Security Engineering in IIIf, Part II -- Shadowing the IIIf

· Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Cybersecurity & Data Privacy, Software Development & Engineering, Artificial Intelligence & Machine Learning · Depth: Expert, extended

Summary

The Isabelle Insider and Infrastructure framework (IIIf) is extended to address the "refinement paradox" of Information Flow Control (IFC): a refinement that is correct in the classical sense (every concrete behaviour is an allowed abstract behaviour) can still break noninterference, because resolving nondeterminism according to secret data lets an observer infer that data. This work generalizes Morgan's solution for sequential programs to the IIIf, which supports formal specification of actors, policies, and infrastructures within the Isabelle/HOL proof assistant. A Flightradar system serves as the running example, showing how an implicit flow, such as a displayed position that reveals a plane's circumvention of a critical location, can disclose sensitive data. To mitigate this, the IIIf incorporates security labels, specifically the Decentralized Label Model (DLM), and a "hiding" mechanism that records the actual circumvention in a secret component ("critpos") while publicly displaying the plane as "on course." The paper introduces a "shadow" construct to define security-preserving refinements, proves it equivalent to Noninterference (NI), and establishes a theorem that carries security from an abstract system to a concrete one under specific compatibility conditions.

Key takeaway

For security engineers who refine formally specified systems, the practical point is that ordinary refinement does not preserve information flow security: a refinement that is valid by the usual criteria can still introduce an implicit leak. The extended IIIf, with DLM security labels and the "shadow" construct, gives a refinement condition under which noninterference proved for the abstract specification carries over to the concrete system, closing off implicit leaks in critical applications such as air traffic control.

Key insights

The IIIf framework now supports secure refinement of information flow properties using a "shadow" construct to preserve noninterference.

Method

Generalize Morgan's "shadow" construct from the refinement calculus for sequential programs to IIIf infrastructure specifications. This requires extending IIIf with IFC, DLM security labels, and a hiding mechanism that removes the implicit flows a refinement could otherwise expose.
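The refinement paradox described in the Summary, and the shadow-based check described in the Method, can be seen on a small model. The following is an added illustration written for this page, not code from the paper or from the IIIf Isabelle/HOL development: the route, the positions, and the names (ROUTE, CRITICAL, DETOUR, critpos, shadow_refines) are constructed assumptions, and the real framework works over Isabelle infrastructure graphs and DLM labels, which are not modelled here. The secret is a single bit (did the plane circumvent the critical location?), the public observation is the trace of displayed positions, and the shadow is the set of secret values still consistent with what an observer saw.

```python
# Toy model of the refinement paradox and Morgan-style "shadow" refinement.
# Added example for this page; not the paper's or the IIIf's code.
# ROUTE, CRITICAL, DETOUR, critpos and shadow_refines are constructed names.
from typing import Callable, Set, Tuple

Trace = Tuple[int, ...]                  # publicly observable sequence of displayed positions
System = Callable[[bool], Set[Trace]]    # secret (circumvented?) -> set of possible public traces

ROUTE = (0, 1, 2, 3, 4)   # the filed flight plan: public knowledge
CRITICAL = 2              # the critical location the plane may have to avoid
DETOUR = 99               # constructed stand-in for an off-route position

SECRETS = (False, True)   # the high value: True = the plane really circumvented CRITICAL


def with_detour(route: Trace) -> Trace:
    """The route actually flown when CRITICAL is avoided."""
    return tuple(DETOUR if w == CRITICAL else w for w in route)


def abstract_spec(circumvent: bool) -> Set[Trace]:
    """Abstract specification: the display may show the plan or the detour.
    The choice is left open (nondeterministic) and does not depend on the secret."""
    return {ROUTE, with_detour(ROUTE)}


def leaky_refinement(circumvent: bool) -> Set[Trace]:
    """Classically valid refinement that resolves the nondeterminism with the
    secret: it displays the position the plane really flew. An observer who
    sees DETOUR learns that CRITICAL was circumvented."""
    return {with_detour(ROUTE) if circumvent else ROUTE}


def hiding_refinement(circumvent: bool) -> Set[Trace]:
    """Refinement with hiding: the display always shows the plane 'on course'.
    Whether it actually circumvented lives only in the secret component
    (critpos in the paper), which is never projected into the public trace."""
    return {ROUTE}


def refines(concrete: System, abstract: System) -> bool:
    """Classical refinement: every concrete behaviour is an allowed abstract behaviour."""
    return all(concrete(s) <= abstract(s) for s in SECRETS)


def observations(system: System) -> Set[Trace]:
    """All public traces the system can produce, over all secrets."""
    return set().union(*(system(s) for s in SECRETS))


def shadow(system: System, observation: Trace) -> Set[bool]:
    """The shadow: secret values an observer still considers possible after
    seeing `observation`. A larger shadow means more observer ignorance."""
    return {s for s in SECRETS if observation in system(s)}


def noninterferent(system: System) -> bool:
    """NI: no observation narrows the shadow, i.e. every observable trace is
    possible under every secret."""
    return all(shadow(system, o) == set(SECRETS) for o in observations(system))


def shadow_refines(concrete: System, abstract: System) -> bool:
    """Security-preserving refinement in the shadow sense: classical refinement,
    plus no concrete observation may shrink the shadow the abstract system
    left for that same observation."""
    return refines(concrete, abstract) and all(
        shadow(concrete, o) >= shadow(abstract, o) for o in observations(concrete)
    )


if __name__ == "__main__":
    for name, sys_ in (("leaky", leaky_refinement), ("hiding", hiding_refinement)):
        print(f"{name}: refines={refines(sys_, abstract_spec)} "
              f"NI={noninterferent(sys_)} "
              f"shadow_refines={shadow_refines(sys_, abstract_spec)}")
```

Both refinements pass the classical check, so classical refinement alone cannot tell them apart. Only the shadow condition rejects the leaky one: after observing the detour trace its shadow collapses to {True}, whereas the abstract specification allowed both secrets for that trace. The hiding refinement keeps the full shadow for every observation, which is exactly the property the hiding mechanism ("critpos" kept secret, display always "on course") is meant to guarantee.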

Best for: Research Scientist, AI Scientist, AI Security Engineer, Security Engineer

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.