47 lines
1.4 KiB
Plaintext
47 lines
1.4 KiB
Plaintext
#import "../common.typ": *
|
|
#import "@preview/prooftrees:0.1.0": *
|
|
#show: doc => conf("Language-Based Security", doc)
|
|
|
|
Security labels
|
|
|
|
Flow relations
|
|
|
|
- If $l_1 subset.sq.eq l_2$ then information is allowed to flow from $l_1$ to $l_2$
|
|
- This should be reflexive and transitive
|
|
- *NOT* be symmetric
|
|
- This is known as a _pre-order_
|
|
- We may also want to add anti-symmetry, which makes it a _partial order_
|
|
|
|
- Actually, we could use a join-semi-lattice. (Denning 1978)
|
|
- _Unique_ least upper bound operation
|
|
- If we didn't have least upper bound, then $c = a plus.circle b ; d_1 = c; d_2 = c$ may not work
|
|
|
|
More general form of non-interference:
|
|
|
|
- Lattice $(Lambda, subset.sq.eq)$ of security levels
|
|
- Using this, Program $c$ is non-interfering if:
|
|
- $forall sigma_1, sigma_2, sigma'_1, sigma'_2, l in Lambda => \
|
|
"if" sigma_1 op(=)_l sigma_2 "and" angle.l c, sigma_1 angle.r arrow.b.double sigma'_1 "and" angle.l c, sigma_2 angle.r arrow.b.double sigma'_2 \
|
|
"then" sigma'_1 op(=)_l sigma'_2$
|
|
|
|
=== Threat model
|
|
|
|
Information channels convey information
|
|
|
|
Categorized into (Lampson 1973)
|
|
|
|
- Legitimate channels
|
|
- Covert channels (and side channels)
|
|
|
|
=== Interaction
|
|
|
|
Adding to IMP:
|
|
|
|
$
|
|
x := ... | "input from" l | "output" x "to" l \
|
|
"Trace" in.rev tau ::= epsilon | tau dot "in"(n, l) | tau dot "out"(n, l)
|
|
$
|
|
|
|
Trace is a sequence of events
|
|
|
|
New non-interference, based on traces. The execution trace needs to be the same! |