Security Engineering in IIIf, Part II -- Shadowing the IIIf
Summary
The Isabelle Insider and Infrastructure framework (IIIf) is extended to address the "refinement paradox" in Information Flow Security (IFC), a challenge where refining a system specification can inadvertently compromise noninterference. This work generalizes Morgan's solution for sequential programs to the IIIf, which facilitates formal specification of actors, policies, and infrastructures within the Isabelle/HOL proof assistant. A Flightradar system serves as a key example, demonstrating how implicit information flows, such as a plane's circumvention of a critical location, can reveal sensitive data. To mitigate this, the IIIf incorporates security labels, specifically the Decentralized Label Model (DLM), and a "hiding" mechanism that records actual circumvention in a secret component ("critpos") while publicly displaying the plane as "on course." The paper introduces a "shadow" construct to define security-preserving refinements, proving its equivalence to Noninterference (NI) and establishing a theorem that ensures security preservation from abstract to concrete systems under specific compatibility conditions.
Key takeaway
For security engineers designing or refining complex systems with formal methods, this work provides a crucial mechanism to ensure information flow security. You should integrate the IIIf's extended capabilities, including DLM security labels and the "shadow" construct, into your specification refinement processes. This approach helps you formally prove that system refinements preserve noninterference, preventing implicit information leaks in critical applications like air traffic control.
Key insights
The IIIf framework now supports secure refinement of information flow properties using a "shadow" construct to preserve noninterference.
Principles
- Noninterference is not generally preserved by specification refinements.
- Security labels and hiding can prevent implicit information flows.
- "Ignorance preservation" (IFCσ) is equivalent to Noninterference.
Method
Generalize Morgan's "shadow" construct for refinement calculus to IIIf infrastructure specifications. This involves extending IIIf with IFC, security labels (DLM), and a hiding mechanism to prevent implicit flows.
In practice
- Apply DLM security labels to infrastructure components.
- Implement hiding mechanisms for sensitive state transitions.
- Use the "shadow" construct to verify secure refinements.
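The refinement paradox and the hiding mechanism described above, as an added toy model in Python (not the paper's Isabelle/HOL code): nondeterministic systems are sets of reachable states, components carry constructed DLM-style labels, the observer sees only public components, and the "shadow" of an observation is the set of secrets the observer still considers possible. The component names display and critpos and the "on course"/"diverted" statuses are taken from the page; the system functions and labels are assumptions made for this example.

```python
from typing import Callable, FrozenSet, Tuple

# A state is a tuple of (component, value) pairs; each component carries a
# DLM-style label saying who may read it (labels constructed for this example).
State = Tuple[Tuple[str, object], ...]
LABELS = {"display": "public", "critpos": "secret"}
# A system maps the secret input "does the plane circumvent the critical
# location?" to the set of states it may reach (sets model nondeterminism).
System = Callable[[bool], FrozenSet[State]]
SECRETS = (False, True)

def view(state: State) -> State:
    """The observer's view of a state: only components labelled public."""
    return tuple((k, v) for k, v in state if LABELS[k] == "public")

def observations(sys: System, secret: bool) -> FrozenSet[State]:
    return frozenset(view(st) for st in sys(secret))

def noninterferent(sys: System) -> bool:
    """NI: the set of public views is the same whatever the secret input was."""
    return len({observations(sys, s) for s in SECRETS}) == 1

def refines(concrete: System, abstract: System) -> bool:
    """Classical refinement: the concrete system only resolves nondeterminism."""
    return all(concrete(s) <= abstract(s) for s in SECRETS)

def shadow(sys: System, obs: State) -> FrozenSet[bool]:
    """Shadow of an observation: the secrets the observer still considers possible."""
    return frozenset(s for s in SECRETS if obs in observations(sys, s))

def ignorance_preserved(abstract: System, concrete: System) -> bool:
    """Secure refinement: no concrete observation shrinks the shadow below the abstract one."""
    return all(shadow(abstract, o) <= shadow(concrete, o)
               for s in SECRETS for o in observations(concrete, s))

def abstract_spec(circumvents: bool) -> FrozenSet[State]:
    # Abstract Flightradar spec: the display is left nondeterministic, so the
    # observer learns nothing about the secret (NI holds).
    return frozenset({(("display", "on course"),), (("display", "diverted"),)})

def leaky_refinement(circumvents: bool) -> FrozenSet[State]:
    # A natural refinement: show the true status. Fewer behaviours than the
    # abstract spec, but the display now depends on the secret (the paradox).
    return frozenset({(("display", "diverted" if circumvents else "on course"),)})

def hidden_spec(circumvents: bool) -> FrozenSet[State]:
    # Hiding: the real circumvention is recorded in the secret component critpos
    # and the public display always says "on course", so no refinement can leak it.
    return frozenset({(("display", "on course"), ("critpos", circumvents))})
```

Running `ignorance_preserved(abstract_spec, leaky_refinement)` returns False although `refines(leaky_refinement, abstract_spec)` is True, which is exactly the paradox; `hidden_spec` keeps both NI and the shadow intact.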
Topics
- Isabelle IIIf
- Information Flow Control
- Noninterference
- Security Refinement
- Decentralized Label Model
- Formal Verification
Best for: Research Scientist, AI Scientist, AI Security Engineer, Security Engineer
Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.