Benign Interaction of Security Domains

Abstract

Whenever data is communicated outside a security domain there is the risk that it may influence data coming back in a way that is not permitted by the security domain. This may arise when different security domains relate to different parallel processes that exchange information through communication. We provide general definitions of the demands on the communication and sanitisation primitives so as to mitigate the risk. For interesting instantiations of these definitions we provide algorithms for checking that the demands have been met. The development is illustrated by a worked example dealing with the outsourcing of data management to the cloud.

A Semantics

As in [15] and [13] we use operational semantics to define the semantics of Secure Guarded Commands with Security Domains.

Fig. 7.

Semantics of expressions.

Expressions are evaluated with respect to a memory \(\sigma \) that assigns values to all variables of interest and the semantic judgement defined in Fig. 7 takes the form \( \sigma \vdash e \rhd v \). Evaluation is undefined if the expression accesses a variable for which the memory does not assign a value. Note that the value of is the same as the value of \(e_1\).

Fig. 8.

Semantics of commands.

Commands are executed with respect to a memory and produce a new memory. The semantic judgement defined in Fig. 8 takes the form \( (C,\sigma )\rightarrow ^\varphi (C',\sigma ') \). the superscript \(\varphi \) indicates whether the action is silent (\(\tau \)), an input (\(c\,\mathtt{?}\,{v}\)) or an output (\(c\,\mathtt{!}\,{v}\)). We allow C and \(C'\) to range both over commands and the special symbol \(\surd \) indicating a terminated configuration.

Fig. 9.

Semantics of systems.

Processes have disjoint memories so they can only exchange values by communicating over the channels. More precisely this means that for each process we will have a local memory assigning values to the variables of interest and we shall be based on synchronous communication. For processes the semantic judgement defined in Fig. 9 takes the form

$$ \begin{array}{l} ( E\ \mathtt{par}\ {{\boldsymbol{L}}_1\,S_1\,D_1\,C_1 \cdots {\boldsymbol{L}}_n\,S_n\,D_n\,C_n}\ \mathtt{rap} ,\sigma _1\cdots \sigma _n) \\ \rightarrow ( E\ \mathtt{par}\ {{\boldsymbol{L}}_1\,S_1\,D_1\,C'_1 \cdots {\boldsymbol{L}}_n\,S_n\,D_n\,C'_n}\ \mathtt{rap} ,\sigma '_1\cdots \sigma '_n) \end{array} $$

where once more we allow C and \(C'\) to range both over commands and the special symbol \(\surd \) indicating a terminated configuration. The first rule says that we can let one of the constituent processes perform a silent step adn the second rule says (omitting the details needed to deal with input and output being placed in another order) that we can let two constituent processes produce matching input and output actions. The side conditions of the rules insist that the domain of local memories (written \(\mathsf{dom}(\sigma _i)\)) includes the local variables declared in the program (written \(\mathsf{dom}(\mathsf{env}(D_i))\)) and that the channel used for communication is indeed declared in the program (written \(\mathsf{dom}(\mathsf{env}(E))\)) where the environments and declarations are constructed using \(\mathsf{env}(\cdots )\) as defined previously. Note that if one of the processes terminates then the corresponding component in the configuration will contain \(\surd \) and it will not be able to evolve further.