
Compositional noninterference from first principles

  • Original Article
Formal Aspects of Computing

Abstract

The recently formulated Shadow Semantics for noninterference-style security of sequential programs avoids the Refinement Paradox by preserving demonic nondeterminism in those cases where reducing it would compromise security. The construction (originally) of the semantic domain for The Shadow, and the interpretation of programs in it, relied heavily on intuition, guesswork and the advice of others. That being so, it is natural after the fact to try to reconstruct an idealised “inevitable” path from first principles to where we actually ended up: not only does one learn (more) about semantic principles by doing so, but the “rational reconstruction” helps to expose the choices made, along the way, and to legitimise the decisions that resolved them. Unlike our other papers on noninterference, this one does not contain a significant case study: instead its aim is to provide the most accessible account we can of the methods we use and why our model, in its details, has turned out the way it has. In passing, it might give some insight into the general role and significance of compositionality and testing-with-context for program semantics. Finally, a technical contribution here is a new “Transfer Principle” that captures uniformly a large class of classical refinements that remain valid when noninterference is taken into account in our style.



Author information


Corresponding author

Correspondence to Carroll Morgan.

Additional information

Eerke Boiten, John Derrick, Dong Jin Song and Steve Reeves

I acknowledge the support of the Australian Research Council Grant DP0879529.


About this article

Cite this article

Morgan, C. Compositional noninterference from first principles. Form Asp Comp 24, 3–26 (2012). https://doi.org/10.1007/s00165-010-0167-y


  • DOI: https://doi.org/10.1007/s00165-010-0167-y
