Abstract

We propose a framework for reasoning about program security building on language-theoretic and coalgebraic concepts. The behaviour of a system is viewed as a mapping from traces of high (unobservable) events to low (observable) events: the less the degree of dependency of low events on high traces, the more secure the system. We take the abstract view that low events are drawn from a generic semiring, where they can be combined using product and sum operations; throughout the paper, we provide instances of this framework, obtained by concrete instantiations of the underlying semiring. We specify systems via a simple process calculus, whose semantics is given as the unique homomorphism from the calculus into the set of behaviours, i.e. formal power series, seen as a final coalgebra. We provide a compositional semantics for the calculus in terms of rational operators on formal power series and show that the final and the compositional semantics coincide. This compositional, syntax-driven framework lays a foundation for automation and abstraction of a quantified approach to flow security of system specifications.

Highlights

  • Security analysis of programs has traditionally been centered on a notion of noninterference [15]

  • We provide a simple process calculus to specify systems, equipped with an operational semantics given in terms of Moore automata

  • We provide a compositional semantics of the calculus in terms of rational operators on formal power series, defined via behavioural differential equations [22]


Summary

Introduction

Security analysis of programs has traditionally been centered on a notion of noninterference [15]. An attacker can perform observations upon the system only at prescribed times, e.g. only upon termination. He can have the system re-execute as many times as he wishes: through these repeated executions, we assume the policy of the secret scheduler (high behaviour) remains fixed, while all the possibilities arising from the nondeterministic or probabilistic low behaviour of the system are observed. If L(P) is a constant, the observed low event does not depend on the secret sequence of high events: the system is perfectly secure (see [25] for a similar notion of security, formulated in a synchronous setting, Nondeducibility on Strategies). If this is not the case, the designer might at least be interested in learning how many equivalence classes the domain of L(P) is partitioned into (that is, the number of pre-images (L(P))−1(o), for o ranging over the observations): the fewer, the better.
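As an added illustration of the L(P) view described above (example code, not from the paper; the two automata, the high event alphabet and the distributions are constructed), the following models a system as a Moore automaton over the probabilistic semiring instance and counts the pre-image classes of L(P) over bounded high traces:

```python
from fractions import Fraction
from itertools import product

# Constructed toy systems (not from the paper): Moore automata whose inputs are
# high (unobservable) events and whose state outputs are the low (observable)
# behaviour, an element of a semiring. We use the probabilistic instance: the
# output is a distribution over low events, kept hashable as a frozenset.
HIGH = ("h0", "h1")  # high event alphabet (constructed)

def dist(**probs):
    """Low observation: a probability distribution over low events."""
    d = frozenset((event, Fraction(p)) for event, p in probs.items())
    assert sum(p for _, p in d) == 1, "probabilities must sum to 1"
    return d

def behaviour(delta, output, start, max_len):
    """L(P): every high trace of length <= max_len is mapped to the low
    observation of the state that trace drives the automaton into."""
    l_p = {}
    for length in range(max_len + 1):
        for trace in product(HIGH, repeat=length):
            state = start
            for h in trace:
                state = delta[state][h]
            l_p[trace] = output[state]
    return l_p

def pre_image_partition(l_p):
    """Group high traces by observation, i.e. the pre-images L(P)^-1(o).
    One class: L(P) is constant, noninterference. k classes: the attacker can
    distinguish k sets of high traces; the fewer, the better."""
    classes = {}
    for trace, obs in l_p.items():
        classes.setdefault(obs, set()).add(trace)
    return classes

# System A: one state, so the low distribution ignores the high trace.
A_DELTA = {"s": {"h0": "s", "h1": "s"}}
A_OUT = {"s": dist(l0="1/2", l1="1/2")}

# System B: the most recent high event biases the low distribution, so traces
# ending in h1 are told apart from all others -> two classes.
B_DELTA = {"s0": {"h0": "s0", "h1": "s1"}, "s1": {"h0": "s0", "h1": "s1"}}
B_OUT = {"s0": dist(l0="1/2", l1="1/2"), "s1": dist(l0="1/4", l1="3/4")}

if __name__ == "__main__":
    for name, d, o, s in (("A", A_DELTA, A_OUT, "s"), ("B", B_DELTA, B_OUT, "s0")):
        k = len(pre_image_partition(behaviour(d, o, s, 3)))
        print(f"system {name}: {k} equivalence class(es) of high traces")
```

Swapping `dist` for a boolean or set-valued output gives the possibilistic instances of the same semiring-parametric view; the partition count is computed identically.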

Semirings and formal power series
A process calculus
Abstract semantics
A compositional construction
Examples
Imperative computations
Parallelism
Concluding Remarks