Analysing Cryptographically-Masked InformationFlows in D-MILS Architectures— Preliminary Results —
Thomas Noll ([email protected])
MOVES Sollerhaus Workshop; March 4, 2015
MOVES Sollerhaus Workshop; March 4, 2015
The D-MILS Project
Content
The D-MILS Project
Information Flow Security
The Type Checking Approach
The Slicing Approach
2 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Distributed MILS
2 fortiss
n Funded by the 7th Framework Programme of the European Commission n Website d-mils.org n Project consortium
Architectural Refinement
D-MILS Design Flow
11 fortiss
MILS AADL
Performance Analysis
MILS AADL
MILS AADL
Security Analysis
Safety Analysis
MILS Technical Platform
Node1 Node2 Node3
Configurations / Schedules / Communication Routes
Configuration Compiler
App A Level B Classified
App B Level C Unclassified
App C Level A Top Secret
C Code
C Code
Ada Code
Autofocus Model
Autocode
Simulink Model
Autocode
A B
C
Implements/ Satisfies
MILS Policy Architecture
C2
C4 C1
C3
C5
Circles represent���architectural���components ���(subjects /���objects)
Arrows represent���interactions
Suitability of the architecture for some purpose���presumes that the architect’s assumptions are met���in the implementation of the architecture diagram.
C6
The absence of an ���arrow is as significant���as the presence of one
This component���has no interaction ���with any other
Components are���assumed to perform���the functions specified���by the architect���(trusted���components enforce���a local policy)
The architecture���expresses an ���interaction policy���among a collection ���of components
Trusted Subject
© 2013 D-MILS Project 3
MILS Platform – Provides Straightforward Realization of Policy Architecture
Architecture
Realization SK, with other MILS ���foundational components,���form the MILS Platform���allowing operational���components to share���physical resources while���enforcing Isolation and ���Information Flow Control
Validity of the architecture���assumes that the only���interactions of the circles ���(operational components) is through the arrows ���depicted in the diagram
R 1
R 2
R 3 R 5
R 4
MILS Platform
© 2013 D-MILS Project 6
Distributed MILS (D-MILS): Policy architecture deployment spanning nodes
Node Hardware SK
MNS
Node Hardware SK
MNS
Node Hardware
SK ⊕ MNS ���Foundational Plane + →
Node Hardware
Subjects Subjects Subjects
MNS – MILS Networking System SK – Separation Kernel D-MILS Project Overview 10 © 2015 D-MILS Project
D-MILS Research and Technology Development Areas
Architecture Analysis and
Design Language
MILS-AADL
Inter- mediate
Languages
Verification Framework
MILS Platform Configuration
Compiler
D-MILS Platform target
Extended Separation
Kernel
Ext. Time Triggered Ethernet
Target Configuration
tools
Assurance Framework
Goal Structuring Notation
Behavior Annotation Property
Annotation
D-MILS Platform
Configuration Synthesis
Integration GSN & AADL
Graphical & Declarative Languages
Compositional Verification
Compositional Assurance Case
Representation Semantics and Transformations
Pre-existing products LSK TTE
D-MILS Project Overview 9 © 2015 D-MILS Project
Information Flow Security
Content
The D-MILS Project
Information Flow Security
The Type Checking Approach
The Slicing Approach
9 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information flow security
VERIMAG 2 Munich Meeting 22-23 Mars 2014
n Non-interference property includes: t Confidentiality (secrets kept) t Integrity (data not corrupted)
low-out
high-out
low-in
High-in
low-out
high-out
x low-in
high-in
x
component1 component2
Non-interference:“High-security inputs have no effects on low-security outputs”
Information Flow Security
Some Security Concepts
• Here: two security levels L (low/public) and H (high/confidential/secret/private)– partial order L v H (“can flow to”)– extension to multi-level security by generalisation to lattice
• Analysis (can be) based on event traces in Evt∗
– security assignment σ : Evt → {L, H}– projection t|E for t ∈ Evt∗, E ⊆ Evt– t1, t2 ∈ Evt∗ called E-equivalent (t1 ∼E t2) iff t1|E = t2|E
Definition (Non-interference [Goguen/Meseguer 1982])
Let Evt = In ] Out and T ⊆ Evt∗. Security assignment σ ensures (event)non-interference if, for all t1, t2 ∈ T ,
t1 ∼In∩σ−1(L) t2 =⇒ t1 ∼Out ∩σ−1(L) t2
Interpretation: behaviour seen by “low” observer unaffected by changes in “high”behaviour
11 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Some Security Concepts
• Here: two security levels L (low/public) and H (high/confidential/secret/private)– partial order L v H (“can flow to”)– extension to multi-level security by generalisation to lattice
• Analysis (can be) based on event traces in Evt∗
– security assignment σ : Evt → {L, H}– projection t|E for t ∈ Evt∗, E ⊆ Evt– t1, t2 ∈ Evt∗ called E-equivalent (t1 ∼E t2) iff t1|E = t2|E
Definition (Non-interference [Goguen/Meseguer 1982])
Let Evt = In ] Out and T ⊆ Evt∗. Security assignment σ ensures (event)non-interference if, for all t1, t2 ∈ T ,
t1 ∼In∩σ−1(L) t2 =⇒ t1 ∼Out ∩σ−1(L) t2
Interpretation: behaviour seen by “low” observer unaffected by changes in “high”behaviour
11 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Some Security Concepts
• Here: two security levels L (low/public) and H (high/confidential/secret/private)– partial order L v H (“can flow to”)– extension to multi-level security by generalisation to lattice
• Analysis (can be) based on event traces in Evt∗
– security assignment σ : Evt → {L, H}– projection t|E for t ∈ Evt∗, E ⊆ Evt– t1, t2 ∈ Evt∗ called E-equivalent (t1 ∼E t2) iff t1|E = t2|E
Definition (Non-interference [Goguen/Meseguer 1982])
Let Evt = In ] Out and T ⊆ Evt∗. Security assignment σ ensures (event)non-interference if, for all t1, t2 ∈ T ,
t1 ∼In∩σ−1(L) t2 =⇒ t1 ∼Out ∩σ−1(L) t2
Interpretation: behaviour seen by “low” observer unaffected by changes in “high”behaviour
11 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Cryptographically-Masked Information Flow
• Observation: encryption breaks traditional non-interference• Public ciphertexts do depend on confidential contents!
Example (Password encryption)
• In = {pwd1H, pwd2H}, Out = {enc1L, enc2L}• t1 = pwd1 · enc1, t2 = pwd2 · enc2• t1|In∩ s−1(L) = ε = t2|In∩ s−1(L), but t1|Out ∩ s−1(L) = enc1 6= enc2 = t2|Out ∩ s−1(L)
⇒ Interference
Common approach: declassification• Allows security level of incoming information to be lowered (here: password)• Categorisation according to where/who/when/what [Sabelfeld/Sands 2005]• Problems:
– exceptions to security policy might introduce unforeseen information release– systematic handling of re-classification unclear
12 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Cryptographically-Masked Information Flow
• Observation: encryption breaks traditional non-interference• Public ciphertexts do depend on confidential contents!
Example (Password encryption)
• In = {pwd1H, pwd2H}, Out = {enc1L, enc2L}• t1 = pwd1 · enc1, t2 = pwd2 · enc2• t1|In∩ s−1(L) = ε = t2|In∩ s−1(L), but t1|Out ∩ s−1(L) = enc1 6= enc2 = t2|Out ∩ s−1(L)
⇒ Interference
Common approach: declassification• Allows security level of incoming information to be lowered (here: password)• Categorisation according to where/who/when/what [Sabelfeld/Sands 2005]• Problems:
– exceptions to security policy might introduce unforeseen information release– systematic handling of re-classification unclear
12 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Cryptographically-Masked Information Flow
• Observation: encryption breaks traditional non-interference• Public ciphertexts do depend on confidential contents!
Example (Password encryption)
• In = {pwd1H, pwd2H}, Out = {enc1L, enc2L}• t1 = pwd1 · enc1, t2 = pwd2 · enc2• t1|In∩ s−1(L) = ε = t2|In∩ s−1(L), but t1|Out ∩ s−1(L) = enc1 6= enc2 = t2|Out ∩ s−1(L)
⇒ Interference
Common approach: declassification• Allows security level of incoming information to be lowered (here: password)• Categorisation according to where/who/when/what [Sabelfeld/Sands 2005]• Problems:
– exceptions to security policy might introduce unforeseen information release– systematic handling of re-classification unclear
12 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Adapting Non-Interference
• Non-interference: if a program is run in two low-equivalent environments, the resultingenvironments are low-equivalent• Confidentiality thus requires: attacker may not distinguish between ciphertexts• Naive approach: all ciphertexts are indistinguishable• But: enables occlusion (i.e., security leaks by implicit data flow)
Example (Occlusion)
m0 -[then low1 := encrypt(val, key)]-> m1;m1 -[when high then low2 := encrypt(val, key)]-> m2;m1 -[when not high then low2 := low1]-> m2;
Cannot distinguish between low1 and low2 even though (in-)equality reflects high
Wanted: notion of low-equivalence that semantically rejects occlusion withoutpreventing intuitively secure uses
13 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Adapting Non-Interference
• Non-interference: if a program is run in two low-equivalent environments, the resultingenvironments are low-equivalent• Confidentiality thus requires: attacker may not distinguish between ciphertexts• Naive approach: all ciphertexts are indistinguishable• But: enables occlusion (i.e., security leaks by implicit data flow)
Example (Occlusion)
m0 -[then low1 := encrypt(val, key)]-> m1;m1 -[when high then low2 := encrypt(val, key)]-> m2;m1 -[when not high then low2 := low1]-> m2;
Cannot distinguish between low1 and low2 even though (in-)equality reflects high
Wanted: notion of low-equivalence that semantically rejects occlusion withoutpreventing intuitively secure uses
13 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Adapting Non-Interference
• Non-interference: if a program is run in two low-equivalent environments, the resultingenvironments are low-equivalent• Confidentiality thus requires: attacker may not distinguish between ciphertexts• Naive approach: all ciphertexts are indistinguishable• But: enables occlusion (i.e., security leaks by implicit data flow)
Example (Occlusion)
m0 -[then low1 := encrypt(val, key)]-> m1;m1 -[when high then low2 := encrypt(val, key)]-> m2;m1 -[when not high then low2 := low1]-> m2;
Cannot distinguish between low1 and low2 even though (in-)equality reflects high
Wanted: notion of low-equivalence that semantically rejects occlusion withoutpreventing intuitively secure uses
13 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Possibilistic Non-Interference [McCullough 1988]
• Encryption non-deterministically calculates a ciphertext out of a set• Encrypted values low-equivalent if sets of possible results coincide
Definition
∼L is a low-equivalence relation on ciphertexts if ∀v1, v2, k1, k2:1. safe usage: ∀u1 ∈ encrypt(v1, k1).∃u2 ∈ encrypt(v2, k2) : u1 ∼L u2
2. prevent occlusion: ∃u1 ∈ encrypt(v1, k1), u2 ∈ encrypt(v2, k2) : u1 6∼L u2
• Lifted to low-equivalence relation ∼L on values and environments
Definition (Possibilistic non-interference (informal))
If a program is run in two low-equivalent environments, there exists a possibility thateach environment produced from the first environment is low-equivalent to some thatcan be produced from the second environment
14 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Possibilistic Non-Interference [McCullough 1988]
• Encryption non-deterministically calculates a ciphertext out of a set• Encrypted values low-equivalent if sets of possible results coincide
Definition
∼L is a low-equivalence relation on ciphertexts if ∀v1, v2, k1, k2:1. safe usage: ∀u1 ∈ encrypt(v1, k1).∃u2 ∈ encrypt(v2, k2) : u1 ∼L u2
2. prevent occlusion: ∃u1 ∈ encrypt(v1, k1), u2 ∈ encrypt(v2, k2) : u1 6∼L u2
• Lifted to low-equivalence relation ∼L on values and environments
Definition (Possibilistic non-interference (informal))
If a program is run in two low-equivalent environments, there exists a possibility thateach environment produced from the first environment is low-equivalent to some thatcan be produced from the second environment
14 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Possibilistic Non-Interference [McCullough 1988]
• Encryption non-deterministically calculates a ciphertext out of a set• Encrypted values low-equivalent if sets of possible results coincide
Definition
∼L is a low-equivalence relation on ciphertexts if ∀v1, v2, k1, k2:1. safe usage: ∀u1 ∈ encrypt(v1, k1).∃u2 ∈ encrypt(v2, k2) : u1 ∼L u2
2. prevent occlusion: ∃u1 ∈ encrypt(v1, k1), u2 ∈ encrypt(v2, k2) : u1 6∼L u2
• Lifted to low-equivalence relation ∼L on values and environments
Definition (Possibilistic non-interference (informal))
If a program is run in two low-equivalent environments, there exists a possibility thateach environment produced from the first environment is low-equivalent to some thatcan be produced from the second environment
14 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Possibilistic Non-Interference and Safe Usage of Encryption
Example (Safe usage of encryption)
m0 -[then low := encrypt(high, key)]-> m1;
• Let σ(high) = H and σ(key) = σ(low) = L
• Let environments η1, η2 with η1 ∼L η2 such that1. η1(high) = v1, η1(key) = k2. η2(high) = v2, η2(key) = k• Execution respectively yields
1. E ′1 = {η1[low 7→ u1] | u1 ∈ encrypt(v1, k)}2. E ′2 = {η2[low 7→ u2] | u2 ∈ encrypt(v2, k)}• Now ∀u1 ∈ encrypt(v1, k1).∃u2 ∈ encrypt(v2, k2) : u1 ∼L u2 implies that∀η′1 ∈ E ′1.∃η′2 ∈ E ′2 : η′1 ∼L η
′2
⇒ Possibilistic non-interference
15 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
Information Flow Security
Possibilistic Non-Interference and Occlusion
Example (Occlusion)
m0 -[then low1 := encrypt(val, key)]-> m1;
m1 -[when high then low2 := encrypt(val, key)]-> m2;
m1 -[when not high then low2 := low1]-> m2;
• Let σ(high) = σ(val) = H and σ(key) = σ(low1) = σ(low2) = L• Let environments η1, η2 with η1 ∼L η2 such that
1. η1(high) = true, η1(val) = v1, η1(key) = k2. η2(high) = false, η2(val) = v2, η2(key) = k• Execution respectively yields
1. E ′1 = {η1[low1 7→ u1, low2 7→ u2] | u1 ∈ encrypt(v1, k), u2 ∈ encrypt(v2, k)}2. E ′2 = {η2[low1 7→ u, low2 7→ u] | u ∈ encrypt(v1, k)}• Now ∃u1 ∈ encrypt(v1, k), u2 ∈ encrypt(v2, k) : u1 6∼L u2 implies that∃η′1 ∈ E ′1 : η′1(low1) 6∼L η
′1(low2)
• On the other hand, ∀η′2 ∈ E ′2 : η′2(low1) ∼L η′2(low2)
• Thus ∃η′1 ∈ E ′1.∀η′2 ∈ E ′2 : η′1 6∼L η′2
⇒ Possibilistic interference
16 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Type Checking Approach
Content
The D-MILS Project
Information Flow Security
The Type Checking Approach
The Slicing Approach
17 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Type Checking Approach
MILS-AADL Specifications
crypto controller
split merge
bypass
crypto
18 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Type Checking Approach
The Type Checking Approach
• Introduce typing environment T– local variables and data ports→ security type τ (data type t + security level σ)– modes and event ports→ security level σ
• Specify typing rules– parametrised by T– derive types of connections and transitions
• Example: encryption and decryption
T ` e1 : τ T ` e2 : key L
T ` encrypt(e1, e2) : enc τ L
T ` e1 : enc τ σ T ` e2 : key H
T ` decrypt(e1, e2) : τσ
Theorem ([MILS Workshop 2015])
If the system is typeable, it is possibilistically non-interfering.
19 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Type Checking Approach
The Type Checking Approach
• Introduce typing environment T– local variables and data ports→ security type τ (data type t + security level σ)– modes and event ports→ security level σ
• Specify typing rules– parametrised by T– derive types of connections and transitions
• Example: encryption and decryption
T ` e1 : τ T ` e2 : key L
T ` encrypt(e1, e2) : enc τ L
T ` e1 : enc τ σ T ` e2 : key H
T ` decrypt(e1, e2) : τσ
Theorem ([MILS Workshop 2015])
If the system is typeable, it is possibilistically non-interfering.
19 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Type Checking Approach
The Type Checking Approach
• Introduce typing environment T– local variables and data ports→ security type τ (data type t + security level σ)– modes and event ports→ security level σ
• Specify typing rules– parametrised by T– derive types of connections and transitions
• Example: encryption and decryption
T ` e1 : τ T ` e2 : key L
T ` encrypt(e1, e2) : enc τ L
T ` e1 : enc τ σ T ` e2 : key H
T ` decrypt(e1, e2) : τσ
Theorem ([MILS Workshop 2015])
If the system is typeable, it is possibilistically non-interfering.
19 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Type Checking Approach
Ongoing Work
• Exact characterisation of determinism requirements– non-interference property is non-compositional in presence of non-determinism
• Elaboration of correctness proof for type system• Improving usability by type inference (rather than type checking)
– based on given security-level assignment to (some) event and data ports
• Implementation of type checking/inference
20 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Content
The D-MILS Project
Information Flow Security
The Type Checking Approach
The Slicing Approach
21 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Motivation
Weaknesses of type checking approach:• Analysis is flow-insensitive
Example
m0 -[when high then low := 42]-> m1;
m1 -[then low := 0]-> m2;
– choosing σ(low) = L is ok since m0 transition has “dead” effect– but type system cannot handle this (as types are global)
• Analysis does not take (non-)knowledge of encryption keys into account:
T ` e1 : enc (int H) L T ` e2 : key H
T ` decrypt(e1, e2) : int H
yields σ(decrypt(e1, e2)) = H even if e2 cannot be the matching private key
22 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Motivation
Weaknesses of type checking approach:• Analysis is flow-insensitive
Example
m0 -[when high then low := 42]-> m1;
m1 -[then low := 0]-> m2;
– choosing σ(low) = L is ok since m0 transition has “dead” effect– but type system cannot handle this (as types are global)
• Analysis does not take (non-)knowledge of encryption keys into account:
T ` e1 : enc (int H) L T ` e2 : key H
T ` decrypt(e1, e2) : int H
yields σ(decrypt(e1, e2)) = H even if e2 cannot be the matching private key
22 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
SlicingNon-interference: which high inputs influence which low outputs?Slicing: which outputs depend on which inputs?
• interesting output values define slicing criterion• backward analysis of information flow based on program dependence graph• analysis inherently flow-sensitive!
Applications:• Debugging• Testing• Model checking• Software security [Snelting et al.]
– relation to (classical)non-interference: if no high variablein the backward slice of any lowoutput, then system isnon-interfering
– interprocedural extension bycontext-sensitive slicing
23 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
SlicingNon-interference: which high inputs influence which low outputs?Slicing: which outputs depend on which inputs?
• interesting output values define slicing criterion• backward analysis of information flow based on program dependence graph• analysis inherently flow-sensitive!
Applications:• Debugging• Testing• Model checking• Software security [Snelting et al.]
– relation to (classical)non-interference: if no high variablein the backward slice of any lowoutput, then system isnon-interfering
– interprocedural extension bycontext-sensitive slicing
23 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Slicing AADL Specifications for Model Checking [NFM 2010]
D := S;E := ∅;M := ∅;}
Initialization based on slicing criterion S (= subset of data elements)repeat
for all me,g,f−→ m′ ∈ Trn with ∃d ∈ D : f updates d
or ∃d ∈ D : d inactive in m but active in m′
or e ∈ E doM := M ∪ {m};
Transitions that affect interesting data elements orhave interesting triggers
for all me,g,f−→ m′ ∈ Trn with m ∈ M or m′ ∈ M do
D := D ∪ {d ∈ Dat | g reads d}∪ {d ∈ Dat | f updates some d ′ ∈ D reading d};
E := E ∪ {e};M := M ∪ {m};
Transitions from/to interesting modes
for all a d ∈ Flw with d ∈ D doD := D ∪ {d ′ ∈ Dat | a reads d ′};M := M ∪ {m ∈ Mod | d := a active in m};
Data flows to interesting ports
for all e e′ ∈ Con with e ∈ E or e′ ∈ E doE := E ∪ {e, e′};M := M ∪ {m ∈ Mod | e e′ active in m};
Connections involving interesting eventports
until nothing changes;
24 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Slicing AADL Specifications for Model Checking [NFM 2010]
D := S;E := ∅;M := ∅;}
Initialization based on slicing criterion S (= subset of data elements)repeat
for all me,g,f−→ m′ ∈ Trn with ∃d ∈ D : f updates d
or ∃d ∈ D : d inactive in m but active in m′
or e ∈ E doM := M ∪ {m};
Transitions that affect interesting data elements orhave interesting triggers
for all me,g,f−→ m′ ∈ Trn with m ∈ M or m′ ∈ M do
D := D ∪ {d ∈ Dat | g reads d}∪ {d ∈ Dat | f updates some d ′ ∈ D reading d};
E := E ∪ {e};M := M ∪ {m};
Transitions from/to interesting modes
for all a d ∈ Flw with d ∈ D doD := D ∪ {d ′ ∈ Dat | a reads d ′};M := M ∪ {m ∈ Mod | d := a active in m};
Data flows to interesting ports
for all e e′ ∈ Con with e ∈ E or e′ ∈ E doE := E ∪ {e, e′};M := M ∪ {m ∈ Mod | e e′ active in m};
Connections involving interesting eventports
until nothing changes;
24 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Slicing AADL Specifications for Model Checking [NFM 2010]
D := S;E := ∅;M := ∅;}
Initialization based on slicing criterion S (= subset of data elements)repeat
for all me,g,f−→ m′ ∈ Trn with ∃d ∈ D : f updates d
or ∃d ∈ D : d inactive in m but active in m′
or e ∈ E doM := M ∪ {m};
Transitions that affect interesting data elements orhave interesting triggers
for all me,g,f−→ m′ ∈ Trn with m ∈ M or m′ ∈ M do
D := D ∪ {d ∈ Dat | g reads d}∪ {d ∈ Dat | f updates some d ′ ∈ D reading d};
E := E ∪ {e};M := M ∪ {m};
Transitions from/to interesting modes
for all a d ∈ Flw with d ∈ D doD := D ∪ {d ′ ∈ Dat | a reads d ′};M := M ∪ {m ∈ Mod | d := a active in m};
Data flows to interesting ports
for all e e′ ∈ Con with e ∈ E or e′ ∈ E doE := E ∪ {e, e′};M := M ∪ {m ∈ Mod | e e′ active in m};
Connections involving interesting eventports
until nothing changes;
24 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Slicing AADL Specifications for Model Checking [NFM 2010]
D := S;E := ∅;M := ∅;}
Initialization based on slicing criterion S (= subset of data elements)repeat
for all me,g,f−→ m′ ∈ Trn with ∃d ∈ D : f updates d
or ∃d ∈ D : d inactive in m but active in m′
or e ∈ E doM := M ∪ {m};
Transitions that affect interesting data elements orhave interesting triggers
for all me,g,f−→ m′ ∈ Trn with m ∈ M or m′ ∈ M do
D := D ∪ {d ∈ Dat | g reads d}∪ {d ∈ Dat | f updates some d ′ ∈ D reading d};
E := E ∪ {e};M := M ∪ {m};
Transitions from/to interesting modes
for all a d ∈ Flw with d ∈ D doD := D ∪ {d ′ ∈ Dat | a reads d ′};M := M ∪ {m ∈ Mod | d := a active in m};
Data flows to interesting ports
for all e e′ ∈ Con with e ∈ E or e′ ∈ E doE := E ∪ {e, e′};M := M ∪ {m ∈ Mod | e e′ active in m};
Connections involving interesting eventports
until nothing changes;
24 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Slicing AADL Specifications for Model Checking [NFM 2010]
D := S;E := ∅;M := ∅;}
Initialization based on slicing criterion S (= subset of data elements)repeat
for all me,g,f−→ m′ ∈ Trn with ∃d ∈ D : f updates d
or ∃d ∈ D : d inactive in m but active in m′
or e ∈ E doM := M ∪ {m};
Transitions that affect interesting data elements orhave interesting triggers
for all me,g,f−→ m′ ∈ Trn with m ∈ M or m′ ∈ M do
D := D ∪ {d ∈ Dat | g reads d}∪ {d ∈ Dat | f updates some d ′ ∈ D reading d};
E := E ∪ {e};M := M ∪ {m};
Transitions from/to interesting modes
for all a d ∈ Flw with d ∈ D doD := D ∪ {d ′ ∈ Dat | a reads d ′};M := M ∪ {m ∈ Mod | d := a active in m};
Data flows to interesting ports
for all e e′ ∈ Con with e ∈ E or e′ ∈ E doE := E ∪ {e, e′};M := M ∪ {m ∈ Mod | e e′ active in m};
Connections involving interesting eventports
until nothing changes;
24 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Slicing criterion: {outframe}
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add sources and modes of flows with interestingtargets
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add source modes of transitions that affectinteresting data elements
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add data elements, events and source modes ofinteresting transitions
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add sources and modes of flows with interestingtargets
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add source modes of transitions that affectinteresting data elements
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add data elements, events and source modes ofinteresting transitions
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add sources and modes of flows with interestingtargets
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add source modes of transitions that affectinteresting data elements
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add data elements, events and source modes ofinteresting transitions
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Add sources and modes of flows with interestingtargets
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: The Crypto Controller
system cryptocontroller(inframe: in data (int,int)outframe: out data (int,enc int)mykeys: key pair
system split(frame: in data (int,int)header: out data intpayload: out data intm0: initial modem0 -[then header := frame[0];
payload := frame[1]]-> m0)system bypass(inheader: in data intoutheader: out data intm0: initial modem0 -[then outheader := inheader]-> m0
)
Thus: (low) outframe depends on (high)inframe =⇒ (classical) interference!
system crypto(inpayload: in data int 0outpayload: out data enc intk: key pub(mykeys)m0: initial modem0 -[then outpayload := encrypt(inpayload,k)]-> m0
)system merge(header: in data intpayload: in data enc intframe: out data (int,enc int)m0: initial modem0 -[then frame := (header,payload)]-> m0
)flow inframe -> split.frameflow split.header -> bypass.inheaderflow split.payload -> crypto.inpayloadflow bypass.outheader -> merge.headerflow crypto.outpayload -> merge.payloadflow merge.frame -> outframe
)
25 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Handling Encryption and Decryption
• Security concepts in MILS-AADL:– declaration of key pairs as global constants on top level (mykeys)– assignment of (public/private) subkeys to data subcomponents (k)– forwarding via data ports possible⇒ static pool of keys with dynamic distribution
• Analysis approach: conditional slicing w.r.t. knowledge of keys– attach security level to each data element (ports and subcomponents)– encrypt(val,key):� maintain sets of data elements (D) and public keys (U) that may be used in first/as second
argument� result depends on all elements of D� result always declassified to L
– decrypt(val,key):� maintain sets of (D,U)-pairs and private keys (P) that may be used in first/as second argument� result depends on D′ =
⋃{D | U ∩ P 6= ∅}
� resulting security level is maximal level in D′
26 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Handling Encryption and Decryption
• Security concepts in MILS-AADL:– declaration of key pairs as global constants on top level (mykeys)– assignment of (public/private) subkeys to data subcomponents (k)– forwarding via data ports possible⇒ static pool of keys with dynamic distribution• Analysis approach: conditional slicing w.r.t. knowledge of keys
– attach security level to each data element (ports and subcomponents)– encrypt(val,key):� maintain sets of data elements (D) and public keys (U) that may be used in first/as second
argument� result depends on all elements of D� result always declassified to L
– decrypt(val,key):� maintain sets of (D,U)-pairs and private keys (P) that may be used in first/as second argument� result depends on D′ =
⋃{D | U ∩ P 6= ∅}
� resulting security level is maximal level in D′
26 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: Secure Communication
split1
bypass1
crypto
merge1 split2
bypass2
decrypto
merge2(L, H)
H L
(L, L)
L
L L L L
H
(L, H)
1. outpayload := encrypt(inpayload,k1) with k1 = pub(mykeys)– D = {split1.payload, split1.frame, inframe}– U = {mykeys}
2. outpayload := decrypt(inpayload,k2) with k2 = priv(mykeys)– P = {mykeys}⇒ P ∩ U = {mykeys} 6= ∅⇒ D′ = {split1.payload, split1.frame, inframe}
27 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: Secure Communication
split1
bypass1
crypto
merge1 split2
bypass2
decrypto
merge2(L, H)
H L
(L, L)
L
L L L L
H
(L, H)
1. outpayload := encrypt(inpayload,k1) with k1 = pub(mykeys)– D = {split1.payload, split1.frame, inframe}– U = {mykeys}
2. outpayload := decrypt(inpayload,k2) with k2 = priv(mykeys)– P = {mykeys}⇒ P ∩ U = {mykeys} 6= ∅⇒ D′ = {split1.payload, split1.frame, inframe}
27 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Example: Secure Communication
split1
bypass1
crypto
merge1 split2
bypass2
decrypto
merge2(L, H)
H L
(L, L)
L
L L L L
H
(L, H)
1. outpayload := encrypt(inpayload,k1) with k1 = pub(mykeys)– D = {split1.payload, split1.frame, inframe}– U = {mykeys}
2. outpayload := decrypt(inpayload,k2) with k2 = priv(mykeys)– P = {mykeys}⇒ P ∩ U = {mykeys} 6= ∅⇒ D′ = {split1.payload, split1.frame, inframe}
27 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The Slicing Approach
Ongoing Work
• Work out details of conditional slicing algorithm• Correctness proof w.r.t. possibilistic non-interference
– if no low output conditionally depends on any high input, the system is possibilistically non-interfering• Relation to type checking approach
– conjecture: if the system is typeable, then no low output conditionally depends on any high input– reverse inclusion does not hold due to flow-(in-)sensitivity
28 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015
The End
Questions?
29 of 29 Analysing Cryptographically-Masked Information Flows in D-MILS ArchitecturesThomas NollMOVES Sollerhaus Workshop; March 4, 2015