oplss2024/chong/notes.typ
2024-06-12 09:22:36 -04:00

47 lines
No EOL
1.4 KiB
Text

#import "../common.typ": *
#import "@preview/prooftrees:0.1.0": *
#show: doc => conf("Language-Based Security", doc)
Security labels
Flow relations
- If $l_1 subset.sq.eq l_2$ then information is allowed to flow from $l_1$ to $l_2$
- This should be reflexive and transitive
- *NOT* be symmetric
- This is known as a _pre-order_
- We may also want to add anti-symmetry, which makes it a _partial order_
- Actually, we could use a join-semi-lattice. (Denning 1978)
- _Unique_ least upper bound operation
- If we didn't have least upper bound, then $c = a plus.circle b ; d_1 = c; d_2 = c$ may not work
More general form of non-interference:
- Lattice $(Lambda, subset.sq.eq)$ of security levels
- Using this, Program $c$ is non-interfering if:
- $forall sigma_1, sigma_2, sigma'_1, sigma'_2, l in Lambda => \
"if" sigma_1 op(=)_l sigma_2 "and" angle.l c, sigma_1 angle.r arrow.b.double sigma'_1 "and" angle.l c, sigma_2 angle.r arrow.b.double sigma'_2 \
"then" sigma'_1 op(=)_l sigma'_2$
=== Threat model
Information channels convey information
Categorized into (Lampson 1973)
- Legitimate channels
- Covert channels (and side channels)
=== Interaction
Adding to IMP:
$
x := ... | "input from" l | "output" x "to" l \
"Trace" in.rev tau ::= epsilon | tau dot "in"(n, l) | tau dot "out"(n, l)
$
Trace is a sequence of events
New non-interference, based on traces. The execution trace needs to be the same!