Probabilistic Noninterference for Multi-threaded Programs

Paper in proceeding, 2000

A program which has access to your sensitive data presents a security threat. Does the program keep your secrets secret? To answer the question one must specify what it means for a program to be secure, and one may wish to verify the security specification before executing the program. We present a probability-sensitive security specification (probabilistic noninterference) for multi-threaded programs based on a probabilistic bisimulation. Some previous approaches to specifying confidentiality rely on a particular scheduler for executing program threads. This is unfortunate since scheduling policy is typically outside the language specification for multi-threaded languages. We describe how to generalise noninterference in order to define robust security with respect to any particular scheduler used and show, for a simple imperative language with dynamic thread creation, how the security condition satisfies compositionality properties which facilitates a straightforward proof of correctness of e.g. security type systems.