Qualitative and Quantitative Methods for Detection of Hidden ... - TEL

Qualitative and Quantitative Methods for Detection of Hidden Information Méthodes qualitatives et quantitatives pour la détection d’information cachée Mathieu Sassolas LIP6, Universit´ e Pierre et Marie Curie Soutenance de th` ese – 28 novembre 2011 Composition Catuscia Palamidessi Jean-Fran¸cois Raskin Philippe Darondeau Serge Haddad Fabrice Kordon B´ eatrice B´ erard

du jury Rapporteur Rapporteur Examinateur Examinateur Examinateur Directrice de th` ese http://upload.wikimedia.org/wikipedia/commons/a/ab/IDF_fla...

i

Safety of systems Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

,→

Objective: ensuring that systems behave as planned.

I For example, that a bug (error state) never occurs.

Introduction Channel synthesis for transducers Quantitative opacity

⇒

ITA Conclusion & perspectives

I This is usually guaranteed by verification of models of the system. I It can guarantee e.g. that the information handled by the system is consistent.

2 / 47

There is no guarantee that this information remains confidential.

Increasing needs for computer security Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers Quantitative opacity ITA Conclusion & perspectives

I The Internet is now everywhere (mobile devices. . . ) and is used for everything: • • • • • •

your public web page, your private e-mails, the confidential e-mails of your company, your private photos, your very private virtual medical record, your very private banking operations.

I The private and confidential use of the Internet should be secure. How can this security be ensured ? 3 / 47

How can security be ensured ? Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I By educating users: • Do not keep your password on a post-it by your computer. • Do not give your credit card number to everyone (phishing. . . ).

I By using “good” code: • Do not keep the password in clear text form. • Use cryptographic protocols.

I By implementing security policies [Bell and LaPadula, 1973]: users cannot read information at higher security level and cannot write at lower security levels. Is this enough ? 4 / 47

Beyond security policies Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I An attacker can use other kind of information to bypass security: • Electro-magnetic interferences: Soft tempest attacks [Khun and Anderson, 1998]. • Differences in response time: cryptographic keys can be obtained this way [Bernstein, 1994; Kocher, 1996]. • Some program inside the system (Trojan horse) may itself send the information. • Many other ways of getting information outside intended communication channels exist.

I These attacks can be seen as covert channels. How to detect and quantify this information leakage ? 5 / 47

The setting: active and passive attacks Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction

I Do strategies exist for the Sender and the Receiver to transmit a message ? Attacker

Channel synthesis for transducers Quantitative opacity

System

Sender

Receiver


I What can the Observer deduce from (passive) observation of the system ? Attacker System

6 / 47

Observer

Contributions of this thesis Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


7 / 47

In the case of active attacks, we model the system, the sender, and the receiver by transducers and investigate the synthesis problem. 1

Joint work with Gilles Benattar, Béatrice Bérard, Didier Lime, John Mullins and Olivier H. Roux.





In the case of passive attacks, we define a quantitative notion of opacity for probabilistic systems. 2

Joint work with Béatrice Bérard and John Mullins.

7 / 47





In the case of passive attacks, we define a quantitative notion of opacity for probabilistic systems. 2

Joint work with Béatrice Bérard and John Mullins.

We investigate the model of Interrupt Timed Automata (ITA) with syntactic separation (“no read-up and no write-down”) of information on time elapsing. 3

7 / 47

Joint work with Béatrice Bérard and Serge Haddad.

Outline Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

1

Introduction Channel synthesis for transducers The model Decision problems

Channel synthesis for transducers The model Decision problems A necessary condition for synthesis The synthesis problem The general case The case of functional transducers

A necessary condition for synthesis The synthesis problem

Conclusion on channels synthesis with transducers

General case Functional case Intermediate conclusion

Quantitative opacity

2


3

Interrupt Timed Automata


8 / 47

Channel synthesis Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers

I Pipeline architecture with asynchronous transmission. I Simple external specification on finite binary messages : output message = input message (perfect data transmission).

The model Decision problems A necessary condition for synthesis The synthesis problem

Attacker


Quantitative opacity ITA Conclusion & perspectives

9 / 47

Input message

Sender

System

Receiver

Output message

Channel synthesis Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I Pipeline architecture with asynchronous transmission. I Simple external specification on finite binary messages : output message = input message (perfect data transmission). I All processes are finite transducers


Attacker



9 / 47

{0, 1}∗

Sender E ⊆ {0, 1}∗ × H ∗

H∗

{0, 1}∗ System L∗ Receiver D ⊆ L∗ × {0, 1}∗ M ⊆ H ∗ ×L∗

A small example of channel Ph.D. defense Mathieu Sassolas LIP6 – UPMC

OpenServer|OpenClient

28/11/2011

Introduction

LongData|ε

ShortData|ε

Channel synthesis for transducers The model

ε|Data1st

ε|Data

Decision problems A necessary condition for synthesis The synthesis problem General case Functional case Intermediate conclusion


10 / 47

Packet transmission system

ε|Data CloseServer|CloseClient

A small example of channel Ph.D. defense Mathieu Sassolas LIP6 – UPMC

OpenServer|OpenClient

28/11/2011

LongData|ε

Introduction

ShortData|ε

Channel synthesis for transducers The model

ε|Data1st

ε|Data

Decision problems A necessary condition for synthesis The synthesis problem

ε|Data CloseServer|CloseClient

Packet transmission system

General case Functional case

0|LongData

Intermediate conclusion


10 / 47

Data1st|ε ε|CloseServer

ε|OpenServer

Data|0

OpenClient|ε

CloseClient|ε

1|ShortData Data|1

Encoder

Decoder

Channels with transducers Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I A transducer is a finite automaton with set of labels Lab ⊆ A∗ × B ∗ ; it implements a rational relation. I The identity relation on A∗ is Id(A∗ ) = {(w , w ) | w ∈ A∗ }. I Rational relations can be composed: M · M0 .

The model Decision problems A necessary condition for synthesis The synthesis problem General case Functional case Intermediate conclusion


11 / 47

Definition A channel for a transducer M is a pair (E, D) of transducers such that E · M · D = Id({0, 1}∗ ). The definition can be relaxed to take into account bounded delays or errors: existence of such a channel implies existence of a perfect channel.

Decision problems and results Ph.D. defense Mathieu Sassolas

Decision problems

LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers The model

I Verification: Given transducers M, E, D, is (E, D) a channel for M ? I Synthesis: Given a transducer M, does there exist a channel (E, D) for M ?

Decision problems A necessary condition for synthesis The synthesis problem General case Functional case Intermediate conclusion


12 / 47

Results [FCS’09, AFL’11] I The channel verification problem is decidable in polynomial time. I The channel synthesis problem is undecidable. I If M is a functional transducer, the synthesis problem is decidable in polynomial time. Moreover, if a channel exists, it can be computed.

Verification problem Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Theorem The channel verification problem is decidable.

Introduction Channel synthesis for transducers The model Decision problems A necessary condition for synthesis The synthesis problem

Proof. Decision for the verification problem: given E, M and D 1. Decide whether E · M · D is functional [Sch¨ utzenberger, 1975; Béal, Carton, Prieur and Sakarovitch, 2000].



13 / 47

2. If not, it cannot be Id({0, 1}∗ ) which is a functional relation. 3. Otherwise decide whether E · M · D = Id({0, 1}∗ ), which can be done since both relations are functional.

A necessary condition for the existence of a channel Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


Definition An encoding state in a transducer is a (useful) state r such that: u1 |v1

u0 |v0

I there exist cycling paths: r ===⇒ r and r ===⇒ r , I the labels form codes: words in {u0 , u1 }∗ (resp. {v0 , v1 }∗ ) have a unique decomposition.


u1 |v1


s0


14 / 47

r

u 0 |v 0 f

u0 |v0


u|v

Theorem If a transducer admits a channel, then it has an encoding state.

An encoding state is not enough Ph.D. defense Mathieu Sassolas

s1 introduces errors. There is no channel.

LIP6 – UPMC 28/11/2011

Introduction

s0

Channel synthesis for transducers

u|v

u|v

The model Decision problems A necessary condition for synthesis The synthesis problem General case

s1 ε|v0

s2 ε|v1

ε|v0

Functional case Intermediate conclusion


15 / 47

u0 |ε s3

ε|v1 ε|v0

u1 |ε s4

ε|v1 u0 |ε u1 |ε

s5

s6

Undecidability of the synthesis problem Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Theorem The channel synthesis problem is undecidable.


The proof consists in encoding Post Correspondence Problem.



16 / 47

Given alphabet Σ = {1, . . . n}, an instance I = (x, y ) of PCP is a pair of morphisms Σ → A∗ Σ → A∗ x : and y : i 7→ yi i 7→ xi A solution is a non empty word σ ∈ Σ+ such that x(σ) = y (σ): x · · · xik σ = i1 · · · ik such that = i1 yi1 · · · yik

Undecidability (continued) Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

From I, we build a transducer MI reading on {>, ⊥} ] Σ and writing on {>, ⊥} ] A such that: MI has a channel iff I has a solution


Definition of MI MI (bσ) = A+ b ∪ (A+ \ {x(σ)})b ∪ (A+ \ {y (σ)})b MI is extended on ({>, ⊥}Σ∗ )∗ .


bσ


MI

(A+ b) w ∈ ∪ (A+ \ {x(σ)})b ∪ (A+ \ {y (σ)})b


17 / 47

Proposition The relation MI can be realized by a transducer.

Undecidability (finished) Ph.D. defense Mathieu Sassolas

MI (bσ) = (A+ b) ∪ (A+ \ {x(σ)})b ∪ (A+ \ {y (σ)})b

LIP6 – UPMC 28/11/2011


I If I has no solution, then for all σ 6= ε, x(σ) 6= y (σ) and MI (bσ) = A+ · {>, ⊥} so there is no channel. I If x(σ0 ) = y (σ0 ) = w for some σ0 , then MI (bσ0 ) = A+ · b ∪ A+ \ {w } · b



and bit b can be transmitted by detecting that w · b is missing.

Conclusion & perspectives

18 / 47

w |ε

0|⊥, 1|>

ITA

E:

D: ε|σ0

⊥|0, >|1

The case of functional transducers Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers The model Decision problems A necessary condition for synthesis The synthesis problem General case

A transducer M is functional if for every input word there is at most one output word: ∀u ∈ H ∗ , |M(u)| ≤ 1.

,→ The relation implemented by M is a function. Proposition If a functional transducer M has an encoding state, then there exists a channel for M.

Functional case Intermediate conclusion


Theorem The synthesis problem is decidable for functional transducers.


19 / 47

The decision procedure consists in finding an encoding state.

Conclusion on channels with transducers Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I The case of synthesis under study is very simple: • a simple model: transducers; • a simple specification: input = output.

But the problem is already undecidable !



20 / 47

I An even simpler case, namely functional transducers, is decidable, with polynomial complexity. I It can nonetheless be used to detect covert communication in systems with limited nondeterminism. I This study is only qualitative: quantitative information such as probabilities makes the problem much more difficult [Blondel and Canterini, 2003; Mohri, 2009].


Introduction

1



2

Quantitative opacity Context: Boolean Opacity Goal: Quantifying Opacity Conclusion on opacity

3

Interrupt Timed Automata

Quantitative opacity Boolean Opacity Quantifying Opacity Conclusion on opacity


21 / 47

The concept of opacity Ph.D. defense Mathieu Sassolas

Attacker

LIP6 – UPMC 28/11/2011


ϕ

System ρ ∈ Run(A)

O(ρ)

ϕ Observer

Quantitative opacity Boolean Opacity

Restricted space

Public space

Quantifying Opacity Conclusion on opacity


“Can the observer deduce the truth value of ϕ only through the partial observation O of the system’s behavior ?”

[Mazaré, 2004; Bryans, Koutny, Mazaré and Ryan, 2008] 22 / 47

Boolean opacity – Illustration Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers Quantitative opacity Boolean Opacity Quantifying Opacity Conclusion on opacity


(a) ϕ is (symmetrically) opaque on S w.r.t. O

ϕ 23 / 47

(b) ϕ is opaque but (c) ϕ is not (symmetnot symmetrically rically) opaque on opaque on S S w.r.t. O w.r.t. O

O−1 (o)

Classes leaking their inclusion into ϕ or into ϕ

Boolean opacity – Definition Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I S: a transition system. Run(S): the set of runs. I O : Run(S) → Obs : a surjective observation function. I ϕ ⊆ Run(S) : a predicate (the secret). Given an execution ρ ∈ ϕ, is there an execution ρ0 ∈ /ϕ observed similarly (O(ρ) = O(ρ0 ))?

Boolean Opacity Quantifying Opacity Conclusion on opacity


24 / 47

Definition ϕ is opaque on S w.r.t. O if, for any o ∈ Obs, O−1 (o) 6⊆ ϕ.

Boolean opacity – Definition Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I S: a transition system. Run(S): the set of runs. I O : Run(S) → Obs : a surjective observation function. I ϕ ⊆ Run(S) : a predicate (the secret). Given an execution ρ ∈ ϕ, is there an execution ρ0 ∈ /ϕ observed similarly (O(ρ) = O(ρ0 ))? What about ϕ ?



24 / 47

Definition ϕ is opaque on S w.r.t. O if, for any o ∈ Obs, O−1 (o) 6⊆ ϕ. ϕ is symmetrically opaque on S w.r.t. O if, for any o ∈ Obs, O−1 (o) 6⊆ ϕ and O−1 (o) 6⊆ ϕ.

Example – Non-interference [Goguen and Meseguer, 1982] Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction

I O : Run(S) → {`1 , `2 }∗ is the projection of the trace onto {`1 , `2 } I ϕ = Σ∗ hΣ∗ : set of runs whose trace contains h (secret).


h


h

Boolean Opacity

Conclusion on opacity

ITA

`1

h

Quantifying Opacity

`1

`2

`1

`1

`2


`2 (e) S1 : opaque 25 / 47

`2

(f) S2 : non-opaque

How not opaque is the system? Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction

I How to quantify information leaked out on S through O? I How bad is the security hole ? h


h

`1

`1



26 / 47

`2

`2



I How to quantify information leaked out on S through O? I How bad is the security hole ? h, 14 h, 14

`1 , 21

`1 , 1



26 / 47

`2 , 1

`2 , 1




`1 , 21

`1 , 1



26 / 47

`2 , 1

`2 , 1

ρ ρ1 = `1 `2 ρ2 = h`1 `2 ρ3 = h`2

P(ρ) ∈ ϕ? O(ρ) 1/2 0 `1 `2 1/4 1 `1 `2 1/4 1 `2




`1 , 21

`1 , 1



26 / 47

`2 , 1

ρ ρ1 = `1 `2 ρ2 = h`1 `2 ρ3 = h`2

P(ρ) ∈ ϕ? O(ρ) 1/2 0 `1 `2 1/4 1 `1 `2 1/4 1 `2

`2 , 1

Probability that an external observer of S cracks opacity of ϕ: 1 P(ρ3 ) = 4

How opaque is the system? Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I If a bip is in 99% of cases the result of an incoming message, an attacker can quasi-surely deduce from a bip that a message arrived. I How robust is the opacity of the system? I Some classes are nearly in ϕ. I Some classes are nearly in ϕ.



I Some classes are balanced. I This weakens opacity and symmetrical opacity differently. ,→ Measure this weakness on a per-class basis, then average.

Definition (In the asymmetrical case: harmonic means)

27 / 47

X P(O = o) 1 = P(ϕ | O = o) POA r (Π, ϕ, O) o∈Obs

Quantitative Opacity Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011



28 / 47

We define quantitative notions that I generalize those of: • asymmetric opacity: O−1 (o) * ϕ. • symmetric opacity: O−1 (o) * ϕ and O−1 (o) * ϕ.

I measure the opacity of a system in terms of • security hole: liberal opacity. • robustness: restrictive opacity.


Introduction






28 / 47

,→

We obtain 4 notions of quantitative opacity that express different properties.


Introduction






28 / 47

,→

We obtain 4 notions of quantitative opacity that express different properties.

I Other measures involving information theory can be defined. Their ties with opacity are looser.

Results [QEST’10] Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011



29 / 47

Theorem These measures are computable when the predicate and the finitely many observables correspond to regular subsets of runs. Instanciation of quantitative opacity: I Noninterference: the observation is the projection on low-level actions; the predicate is the presence of a high-level action. I Anonymity: Dining cryptographers protocol [Chaum, 1988]. Opacity (in this case symmetrical) is evaluated with respect to a bias on the coin. Crowds protocol [Reiter and Rubin, 1998]. Opacity (in this case asymmetrical) is evaluated with respect to the number of honest and corrupt users.

Summary on opacity Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I These measures generalize opacity in the setting of probabilistic systems. I They provide quantitative insight on security properties (anonymity, noninterference. . . ).



30 / 47

I They are set in a purely passive framework: adding non-determinism implies adding a scheduler – as an adversary – to resolve the choices. This renders the problem more difficult.



1


2


3

Interrupt Timed Automata The context: timed and hybrid systems The Interrupt Timed Automata Model Model checking real time properties Conclusion on ITA

Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


31 / 47

Time as information in hybrid systems Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


32 / 47

Hybrid automaton = finite automaton + variables: I Variables evolve in states and can be tested (i.e. read) and updated (i.e. written) on transitions. I Clocks are variables with slope 1 in all states. I Stopwatches are variables with slope 0 or 1 [Cassez and Larsen, 2000].


Introduction Channel synthesis for transducers Quantitative opacity ITA Timed and hybrid systems


Example (The gas burner [Henzinger, 1996])

The ITA model The model checking problem Conclusion on ITA


32 / 47

Leaking x ≤1 y˙ = 1

x ≤ 1, stop, x := 0 Not leaking y˙ = 0

x ≥ 30, start, x := 0


Introduction Channel synthesis for transducers Quantitative opacity ITA Timed and hybrid systems


Example (The gas burner [Henzinger, 1996])



32 / 47

Leaking x ≤1 y˙ = 1

x ≤ 1, stop, x := 0 Not leaking y˙ = 0

x ≥ 30, start, x := 0

Timed automaton = finite automaton + clocks with guards x + c ./ 0 and resets x := 0 [Alur and Dill, 1990].

Motivations Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011



I For security’s sake: • to organize information about time elapsing in layers; • to implement a no read-up – no write down policy.

I For theoretical considerations: • to express more than timed automata; • to obtain decidability results.

I For ease of modeling: • in operating systems, tasks are scheduled according to their priority level; • a higher priority task can interrupt a lower priority task.

I There is only one clock per level. I An interrupt clock can be seen as a restricted type of stopwatch: only one clock evolves at a given time.

33 / 47

Clock interruptions Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

level 4


level 3


level 2

ITA Timed and hybrid systems

level 1



34 / 47

 x1 x2  x3 x4

 =0 = 0  = 0 =0


level 4


level 3


level 2


level 1



34 / 47

 x1 x2  x3 x4

   =0 1.5 0 = 0 1.5  −−→   0 = 0 =0 0


level 4


level 3


level 2


level 1



34 / 47

 x1 x2  x3 x4

   =0 1.5 0 = 0 1.5  −−→   0 = 0 =0 0


level 4


level 3


level 2


level 1



34 / 47

 x1 x2  x3 x4

     =0 1.5 1.5  0  2.1  0  = 0 1.5  −−→   −−→   0 2.1 = 0 =0 0 0


level 4


level 3


level 2


level 1



34 / 47

 x1 x2  x3 x4

     =0 1.5 1.5  0  2.1  0  = 0 1.5  −−→   −−→   0 2.1 = 0 =0 0 0


level 4


level 3


level 2


level 1



34 / 47

 x1 x2  x3 x4

       =0 1.5 1.5 1.5  0  2.1  0  1.7  0  = 0 1.5  −−→   −−→   −−→   0 2.1 2.1 = 0 =0 0 0 1.7


level 4


level 3


level 2


level 1

x4 := 0 x3 := 0 x2 := 0



34 / 47

 x1 x2  x3 x4

         =0 1.5 1.5 1.5 1.5  0  2.1  0  1.7  0  ε  0  = 0 1.5  −−→   −−→   −−→   −   0 2.1 2.1 →  0  = 0 =0 0 0 1.7 0


level 4


level 3


level 2


level 1

x4 := 0 x3 := 0 x2 := 0

...



34 / 47

 x1 x2  x3 x4

           =0 1.5 1.5 1.5 1.5 3.7  0  2.1  0  1.7  0  ε  0  2.2  0  = 0 1.5  −−→   −−→   −−→   −     0 2.1 2.1 →  0  −−→  0  = 0 =0 0 0 1.7 0 0

Interrupt Timed Automata Ph.D. defense Mathieu Sassolas

x1 + 2x2 = 2, b,

LIP6 – UPMC

q1 , 2, L

28/11/2011

Introduction

x1 < 1, a

Channel synthesis for transducers Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


35 / 47

q0 , 1, D

x1 := 13 x2 := 12 x1 + 1

q2 , 2, U


x1 + 2x2 = 2, b,

LIP6 – UPMC

q1 , 2, L

28/11/2011

Introduction

ITA Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


35 / 47

q2 , 2, U

x1 < 1, a


x1 := 13 x2 := 12 x1 + 1

Level q0 , 1, D

Guard

Action

Update

Policy


q1 , 2, L

28/11/2011

Introduction

x1 := 13 x2 := 12 x1 + 1

x1 + 2x2 = 2, b,

LIP6 – UPMC

q2 , 2, U

x1 < 1, a


q0 , 1, D

x2

ITA Timed and hybrid systems The ITA model The model checking problem

1

Conclusion on ITA

x1 = 1


35 / 47

0

1

x1

+2 x2

=

2

2

x1


q1 , 2, L

28/11/2011

Introduction

x1 := 13 x2 := 12 x1 + 1

x1 + 2x2 = 2, b,

LIP6 – UPMC

q2 , 2, U

x1 < 1, a


q0 , 1, D

x2


1

Conclusion on ITA

x1 = 1


35 / 47

0

a

1

x1

+2 x2

=

2

2

x1


q1 , 2, L

28/11/2011

Introduction

x1 := 13 x2 := 12 x1 + 1

x1 + 2x2 = 2, b,

LIP6 – UPMC

q2 , 2, U

x1 < 1, a


q0 , 1, D

x2


1

Conclusion on ITA

x1 = 1


35 / 47

0

a

1

x1

+2 x2

=

2

2

x1


q1 , 2, L

28/11/2011

Introduction

x1 := 13 x2 := 12 x1 + 1

x1 + 2x2 = 2, b,

LIP6 – UPMC

q2 , 2, U

x1 < 1, a


q0 , 1, D

x2


1

b

Conclusion on ITA

x1 = 1


35 / 47

0

a

1

x1

+2 x2

=

2

2

x1

Untiming ITA languages Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011



36 / 47

I As in the region construction for TA, time can be abstracted from the automaton into a class graph [Bérard and Haddad, 2009]. I This yields: • regularity of the untimed language, • a procedure for reachability, • and decidability of CTL and LTL model-checking.

Example of class graph Ph.D. defense Mathieu Sassolas LIP6 – UPMC

q1 , 2, L

Channel synthesis for transducers Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


37 / 47

q2 , 2, U

x1 < 1, a

28/11/2011

Introduction

x1 + 2x2 = 2, b

x1 q0 , 1, D 0

R00

1

2


q1 , 2, L

x1 + 2x2 = 2, b

q2 , 2, U

x1 < 1, a

28/11/2011



37 / 47

x1 q0 , 1, D 0

R00 R01

1

2


q1 , 2, L

x1 + 2x2 = 2, b

q2 , 2, U

x1 < 1, a

28/11/2011



37 / 47

x1 q0 , 1, D 0

R00 R01 R02

1

2


q1 , 2, L

x1 + 2x2 = 2, b

q2 , 2, U

x1 < 1, a

28/11/2011

Introduction Channel synthesis for transducers Quantitative opacity ITA Timed and hybrid systems The ITA model

x1 q0 , 1, D 0

R00 R01 R02

The model checking problem Conclusion on ITA


37 / 47

R03

1

2


q1 , 2, L

x1 + 2x2 = 2, b

q2 , 2, U

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R00 R01 R02



37 / 47

R03 R04

1

2


q1 , 2, L

x1 + 2x2 = 2, b

q2 , 2, U

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R00 R01 R02



37 / 47

R03 R04 R05

1

2


q1 , 2, L

x1 + 2x2 = 2, b

q2 , 2, U

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R00 R01 R02



37 / 47

R03 R04 R05

1

2


q1 , 2, L

x1 + 2x2 = 2, b

x2 q2 , 2, U 0 − 1 x1 + 1 2

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R00 R01 R02



37 / 47

R03 R04 R05

a

R11

1

2


q1 , 2, L

x1 + 2x2 = 2, b

x2 q2 , 2, U 0 − 1 x1 + 1 2

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R01 R02



37 / 47

1

R00

R03 R04 R05

a

R11

q1 , Z1 0 < x2 < − 21 x1 + 1

2


q1 , 2, L

x1 + 2x2 = 2, b

x2 q2 , 2, U 0 − 1 x1 + 1 2

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R01


37 / 47

a

R11

q1 , Z1 0 < x2 < − 21 x1 + 1

R02


1

R00

R03 R04 R05

q1 , Z1 0 < x2 = − 21 x1 + 1

2


q1 , 2, L

x1 + 2x2 = 2, b

x2 q2 , 2, U 0 − 1 x1 + 1 2

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R01

a

R11

q1 , Z1 0 < x2 < − 21 x1 + 1

R14

q1 , Z1 0 < x2 = − 21 x1 + 1

R02



37 / 47

1

R00

R03 R04 R05

2


q1 , 2, L

x1 + 2x2 = 2, b

x2 q2 , 2, U 0 − 1 x1 + 1 2

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R01

a

R11

q1 , Z1 0 < x2 < − 21 x1 + 1

R14

q1 , Z1 0 < x2 = − 21 x1 + 1

R02



37 / 47

1

R00

R03 R04 R05

b q2 , Z1 0 < x2 = − 21 x1 + 1

2


q1 , 2, L

x1 + 2x2 = 2, b

x2 q2 , 2, U 0 − 1 x1 + 1 2

x1 < 1, a

28/11/2011


x1 q0 , 1, D 0

R01

a

R11

q1 , Z1 0 < x2 < − 21 x1 + 1

R14

q1 , Z1 0 < x2 = − 21 x1 + 1

R02



37 / 47

1

R00

R03 R04 R05

b q2 , Z1 0 < x2 = − 21 x1 + 1

2

Timed temporal logics Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

,→ What about temporal logics with time constraints ?



38 / 47

I “No error in the first 50 time units” I “A safe state is reached when the value of clock at level 2 is greater than the one at level 1” I “Any request is answered within 7 time units” I “We never leave level 1 for more than 5 time units” Timed extensions can be built upon LTL or CTL. [Koymans, 1990; Alur, Courcoubetis and Dill, 1993; Henzinger, Nicollin, Sikakis and Yovine, 1994]

Timed extensions of LTL Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011



39 / 47

I Extensions add intervals to the modalities: G request ⇒ F answer (“Any request is answered

”)




39 / 47

I Extensions add intervals to the modalities: G request ⇒ F[0,7] answer (“Any request is answered within 7 time units”)




39 / 47

I Extensions add intervals to the modalities: G request ⇒ F[0,7] answer (“Any request is answered within 7 time units”) I MITL forbids point intervals: [a, a]. I Model-checking of MITL is decidable for TA [Alur, Feder and Henzinger, 1996]. I SCL is a fragment of MITL where formula can specify on the last time, /./a , (or next time, ../a ) a formula was (or will be) satisfied [Raskin and Schobbens, 1997].




I Extensions add intervals to the modalities: G request ⇒ F[0,7] answer (“Any request is answered within 7 time units”) I MITL forbids point intervals: [a, a]. I Model-checking of MITL is decidable for TA [Alur, Feder and Henzinger, 1996]. I SCL is a fragment of MITL where formula can specify on the last time, /./a , (or next time, ../a ) a formula was (or will be) satisfied [Raskin and Schobbens, 1997].

Theorem (FMSD’11) Model checking SCL formula on ITA is undecidable.

39 / 47

Timed CTL with internal clocks Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I Comparisons of system clocks as propositions: EFsafe ∧ x2 ≥ x1 (“A safe state is reached when the value of clock at level 2 is greater than the one at level 1”) I In general, comparison of linear expressions: X ai · xi + b ./ 0. i∈I


Theorem (TIME’10)



40 / 47

Model checking TCTL without external clocks on ITA can be done in 2-EXPSPACE and PSPACE when the number of clocks is fixed. I The truth value of the comparison can be abstracted by orderings on expressions as in the class graph. I A classical CTL model checking algorithm can be applied.

Timed CTL with restricted nesting Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


I CTL with conditions on the U modality: ¬error U≥50 > (“No error in the first 50 time units”) I There can be no imbrication of Untils. I It can express urgency (≤ b or < b) or delay (≥ b or > b).


Theorem (TIME’10) Model checking this fragment of TCTL on ITA is decidable.

Conclusion on ITA


41 / 47

,→ Four cases:

{E , A} × {urgency, delay}.

Summary on ITA Ph.D. defense Mathieu Sassolas

Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA Timed automata

ITA

Interrupt timed automata

Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


42 / 47

I ITA model systems with layered information on time.


Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA

ITA

Timed automata


Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem


Conclusion on ITA


42 / 47

I They represent systems with interruptions.


Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA

ITA

Timed automata


Quantitative opacity ITA Timed and hybrid systems The ITA model The model checking problem


Conclusion on ITA


42 / 47

I They represent systems with interruptions. I Its expressive power is incomparable with the TA model.


Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA

ITA

Timed automata


Quantitative opacity ITA

ITA+

Timed and hybrid systems The ITA model The model checking problem


Conclusion on ITA


42 / 47

I They represent systems with interruptions. I Its expressive power is incomparable with the TA model. I An ITA+ is a product of a TA and an ITA that combines an ITA and a TA at “level 0”.


Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA

ITA

Timed automata



ITA+

Timed and hybrid systems The ITA model The model checking problem Conclusion on ITA


42 / 47

I Unfortunately model-checking of SCL is undecidable.


Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA

ITA

Timed automata



ITA+



42 / 47

I Unfortunately model-checking of SCL is undecidable. I Some interesting fragments of timed CTL are decidable.


Stopwatch automata

LIP6 – UPMC

SWA

28/11/2011


TA

ITA

Timed automata



ITA+



I Unfortunately model-checking of SCL is undecidable. I Some interesting fragments of timed CTL are decidable. Can this model be used to hide information ?

42 / 47

Summary and open problems I Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


Perfect channel synthesis for transducers The problem is undecidable in general, but it becomes polynomial when the system is a functional transducer.

Open questions I The complexity gap gives hope for finding intermediate decidable classes: • of transducers (for example finite union of functions); • of specification.

I What happens in the case of several systems in sequence ? I Can we quantify the efficiency of the synthesized channel when the system contains probabilistic information about its behavior ? 43 / 47

Summary and open problems II Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011

Introduction Channel synthesis for transducers Quantitative opacity ITA

Quantitative opacity in probabilistic systems I We defined notions that measure either the size of a security breach or the strength of the security. I We showed that these measures are computable when the predicate and the observation function are regular. I These measures can be instantiated (like opacity) in order to obtain measures for particular security criteria.


Open questions I How to generalize these measures when the system is non-deterministic and scheduled by an adversary ? I Can we adapt these measures to diagnosability, which is, in the non-probabilistic case, dual to opacity ? 44 / 47

Summary and open problems III Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


Interrupt Timed Automata I Time information is syntactically layered. I This model, which generates regular untimed languages, has an expressiveness incomparable to the classical model of Timed automata, but lacks closure properties. I Verification of timed properties in ITA can be done in some fragments of TCTL, but not in SCL (hence MITL).

Open questions I To which extent are ITA secure ? Can the information layer be bypassed ? I What are the properties of extensions of ITA with timed automata (e.g. ITA+ )?

45 / 47

Long term perspectives Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


46 / 47

I How to combine time and probabilities as vectors of information? I How to take into account situations with more than two players (system vs attacker) ?

Publications Ph.D. defense Mathieu Sassolas LIP6 – UPMC 28/11/2011


47 / 47

With Gilles Benattar, Béatrice Bérard, Didier Lime, John Mullins and Olivier H. Roux. Covert channels with sequential transducers. Workshop on Foundations of Comp. Security, August 2009. Channel synthesis for finite transducers. Proceedings of AFL’11, August 2011. With Béatrice Bérard and John Mullins. Quantifying opacity. Proceedings of QEST’10, September 2010. With Béatrice Bérard and Serge Haddad. Real time properties for interrupt timed automata. Proceedings of TIME’10, September 2010. Interrupt timed automata. Accepted for publication to FMSD.

Qualitative and Quantitative Methods for Detection of Hidden ... - TEL

Qualitative and Quantitative Methods for Detection of Hidden ... - TEL

Suggest Documents

Mixing Qualitative and Quantitative Methods

Qualitative vs. Quantitative Methods

Qualitative, semi-quantitative and, quantitative methods for risk ...

Integrating qualitative and quantitative methods - Transport and

Integrating Qualitative and Quantitative Methods - Stanford University

QQML2009: Qualitative and Quantitative Methods in Libraries

Qualitative and Quantitative Methods in Libraries - CiteSeerX

QQML2009: Qualitative and Quantitative Methods in Libraries

Combining Qualitative and Quantitative Methods in

QQML2009: Qualitative and Quantitative Methods in Libraries

Using Qualitative and Quantitative Methods to ...

QQML2009: Qualitative and Quantitative Methods in Libraries

Qualitative, Quantitative, and Mixed Methods ...

Quantitative, Qualitative, and Mixed Research Methods in ...

QQML2009: Qualitative and Quantitative Methods in Libraries

QQML2009: Qualitative and Quantitative Methods in Libraries

Mixed Methods: Integrating Quantitative and Qualitative Data ...

QQML2009: Qualitative and Quantitative Methods in Libraries

QQML2009: Qualitative and Quantitative Methods in Libraries

QQML2009: Qualitative and Quantitative Methods in Libraries

Counseling Research: Quantitative, Qualitative, and Mixed Methods

Integrating Qualitative and Quantitative Methods - Stanford University

Bridging Qualitative and Quantitative Methods in Educational ...

QQML2009: Qualitative and Quantitative Methods in Libraries