Preventing Intrusions through Non-Interference

The ability to prevent and to detect intrusions in computer systems is often heavily conditioned by having some knowledge of the security flaws of the system under analysis. Discover intrusions is particularly hard in concurrent systems, which contain several interactions among their components; suspicious interactions are usually studied manually by security experts which need to establish if they are dangerous. In this paper, we present an automated method to prevent intrusions in concurrent systems that does not require any previous knowledge of the flaws. We study the behaviour of an abstract model of the system that captures its security-related behaviors; the model contain the trusted components of the system such as the file system, privileged processes, etc. We then check all possible interactions with unprivileged processes to decide if the system contain security flaws. This is accomplished by introducing a non-interference security property which holds for models where unprivileged processes do not have direct or indirect write access to resources with an high security level. The property is based on traces and can be decided by using standard concurrency tools. Our method applies even to models containing information flows among their components; this turns out to be a necessary condition for analyzing interactions of actual computer systems, where privileged processes usually have both read and write access to low resources.