Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

The semantic validation of information flow security [6, 15] is achieved with noninterference properties [5, 7]. Recent proposals of such properties for confidentiality in event-based systems distinguish between the “presence” and “content” of communication events (e.g. [13]).

Consider the simple process \(c_1?x.c_2!d\), where some data is received from the confidential channel \(c_1\), and forgotten immediately, with some data d subsequently sent over the public channel \(c_2\). Although the confidential input content is not leaked through the public channel \(c_2\), this process is typically regarded as insecure [2, 3, 6, 8, 13, 18], in case the input can be occasionally blocked by the environment. The reason is that the “presence” of the confidential input can be leaked through the “presence” of the public output.

When separate confidentiality levels can be assigned for the presence and content of communication, a more fine-grained analysis can be obtained. Supposing both the “presence” level and the “content” level of \(c_2\) are public, then the content level of \(c_1\) can still be confidential — only the presence level needs to be public, for the process to be secure. However, existing work introduces the constraint that “presence” can be no more confidential than “content” [13, 14]: observing the content of a communication implies the knowledge that the communication is happening (present).

By the usually perceived duality [9] between confidentiality and integrity, separating “presence” and “content” applies for integrity as well. Still consider the process \(c_1?x.c_2!d\). If both the “presence” and the “content” of communication over \(c_2\) are of high integrity, then only the “presence” of communication over \(c_1\) needs to be of high integrity as well, the input content can still be of low integrity, for the process to be secure. However, the aforementioned constraint would preclude the use of channels with low presence integrity and high content integrity. Nevertheless, this combination is practically meaningful. When message authentication codes (MAC) are used, a MAC-checker can detect tampered (low integrity) content and choose to accept only high integrity content. As a result, the content, once received by an end user, can be used by her with confidence that no harm will arise. The worry, though, is that the communication allowing to receive that content may not be present. The suspension of this communication may be caused, for example, by message rejection in the MAC-checker due to content corruption. It is therefore sensible to regard the user channel as having low presence integrity and high content integrity.

Our contribution is a novel bisimulation-based noninterference property for integrity, where the presence and content of communication events are dealt with separately, and all combinations of integrity levels for these two dimensions are allowed. The property is shown to degenerate to the classical process-algebraic condition SBNDC (e.g., [6]), and a compositionality result is obtained to facilitate a structural approach to information flow analysis in a concurrent setting.

Our development will be performed in the Quality Calculus [12], a recent extension of the \(\pi \)-calculus. The distinguishing feature of the Quality Calculus is the use of composite binders \( { \& }_{q}({b}_{1},...,{b}_{n})\) that describe the combinations of communications (at the basic input/output binders \(b_1, ..., b_n\)) that suffice for the computation to proceed. This makes system models more robust, since when faced with a computation environment that does not allow certain communications to be performed, their alternatives could still succeed. Take the composite binder \( { \& }_{1\vee 2}({c}_{1}{?}{x}_{1},{c}_{2}{?}{x}_{2})\) as an example. This binder is passed immediately after the success of either input. If \(x_1\) has received data d when the binder is passed, then \(x_1\) is bound to \(\mathsf{some} (d)\); otherwise to \(\mathsf{none}\), which resembles the optional data types used in languages like Standard ML. We can then use the “\(\mathsf{case}\) construct” of the calculus to model branching decisions based on whether \(x_1\) is bound to \(\mathsf{some} (d)\) or \(\mathsf{none}\). An example here is \(\mathsf{case}\ {x_1}\ \mathsf{of}\ \mathsf{some}(y):{P_1}\ \mathsf{else}\ {P_2}\) where \(P_1\) and \(P_2\) are two processes.

2 Motivating Examples

Let us give a few examples (in Fig. 1) to frame our mind in terms of presence integrity and content integrity, and further motivate the noninterference property to be proposed. Channels with two subscripts (L or H, representing their integrity classification) will often be used. The first level describes the presence dimension and the second describes the content dimension. For each subscript, an L (resp. H) will denote low (resp. high) integrity.

Processes 1 and 2 are intuitively secure. In process 1, given the low content integrity and high presence integrity of \(c_{HL}\), the corruption of the input content by an attacker can be “passed on” to the output content, while the input cannot be blocked by the attacker, consequently blocking the output. Hence the low content integrity, high presence integrity of \(c'_{HL}\) can be justified in accordance with the integrity classes of \(c_{HL}\). In process 2, any influence on the presence of the input can in turn influence the presence of the output, but cannot by itself corrupt the output content, which also demonstrates the consistency of the integrity classes of \(c_{LH}\) and \(c'_{LH}\). On the other hand, process 3 is insecure: the classification of \(c'_{LH}\) does not meet the intuition that both the presence of the final output, and its content, can be badly influenced.

One might think that the presence integrity can either be high for all channels, or low for all channels, hence at most one of the classes “high” and “low” is needed. This is not true, as illustrated by the insecurity of process 4, and the security of process 5. In process 4, the content integrity of the output channel cannot be H, since the presence of the input leads to more choices for the output content, some of which may not be possible with the input still blocked.

Fig. 1.
figure 1

Some example processes

Full size image

Given the insecure dependency of high integrity content on low integrity presence in process 4, it becomes interesting to see when certain source channels have the presence level L, which sink channels can still have the content level H without being affected. Process 6 is coded in the Quality Calculus. It is a call to the procedure M whose definition follows. This process is in fact a simple-minded “multiplexer” that directs incoming data from \(c_{LH}\) to \(c'_{LH}\), and from \(c_{LL}\) to \(c''_{LL}\). Note that if one of the four channels has low presence integrity, then all channels have low presence integrity, since the influence by the presence of communication over one of the channels on the control flow is global. However, \(c'_{LH}\) preserves the high content integrity of \(c_{LH}\), despite this pervasive corruption on the “presence” dimension.

The process 7 is a call to procedure A whose body uses the same predicate \(1\vee 2\), which enables it to source from alternative channels \(c_{LL}\) and \(c'_{LL}\). The input content, no matter from which source channel, will be output over the channel \(c_{HL}\). The process is not secure if the environment can block the two inputs at the same time. However, \(c_{LL}\) and \(c'_{LL}\) might represent sources that are geographically distant or that fail with drastically different causes, which can be modeled by an environment strategy (e.g., [10, 13]) that always provides at least one of the inputs when the computation proceeds to the composite input binder. The procedure call will be secure under that strategy.

We end this section with a conceptualization of presence integrity and content integrity, although a more technical characterization comes along with our security property to be presented later.

  • Presence integrity: for each i, whether the existence of the i-th output/input over channel c in a finite sequence \(\pi \) of communication actions can be influenced by the attacker

  • Content integrity: for each i, whether the content of the i-th output/input over channel c can be influenced by the attacker, in case the input/output exists in a finite sequence \(\pi \) of communication actions

Note that it is not only whether an input/output on a channel c is eventually available, that matters, but how many times it occurs in each computation sequence, since we are concerned with nonterminating computation and looping behaviors: the processes 6 and 7 in Fig. 1 are such examples.

This paper is structured as follows. In Sect. 3, we present the syntax and semantics of the Quality Calculus. We then present our noninterference condition for behavioral integrity in Sect. 4. Two main theoretical properties of the noninterference condition, including its degeneration to SBNDC, and the compositionality result, are presented in Sect. 5. Further examples are given in Sect. 6, to illustrate the condition and its compositionality. We conclude in Sect. 7, with a few pointers to related work.

3 The Quality Calculus

Syntax. The Quality Calculus [12] has its roots in the \(\pi \)-calculus and CCS, but allows to specify criteria on which communications have to succeed for the computation to continue. This can be expressed by the construct \( { \& }_{q}({b}_{1},...,{b}_{n})\) with predicate q and communication binders \(b_1\),...,\(b_n\). The computation can then continue differently, depending on whether each of these communications has succeeded, using the construct \(\mathsf{case}\ {e}\ \mathsf{of}\ \mathsf{some}(y):{P_1}\ \mathsf{else}\ {P_2}\). The predicate q can refer to any specific binder among \(b_1\), ..., \(b_n\), by its index (1,...,n), and can denote any boolean combination of their evaluation status. Since some previous inputs might be unsuccessful, we allow expressions that are missing data to be evaluated to \(\mathsf{none}\), or else to \(\mathsf{some} (c)\) with some constant c.

The complete syntax is given in Table 1. Terms t and expressions e are separate syntactical categories that capture the distinction between data and optional data. A constant c is either a channel (\(\mathbf{Chn}\)), or a datum (\(\mathbf {Dt}\)), or both, as we allow \(\mathbf {Chn}\cap \mathbf {Dt}\ne \{\}\). For a constant in \(\mathbf {Dt}\), we also use d (\(d'\), etc.) for its denotation. Atomic input binders are of the form t?x. Atomic output binders are of the form \({t}!{t'}\{x\}\), where the variable x is used as an indicator of whether the output has succeeded, the output content is also bound to x in case it has. We abbreviate \({t}!{t'}\{x\}\) to \({t}!{t'}\) when such indication provided by x is not needed. With a procedure call \(A(\bar{e})\), the procedure A needs to be defined as a process P, with \(A(\bar{x})\triangleq P\). Looping behavior is allowed via recursive procedure calls. The other features not mentioned so far are mostly standard. Although the Quality Calculus does not have a non-deterministic choice operator, an encoding of internal nondeterministic choice (in the style of Hoare’s CSP) can be done using composite binders and \(\mathsf{case}\) constructs, as presented in [12].

Table 1. The syntax of the quality calculus
Full size table

Semantics. To facilitate the specification of open systems, and the formulation of our security condition, we present a semantics that is parameterized on the computation environment. The tight correspondence of this semantics with the classical semantics [12] of the Quality Calculus is discussed in the appendix.

Processes and binders make transitions together with sequences \(\pi \in \varPi \). Each such sequence contains a separator \(_\triangle \), which delimits the environment’s past actions interacting with the process, and optionally a future communication attempt. Each communication action/attempt is represented by an “abstract binder” \(\hat{b}\in AB \) given by the syntax \(\hat{b}\,{:}{:}{=}\,c?x \mid c?c' \mid c!c' \mid \square \). The abstract binders c?x and \(c?c'\) represent a pending input and a completed input, respectively, of the environment; on the other hand, \(c!c'\) represents either a pending output or a completed output, also of the environment. In addition, \(\square \) represents the suspension of any communication by one step.

We write \([\pi ]_\triangle \) for the prefix of \(\pi \) up to the \(_\triangle \) in it, and \(\varPi _\triangle \) for the set \(\{[\pi ]_\triangle ~|~\pi \in \varPi \}\). Next introduce environment strategies \(\delta : \varPi _\triangle \rightarrow 2^{ AB }\setminus \{c?c'|c,c'\in \mathbf{Chn}\cup \mathbf{Dt}\}\) from the set \(\mathbf {Strat}\). For each \(\pi \in \varPi _\triangle \), \(\delta (\pi )\) gives the set of abstract binders that represent the environment’s intended ways of “exercising” the specification for one more step. In case \(\delta (\pi )\) is an input abstract binder, it will be of the form c?x rather than \(c?c'\), since it represents a pending input.

Table 2. The transition relation for processes and binders
Full size table

The transition relation for processes and binders is given in Table 2. We make use of an unspecified evaluation relation \(\triangleright \) for terms and expressions. For binders, each transition rule is of the form \(\langle b,~\pi \rangle \overset{\beta }{\longrightarrow } \langle b',~\pi '\rangle \), representing that the binder b performs the communication action \(\beta \) (\(\beta \ne \tau \)) under the environment \(\pi \) and becomes \(b'\), turning the environment into \(\pi '\). The intermediate binder \([c:\mathsf{some} (c')/x]\) is introduced (essentially extending the syntax for binders) to record the completion of the communication of some content \(c'\) over channel c, subsequently binding \(\mathsf{some} (c')\) to the variable x.

A \([c:\mathsf{some} (c')/x]\) is produced after a transition made by either \(t!t'\{x\}\) or t?x, given that the content of the output/input is \(c'\). In the case of \(t!t'\{x\}\), \(\pi _\triangle c?x'\) represents that the environment is expecting some data to be output over channel c (from the process of \(t!t'\{x\}\) where t is evaluated to c), and the resulting \(\pi .{c?c'}_\triangle \) represents the completion of this interaction, extending the environment’s observational history by \(c?c'\). In the case of t?x, \(\pi _\triangle c!c'\) represents that the environment attempts to output \(c'\) over channel c (to the process of t?x where t is evaluated to c), and the resulting \(\pi .c!c'_\triangle \) represents the completion of this interaction, growing the environment’s observational history by \(c!c'\). The transitions of composite binders \( { \& }_{q}({b}_{1},...,{b}_{n})\) are simply built on top of those of their sub-binders.

The last couple of rules in Table 2 define the evaluation \(b::_v\theta \) of binders b, which is used by the transition rules for processes. Here \(\theta \) is the substitution produced, recording the optional data bound to variables, and v is a boolean value indicating whether the binder b can already be passed. The basic binders \(t!t'\{x\}\) and t?x represent pending (incomplete) communications and hence for the evaluation of both binders, \(v=\mathbf{ff}\), and the resulting substitution is \([\mathsf{none}/x]\), representing that no data is received into the variable x. For composite binders \( { \& }_{q}(...)\), the last evaluation rule in Table 2 uses \([\!\{q\}\!]\), the interpretation of the predicate q, to aggregate the evaluation statuses of the individual sub-binders. As examples, we have \([\!\{2\}\!](v_1,v_2) =v_2\), and \([\!\{1\vee 2\}\!](v_1,v_2) = v_1\vee v_2\). On the other hand, the resulting substitution is the composition of all the substitutions resulting from the evaluation of the sub-binders.

For processes, each transition rule of the form \(\delta \vdash \langle P,~\pi \rangle \overset{\beta }{\longrightarrow } \langle P',~\pi '\rangle \) governs the transition of process P under environment \(\pi \) into process \(P'\), turning the environment into \(\pi '\). On the other hand, each transition of the form \(\delta \vdash \langle P,~\pi \rangle \overset{\mathrm {env}}{\longrightarrow } \langle P,~\pi '\rangle \) represents the advancement of the environment alone. This transition relation is defined assuming a standard structural congruence \(\equiv \) (given in detail in Table 3 of the appendix).

For output and input, we start from a process of the form b.P. Suppose the binder b makes a transition to the binder \(b'\). In case \(b'\) has the evaluation \(b'::_{\mathbf{tt}} \theta \), the execution will embark on the process \(P\theta \) — the process P with the substitution \(\theta \) applied to it. In case \(b'\) has the evaluation \(b'::_{\mathbf{ff}}\theta \), we stay with the process \(b'.P\), waiting for further communication required by the binder \(b'\) before it can be passed. The communication action (either an input or an output) performed by the process b.P is the one performed by b. A synchronization between two processes does not rely on the environment \(\pi \), and has no impact on it.

The next two rules use the abbreviation \( CS (e,y,P_1,P_2)\) for the process \(\mathsf{case }~e~\mathsf{of }\) \(\mathsf{some} (y):P_1~\mathsf{else }~P_2\), and describe the execution of the \(\mathsf{case}\) construct. In case the expression e is evaluated to \(\mathsf{some} (c)\), where c is a constant, then the process \(P_1[c/y]\) is executed, where the substitution records the binding of y to c. In case e is evaluated to \(\mathsf{none}\), then the process \(P_2\) is executed, with no reference to y.

The rules for procedure calls, for parallel composition, for restriction, and for dealing with processes equivalent under \(\equiv \), are self-explanatory. Notation-wise, \(\mathsf{Ch}(\beta )\) represents the set of channels occurring in \(\beta \).

The second last transition rule for processes says that when a process P cannot perform any communication action when the environment attempts to use the abstract binder \(\alpha \) for the next interaction, we allow P to do a \(\square \)-step, signaling that there is one step of delay. At the same time, the observational history of the environment is extended by a \(\square \), recording the observation of this delay.

The last transition rule says that the environment can make its next interaction attempt when its observational history ends with a \(_\triangle \): it can only “prescribe” the most imminent interaction, without further predication of the future.

We illustrate the semantics in Example 1, where \(\delta _{\mathrm {ALL}}=\lambda \pi _\triangle .\{c!c'|c,c'\in \mathbf {Chn}\cup \mathbf {Dt}\}\cup \{c?x|c\in \mathbf {Chn}\}\cup \{\square \}\) is the strategy that allows the environment to produce any sensible abstract binder with any observation it has.

Example 1

The procedure call M in Fig. 1 has the following transition sequence.

$$\begin{aligned} \begin{array}{rl} \delta _{\mathrm {ALL}} \vdash \langle M,~_\triangle \rangle &{} \! \overset{\mathrm {env}}{\longrightarrow } \langle M,~_\triangle c_{LL}!d\rangle \\ &{}\! \overset{c_{LL}?d}{\longrightarrow } \langle \begin{array}{l} \mathsf{case}~\mathsf{none}~\mathsf{of}~\mathsf{some}(y_1): c'_{LH}!y_1.M\\ \mathsf{else}~ \mathsf{case}\ {\mathsf{some} (d)}\ \mathsf{of}\ \mathsf{some}(y_2):{c''_{LL}!y_2.M}\ \mathsf{else}\ {0} \end{array} ,~{c_{LL}!d}_\triangle \rangle \\ &{}\! \overset{\mathrm {env}}{\longrightarrow } \langle \begin{array}{l} \mathsf{case}~\mathsf{none}~\mathsf{of}~\mathsf{some}(y_1): c'_{LH}!y_1.M\\ \mathsf{else}~ \mathsf{case}\ {\mathsf{some} (d)}\ \mathsf{of}\ \mathsf{some}(y_2):{c''_{LL}!y_2.M}\ \mathsf{else}\ {0} \end{array} ,~{c_{LL}!d}_\triangle c''_{LL}?x\rangle \\ &{}\! \overset{c''_{LL}!d}{\longrightarrow } \langle M,~{c_{LL}!d}.c''_{LL}?d_\triangle \rangle \end{array} \end{aligned}$$

We elaborate slightly on the second step above. According to the transition rules for binders, we have \(\langle c_{LL}?x_2,~_\triangle c_{LL}!d\rangle \overset{c_{LL}?d}{\longrightarrow }\langle [c_{LL}:\mathsf{some} (d)/x_2],~c_{LL}!d_\triangle \rangle \), which gives rise to \( \langle \& _{1\vee 2}(c_{LH}?x_1,c_{LL}?x_2),~_\triangle c_{LL}!d\rangle \overset{c_{LL}?d}{\longrightarrow }\langle \& _{1\vee 2}(c_{LH}?x_1,[c_{LL}:\mathsf{some} (d)/x_2]),\) \(c_{LL}!d_\triangle \rangle \). Using the evaluation rules for binders, we have \( { \& }_{1\vee 2}(c_{LH}?x_1,[c_{LL}:\mathsf{some} (d)/x_2])::_{\mathbf{tt}}[\mathsf{none}/x_1][\mathsf{some} (d)/x_2]\). Hence by the transition rule for b.P, with b taken to be \( { \& }_{1\vee 2}({c}_{LH}?x_1,[{c}_{LL}:\mathsf{some} (d)/{x}_{2}])\), the second transition is derived.     \(\square \)

Hereafter, we will use the more compact \(\delta \vdash \langle P,~\pi \rangle \xrightarrow {\mathrm {env},{\beta }}\langle P',~\pi '\rangle \) to represent \(\exists \pi _0: \delta \vdash \langle P,~\pi \rangle \overset{\mathrm {env}}{\longrightarrow }\langle P,~\pi _0\rangle \wedge \delta \vdash \langle P,~\pi _0\rangle \overset{\beta }{\longrightarrow }\langle P',~\pi '\rangle \). We will also use \(\mathsf{rch}(P)\) to represent the channel, polarity pairs of all possible communications that can be performed by a derivative of \(\langle P,~_\triangle \rangle \) under the strategy \(\delta _{\mathrm {ALL}}\), i.e., \(\mathsf{rch}(P)=\{(c,\rho )~|~\exists P',\pi ',c':\delta _{\mathrm {ALL}}\vdash \langle P,~\!_\triangle \rangle \rightarrow ^* \langle P',\pi '\rangle \overset{c\rho c'}{\longrightarrow }\}\).

4 Noninterference for Behavioral Integrity

In this section, we build up to our noninterference condition for behavioral integrity. We introduce the classification mappings \(\mathcal {P}\) and \(\mathcal {C}\) to keep track of the presence levels and content levels, respectively, for communication channels. In our definitions and propositions, we tacitly assume that all variables not explicitly quantified are in fact universally quantified.

We start by introducing a way of indexing into traces: \(\pi @^{c,\rho }_i\) is \((n,c')\) if the i-th communication over channel c with polarity \(\rho \) in \(\pi \) is the n-th communication overall in \(\pi \), and the content of the communication is \(c'\). All the indices start with 0. If the number of communications over c with polarity \(\rho \) in \(\pi \) is less than or equal to i, then \(\pi @^{c,\rho }_i\) is \(\bot \). This is formalized in Definition 1 and illustrated in Example 2.

Definition 1

( \(\pi @^{c,\rho }_i\) ). \(\pi @^{c,\rho }_i=\pi @^{c,\rho }_{i,0}\), where \(i\ge 0\) and \(\pi @^{c,\rho }_{i,0}\) is defined by

$$\begin{aligned} \pi @^{c,\rho }_{i,n}= {\left\{ \begin{array}{ll} \bot &{} ( if ~\pi =\epsilon ) \\ (n, c') &{} ( if ~\exists \pi ': \pi =c\rho c'.\pi '\wedge i=0)\\ \pi ' @^{c,\rho }_{i-1, n+1} &{} ( if ~\exists c': \pi =c\rho c'.\pi ' \wedge i\ne 0) \\ \pi ' @^{c,\rho }_{i, n+1} &{} ( if ~\exists c'',\rho '',c''': \pi =c''\rho '' c'''.\pi '\wedge (c''\ne c\vee \rho ''\ne \rho )) \end{array}\right. } \end{aligned}$$

Example 2

Consider the trace \(\pi =c_{LL}!d.c''_{LL}?d_\triangle \) left by the environment from Example 1. We have \(\pi @^{c''_{LL},?}_{0}=(1,d)\) and \(\pi @^{c''_{LL},?}_i=\bot \) whenever \(i\ge 1\).     \(\square \)

We define the trace correspondence relation \(W^{\mathcal {P}}_{\mathcal {C}}\) as follows, where \(|\pi |\) stands for the length of \(\pi \). The presence and content of communications in traces related by \(W^{\mathcal {P}}_{\mathcal {C}}\) are supposed to reflect the integrity levels of their channels.

Definition 2

( \(W^{\mathcal {P}}_{\mathcal {C}}\) ). \(\pi _1~W^{\mathcal {P}}_{\mathcal {C}}~\pi _2\) if and only if \(\pi _1\) and \(\pi _2\) are finite, \(|\pi _1|=|\pi _2|\), and \(\forall i\ge 0: \forall c,\rho : \pi _1@_{i}^{c,\rho }~W^{\mathcal {P}(c)}_{\mathcal {C}(c)}~\pi _2@_{i}^{c,\rho }\).

In Definition 2, two traces related by \(W^{\mathcal {P}}_{\mathcal {C}}\) are required to have the same finite length, and the i-th occurrences of communication over channel c, with polarity \(\rho \), are required to be related by \(W^{\mathcal {P}(c)}_{\mathcal {C}(c)}\), for each c and \(\rho \). The latter relation is in turn defined as follows, where \(c'_1\doteq c'_2\) if and only if \(c'_1=c'_2\) or \(c'_2\not \in \mathbf {Chn}\cup \mathbf {Dt}\).

Definition 3

( \(W^{l_{\mathcal {P}}}_{l_{\mathcal {C}}}\) ). \((n_1,c'_1)~W^{l_{\mathcal {P}}}_{l_{\mathcal {C}}}~(n_2,c'_2)\) if and only if

$$\begin{aligned} \begin{array}{r@{\quad }c@{\quad }l} (n_1,c'_1)~W^{l_{\mathcal {P}}}_{l_{\mathcal {C}}}~(n_2,c'_2) &{} \mathrm {iff} &{} (l_{\mathcal {P}}=H \Rightarrow n_1=n_2)\wedge (l_{\mathcal {C}}=H \Rightarrow c'_1\doteq c'_2) \\ (n_1,c'_1)~W^{l_{\mathcal {P}}}_{l_{\mathcal {C}}}~\bot &{} \mathrm {iff} &{} l_{\mathcal {P}}=L \\ \bot ~W^{l_{\mathcal {P}}}_{l_{\mathcal {C}}}~(n_2,c'_2) &{} \mathrm {iff} &{} l_{\mathcal {P}}=L \\ \bot ~W^{l_{\mathcal {P}}}_{l_{\mathcal {C}}}~ \bot &{} \mathrm {iff} &{} \mathsf{true} \end{array} \end{aligned}$$

It can be seen that for a channel c with high presence integrity, the i-th occurrences of input/output over c need to have the same overall index in their respective traces. On the other hand, for a channel c with high content integrity, the i-th occurrences of input/output over c need to have equivalent content. This corresponds tightly to our description of “presence integrity” and “content integrity” in Sect. 2. The reason that \(\doteq \) is used for relating content, instead of \(=\), is the potential existence of variables in traces of the form \({...}_\triangle c?x\).

We will write \(\overset{\widehat{\beta '}}{\Longrightarrow }\) for the weak transition used for standard observational equivalence, i.e., it stands for \((\overset{\tau }{\longrightarrow })^*\circ \overset{\beta '}{\longrightarrow }\circ (\overset{\tau }{\longrightarrow })^*\) when \(\beta '\ne \tau \) and for \((\xrightarrow {\tau })^*\) when \(\beta '=\tau \). The weak transition will not be used directly in our noninterference property, but encapsulated within the transition \(\underset{\beta }{\overset{\widehat{\beta '}}{\Longrightarrow }}\) introduced in Definition 4. It boils down to the weak transition \(\overset{\widehat{\beta '}}{\Longrightarrow }\) in case \(\beta \) is a communication with high presence integrity; otherwise \(\tau \)’s are not allowed.

Definition 4

( \(\underset{\beta }{\overset{\widehat{\beta '}}{\Longrightarrow }}\) ).

figure b

We then define the notion of \(\delta \)-bisimulation, where \(\delta \in \mathbf {Strat}\) is a strategy.

Definition 5

( \(\delta \)-Bisimulation). A \(\delta \)-bisimulation is a symmetric relation R on configurations such that if \(\langle P_1,\pi _1\rangle ~R~\langle P_2,\pi _2\rangle \), \(\delta \vdash \!\langle P_1,~\!\!\pi _1\rangle \xrightarrow {\mathrm {env},{\beta }}\langle P'_1,~\!\!\pi '_1\rangle \), \(\delta \vdash \! \langle P_2,~\!\!\pi _2\rangle \overset{\mathrm {env}}{\longrightarrow }\langle P_2,~\!\!\pi _{20}\rangle \), and \(\pi '_1~\!W^{\mathcal {P}}_{\mathcal {C}}~\!\pi _{20}\), then we have

$$\begin{aligned} \begin{array}{l} \exists P'_2, \pi '_2, \beta ': \delta \vdash \langle P_2,~\!\!\pi _{20}\rangle \underset{\beta }{\overset{\widehat{\beta '}}{\Longrightarrow }} \langle P'_2,~\!\!\pi '_2\rangle ~\!\wedge ~\! \\ \qquad \qquad ~~~[\pi '_1]_\triangle ~\!W^{\mathcal {P}}_{\mathcal {C}}~\![\pi '_2]_\triangle ~\!\wedge ~\! \langle P'_1,~\!\![\pi '_1]_\triangle \rangle ~R~\langle P'_2,~\!\![\pi '_2]_\triangle \rangle . \end{array} \end{aligned}$$

If two configurations \(\langle P_1,~\pi _1\rangle \) and \(\langle P_2,~\pi _2\rangle \) are related by a \(\delta \)-bisimulation R, then after \(\langle P_1,~\pi _1\rangle \) interacts with the environment \(\delta \) for one step, and the environment makes an interaction attempt with \(\langle P_2,~\pi _2\rangle \), such that the interaction and the attempt meet the integrity classes of their channels (\(\pi '_1~W^{\mathcal {P}}_{\mathcal {C}}~\pi _{20}\)), the configuration \(\langle P_2,~\pi _{20}\rangle \) can simulate the interaction made by \(\langle P_1,~\pi _1\rangle \), in a way that meets the integrity classes of the channels involved (\([\pi '_1]_\triangle ~W^{\mathcal {P}}_{\mathcal {C}}~[\pi '_2]_\triangle \)).

The definition of \(\delta \)-Bisimulation introduces two universally quantified transitions, before simulating the first one with an existentially quantified transition. This pattern, previously adopted in [11], is rare in the literature.

We then define \(\delta \)-bisimilarity (\(\underset{\delta }{\overset{}{\sim }}\)) as the union of all \(\delta \)-bisimulations (which is itself a \(\delta \)-bisimulation). Note that \(\delta \)-bisimilarity is not reflexive. In fact, our noninterference condition identifies the \(\delta \)-security of a process P with the self-relatedness of \(\langle P,~_\triangle \rangle \) in \(\underset{\delta }{\overset{}{\sim }}\), as stated in Definition 6.

Definition 6

( \(\delta \) -Security). A process P is \(\delta \)-secure, denoted by \(\mathsf{Sec}_{\delta }(P)\), if and only if \(\langle P,~_\triangle \rangle \underset{\delta }{\overset{}{\sim }} \langle P,~_\triangle \rangle \).

To arrive at a better understanding of \(\delta \)-security, we introduce in Definition 7 the notion of kernel \(\delta \)-bisimulation, which constrains the pairs of observational histories further than \(\delta \)-bisimulation does. Proposition 1 then says that kernel \(\delta \)-bisimulations, with a more complex formulation, can be used to characterize \(\delta \)-security equally well.

Definition 7

(Kernel \(\delta \) -Bisimulation). A \(\delta \)-bisimulation R is said to be a kernel \(\delta \)-bisimulation if and only if \(\langle P_1,~\pi _1\rangle ~R~\langle P_2,~\pi _2\rangle \) implies \( knl (\pi _1,\pi _2)\), where \( knl (\pi _1,\pi _2)\) represents \(\pi _1~W^{\mathcal {P}}_{\mathcal {C}}~\pi _2\), \([\pi _1]_\triangle =\pi _1\), and \([\pi _2]_\triangle =\pi _2\).

Proposition 1

There is a \(\delta \)-bisimulation R such that \(\langle P,~_\triangle \rangle ~R~\langle P,~_\triangle \rangle \), if and only if there is a kernel \(\delta \)-bisimulation \(R'\) such that \(\langle P,~_\triangle \rangle ~R'~\langle P,~_\triangle \rangle \).

For a \(\delta \)-secure process P, the implications of the existence of a kernel \(\delta \)-bisimulation R such that \(\langle P,~_\triangle \rangle ~R~\langle P,~_\triangle \rangle \) are:

  1. 1.

    A communication \(\beta \) with high presence integrity needs to be simulated by a communication over the same channel, possibly together with \(\tau \)’s. In case the channel also has high content integrity, the content of the simulating communication should be the same as that of \(\beta \). If the channel has low content integrity, on the other hand, then the bisimulation should continue under all contents possibly attempted by the environment, that are not necessarily the same as that of \(\beta \).

  2. 2.

    A communication \(\beta \) with low presence integrity, or a \(\square \)-transition, is simulated by a communication over a channel also of low presence integrity, or by a \(\square \)-transition. If the channel of \(\beta \), say c, has high content integrity, and it is being used for the i-th time with polarity \(\rho \), then the content of \(\beta \) needs to agree with the content of the communication occurring on c with polarity \(\rho \) for the i-th time in the second execution, in case that communication exists. A similar requirement is imposed on the simulating communication, when its channel has high content integrity.

  3. 3.

    A \(\tau \) can only be simulated by a (possibly empty) sequence of \(\tau \)’s. This is because when a \(\tau \)-transition is made from a configuration \(\langle P,~\pi \rangle \), the \(_\triangle \) in \(\pi \) does not move, which is not the case otherwise. By Proposition 1, it is obvious that \(|\pi '_1|=|\pi _{20}|\). Hence \([\pi '_1]_\triangle \) and \([\pi '_2]_\triangle \) will not have the same length and \([\pi '_1]_\triangle ~\!W^{\mathcal {P}}_{\mathcal {C}}~\![\pi '_2]_\triangle \) will not hold, if a \(\tau \) is not simulated only by \(\tau \)’s.

The \(\delta _{\mathrm {ALL}}\)-security/insecurity of processes 1-6 in Fig. 1 of Sect. 2 agrees with the claims based on intuition in the same section, with an unconstrained environment. And process 7 is \(\delta _{\mathrm {ALT}}\)-secure, where \(\delta _{\mathrm {ALT}}\) characterizes an environment that provides content over at least one of \(c_{LL}\) and \(c'_{LL}\) whenever the process is ready for input from these two alternative channels:

$$\delta _\mathrm {ALT}(\pi )= {\left\{ \begin{array}{ll} \{c_1!d~\!|\!~c_1\in \{c_{LL},c'_{LL}\}\wedge d\in \mathbf {Dt}\} &{} (\mathrm {if}~\pi ={}_\triangle \vee \exists \pi ',d':\pi =\pi '.c_{HL}?d'_\triangle ) \\ AB &{} (\mathrm {otherwise}) \end{array}\right. }$$

The construction of the underlying kernel \(\delta _{\mathrm {ALL}}\)-bisimulation \(R_\star \) for the \(\delta _{\mathrm {ALL}}\)-security of process 6 is given in the appendix. We demonstrate in Example 3 that some of the requirements of \(\langle M,~_\triangle \rangle ~R_\star ~\langle M,~_\triangle \rangle \) are fulfilled, to aid in the reader’s intuition.

Fig. 2.
figure 2

Partial unfolding of the kernel bisimulation containing \((\langle M,~_\triangle \rangle , \langle M,~_\triangle \rangle )\)

Full size image

Example 3

Figure 2 contains a partial unfolding of \(\langle M,~_\triangle \rangle ~R_\star ~\langle M,~_\triangle \rangle \) where \(R_\star \) is a kernel \(\delta _{\mathrm {ALL}}\)-bisimulation. For each pair \(\langle P_1,~\pi _1\rangle \) and \(\langle P_2,~\pi _2\rangle \) related by \(R_\star \) in Fig. 2, \(\pi _1~W^{\mathcal {P}}_{\mathcal {C}}~\pi _2\) holds. After transitions 1 and 2, the environment has made the attempt to interact with the process on two different channels \(c_{LH}\) and \(c_{LL}\). This is allowed since \(c_{LH}!{d_1}_\triangle ~W^{\mathcal {P}}_{\mathcal {C}}~_\triangle c_{LL}!d_2\) holds. The process M can indeed perform an input over \(c_{LH}\), resulting in transition 1. This transition needs to be simulated by either an input over \(c_{LL}\), or a \(\square \)-transition in case such an input cannot be performed. We are in the former situation and transition 1 is thus simulated by transition 3. Note that according to Definition 4, the simulation of low presence communications should be done without using \(\tau \)’s. This is because such simulation is actually used to introduce interference, rather than to demonstrate resilience to it. And \(\tau \)-transitions are conventionally used to weaken the requirement for a process to be resilient to interference. We then direct our attention to transitions 7, 8 and 9. The environment intentionally resists communication with the process in transition 7. On the other hand, it attempts to feed some content over \(c_{LH}\) to the process through transition 8. That content is restricted to \(d_1\) since only then it holds that \(c_{LH}!d_1.c'_{LH}?d_1.\square _\triangle ~W^{\mathcal {P}}_{\mathcal {C}}~c_{LL}!d_2.c''_{LL}?{d_2}_\triangle c_{LH}!d_1\). Intuitively, the input over \(c_{LH}\) is blocked for a while in the second execution, but it needs to happen with the same content \(d_1\) since the channel has high content integrity. For transitions 10, 11 and 12, the attempt of the environment to input from the process over channel \(c'_{LH}\) in transition 11 is satisfied with the content \(d_1\), resulting in transition 12. The latter transition is a legitimate simulation of transition 10 since the content \(d_1\) is the same as that of transition 4 — the corresponding communication over \(c'_{LH}\) in the first execution.     \(\square \)

A total order can be built on the set \(\mathbf {Strat}\) of environment strategies, characterizing their relative aggressiveness (Definition 8), which has its impact on the strength of the security condition (Theorem 1).

Definition 8

(Aggressiveness of Environments). Environment \(\delta _2\) is said to be more aggressive than \(\delta _1\), denoted \(\delta _1\le \delta _2\), if \(\forall \pi \in \varPi _\triangle : \delta _1(\pi )\subseteq \delta _2(\pi )\).

Theorem 1

(Monotonicity). \(\delta \)-bisimilarity is anti-monotonic in \(\delta \), i.e., for all \(\delta _1\), \(\delta _2\) such that \(\delta _1\le \delta _2\), it holds that \(\underset{\delta _2}{\overset{}{\sim }}~\!\!\!\subseteq ~\!\!\!\underset{\delta _1}{\overset{}{\sim }}\).

This monotonicity result may look counter-intuitive since \(\delta \) appears to be used both positively and negatively in Definition 5. However, \(\delta \vdash \langle P_2,~\!\!\pi _{20}\rangle \underset{\beta }{\overset{\widehat{\beta '}}{\Longrightarrow }} \langle P'_2,~\!\!\pi '_2\rangle \) if and only if \(\delta '\vdash \langle P_2,~\!\!\pi _{20}\rangle \underset{\beta }{\overset{\widehat{\beta '}}{\Longrightarrow }} \langle P'_2,~\!\!\pi '_2\rangle \) for all \(\delta '\in \mathbf {Strat}\). In other words, \(\delta \) is not actually used in the derivation of the transition sequence from \(\langle P_2,~\pi _{20}\rangle \).

Corollary 1

The permissiveness of \(\delta \)-security is anti-monotonic in \(\delta \), i.e.,

$$\begin{aligned} \forall \delta _1, \delta _2\in \mathbf {Strat}: \delta _1\le \delta _2 \wedge \mathsf{Sec}_{\delta _2}(P)~ \Rightarrow ~ \mathsf{Sec}_{\delta _1}(P). \end{aligned}$$

We will discuss deeper theoretical properties of our security condition in Sect. 5, focusing on \(\delta _{\mathrm {ALL}}\)-security. It will be seen that the most pessimistic assumption about the environment, captured by its most aggressive strategy \(\delta _{\mathrm {ALL}}\), is in line with classical process-algebraic conditions like SBNDC, and also facilitates the compositional verification of the security property.

5 Theoretical Properties

Connection with SBNDC. We reformulate SBNDC [6] using the classical semantics of the Quality Calculus, and with respect to the environment \(\mathcal {I}: \mathbf {Chan}\rightarrow \{H,L\}\cup \{\bot \}\) that gives the presence level of a channel only when its presence level and content level are the same, i.e., \(\mathcal {I}(c)={\left\{ \begin{array}{ll} \mathcal {P}(c) &{} \!\!\!\!(\mathrm {if}~\!\mathcal {P}(c)=\mathcal {C}(c)) \\ \bot &{} \!\!\!\!(\mathrm {otherwise}) \end{array}\right. }.\) The aim of \(\mathcal {I}\) is to obtain the integrity class of each channel when its presence integrity and content integrity are the same (using \(\mathcal {C}(c)\) instead of \(\mathcal {P}(c)\) in the definition of \(\mathcal {I}(c)\) would have the same effect).

We also introduce the notation \(\overline{ loi }\) to represent the list of low integrity channels, i.e., \(\overline{ loi }=\{c~|~\mathcal {I}(c)=L\}\), and use \(\mathsf{ch}(\beta )\) to denote the channel used by the (non-\(\tau \)) communication action \(\beta \). The reformulation is then given in Definition 9, where \(\approx \) is the standard observational equivalence. The intuitive interpretation is that before and after each low integrity communication, a process is required to have the same high integrity behaviors. Then the central result of this subsection, that \(\delta _{\mathrm {ALL}}\)-security coincides with SBNDC when the same integrity levels are always used for both “presence” and “content”, is given in Theorem 2.

Definition 9

(SBNDC). \(P\in SBNDC \) if for all \(P'\), \(P''\), communication \(\beta \), such that \(P\rightarrow ^* P'\), \(P'\overset{\beta }{\longrightarrow }P''\), and \(\mathcal {I}(\mathsf{ch}(\beta ))=L\), we have \((\nu ~\! \overline{ loi })P'\approx (\nu ~\! \overline{ loi })P''\).

Theorem 2

(Degeneration). For all processes P, if \(~\forall c, \rho ~s.t.~(c,\rho )\in \mathsf{rch}(P): \mathcal {P}(c)=\mathcal {C}(c)\), then \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}(P)\) if and only if \(P\in SBNDC \).

To build up to a proof of Theorem 2, we recast SBNDC in the form of self-bisimilarity. The underlying bisimulation is the \(\rhd \)-bisimulation of Definition 10.

Definition 10

( \(\rhd \) -Bisimulation). A symmetric relation R on processes qualifies as a \(\rhd \)-bisimulation if \(P_1~R~P_2\) implies:

for all \(P'_1\) and \(\beta \) such that \(P_1\overset{\beta }{\longrightarrow }P'_1\), there exists \(P'_2\) such that

  • if \(\mathcal {I}(\mathsf{ch}(\beta ))=L\), then \(P'_2\equiv P_2\) and \(P'_1~R~P'_2\),

  • if \(\mathcal {I}(\mathsf{ch}(\beta ))=H\) or \(\beta =\tau \), then \(P_2\overset{\widehat{\beta }}{\Longrightarrow }P'_2\) and \(P'_1~R~P'_2\).

We define \(\rhd \)-bisimilarity as the union of all \(\rhd \)-bisimulations. The \(\rhd \) used here symbolizes the triangular structure created by the simulation of a low integrity communication by inaction, as required in Definition 10. It can be shown that self-\(\rhd \)-bisimilarity coincides with self-\(\delta _{\mathrm {ALL}}\)-bisimilarity when the presence levels and content levels are the same for all channels whose uses are reachable.

Lemma 1

Suppose P is such that \(\forall c,\rho ~s.t.~(c,\rho )\in \mathsf{rch}(P): \mathcal {P}(c)=\mathcal {C}(c)\). Then \(P\in SBNDC \iff P\sim ^{}_\rhd P\), and \(P\sim ^{}_\rhd P \iff \langle P,~_\triangle \rangle \underset{\delta _{\mathrm {ALL}}}{\overset{}{\sim }}\langle P,~_\triangle \rangle \).

The degeneration result presented above demonstrates that the notion of \(\delta \)-security is in fact well-based on the classical process-algebraic noninterference properties, and SBNDC, as one of those properties, actually has the implicit assumption of the most aggressive environment.

Compositionality. Compositionality is a desirable property for the verification of noninterference properties. The security of a parallel composition can be directly obtained from that of its constituents, in case full compositionality is enjoyed by a noninterference condition. However, \(\delta \)-security is not fully compositional. Nevertheless, this is key to spotting the insecurity of the example process 4 given in Sect. 2, since the processes \(c_{LH}?x_1.c'_{LH}!x_1\) and \(c'_{LH}!d\) are themselves \(\delta _{\mathrm {ALL}}\)-secure. We then discuss the sufficient conditions required for \(\delta _{\mathrm {ALL}}\)-security to be compositional.

A process P is deterministic with respect to output over a channel c, denoted by \(\mathsf{det}(P,c)\), if

$$\begin{aligned} \delta _{\mathrm {ALL}}\vdash \langle P,~_\triangle \rangle \rightarrow ^*\langle P',~\pi '\rangle \,\wedge \,(\forall i\in \{1,2\}: \delta _{\mathrm {ALL}}\vdash \langle P',~\pi '\rangle \overset{c!c'_i}{\longrightarrow }\langle P'_i,~\pi '_i\rangle )~ \Rightarrow ~ c'_1=c'_2. \end{aligned}$$

We then have the following theorem for the compositionality of \(\delta _{\mathrm {ALL}}\)-security.

Theorem 3

(Compositionality). If \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}(P_1)\), and \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}(P_2)\), then we have \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}((\nu \bar{c'})(P_1|P_2))\), provided that for all \(i\in \{1,2\}\) and channel c:

$$\begin{aligned} \mathcal {P}(c)\not \sqsupseteq \mathcal {C}(c)\,\wedge \,(c,\rho _1)\in \mathsf{rch}(P_i)\,\wedge \,(c,\rho _2)\in \mathsf{rch}(P_{3-i}) ~\Rightarrow ~ \rho _1\ne \rho _2\,\wedge \,\mathsf{det}(P_i,c)\,\wedge \,c\in \{\bar{c'}\}. \end{aligned}$$

In words, Theorem 3 says that given two processes \(P_1\) and \(P_2\) that are both \(\delta _{\mathrm {ALL}}\)-secure, the process \((\nu \bar{c'}) (P_1|P_2)\) is \(\delta _{\mathrm {ALL}}\)-secure, provided that

  1. 1.

    No LH-channels are used by both \(P_1\) and \(P_2\) with the same polarity (note that the process 4 given in Sect. 2 does not meet this requirement), and

  2. 2.

    For each LH-channel c used by \(P_1\) and \(P_2\) with different polarities, \(P_1\) and \(P_2\) must be deterministic with respect to output on c, and c must be among the constants over which there is a top-level restriction; thus the input side always sources from the output side, never from the environment.

Corollary 2

Suppose \(\forall c,\rho : (c,\rho )\in \mathsf{rch}(P)\Rightarrow \mathcal {P}(c)\sqsupseteq \mathcal {C}(c)\). Then \( \mathsf{Sec}_{\delta _{\mathrm {ALL}}}(P_1|P_2)\) can be deduced from \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}(P_1)\) and \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}(P_2)\).

The results presented above help elucidate the points below.

  1. 1.

    If \(\delta \)-security had been fully compositional, it would not have uncovered certain insecure dependencies of high integrity content on low integrity presence.

  2. 2.

    The notion of \(\delta \)-security is fully compositional for processes that do not make use of LH-channels.

6 Further Examples and Discussion

We have associated with LH-channels the meaning: communications over these channels can be blocked by the attacker, but with uninfluenced contents when they finally happen. So far the abstract environment has been assumed to be able to induce these channels. In this section, we present a concrete process in the Quality Calculus that can accomplish the same task. We then make the multiplexer process presented in Sect. 2 obtain its input from this process, to illustrate our compositionality result.

On LH-Channels. We illustrate that LH-channels can be induced from channels that are LL and HH by a concrete process. The procedure \( SINK \) in Fig. 3 mimics the potential congestion of the high integrity data source \(c_{ H H }\) using a queue: output of the oldest element suspended in the queue is attempted through the sink channel \(c_{LH}\) only when the low integrity switch \(c_{ L L }\) is on. Recall that the \( { \& }_{2}(\_,\_)\) can be passed if and only if the second communication is successful.

Fig. 3.
figure 3

The “Realization” of sink channels with low presence integrity and high content integrity

Full size image

The channels \(c_{\mathrm {i}}\), \(c_{\mathrm {d}}\), and \(c_{\mathrm {p}}\) are interfaces for the operations “insert” (“enque”), “delete” (“deque”), and “peek” (the non-destructive inspection of the oldest element) of the queue specified by the procedure \( QUE \) (adapted from the priority queue in [17]) in the appendix. The procedure \( SINK \) waits on the input over \(c_{HH}\) for the composite binder on the first line to be passed. When that happens, the input data over \(c_{HH}\) is enqued, with the completion of the “enque” operation signaled on \(c_{\mathrm {f}}\). If the input over \(c_{LL}\) was also successful, then outputting the head of the queue is attempted, with a high integrity timeout supposed to come over \(c'_{HH}\). If the output is successful before the timeout, then the data item of the output is deleted from the queue. In the “peek” and “deque” operations, the channels \(c_{\mathrm {e}}\) and \(c'_{\mathrm {e}}\) are sent to the queue for the latter to signal back whether it is already an empty queue. In our case the non-emptiness of the queue is an invariant and hence neither \(c_{\mathrm {e}}\) nor \(c'_{\mathrm {e}}\) is subsequently used. The process \((\nu c_{\mathrm {i}}, c_{\mathrm {d}}, c_{\mathrm {p}})( SINK ~\!|~\! QUE (\mathsf{some} (c_{\mathrm {i}}),\mathsf{some} (c_{\mathrm {d}}),\mathsf{some} (c_{\mathrm {p}})))\) is \(\delta _{\mathrm {ALL}}\)-secure.

Compositionality. We now consider making the multiplexer process (process 6 in Fig. 1) source from the channel \(c_{LH}\) in Fig. 3. Let \( SRC \triangleq (\nu c_{\mathrm {i}}, c_{\mathrm {d}}, c_{\mathrm {p}})\) \(( SINK ~\!|~\! QUE (\mathsf{some} (c_{\mathrm {i}}),\mathsf{some} (c_{\mathrm {d}}),\mathsf{some} (c_{\mathrm {p}}))).\) The process under consideration is \((\nu c_{LH})( SRC |M)\). It is not difficult to see that \(\mathsf{det}(SRC,c_{LH})\) and \(\mathsf{det}(M,c_{LH})\) hold. Hence we can deduce the validity of \(\mathsf{Sec}_{\delta _{\mathrm {ALL}}}((\nu c_{LH})( SRC |M))\) by Theorem 3 and the \(\delta _{\mathrm {ALL}}\)-security of \( SRC \) and M.

Confidentiality. We are in a position to further explain having developed our theory for integrity, rather than confidentiality. It has been illustrated by the example in Fig. 3 that a concrete process can influence the presence of communication over a sink channel of it, without influencing the communication content. For confidentiality, a channel \(c_\star \) with high presence confidentiality and low content confidentiality would correspond to our channel with LH-integrity. Assuming the existence of \(c_\star \) and developing the same theory would not be problematic. However, it is difficult to come up with a possibilistic process that leaks the content of \(c_\star \) properly, without leaking the presence of communication over it, unless other channels also with confidential presence and public content are used. Hence the meaning of “confidential presence, public content” would be harder to justify as opposed to “low integrity presence, high integrity content”.

7 Conclusion

We have studied the integrity of communication behaviors in process-algebraic systems from the viewpoint of information flow control. A fine-grained, bisimulation-based noninterference property is proposed: the presence and content of communications have separate integrity levels, and all combinations of integrity levels for both dimensions are allowed. When identical levels are always used for both dimensions, the property coincides with the classical process-algebraic property SBNDC (e.g., [6]), demonstrating faithful inheritance from known frameworks. A compositionality result is obtained, facilitating modular flow analysis of concurrent processes.

Our recasting of SBNDC as self-\(\rhd \)-bisimilarity may reflect the insights behind existing work [3] in bridging language-based and process-algebraic security, but may be the first direct reformulation of BNDC-like properties as self-bisimilarity. This gives another perspective on the secure semantics induced by SBNDC.

Clarkson et al. [4] dimensions quantitative integrity in terms of information suppression and contamination, where dissimilarity of integrity to confidentiality is also examined: information suppression has no confidentiality counterpart.

It would not be difficult to adapt \(\delta \)-security to support the use of downgrading [16], which relaxes information flow constraints. This can be done along the directions of [1]. Another interesting line of future work is the design of information flow type systems supporting \(\delta \)-security.