Timing-Sensitive Noninterference through Composition

  • Willard RafnssonEmail author
  • Limin JiaEmail author
  • Lujo BauerEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10204)


Sound compositional reasoning principles are the foundation for analyzing the security properties of complex systems. We present a general theory for compositional reasoning about the information-flow security of interactive discrete-timed systems. We develop a simple core—and with it, a language—of combinators, including ones that orchestrate the execution of a collection of interactive systems. We establish conditions under which timing-sensitive noninterference is preserved through composition, for each combinator in our language. To demonstrate the practicality of our theory, we model secure multi-execution (SME) using our combinators. Through this, we show that our theory makes it straightforward 1) to prove, through compositional reasoning, that complex systems are free of external timing channels, and 2) to identify sub-components that cause information leakage of a composite system.


Schedule Strategy Compositionality Result Security Property Timing Channel Covert Channel 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This research was supported in part by US Navy grant N000141310156 and NSF grant 1320470.


  1. 1.
    Agat, J.: Transforming out timing leaks. In: POPL (2000)Google Scholar
  2. 2.
    Askarov, A., Chong, S., Mantel, H.: Hybrid monitors for concurrent noninterference. In: CSF (2015)Google Scholar
  3. 3.
    Askarov, A., Hunt, S., Sabelfeld, A., Sands, D.: Termination-insensitive noninterference leaks more than just a bit. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 333–348. Springer, Heidelberg (2008). doi: 10.1007/978-3-540-88313-5_22 CrossRefGoogle Scholar
  4. 4.
    Askarov, A., Sabelfeld, A.: Tight enforcement of information-release policies for dynamic languages. In: CSF (2009)Google Scholar
  5. 5.
    Askarov, A., Zhang, D., Myers, A.C.: Predictive black-box mitigation of timing channels. In: CCS (2010)Google Scholar
  6. 6.
    Brumley, D., Boneh, D.: Remote timing attacks are practical. Comput. Netw. 48(5), 701–716 (2005)CrossRefGoogle Scholar
  7. 7.
    Clark, D., Hunt, S.: Noninterference for deterministic interactive programs. In: FAST (2008)Google Scholar
  8. 8.
    Corradini, F., D’Ortenzio, D., Inverardi, P.: On the relationships among four timed process algebras. Fundamenta Informaticae 38(4), 377–395 (1999)MathSciNetzbMATHGoogle Scholar
  9. 9.
    De Groef, W., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: CCS (2012)Google Scholar
  10. 10.
    Devriese, D., Piessens, F.: Non-interference through secure multi-execution. In: S&P (2010)Google Scholar
  11. 11.
    Felten, E.W., Schneider, M.A.: Timing attacks on web privacy. In: CCS (2000)Google Scholar
  12. 12.
    Focardi, R., Gorrieri, R.: A classification of security properties for process algebras. JCS 3(1), 5–33 (1995)CrossRefGoogle Scholar
  13. 13.
    Focardi, R., Gorrieri, R., Martinelli, F.: Real-time information flow analysis. JSAC 21(1), 20–35 (2003)Google Scholar
  14. 14.
    Hedin, D., Sands, D.: Timing aware information flow security for a JavaCard-like bytecode. ENTCS 141(1), 163–182 (2005)Google Scholar
  15. 15.
    Hennessy, M., Regan, T.: A temporal process algebra. In: FORTE (1990)Google Scholar
  16. 16.
    Honda, K., Vasconcelos, V., Yoshida, N.: Secure information flow as typed process behaviour. In: Smolka, G. (ed.) ESOP 2000. LNCS, vol. 1782, pp. 180–199. Springer, Heidelberg (2000). doi: 10.1007/3-540-46425-5_12 CrossRefGoogle Scholar
  17. 17.
    Honda, K., Yoshida, N.: A uniform type structure for secure information flow. In: POPL (2002)Google Scholar
  18. 18.
    Jacobs, B., Rutten, J.: A tutorial on (co)algebras and (co)induction. EATCS Bull. 62, 62–222 (1997)zbMATHGoogle Scholar
  19. 19.
    Johnson, D.M., Thayer, F.J.: Security and the composition of machines. In: CSFW (1988)Google Scholar
  20. 20.
    Kashyap, V., Wiedermann, B., Hardekopf, B.: Timing- and termination-sensitive secure flow, exploring a new approach. In: S&P (2011)Google Scholar
  21. 21.
    Kaynar, D.K., Lynch, N., Segala, R., Vaandrager, F.: Timed, I/O automata: a mathematical framework for modeling and analyzing real-time systems. In: RTSS (2003)Google Scholar
  22. 22.
    Kocher, P.C.: Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996). doi: 10.1007/3-540-68697-5_9 Google Scholar
  23. 23.
    Lynch, N.A., Tuttle, M.R.: An introduction to input/output automata. CWI Q. 2, 219–246 (1989)MathSciNetzbMATHGoogle Scholar
  24. 24.
    Mantel, H.: On the composition of secure systems. In: Proceedings of IEEE Symposium on Security and Privacy, pp. 81–94, May 2002Google Scholar
  25. 25.
    Mantel, H., Sands, D., Sudbrock, H.: Assumptions and guarantees for compositional noninterference. In: CSF (2011)Google Scholar
  26. 26.
    McCullough, D.: Specifications for multi-level security and a hook-up property. In: S&P, pp. 161–166 (1987)Google Scholar
  27. 27.
    McCullough, D.: Noninterference and the composability of security properties. In: S&P, pp. 177–186 (1988)Google Scholar
  28. 28.
    McLean, J.: A general theory of composition for trace sets closed under selective interleaving functions. In: S&P (1994)Google Scholar
  29. 29.
    Nicollin, X., Sifakis, J.: An overview and synthesis on timed process algebras. In: Larsen, K.G., Skou, A. (eds.) CAV 1991. LNCS, vol. 575, pp. 376–398. Springer, Heidelberg (1992). doi: 10.1007/3-540-55179-4_36 CrossRefGoogle Scholar
  30. 30.
    Osvik, D.A., Shamir, A., Tromer, E.: Cache attacks and countermeasures: the case of AES. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 1–20. Springer, Heidelberg (2006). doi: 10.1007/11605805_1 CrossRefGoogle Scholar
  31. 31.
    Pottier, F.: A simple view of type-secure information flow in the pi-Calculus. In: CSFW, June 2002Google Scholar
  32. 32.
    Rafnsson, W., Hedin, D., Sabelfeld, A.: Securing interactive programs. In: CSF (2012)Google Scholar
  33. 33.
    Rafnsson, W., Jia, L., Bauer, L.: Timing-sensitive noninterference through composition (Technical report). Technical report CMU-CyLab-16-005, CMU CyLab (2016)Google Scholar
  34. 34.
    Rafnsson, W., Sabelfeld, A.: Secure multi-execution: fine-grained, declassification-aware, and transparent. In: CSF (2013)Google Scholar
  35. 35.
    Rafnsson, W., Sabelfeld, A.: Compositional information-flow security for interactive systems. In: CSF, pp. 277–292 (2014)Google Scholar
  36. 36.
    Ryan, P.Y.A.: Mathematical models of computer security. In: Focardi, R., Gorrieri, R. (eds.) FOSAD 2000. LNCS, vol. 2171, pp. 1–62. Springer, Heidelberg (2001). doi: 10.1007/3-540-45608-2_1 CrossRefGoogle Scholar
  37. 37.
    Ryan, P., Schneider, S.: Process algebra and non-interference. In: CSFW (1999)Google Scholar
  38. 38.
    Sabelfeld, A., Myers, A.C.: Language-based information-flow security. JSAC 21(1), 5–19 (2003)Google Scholar
  39. 39.
    Sabelfeld, A., Sands, D.: Probabilistic noninterference for multi-threaded programs. In: CSFW (2000)Google Scholar
  40. 40.
    Ulidowski, I., Yuen, S.: Extending process languages with time. In: Johnson, M. (ed.) AMAST 1997. LNCS, vol. 1349, pp. 524–538. Springer, Heidelberg (1997). doi: 10.1007/BFb0000494 CrossRefGoogle Scholar
  41. 41.
    Volpano, D., Smith, G., Irvine, C.: A sound type system for secure flow analysis. JCS 4(3), 167–187 (1996)CrossRefGoogle Scholar
  42. 42.
    Wittbold, J.T., Johnson, D.M.: Information flow in nondeterministic systems. In: S&P (1990)Google Scholar
  43. 43.
    Zakinthinos, A., Lee, E.S.: How and why feedback composition fails. In: CSFW (1996)Google Scholar
  44. 44.
    Zakinthinos, A., Lee, E.S.: A general theory of security properties. In: S&P (1997)Google Scholar
  45. 45.
    Zanarini, D., Jaskelioff, M., Russo, A.: Precise enforcement of confidentiality for reactive systems. In: CSF (2013)Google Scholar
  46. 46.
    Zdancewic, S., Myers, A.C.: Observational determinism for concurrent program security. In: CSFW (2003)Google Scholar
  47. 47.
    Zhang, D., Askarov, A., Myers, A.C.: Language-based control and mitigation of timing channels. In: PLDI (2012)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  1. 1.Max Planck Institute for Software SystemsSaarbrückenGermany
  2. 2.Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations