Abstract

We study the enforcement of opacity, an information-flow security property, using insertion functions that insert fictitious events at the output of the system. The intruder is characterized as a passive external observer whose malicious goal is to infer system secrets from observed traces of system events. We consider the problems of enforcing opacity under the assumption that the intruder either knows or does not know the structure of the insertion function; we term this requirement public–private enforceability. The case of private enforceability alone, where the intruder does not know the form of the insertion function, is solved in our prior work. In this paper, we address the stronger requirement of public–private enforceability, which requires that opacity be preserved even if the intruder knows or discovers the structure of the insertion function. We formulate the concept of public–private enforceability by defining the notion of public safety. This leads to the notion of public–private enforcing (PP-enforcing) insertion functions. We then identify a necessary and sufficient condition for an insertion function to be PP-enforcing. We further show that if opacity is privately enforceable by the insertion mechanism, then it is also public–private enforceable. Using these results, we present a new algorithm to synthesize PP-enforcing insertion functions by a greedy-maximal strategy. This algorithm is the first of its kind to guarantee opacity when insertion functions are made public or discovered by the intruder.
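The following is an added illustration, not code from the paper: a toy current-state-opacity checker that contrasts the private and public views of an insertion function on a small hypothetical plant. The plant G, its secret state, the unobservable event u, and the two insertion functions F_GOOD and F_BAD are all constructed here; an insertion function is modelled as a map from observations to output strings, with unlisted observations passing through unchanged.

```python
# Hypothetical plant G: a, b, c observable, u unobservable; state 3 is secret.
TRANS = {(0, "a"): 1, (1, "b"): 3, (0, "b"): 2, (2, "a"): 4, (4, "b"): 5, (4, "u"): 10,
         (10, "b"): 11, (0, "c"): 6, (6, "b"): 7, (7, "a"): 8, (8, "b"): 9}
SECRET, UNOBS = {3}, {"u"}

def run(s, q=0):  # state reached from 0 on string s (G is deterministic)
    for e in s:
        q = TRANS[(q, e)]
    return q

def language():  # all of L(G); G is acyclic, so this terminates
    strings, frontier = [""], [""]
    while frontier:
        s = frontier.pop()
        for (q, e) in TRANS:
            if q == run(s):
                strings.append(s + e)
                frontier.append(s + e)
    return strings

def project(s):  # the intruder's view of s: unobservable events erased
    return "".join(e for e in s if e not in UNOBS)
def observations():
    return {project(s) for s in language()}
def estimate(o):  # state estimate of an intruder who takes o as genuine
    return {run(s) for s in language() if project(s) == o}

def private_enforcing(f):
    """Intruder does not know f: each output must be a genuine, not all-secret observation,
    and f must act like an insertion function, i.e. f(o+e) extends f(o) and ends with e."""
    obs = observations()
    for o in obs:
        out = f.get(o, o)
        if out not in obs or estimate(out) <= SECRET:
            return False
        if o and not (out.startswith(f.get(o[:-1], o[:-1])) and out.endswith(o[-1])):
            return False
    return True

def public_safe(f):
    """Intruder knows f: it pools the estimates of every observation mapped to out."""
    for out in {f.get(o, o) for o in observations()}:
        pooled = set().union(*(estimate(o) for o in observations() if f.get(o, o) == out))
        if pooled <= SECRET:
            return False
    return True

# G alone leaks: "ab" reveals state 3. F_GOOD inserts b before a leading a; F_BAD also
# rewrites the b-branch, so the output "bab" can only have come from the secret run "ab".
F_GOOD = {"a": "ba", "ab": "bab"}
F_BAD = {"a": "ba", "ab": "bab", "b": "cb", "ba": "cba", "bab": "cbab"}
```

F_BAD privately enforces opacity yet fails public safety, which is exactly the gap between private and public–private enforceability that the abstract describes; `private_enforcing({})` checks opacity of the unmodified plant.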
