An Iterative Approach for the Satisfaction of Security Using the Intransitive Non-interference Property

In this paper, we derive an iterative approach for the design of systems and protocols that are secure, with respect to intransitive non-interference (INI), a basic security property, assuring the non-devulgation of information through covert channels. Obviously, a system that does not satisfy INI, is, in some ways, not secure. Our iterative approach is composed of three steps : system design and modeling (1), INI verification (2), and INI satisfaction (3). The basic idea, is that a system's designer during the first step of design, is focused on developing the core and necessary functionality, perhaps, while paying little attention to INI. Then, security of the system is verified, and if INI is not satisfied, the system must be modified in order it to make it secure. These modifications must be carried out, in a minimal way, as to preserve, in as much as possible, its core behavior. Our approach uses formulas for computing the minimal superlangage satisfying the INI property. We also investigate the implementation of these formulas based on automata models. Our approach can be applied to all systems and protocols with a three level security lattice, typically, sufficient for systems using cryptographic protocols. We also give a case study that illustrates our approach applicability to to cryptographic protocols and systems.


INTRODUCTION
As we depend more and more on computers, the issue of computer systems and networks security is becoming become crucial for the design of such systems.Indeed the literature dealing with security issues in computer systems and networks is extensive.Namely, it is important to guarantee that no information, about confidential/private data, can be seen by an external viewer.From a purely security perspective, several information flow security properties have already been proposed; namely, noninterference (Rushby 1992), non-inference (Halloran 1990), non-deducibility (Sutherland 1986), and opacity (Mazare 2004).
In fact, Intransitive non-interference (INI), has been proposed in the literature (Goguen 1982), as a more practical extension to non-interference.INI has been formally defined in (Rushby 1992).The widely used paradigm for INI is a three level security system (Nejib Ben Hadj-Alouane 2005), modeling a typical cryptosystem, with a secret or high level, a public or low level, and an in between cipher channel, the so-called downgrading level.The basic idea behind INI is that any information flow from the high level to the low level can only occur after being explicitly downgraded, that is, after transiting through the downgrading level (for example, to encrypt the information).
In addition to its use in the control of discrete-event systems, observability, the fundamental property in supervisory control of discrete event systems, has been used to characterize information flows between different parts of a security system.However, this characterization is not captured by a simple projection, as in the case of supervisory control, but by a purge function iP , since security is more complex.Therefore, the standard definition of observability is needed to be extended in order to encompass the security of systems and protocols.
In (Nejib Ben Hadj-Alouane 2005), we propose to characterize INI using an extended version of observability called iP -observability.This approach translates the problem of checking INI, to the problem of checking iP -observability for systems with three security domains, where the domains typically designate users, channels or the different parts of the system, among which the control of information flow is needed.These results are generalized in (Nejib Ben Hadj-Alouane 2005) for checking INI in systems with an arbitrary number of security domains governed by a security lattice, characterizing all possible information flows.
If a system does not satisfy INI, however, then we propose to secure it, by modifying it in a "minimal" way.This is done by either enlarging the system behavior or reducing it (Yeddes 2008).For systems with three security domains, the problem is solved in (Yeddes 2008) by translating an iP -observability problem into a set of P -observability problems.This paper is an extension of our developed approach for the satisfaction of the INI property in systems and security protocols having three or fewer security domains (Ben Said 2011).In this work, we derive a new iterative approach for system and protocol design.Our approach is composed of three main steps: the design of the system (1), security verification (2) and security satisfaction based on the INI property (3).Our aim is to derive formulas to cover the step of INI satisfaction.During this step, the system's designer is looking to modify the behavior of the system, in order to make it satisfy the INI property.
Our approach works iteratively by modifying, at each step, the system's behavior, in a "minimal" way; thereby resulting in a system satisfying INI.The modifications are performed via an algorithm that enlarges the system's behavior.Our approach is practical in the sense that it does not require that the initial design of the system satisfies INI.It rather enables an iterative design process, where the system's designer starts by capturing the core and necessary functionality, perhaps while paying little attention to INI, and then uses our method to complement the system's behavior, as to make it secure.
In this paper, we propose and prove a new formula for computing the infimal observable superlanguage, based on a generalized definition of observability.With this new formula, we develop an algorithm for constructing an automaton generating the infimal observable super-language, from the automaton of the original, given language.Next, we apply the formula and the algorithm, for computing the infimal iP -observable super-language.This enables us to concretely secure systems by modifying their behavior to satisfy INI.This paper is organized as follows: In Section 2, we briefly review INI and some related results.In Section 3, we give the generalized formula characterizing the infimal observable super-language and the computation algorithm.In Section 4, we apply the results of Section 3 to INI, and compute the infimal iP -observable super-language.Finally, in section 5, we present our approach and we apply our results to study an INI satisfaction problem for an example of electronic paiement protocol.
Due to space limitation, all the proofs are omitted.They can be found, however, in (Ben Said 2011).

INTANSITIVE NON-INTERFERENCE
In this section, we briefly review intransitive noninterference in multi-level systems as well as its characterization through iP − observability as has been shown in (Nejib Ben Hadj-Alouane 2005).The property of non-interference, introduced by Goguen and Meseguer (Goguen 1982), can be simply stated as follows: The behavior of a given entity is said not to interfere with the behavior of a given second entity, if no action performed by the first can influence subsequent outputs seen by the second.The property of intransitive noninterference introduced by Rushby (Rushby 1992) extends basic non-interference, which requires that there is no unintended flow of information.It enables the specification of a more practical class of security policies that deal with channel control mechanisms, in-line with the following paradigm that promotes downgrading and controlled information flow: Given a system with three channels A, B, and C, information is allowed to flow from A to C only after passing trough B, and never directly (intransitivity); B is seen here as some kind of a downgrading channel.In terms of non-interference, the event stream generated by A is allowed to interfere with the event stream generated by C, indirectly, only through B events.This property have been used as a basis for specifying and analyzing several practical and modern security issues in many systems and protocols.
To formally define INI, we first describe a multilevel security system as follows: Given a set D of security domains and a set of events Σ partitioned over these domains, the operator dom : Σ → D is used to capture this partition: to every domain U ∈ D, the set Σ U = {σ ∈ Σ | dom(σ) = U } specifies the events associated with U .The domains are interpreted to represent the security channels, users, or system components, for which we shall define non-interference requirements.We also consider an interference relation ⊂ D×D defined over D: given domains U , U , the domain U is allowed to interfere with the domain U whenever U U .
We assume that the combined system behavior associated with all the domains is modeled by a language K ⊆ Σ * .K is generated by a finite deterministic automaton G = (Σ, X, δ, x 0 ); i.e., K = L(G), the language generalized or recognized by the automaton G.In G, Σ is a finite set of events as defined above; X is a finite set of states; δ : Σ × X → X is the (deterministic) transition function; and x 0 is the initial state.Since To formally define INI, a string reduction function, iP , operating on strings s ∈ Σ * , called intransitive purge, is introduced in (Rushby 1992).It removes, from a string, every event from domains that are not allowed to interfere with the given domain.
The iP function is defined using the function sources : Σ * × D → D which is given as follows ( ε is the empty string.): sources( , U ) = {U }, and, Intuitively, sources captures the set of domains which are allowed to interfere throughout every step of the execution of a string.This set of domains is determined backwards (i.e., starting from the end of the string).Moreover, the fact that a given domain V is in sources(s, U ), means either that V = U or that there is a subsequence σ 1 , σ 2 , σ 3 ...σ n of the string s, such that dom(σ 1 ) dom(σ 2 ) dom(σ 3 )...dom(σ n ) with V = dom(σ 1 ) and dom(σ n ) U .
Using the function sources, we define iP : Σ * × D → Σ * as follows: iP ( , U ) = , and, Based on the above, INI is defined as follows (Rushby 1992): Definition 1 A language K satisfies the property of intransitive non-interference if, To present an observability characterization of INI, we first generalize the notion of observability introduced by Lin and Wonham (Lin 1996).Let Σ o be the set of observable events.We define the usual string projection, P : Σ * → Σ * o , as follows: otherwise.
Throughout the rest of the paper, we shall use M to describe the largest possible behavior for a system; and, we shall assume that M is prefixclosed.Obviously, in many cases, M = Σ * .
Generalized observability is defined as follows: Definition 2 Let M ⊆ Σ * be prefix closed, and Intuitively, P -observability declares that if two traces are perceived in the same way, then for any event σ ∈ Σ U , when it is permitted by M to follow one of the two strings, it must be permitted to follow the other.
It should be noted that K is said to be observable in the sense of (Lin 1996), if it is P -observable with respect to (M, Σ).
Now we extend P -Observability to iP -Observability, by replacing the projection P with the purge function iP as follows.
Definition 3 Let M ⊆ Σ * be prefix closed and The following theorem, proved in (Nejib Ben Hadj-Alouane 2005), states that the problem of verifying INI in a multi-level security system, can be reduced to the problem of checking iP -observability.
The above theorem translates the INI verification problem into an iP -observability verification problem.
For systems with three security domains, the iPobservability verification problem is further reduced to a P -observability verification problem (Nejib Ben Hadj-Alouane 2005,Y).
We shall further investigate P -observability in the next section, and in Section 4, and we shall come back to iP -observability.

A FORMULA FOR CHARACTERIZING THE INFIMAL OBSERVABLE SUPERLANGUAGE
In this section, observability refers to generalized observability, i.e., P -observability.
As noted in the previous section, the observability given in (Lin 1996) is a special case of Pobservability.It coincides with P -observability with respect to (M, Σ).A formula characterizing the infimal P -observable superlanguage, with respect to (M, Σ), is given in (Rudie 1990).This formula uses a modified projection P : Σ * → Σ * defined as follows: We extend P to languages and define the inverse mapping P −1 in the usual way.
Theorem 2 The infimal, prefix-closed and Pobservable superlanguage, with respect to (M, Σ), of a prefix-closed language K ⊆ M , is given by, The above theorem is given in (Rudie 1990).The formula, however, does not work for an arbitrary Σ U = Σ.Therefore, we extend it for generalized observability.
Theorem 3 The infimal, prefix-closed and Pobservable superlanguage with respect to (M, Σ U ), of a prefix-closed language K ⊆ M , is given by, For the INI problem to be discussed next, M = Σ * .In this case, the formula given by Equation1, can be simplified as follows: Corollary 1 If M = Σ * , then the infimal, prefixclosed and P -observable superlanguage, with respect to (M, Σ U ), of a prefix-closed language K ⊆ Σ * is given by, where (.) c denotes the complement operator.
Let us now implement Equation 2 by constructing the corresponding automata from a given automaton G : marking the langage k, such us K = L(G).Please note that no implementation of Equation 1 is given in (Rudie 1990).
In the following, we give our algorithm for the computation of the infimal superlangage.Our algorithm consists of eight steps, presented as follows: Algorithm : Computation of the infimal P − observable superlanguage Step 1: Computation of P (L).
We construct G P as follows: where S = {u, o} such that : • u : is a label to describe an unobservable event in Σ.
• o : is a label to describe an observable event in Σ .
The states space Y is the reachable part of X * S and the initial state is y 0 = (x 0 , o).The transition function Step 2 : Construction of the automaton G nd P −1 , marking the language P −1 ( P (K)): such us H = {m, n} : • m : is a label to describe a marked state, • n : is a label to describe a unmarked state.
U m = {(y i , m)|y i ∈ Y } is the set of marked states and u 0 = (y 0 , m).The transition function δ nd P −1 is computed using the algorithm 1.
Step 3 : Computation of the automaton G P −1 , the deterministic version of G nd P −1 , by applying the customary procedures.
Step 4 : Computation of the automaton G c , describing the complement language of L(G P −1 ).
Step 5 : Computation of the automaton G nd c omc, concatenating L(G c ) with Σ * .
Step 6 : Computation of the automaton G comc , the deterministic version of G nd comc, by applying the customary procedures.
Step 7 : Computation of the automaton G concat by concatenating L(G) with Σ * o .
Step 8 : Computation the automaton G H by taking the intersection between G comc and G concat .We note that the intersection, concatenation and complement, used in the above algorithm, are standard operations of automaton theory.
A Complexity Note : The algorithm presented in this section is of exponential complexity.The major contributions to this complexity are from steps 3 and 6, where the automaton is converted to a deterministic version, with a complexity of O(2 |X| ).
It should be noted, however, that, in practice, there are speedy techniques for performing this standard determinisation operation.

INFIMAL SUPERLANGUAGE SATISFYING INTANSITIVE NON-INTERFERENCE
We now apply the results in the previous section to the INI problem.In particular, we compute infimal superlanguage satisfying INI.We consider systems with three security domains: D = {H, D, L}, where H is a high security domain (classified), L is a low security domain (unclassified), and D is the downgrading domain.The non-interference relation is such that: that is, only H L is not allowed (H L).For this three-domain system, we only need to check iP -observable of K ⊆ Σ * with respect to (Σ * , Σ L ), that is, whether, To calculate the infimal iP -observable superlanguage of K, denoted by inf O iP super (K), we first consider languages without downgrading events: L that erases the high-level events.Then the P -observability of J with respect to ((Σ H ∪ Σ L ) * , Σ L ) is reduced to the following.
From now on, P -observability will always be with respect to ((Σ H ∪ Σ L ) * , Σ L ).The infimal P -observable superlanguage of J, denoted by inf O P super (J), is given by Equation 2 as: We now consider downgrading events.We would like to separate high-level and low-level behavior between two downgrading events.Therefore, we define the set of strings in K that either is the empty string or ends with a downgrading event as: For each s ∈ D(K), we define its continuation in (Σ H ∪ Σ L ) * as follows: where K/{s} = {t ∈ Σ * : st ∈ K} is the set of all continuations of s in K.As shown in (Yeddes 2008), An Iterative Approach for the Satisfaction of Security Using the Intransitive Non-Interference Property Ben Said • Ben Hadj-Alouane • Yeddes • Lin language K can be decomposed as follows: The following formula is derived in (Yeddes 2008) to compute the infimal iP -observable superlanguage of K: {s} inf O P super (C HL (s, K)).
To implement the above formula, we note that the set D(K) may be infinite if the automaton G for K has loops.However, we do not need to compute infinitely many of inf O P super (C HL (s, K)) because finite of them are distinct.To formalize our approach, for each s ∈ D(K), let us look it path in G. Let us remove all loops in the path.Denote the resulting string s.In other words, δ(x 0 , s) = δ(x 0 , s) and s does not visit any state more than once.Clearly, C HL (s, K) = C HL (s, K).There is only finite distinct s and hence finite distinct C HL (s, K).They can all be calculated using Equation 3. Finally, Let us now implement the above equation by constructing the corresponding automata from the automaton G describing a three domains systems : G = (Σ, X, δ, x 0 ) Algorithm : Computation of the Infimal iP − observable Superlangage Step 1 : Computation the set D(K) ⊆ D(K) containing strings from K which was either is the empty string or ends with a downgrading event.
The set of tarces D(K) could be infinit, if the automaton G marking the language K contains some loops.So, we should compute a subset D(K) ⊂ D(K), based on the minimal traces of K.The notion of minimal traces is detailed in (Nejib Ben Hadj-Alouane 2005).
To find the set of all minimal subtraces of K with respect to G, we construct an acyclic automaton G , that is the depth-first expansion of G as follows: Let K n be the set of traces in K of length at most n, where n is the cardinality of the state space of G (that is, n = |X|).Then, G is defined as follows: where the operator Ac gives the accessible (reachable) part of the G; the transition function δ is defined, recursively, starting from the initial state, as follows: For the initial state (x 0 , ε, {x 0 }) and σ ∈ Σ, For a state (x, s, Y ) already in the rang of δ and σ ∈ Σ, ∈ Y, undefined otherwise.So, the event set D(K) is then given as follows, based on the previous notion of minimal subtraces : Step 2 : Construction of C HL (s, K) for all s ∈ D(K) Given s ∈ D(K), so, we define G C HL (s,K) = {Σ , X , δ , x 0 } the automaton that marks the language C HL (s, K) as follows: where x 0 = δ(x 0 , s), X ⊂ X and δ ⊂ δ and the transition function δ h,l is defined recursively as follows: for a transition (x , σ, x ) ∈ δ : Step 3 : Computation of inf O P super (G C HL (s,K) ) for all s ∈ D(K), by applying the algorithm presented in the previous section We will have as result the automaton G inf (s) = {Σ , Q, δ inf , q 0 } Step 4 : Computation of G"(s) from G inf (s) for all s ∈ D(K), on projecting the set Q onto X Step 5 : Construction of G iP −O sup that marks the infimal and iP − Observable superlanguage of G : In this final step, we will make the union of all the enlarged languages described by the automatons G (s) for all s ∈ D(K) of the given language K = L(G).

AN ITERATIVE APPROACH AND AN EXAMPLE
To better illustrate the execution of the previous algorithm, we shall apply it to the problem of INI satisfaction for an electronic payment protocol.This protocol implements a credit card based transaction between a customer A and a merchant B, using the existing financial network for clearance and authorization.After the customer and merchant agree upon the transaction, B uses the information obtained from A in order to request an authorization and clearance from an acquired ACQ (for example a bank), for the payment, by forwarding the encrypted information obtained from A.
where n is A's credit card number, k is the acquired public encryption key, and resp is the acquired response, hence resp = ok or resp = notok, and {n} k stands for n encrypted by k.
The total protocol is specified as product of the concurrent principals: Based on the equivalence between process algebra and state machine models, our system can be easily converted into a deterministic generator G, as described in Figure 2. We note that in this model, message1({n} k ), and message2(A, {n} k ), are downgrading events, since the secret value, n, is encrypted.Furthermore, clearing(A, n), is a highlevel event, since n appears within its parameters.Finally, message3(ok), and message3(notok), are low-level events, since these messages are typically exchanged over public channels, and can be intercepted by any intruder.Hence, wehave, It is clear that our protocol is invalid in terms of IN I. Indeed, we take the two traces s = msg1({n} K )msg2(A, {n} K )Clearing(A, n) and s = msg1({n} K )msg2(A, {n} K ).We have P (s) = P (s ) and smsg3(OK) ∈ L(G) and s = msg3(OK) notinL(G).This system has a leak of information that can be exploited by an intruder (or even a seller B) that can send messages (A{n} K ) with different values of n , and possibly deduct if n is a number of electronic payment card valid or not, through the reception of messages msg3(OK) and msg3(N otOK).To overcome this problem we will calculate the minimum super-language verify the intransitive noninterference.
At first, let us compute the set of all minimal traces of G by constructing G .This automaton is not shown since it can be easily deduced from G. Based on G , we will compute the set D(K).In our example, the generator G is not containing any cycle so that we have D(K) = DK.So, we obtain : After that, for all s ∈ D(K), we compute Here, we have just to compute C HL (msg1({n} K )msg2(A, {n} K ), L(G)).This automaton is escribed in Figure 3 :  On the fourth step, we construct the automaton G"(msg1({n} K )msg2(A, {n} K )) given in Figure 5 :  Our system is now secure as the intruder will not be able to perform his attacks to deduce information about the validity of the card number submitted.In fact, the two messages msg3(OK) and msg3(N otOK), have no longer any interest because they no longer describe the response of the validation unit about the number n introduced.So the resulting system meets both the technical requirements imposed by the manufacturer and also preserving the validity of information flows imposed by the property of Intransitive Non-interference.

CONCLUSION
In this paper, we derive a new iterative approach for system construction composed of three steps: conception, INI verification and INI validation.We First derived formulas for computing the infimal superlanguage satisfying INI property, under a general definition of observability.We also show how these formulas can be implemented on automata.This have never been done before in INI literature.Our approach is algorithmic: we developed an algorithm based on automata representing the system/protocol behavior that can be used to compute the best system's behavior not only, having necessary functionalities, but also satisfying INI property.

Figure 2 :
Figure 2: Generator, G Modeling the Process P .