Abstract
We study bisimilarity and the security property of noninterference in a core synchronous reactive language that we name \(CRL\).
In the synchronous reactive paradigm, programs communicate by means of broadcast events, and their parallel execution is regulated by the notion of instant. Within each instant, programs may emit events and get suspended while waiting for events emitted by other programs. They may also explicitly return the control to the scheduler, thereby suspending themselves until the end of the instant. An instant is thus a period of time during which all programs compute until termination or suspension.
In \(CRL~\)there is no memory, and the focus is on the control structure of programs. An asymmetric parallel operator is used to implement a deterministic scheduling. This scheduling is fair – in the sense that it gives its turn to each parallel component – if all components are cooperative, namely if they always return the control after a finite number of steps.
We first prove that \(CRL~\)programs are indeed cooperative. This result is based on two features of the language: the semantics of loops, which requires them to yield the control at each iteration of their body; and a delayed reaction to the absence of events, which ensures the monotonicity of computations (viewed as I/O functions on event sets) during instants. Cooperativeness is crucial as it entails the reactivity of a program to its context, namely its capacity to input events from the context at the start of instants, and to output events to the context at the end of instants.
We define two bisimulation equivalences on programs, formalising respectively a fine-grained observation of programs (the observer is viewed as a program) and a coarse-grained observation (the observer is viewed as part of the context). As expected, the latter equivalence is more abstract than the former, as it only compares the I/O behaviours of programs at each instant, while the former also compares their intermediate results.
Based on these bisimulations, two properties of reactive noninterference (RNI) are proposed. Both properties are time-insensitive and termination-insensitive. Coarse-grained RNI is more abstract than fine-grained RNI, because it views the parallel operator as commutative and abstracts away from repeated emissions of the same event during an instant.
Finally, a type system guaranteeing both security properties is presented. Thanks partly to a design choice of \(CRL\), which offers two separate constructs for loops and iteration, this type system allows for a precise treatment of termination leaks, which are an issue in parallel languages.
Work partially supported by the french ANR 08-EMER-010 grant PARTOUT.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
In general, we shall call “instantaneous” any property that holds within an instant.
- 2.
A direct definition of the big-step arrow \(\Downarrow \) by a set of structural rules would be slightly more involved, as it would require calculating the output set \(E'\) as a fixpoint.
- 3.
Leaks due to different termination behaviours in the branches of a conditional. In classical parallel while languages, termination leaks may also arise in while loops. This is not possible in \(CRL\), given the simple form of the loop construct. On the other hand, new termination leaks may originate from the possibility of suspension.
- 4.
Recall that in a \({\mathtt{repeat}\,{exp}\,\mathtt{do}\,{s}}\) program, \(exp\) is supposed to evaluate to some \(n\ge 1\).
References
Abadi, M., Plotkin, G.: A model of cooperative threads. In: Proceedings POPL 2009, pp. 29–40. ACM Press (2009)
Almeida Matos, A., Boudol, G., Castellani, I.: Typing noninterference for reactive programs. J. Logic Algebraic Program. 72(2), 124–156 (2007)
Amadio, R.M., Dabrowski, F.: Feasible reactivity for synchronous cooperative threads. Electron. Notes Theoret. Comput. Sci. 154(3), 33–43 (2006)
Amadio, R.M.: The SL synchronous language, revisited. J. Logic Algebraic Program. 70(2), 121–150 (2007)
Attar, P., Castellani, I.: Fine-grained and coarse-grained reactive noninterference. INRIA Research Report (2013)
Berry, G., Gonthier, G.: The ESTEREL synchronous programming language: design, semantics, implementation. Sci. Comput. Program. 19(2), 87–152 (1992)
Bohannon, A., Pierce, B. C., Sjöberg, V., Weirich, S., Zdancewic, S.: Reactive noninterference. In: Proceedings of the 16th ACM conference on Computer and communications security, pp. 79–90. ACM (2009)
Boudol, G., Castellani, I.: Noninterference for concurrent programs and thread systems. Theor. Comput. Sci. 281(1), 109–130 (2002)
Boussinot, F., de Simone, R.: The SL synchronous language. Soft. Eng. 22(4), 256–266 (1996)
Boussinot, F., Susini, J.F.: The SugarCubes tool box: a reactive Java framework. Sof. Pract. Experience 28(14), 1531–1550 (1998)
Focardi, R., Gorrieri, R.: Classification of security properties. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 331–396. Springer, Heidelberg (2001)
Goguen, J. A., Meseguer, J.: Security policies and security models. In: Proceedings 1982 IEEE Symposium on Security and Privacy, pp. 11–20 (1982)
Goguen, J. A., Meseguer, J.: Unwinding and inference control. In: Proceedings 1984 IEEE Symposium on Security and Privacy (1984)
Russo, A., Sabelfeld, A.: Security for multithreaded programs under cooperative scheduling. In: Virbitskaite, I., Voronkov, A. (eds.) PSI 2006. LNCS, vol. 4378, pp. 474–480. Springer, Heidelberg (2007)
Russo, A., Zanarini, D., Jaskelioff, M.: Precise enforcement of confidentiality for reactive systems. In: Proceedings of the 26th IEEE Computer Security Foundations Symposium. IEEE (2013)
Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)
Smith, G.: A new type system for secure information flow. In: Proceedings of the 14th IEEE Computer Security Foundations Workshop. IEEE (2001)
Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. J. Comput. Secur. 4(3), 167–187 (1996)
Acknowledgments
We thank Frédéric Boussinot for insightful discussions and feedback, and Bernard Serpette for useful comments on a previous version of this paper. We also thank the anonymous referees for helpful remarks and suggestions.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Attar, P., Castellani, I. (2014). Fine-Grained and Coarse-Grained Reactive Noninterference. In: Abadi, M., Lluch Lafuente, A. (eds) Trustworthy Global Computing. TGC 2013. Lecture Notes in Computer Science(), vol 8358. Springer, Cham. https://doi.org/10.1007/978-3-319-05119-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-05119-2_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05118-5
Online ISBN: 978-3-319-05119-2
eBook Packages: Computer ScienceComputer Science (R0)