E'$ then $(\,, K) \in \tilde E'$. Let $(\,, K) \in E'$. Then the concatenated trace with $K$ is a failure of $E$ and by $E \approx_F \tilde E$ we obtain that it is a failure of $\tilde E$ as well. So there exist $\tilde E'', \tilde E'''$ such that $\tilde E \Longrightarrow \tilde E'' \Longrightarrow \tilde E''' \not\Longrightarrow^{K}$, hence $(\,, K) \in \tilde E''$. Since $\tilde E \in Det$ then by Proposition 3.2 and the hypothesis we have that $\tilde E'' \approx_F \tilde E'$ and so $(\,, K) \in \tilde E'$. We can prove in the same way that if $(\,, K) \in \tilde E'$ then $(\,, K) \in E'$. So $E' \approx_F \tilde E'$. □

Theorem 4.8 $FNDC \cap Lowdet \subseteq SFSNNI$.

PROOF. Since $FNDC \subset FSNNI$ and $E \in FNDC$, we have that $E \setminus Act_H \approx_F E/Act_H$. By $E \in Lowdet$ we obtain $E/Act_H \in Det$. Now consider $E \Longrightarrow E'$ by some trace. We have to prove that $E'/Act_H \approx_F E' \setminus Act_H$. Let $\Pi'$ be the high level process which executes exactly the complement of the high level projection of the trace, i.e. the complement of the subsequence composed by all the high level actions in it. If we execute the low level projection of the trace we have that $(E \,|\, \Pi') \setminus Act_H \Longrightarrow (E' \,|\, 0) \setminus Act_H \approx_F E' \setminus Act_H$. Since $E \Longrightarrow E'$ then $E/Act_H \Longrightarrow E'/Act_H$ by the low level projection. By hypothesis we have that $(E \,|\, \Pi') \setminus Act_H \approx_F E/Act_H$. Since $E/Act_H \in Det$ then, by Lemma 4.7, we have that $E'/Act_H \approx_F (E' \,|\, 0) \setminus Act_H \approx_F E' \setminus Act_H$. □

Corollary 4.9 $FNDC \cap Lowdet = SFSNNI \cap Lowdet$.

PROOF. Trivial by Theorems 4.8 and 4.6. □

5 Comparison

In this section we show that under the low-determinism and the non-divergence assumption the BNDC property is equal to L-Sec. We start proving this result for FNDC.

Theorem 5.1 L-Sec $\subseteq SFSNNI$.

PROOF. Let $E \in$ L-Sec. Then we have to prove that if $E \Longrightarrow E'$ (by some trace) then $E' \setminus Act_H \approx_F E'/Act_H$. We first prove that if $(\,, K) \in E'/Act_H$ then $(\,, K) \in E' \setminus Act_H$. Consider $(\,, K) \in E'/Act_H$, the trace being ${}_1 {}_2 \ldots {}_n$. Then we have that there exists $E''$ such that $E'/Act_H \Longrightarrow E''/Act_H \not\Longrightarrow^{K}$.

Now we want to prove that ${}_1 \ldots {}_n$ is a trace also for $E' \setminus Act_H$. Consider the execution $E'/Act_H \Longrightarrow E'_1/Act_H \Longrightarrow \ldots \Longrightarrow E''/Act_H$, one action per step. Suppose that the $i$-th action is the first one in the trace that $E' \setminus Act_H$ is not able to execute. In other words we have that $E' \setminus Act_H \Longrightarrow E'_1 \setminus Act_H \Longrightarrow \ldots \Longrightarrow E'_{i-1} \setminus Act_H$ and $E'_{i-1} \setminus Act_H$ cannot execute the $i$-th action. This means that in order to execute the $i$-th action, process $E'_{i-1}/Act_H$ executes some hidden high level actions $h_1 \ldots h_k$. So $E'_{i-1} \Longrightarrow E'_i$ by $h_1 \ldots h_k$ followed by the $i$-th action. If we execute such high level actions with $RUN_H$ we obtain that $E \,|||\, RUN_H \Longrightarrow E'_{i-1} \,|||\, RUN_H$ by the trace leading to $E'$, then ${}_1 \ldots {}_{i-1}$, then $h_1 \ldots h_k$. Since $E'_{i-1} \setminus Act_H$ cannot execute the $i$-th action and this action is in $Act_L$, we obtain that (that sequence, $\{$the $i$-th action$\}$) $\in E \,|||\, RUN_H$. Moreover, if we execute actions $h_1 \ldots h_k$ with $E'_{i-1}$ we have that $E \,|||\, RUN_H \Longrightarrow E'_i \,|||\, RUN_H$ by the same sequence extended with the $i$-th action, and so that extended sequence is a trace for $E \,|||\, RUN_H$. This means that $E \,|||\, RUN_H \notin Det$, hence $E \notin$ L-Sec. We obtain a contradiction, so no action of the trace can be refused by $E' \setminus Act_H$ and the trace is a trace for such process. So we have that $E' \setminus Act_H \Longrightarrow E''' \setminus Act_H$.

Now we want to prove that $(\,, K) \in E' \setminus Act_H$. Let $E' \setminus Act_H \Longrightarrow E''' \setminus Act_H$ and suppose that $E''' \setminus Act_H$ can execute a certain action $a \in K \cap Act_L$ (the actions in $K \cap Act_H$ cannot be executed by such process); then the trace leading to $E'$, followed by the trace and by $a$, is a trace for $E \,|||\, RUN_H$. Now consider the sequence obtained by adding to the trace all the high level actions executed by $E'$ in order to reach $E''$ in the transition $E'/Act_H \Longrightarrow E''/Act_H$, i.e. a sequence by which $E' \Longrightarrow E''$. Then we will have that $E' \,|||\, RUN_H \Longrightarrow E'' \,|||\, RUN_H$ by that sequence, and since $E''/Act_H \not\Longrightarrow^{K}$ then $E'' \,|||\, RUN_H \not\Longrightarrow^{a}$ and so (the trace leading to $E'$ followed by that sequence, $\{a\}$) $\in E \,|||\, RUN_H$. Now, the trace leading to $E'$ followed by the original trace and $a$ is a trace for $E \,|||\, RUN_H$, so the version with the high level actions inserted and then $a$ is a trace too, and so, again, we obtain that $E \,|||\, RUN_H \notin Det$ and $E \notin$ L-Sec. Hence $E''' \setminus Act_H \not\Longrightarrow^{a}$ for every $a \in K$ and so $(\,, K) \in E' \setminus Act_H$.

Now we prove that if $(\,, K) \in E' \setminus Act_H$ then $(\,, K) \in E'/Act_H$. Suppose $(\,, K) \in E' \setminus Act_H$. Then we have that there exists $E''$ such that $E' \setminus Act_H \Longrightarrow E'' \setminus Act_H \not\Longrightarrow^{K}$. Hence also $E'/Act_H \Longrightarrow E''/Act_H$. Suppose that $E''/Act_H$ can execute a certain $a \in K \cap Act_L$; then consider the sequence obtained by adding to the trace all the high level actions executed by $E'$ before $a$ in the transition $E'/Act_H \Longrightarrow E''/Act_H \Longrightarrow^{a} E'''/Act_H$, i.e., such that that sequence followed by $a$ is a trace for $E'$. We have that the trace leading to $E'$, followed by that sequence and by $a$, is a trace for $E \,|||\, RUN_H$. Now, (the trace, $\{a\}$) $\in E' \setminus Act_H$ with $a \in Act_L$ and so (the trace, $\{a\}$) $\in E' \,|||\, RUN_H$, which implies that (the sequence with the high level actions inserted, $\{a\}$) $\in E' \,|||\, RUN_H$ and finally (the trace leading to $E'$ followed by that sequence, $\{a\}$) $\in E \,|||\, RUN_H$. This contradicts the fact that $E \in$ L-Sec, and so $E''/Act_H \not\Longrightarrow^{a}$ for every $a \in K$. Hence $(\,, K) \in E'/Act_H$. □

Theorem 5.2 $SFSNNI \cap Lowdet \cap Nondiv \subseteq$ L-Sec.

PROOF. Let $E \in SFSNNI \cap Lowdet \cap Nondiv$ and let a trace followed by $a$ be a trace for process $E \,|||\, RUN_H$. We want to prove that (the trace, $\{a\}$) $\notin E \,|||\, RUN_H$. It trivially holds if $a \in Act_H$ because in such a case it can always be executed by $RUN_H$. So let $a \in Act_L$. Suppose $E \,|||\, RUN_H \Longrightarrow E' \,|||\, RUN_H \not\Longrightarrow^{a}$ and consider the sequence obtained removing all the high level actions from the trace. Then $E/Act_H \Longrightarrow E'/Act_H$ by that sequence, and by hypothesis $E'/Act_H \approx_F E' \setminus Act_H$. Since $E' \,|||\, RUN_H \not\Longrightarrow^{a}$ then $E' \setminus Act_H \not\Longrightarrow^{a}$ and so $E'/Act_H \not\Longrightarrow^{a}$ and (the sequence, $\{a\}$) $\in E/Act_H$. Since $E \in SFSNNI$ we obtain that (the sequence, $\{a\}$) $\in E \setminus Act_H$. Now the trace followed by $a$ is a trace for $E \,|||\, RUN_H$ and so the sequence followed by $a$ must be a trace for $E/Act_H$; this means that it is also a trace for $E \setminus Act_H$. Since $E \in Lowdet$ then $E \setminus Act_H$ is deterministic. However we found that the sequence followed by $a$ is a trace for $E \setminus Act_H$ and (the sequence, $\{a\}$) $\in E \setminus Act_H$, obtaining a contradiction. So $E' \,|||\, RUN_H$ cannot refuse $a$ and (the trace, $\{a\}$) $\notin E \,|||\, RUN_H$. Hence $E \,|||\, RUN_H \in Det$ and since $E \in Nondiv$ we also have that $E \,|||\, RUN_H \in Nondiv$. □

Corollary 5.3 $SFSNNI \cap Lowdet \cap Nondiv =$ L-Sec.

PROOF. By Theorems 3.6 and 5.1 and by Definition 3.4 we find that L-Sec $\subseteq SFSNNI \cap Lowdet \cap Nondiv$. Finally by Theorem 5.2 we obtain the thesis. □

Note that by Corollary 4.9 we also have that $FNDC \cap Lowdet \cap Nondiv =$ L-Sec. Now we show that this result also holds for SBSNNI and BNDC. We first prove that for deterministic processes $\approx_F$ becomes equal to $\approx_B$.

Proposition 5.4 $E \in Det$, $E \approx_F F \Longrightarrow E \approx_B F$.

PROOF. If $E \in Det$ and $E \approx_F F$ we also have that $F \in Det$. Now it is sufficient to consider the relation $R \subseteq \mathcal{E} \times \mathcal{E}$ defined as follows: $(E', E'') \in R$ if and only if there is a trace by which $E \Longrightarrow E'$ and $E \Longrightarrow E''$. It is easy to show that $R$ is a weak bisimulation. □

Finally, the following holds.

Theorem 5.5 $BNDC \cap Lowdet \cap Nondiv = SBSNNI \cap Lowdet \cap Nondiv =$ L-Sec.

PROOF. ($SBSNNI \cap Lowdet \cap Nondiv =$ L-Sec) We have that $SBSNNI \cap Lowdet \cap Nondiv \subseteq SFSNNI \cap Lowdet \cap Nondiv$ because $SBSNNI \subseteq SFSNNI$. So by Theorem 5.2 $SBSNNI \cap Lowdet \cap Nondiv \subseteq$ L-Sec. Now we prove that L-Sec $\subseteq SBSNNI \cap Lowdet \cap Nondiv$. If $E \in$ L-Sec then by Corollary 5.3 we have that $E \in SFSNNI \cap Lowdet \cap Nondiv$. So for all $E'$ such that $E \Longrightarrow E'$ by some trace we have $E' \setminus Act_H \approx_F E'/Act_H$ with $E' \setminus Act_H \in Det$. In particular we also have that $E \setminus Act_H \approx_F E/Act_H$ and since $E \setminus Act_H \in Det$, we obtain that $E/Act_H \in Det$. Note that $E/Act_H \Longrightarrow E'/Act_H$ by the sequence obtained removing all the high level actions from the trace. Hence, by Corollary 3.3, $E'/Act_H \in Det$. Finally, by Proposition 5.4 we obtain that $E' \setminus Act_H \approx_B E'/Act_H$.

($BNDC \cap Lowdet \cap Nondiv = SBSNNI \cap Lowdet \cap Nondiv$) Trivial by $SBSNNI \subseteq BNDC \subseteq FNDC$ and since $SBSNNI \cap Lowdet \cap Nondiv =$ L-Sec $= FNDC \cap Lowdet \cap Nondiv$. □

Figure 2. Relations between properties. [Diagram relating FNDC, BNDC, SFSNNI, SBSNNI, L-Sec, Nondiv and Lowdet; the drawing itself is not reproduced here.]

Figure 2 summarizes the relations between the various properties and conditions. Consider the following agent: $E \stackrel{def}{=} l.l'.0 + l.l''.0 + h.(l.l'.0 + l.l''.0)$. It is SBSNNI but not L-Sec because it is not Lowdet. In [10] systems like this are considered not secure because they have a refinement which is not secure. As an example, for $E$ we have the refinement $E' \stackrel{def}{=} l.l'.0 + h.l.l''.0$ which is clearly not secure.

6 Conclusion

We have shown that BNDC and SBSNNI are equal to L-Sec when dealing with low-deterministic and non-divergent processes. In [6, 5] we introduced the Security Checker (SC), a tool based on the Concurrency Workbench [3], which is able to automatically check the SBSNNI property over finite state agents. This implies that for low-deterministic, non-divergent and finite-state processes it is possible to use the SC in order to verify the L-Sec property. Moreover, SC offers an automatic compositional checking (see [5] for more details) which reduces the exponential state explosion due to the parallel composition operator by exploiting the compositionality of security properties. A security property is compositional if it is closed with respect to the $|$ and $\setminus$ operators. The basic idea of the compositional verification is the following: if we have to check whether agent $(E \,|\, F) \setminus L$ is secure we simply check the security of $E$ and $F$. If it is satisfied then we conclude that $(E \,|\, F) \setminus L$ is secure, otherwise we check the security of the whole agent. Note that this strategy can be used to check SBSNNI, since in [6] it has been proved that SBSNNI is compositional. In [11] it is shown how to use the FDR tool [9] to check the L-Sec property. Note that it would be interesting to compare the performance of FDR and SC for the verification of such a property.

We also want to point out that $SBSNNI \cap Lowdet$ can extend in a fair manner the L-Sec property to divergent processes. L-Sec assumes that processes cannot diverge. The semantics used by the authors to define L-Sec is the failure-divergence one [2]. Failure-divergence semantics gives a catastrophic interpretation of divergences, since in the presence of divergences a process may show any behaviour. For example, consider agents $A$ and $C$ defined as follows: $A \stackrel{def}{=} a.B$ with $B \stackrel{def}{=} .B + b.0$ and $C \stackrel{def}{=} a.D$ with $D \stackrel{def}{=} .D + d.0$, where the first summand of $B$ and of $D$ is prefixed by the internal action. They are failure-divergence equivalent, but they are not trace equivalent; in fact $A$ can only execute $a$ and $ab$ while $C$ can only execute $a$ and $ad$. Technically, this is obtained by inserting a completely non deterministic behaviour every time we have a divergence. On the other hand, weak bisimulation gives a fair interpretation of divergences. As an example the agents $A$ and $C$ are not weak bisimulation equivalent. Moreover consider agent $A' \stackrel{def}{=} a.b.0$. We have that $A$ and $A'$ are weak bisimulation equivalent but they are not failure-divergence equivalent because of the divergence in agent $A$. The basic idea is that the internal loop in $B$ is executed an arbitrary but finite number of times. So in $A$ action $b$ will eventually be enabled, and this makes $A$ equivalent to $A'$ and not equivalent to $C$. This is useful, for example, if we want to model a fair communication medium, where an internal loop represents the unbounded but finite losses of messages. So the property $SBSNNI \cap Lowdet$ can be seen as an extension of L-Sec which gives a fair interpretation of divergences.
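As an added example (not the paper's own code), the following Python script mechanizes the failure-based definitions compared above for finite SPA terms built from 0, prefix and sum, and runs them over the paper's own example agents. It assumes $Act_H = \{h, h'\}$, a tuple encoding of terms of its own, and tree-shaped agents without constants (so Nondiv holds trivially); the last agent, E5, is constructed here as a positive L-Sec instance.

```python
"""Failure-semantics checks for SPA terms built from 0, prefix and sum (no constants, so a
term is a finite tree and Nondiv holds trivially): Det (Def. 3.1), L-Sec (3.4), Lowdet
(3.5), FSNNI and SFSNNI (4.5), all via failures (Def. 2.2). Added example, not the paper's."""
TAU, NIL = "tau", ()                  # internal action; the empty process 0
HIGH = {"h", "h'"}                    # Act_H (assumed); every other action is low

def pre(*acts, tail=NIL):             # pre("l", "h") is the term l.h.0
    for a in reversed(acts):
        tail = (".", a, tail)
    return tail
def plus(*terms):                     # n-ary sum, nested to the right
    return terms[0] if len(terms) == 1 else ("+", terms[0], plus(*terms[1:]))

def sort_of(term):                    # L(E): the actions occurring in the term
    if term == NIL:
        return set()
    return {term[1]} | sort_of(term[2]) if term[0] == "." else sort_of(term[1]) | sort_of(term[2])
def raw_steps(term):                  # strong transitions of the bare term
    if term == NIL:
        return set()
    return {(term[1], term[2])} if term[0] == "." else raw_steps(term[1]) | raw_steps(term[2])

def steps(term, mode=None):
    """Transitions under the operator named by mode: None -> E, "hide" -> E/Act_H,
    "restrict" -> E \\ Act_H, "run" -> E ||| RUN_H (RUN_H offers every h forever)."""
    out = set()
    for a, t in raw_steps(term):
        if a in HIGH and mode == "restrict":
            continue
        out.add((TAU if a in HIGH and mode == "hide" else a, t))
    if mode == "run":
        out |= {(h, term) for h in HIGH}
    return out

def closure(states, succ):            # all states reachable from `states` via succ
    seen, stack = set(states), list(states)
    while stack:
        for t in succ(stack.pop()):
            if t not in seen:
                seen.add(t)
                stack.append(t)
    return seen
def tau_closure(states, mode):        # states reachable by zero or more tau steps
    return closure(states, lambda s: {t for a, t in steps(s, mode) if a == TAU})
def weak(states, a, mode):            # states reachable by (tau)* a (tau)*
    return tau_closure({t for s in tau_closure(states, mode) for b, t in steps(s, mode) if b == a}, mode)

def automaton(term, mode, L):
    """Subset construction over weak transitions: a node is the set of states E' reached by
    one trace, with the refusal set L minus weak initials of each E' (so (trace, X) is a
    failure iff X lies inside one of them, Def. 2.2) and the successor node per action."""
    start = frozenset(tau_closure({term}, mode))
    auto, todo = {}, [start]
    while todo:
        node = todo.pop()
        if node not in auto:
            refs = {frozenset(a for a in L if not weak({s}, a, mode)) for s in node}
            succ = {a: frozenset(weak(node, a, mode)) for a in L if weak(node, a, mode)}
            auto[node] = (refs, succ)
            todo.extend(succ.values())
    return start, auto

def deterministic(term, mode, L):     # Def. 3.1: no action is both offered and refused after a trace
    return all(a not in r for refs, succ in automaton(term, mode, L)[1].values() for a in succ for r in refs)

def failure_equiv(term1, mode1, term2, mode2, L):
    """E =_F F: walk both automata in step; the same actions must be offered at every pair
    of nodes and the refusal families must cover each other (failures are downward closed)."""
    cover = lambda xs, ys: all(any(x <= y for y in ys) for x in xs)
    (n0, a1), (m0, a2) = automaton(term1, mode1, L), automaton(term2, mode2, L)
    seen, todo = set(), [(n0, m0)]
    while todo:
        n, m = todo.pop()
        if (n, m) in seen:
            continue
        seen.add((n, m))
        (rn, sn), (rm, sm) = a1[n], a2[m]
        if sn.keys() != sm.keys() or not (cover(rn, rm) and cover(rm, rn)):
            return False
        todo.extend((sn[a], sm[a]) for a in sn)
    return True

def lowdet(term):                     # Def. 3.5: E \ Act_H is deterministic
    return deterministic(term, "restrict", sort_of(term))
def lsec(term):                       # Def. 3.4: E ||| RUN_H deterministic (Nondiv is trivial here)
    return deterministic(term, "run", sort_of(term) | HIGH)
def fsnni(term, L=None):              # Def. 4.5(ii): E/Act_H =_F E \ Act_H
    return failure_equiv(term, "hide", term, "restrict", sort_of(term) if L is None else L)
def sfsnni(term):                     # Def. 4.5(iii): every reachable E' is FSNNI
    L = sort_of(term)
    return all(fsnni(t, L) for t in closure({term}, lambda s: {t for _, t in raw_steps(s)}))

# Agents quoted from the paper (Sections 3, 4, 5) plus one L-Sec agent constructed here.
E1 = plus(pre("l", "l'"), pre("l", "l''"))               # secure but not Lowdet (Section 3)
E2 = plus(pre("l", "h", "l"), pre("l"), pre("l", "l"))    # FNDC but not SFSNNI (Theorem 4.6)
E4 = plus(E1, pre("h", tail=E1))                          # SBSNNI but not Lowdet (Section 5)
E4r = plus(pre("l", "l'"), pre("h", "l", "l''"))          # its refinement, not secure
E5 = plus(pre("l", "l"), pre("h", "l", "l"))              # constructed here: L-Sec
```

Running `lowdet`, `fsnni`, `sfsnni` and `lsec` on E1, E2, E4 and E4r reproduces the classifications the paper states for them, and on E5 all three of SFSNNI, Lowdet and L-Sec hold, as Corollary 5.3 requires.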

Acknowledgements

We would like to thank the anonymous referees for helpful comments and suggestions.

References

[1] S. D. Brookes, C. A. R. Hoare, and A. W. Roscoe. "A Theory of Communicating Sequential Processes". Journal of the Association for Computing Machinery, 31(3):560–599, July 1984.
[2] S. D. Brookes and A. W. Roscoe. "An Improved Failures Model for Communicating Processes". In Proceedings of the Pittsburgh Seminar on Concurrency, pages 281–305. Springer-Verlag, LNCS 197, 1985.
[3] R. Cleaveland, J. Parrow, and B. Steffen. "The Concurrency Workbench: a Semantics Based Tool for the Verification of Concurrent Systems". ACM Transactions on Programming Languages and Systems, 15(1):36–72, Jan. 1993.
[4] R. Focardi and R. Gorrieri. "A Classification of Security Properties for Process Algebras". Journal of Computer Security, 3(1):5–33, 1994/1995.
[5] R. Focardi and R. Gorrieri. "Automatic Compositional Verification of Some Security Properties". In Proceedings of the Second International Workshop on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'96), pages 167–186, Passau (Germany), March 1996. Springer-Verlag, LNCS 1055.
[6] R. Focardi, R. Gorrieri, and V. Panini. "The Security Checker: a Semantics-based Tool for the Verification of Security Properties". In Proceedings of the Eighth IEEE Computer Security Foundations Workshop (CSFW'95) (Li Gong, Ed.), pages 60–69, Kenmare (Ireland), June 1995. IEEE Press.
[7] C. A. R. Hoare. Communicating Sequential Processes. Prentice-Hall, 1985.
[8] R. Milner. Communication and Concurrency. Prentice-Hall, 1989.
[9] A. W. Roscoe. "Model Checking CSP". In A. W. Roscoe (Ed.), A Classical Mind. Prentice Hall, 1994.
[10] A. W. Roscoe. "CSP and Determinism in Security Modelling". In Proceedings of the 1995 IEEE Symposium on Security and Privacy, pages 114–127. IEEE Computer Society Press, 1995.
[11] A. W. Roscoe, J. C. P. Woodcock, and L. Wulf. "Non-interference through Determinism". In Proceedings of the European Symposium on Research in Computer Security 1994 (ESORICS'94), pages 33–53. Springer-Verlag, LNCS 875, 1994.