ISA 763 Security Protocol Verification - PowerPoint PPT Presentation



1
ISA 763 Security Protocol Verification
  • CSP Semantics

We thank Professor Csilla Farkas of USC for
providing some transparencies that were used to
construct this transparency
2
References
  • The Theory and Practice of Concurrency by A. W.
    Roscoe, available at web.comlab.ox.ac.uk/oucl/work
    /bill.roscoe/publications/68b.pdf
  • Chapters 4 and 5 of Modelling and Analysis of
    Security Protocols by Peter Ryan and Steve
    Schneider.
  • The FDR2 User Manual, available at
    http://www.fsel.com/documentation/fdr2/html/fdr2manual.html#SEC_Top
  • Formal Systems, FDR download, http://www.fsel.com/
  • M. Morgenthal, Design and Validation of Computer
    Protocols, http://wwwtcs.inf.tu-dresden.de/morgen
    /sem-ws02.html

2
3
CSP Semantics - 1
  • Operational Semantics
  • Interprets the language on an (abstract) machine,
    such as the ones used for imperative languages,
    with a program counter, next-instruction stack
    etc.
  • Denotational Semantics
  • The language is translated to another abstract
    domain
  • Translate the basic constructs
  • Translate the combinators to constructs in the
    target domain
  • Use a compositionality principle to construct the
    denotation of the whole program from the
    translated parts
  • Algebraic Semantics
  • Translate the language into a normal form by
    rewriting all programs in that form
  • Describe how to execute the program in normal form

3
4
CSP Semantics - 2
  • Operational Semantics
  • Interprets the language on an (abstract) machine
  • Construct a labeled transition system (LTS)
  • Denotational Semantics
  • The language is translated to another abstract
    domain
  • Trace semantics, failures-divergence semantics
  • Algebraic Semantics
  • Translate the language into a normal form by
    rewriting all programs in that form
  • Proof rules

4
5
Operational Semantics
  • Labeled transition system (LTS)
  • Nodes: states of the process
  • Directed edges: events
  • Visible events
  • Internal transitions
  • Recall trace refinement:
  • S ⊑T T iff traces(T) ⊆ traces(S)

5
6
An example LTS
Image from M. Morgenthal
6
7
Another LTS Example
Image from M. Morgenthal
7
8
Connection between LTS Examples
  • An implementation of S as AB ∥ AC where
  • AB = a → b → AB and
  • AC = a → c → AC
  • where
  • AA corresponds to AB ∥ AC
  • BA corresponds to (b → AB) ∥ AC
  • AC corresponds to AB ∥ (c → AC)
  • BC corresponds to (b → AB) ∥ (c → AC)

8
9
10
Traces Refinement Check
Image from M. Morgenthal
10
11
Trace Refinements
  • An implementation refines the traces of a process
  • Hence we would like an implementation to satisfy
    the specification
  • Which properties?
  • For this class, the trace properties used to
    specify security properties.

11
12
Denotational Semantics
  • Recall trace semantics for CSP processes
  • Could not reason about the difference between
    external choice and internal choice
  • Example: consider Σ = {a,b} and
  • Q1 = (a → STOP) □ (b → STOP)
  • Q2 = (a → STOP) ⊓ (b → STOP)
  • Q3 = STOP ⊓ (a → STOP) ⊓ (b → STOP)
  • Refusal sets of Q1: only {} (neither a nor b can
    be refused)
  • Q2 can refuse {a} and can refuse {b}, but not {a,b}
  • Q3 can refuse any subset of Σ.

12
13
Refusal Sets
[Figure: LTS diagrams of P1, P2, P3 and P4, each state annotated with its refusal sets (subsets of {a,b,c}); P2 and P4 contain τ transitions]
13
14
Refusal Sets
  • P1 = (a → b → STOP) □ (b → a → STOP)
  •    = (a → STOP) ||| (b → STOP)
  • Failure sets: (⟨⟩,{}), (⟨⟩,{c}),
  • (⟨a⟩,{a,c}), (⟨b,a⟩,{a,b,c})
  • P2 = ((c → a → STOP) □ (b → c → STOP)) \ {c}
  • Failure sets: {(⟨⟩,X) | X ⊆ {b,c}} ∪
  • {(⟨a⟩,X), (⟨b⟩,X) | X ⊆ {a,b,c}}
  • Internal actions introduce nondeterminism

14
15
Refusal Sets
  • P3 = (a → STOP) ⊓ (b → STOP)
  • Must accept one of a or b if both a, b are
    offered
  • Different from
  • P1 - must accept either
  • P2 - must accept a
  • P4 = (c → a → STOP) □ (c → b → STOP)
  • After ⟨c⟩ refuses X whenever {a,b} ⊈ X
  • Failures allow us to distinguish between internal
    and external choice; traces could not do this!

15
16
Failure Semantics
  • failures(P) = {(s,X) | s ∈ Σ* and P/s does not
    accept any x ∈ X}
  • Failure refinement P ⊑F Q (read Q failure-refines
    P) iff
  • traces(Q) ⊆ traces(P) and
  • failures(Q) ⊆ failures(P)

16
17
Divergence
  • P = (μp.a → p) \ {a}
  • Cannot observe a externally.
  • Diverges, i.e. looks like a τ-loop
  • We do not care what happens after a process
    diverges

[Figure: the a-loop of μp.a → p and the τ-loop obtained by hiding a]
17
18
Failure and Divergence
  • Add an extra symbol ✓ to Σ to indicate that the
    process has terminated
  • Interpretation: ✓ is emitted by the process to
    the environment to indicate normal termination
  • P =s⇒ Q means process P becomes Q after
    performing s
  • Stable state: a state that does not accept τ

18
19
Failure and Divergence
  • traces(P) = {s ∈ (Σ ∪ {✓})* | ∃Q. P =s⇒ Q}
  • traces⊥(P) = {s | (s,X) ∈ F for some X} is a
    prefix-closed set
  • divergences(P) = {sˆt | s ∈ Σ*, t ∈ (Σ ∪ {✓})*,
  • ∃Q. P =s⇒ Q, Q diverges}
  • Extension-closed set of traces after which an
    infinite sequence of τ actions is possible
  • failures⊥(P) = {(s,X) | s is a trace and X is a
    set of actions that can be refused in a stable
    state of P}

19
20
The Failures Divergence Model
  • N ⊆ P((Σ ∪ {✓})* × P(Σ ∪ {✓})) × P((Σ ∪ {✓})*)
  • Refers to pairs (F, D): F a set of failures
    (s, refused actions), D a set of divergent strings
  • Any non-empty subset S of N has an infimum given
    by
  • ⊓S = (∪{F | (F,D) ∈ S}, ∪{D | (F,D) ∈ S})
  • The supremum of a directed set Δ is given by
  • ⊔Δ = (∩{F | (F,D) ∈ Δ}, ∩{D | (F,D) ∈ Δ})
  • Theorem: if Σ is finite then (N, ⊑FD, ⊓, ⊔) is a
    complete partial order

20
21
Computing the FD Semantics-1
  • failures⊥(STOP) = {(⟨⟩,X) | X ⊆ Σ ∪ {✓}}
  • divergences(STOP) = {}
  • failures⊥(SKIP) = {(⟨⟩,X) | ✓ ∉ X} ∪
    {(⟨✓⟩,X) | X ⊆ Σ ∪ {✓}}
  • divergences(SKIP) = {}
  • failures⊥(a → P) = {(⟨⟩,X) | a ∉ X} ∪
  • {(⟨a⟩ˆs,X) | (s,X) ∈ failures⊥(P)}
  • divergences(a → P) = {⟨a⟩ˆs | s ∈ divergences(P)}

21
22
Computing the FD Semantics-2
  • failures⊥(?x:A → P) = {(⟨⟩,X) | X ∩ A = {}} ∪
  • {(⟨a⟩ˆs,X) | a ∈ A, (s,X) ∈ failures⊥(P[a/x])}
  • divergences(?x:A → P) = {⟨a⟩ˆs | a ∈ A,
    s ∈ divergences(P[a/x])}
  • failures⊥(P ⊓ Q) = failures⊥(P) ∪ failures⊥(Q)
  • divergences(P ⊓ Q) =
  • divergences(P) ∪ divergences(Q)

22
23
Computing the FD Semantics-3
  • divergences(P □ Q) =
  • divergences(P) ∪ divergences(Q)
  • failures⊥(P □ Q) =
  • {(⟨⟩,X) | (⟨⟩,X) ∈ failures⊥(P) ∩ failures⊥(Q)}
  • ∪ {(s,X) | s ≠ ⟨⟩, (s,X) ∈ failures⊥(P) ∪ failures⊥(Q)}
  • ∪ {(s,X) | ⟨⟩ ∈ divergences(P) ∪ divergences(Q)}
  • ∪ {(⟨⟩,X) | X ⊆ Σ, ⟨✓⟩ ∈ traces⊥(P) ∪ traces⊥(Q)}
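The failures equations for STOP, a → P, P ⊓ Q and P □ Q on these slides, evaluated on the Q1, Q2, Q3 of the Denotational Semantics slide (Σ = {a,b}); this is an added example, not code from the slides or from FDR. It assumes divergence-free processes without SKIP, so every divergence term is empty and only stable failures are built.

```python
# Added example (not from the slides): denotational stable failures over Σ = {a, b}
# for the operators STOP, a -> P, P |~| Q and P [] Q, applied to Q1, Q2 and Q3.
from itertools import combinations

SIGMA = frozenset({"a", "b"})


def subsets(xs):
    """All subsets of xs as frozensets (the candidate refusal sets)."""
    xs = sorted(xs)
    return [frozenset(c) for r in range(len(xs) + 1) for c in combinations(xs, r)]


def stop():
    # failures(STOP) = {(<>, X) | X ⊆ Σ}
    return {((), X) for X in subsets(SIGMA)}


def prefix(a, P):
    # failures(a -> P) = {(<>, X) | a ∉ X} ∪ {(<a>^s, X) | (s, X) ∈ failures(P)}
    return {((), X) for X in subsets(SIGMA) if a not in X} | {((a,) + s, X) for s, X in P}


def internal(P, Q):
    # failures(P |~| Q) = failures(P) ∪ failures(Q)
    return P | Q


def external(P, Q):
    # failures(P [] Q) = {(<>, X) | (<>, X) ∈ failures(P) ∩ failures(Q)}
    #                  ∪ {(s, X) | s ≠ <>, (s, X) ∈ failures(P) ∪ failures(Q)}
    return {f for f in P & Q if f[0] == ()} | {f for f in P | Q if f[0] != ()}


def traces(P):
    """Every trace of a divergence-free process appears in some failure (s, X)."""
    return {s for s, _ in P}


def refusals(P, s=()):
    """The sets X that P can refuse after trace s."""
    return {X for t, X in P if t == s}


def failures_refines(spec, impl):
    """spec ⊑F impl iff traces(impl) ⊆ traces(spec) and failures(impl) ⊆ failures(spec)."""
    return traces(impl) <= traces(spec) and impl <= spec


A, B = prefix("a", stop()), prefix("b", stop())
Q1 = external(A, B)                    # (a -> STOP) [] (b -> STOP)
Q2 = internal(A, B)                    # (a -> STOP) |~| (b -> STOP)
Q3 = internal(stop(), internal(A, B))  # STOP |~| (a -> STOP) |~| (b -> STOP)
```

All three have the same traces, yet only Q1 cannot refuse both a and b at the start, which is exactly the distinction the traces model misses.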

23
24
Computing the FD Semantics-4
  • divergences(P ∥X Q) = {uˆv | ∃s ∈ traces⊥(P),
    ∃t ∈ traces⊥(Q). u ∈ (s ∥X t) ∩ Σ*,
  • s ∈ divergences(P) or t ∈ divergences(Q)}
  • failures⊥(P ∥X Q) = {(u, Y ∪ Z) | u ∈ s ∥X t,
  • Y \ (X ∪ {✓}) = Z \ (X ∪ {✓}) ∧
  • ∃s,t. (s,Y) ∈ failures⊥(P), (t,Z) ∈ failures⊥(Q)}
  • ∪ {(u,Y) | u ∈ divergences(P ∥X Q)}

24
25
Computing the FD Semantics-5
  • divergences(P \ X) =
  • {(s \ X)ˆt | s ∈ divergences(P)} ∪
  • {(u \ X)ˆt | u ∈ Σω ∧ (u \ X) is finite ∧
  • ∀s < u. s ∈ traces⊥(P)}
  • failures⊥(P \ X) =
  • {(s \ X, Y) | (s, Y ∪ X) ∈ failures⊥(P)} ∪
  • {(s,Y) | s ∈ divergences(P \ X)}

25
26
Deterministic Processes
  • A process P is said to be deterministic if
  • tˆ⟨a⟩ ∈ traces(P) ⇒ (t,{a}) ∉ failures(P)
  • divergences(P) = {}
  • That is, it never diverges and does not have the
    choice of both accepting and refusing an action
  • Deterministic processes are the maximal elements
    under ⊑FD
  • Example: (a → STOP) □ (a → a → STOP) is
    nondeterministic

26
27
Deterministic Processes and LTS
[Figure: two LTSs with branching a-transitions]
  • Two nondeterministic LTSs whose behaviour is
    deterministic

27
28
Abstraction - 1
  • Abstraction: hide details
  • Example: many-to-one renaming (b renamed to a)
  • ((a → c → STOP) □ (b → d → STOP)) with b renamed to a
  • = (a → c → STOP) □ (a → d → STOP)
  • = a → ((c → STOP) ⊓ (d → STOP))
  • Eager abstraction: the hiding operator
  • EH(P) = P \ H assumes that events in H pass out of
    sight

28
29
Abstraction - 2
  • Lazy abstraction: projection of P onto L
  • LH(P) = P@L =
  • {(s \ H, X) | (s, X ∩ L) ∈ failures⊥(P)}
  • Example: L = {l1,l2}, H = {h}
  • P = (l1 → P) □ (l2 → h → P) □ (h → P)
  • LH(P) = Q = (l1 → Q) □ l2 → (STOP ⊓ Q)
  • Finite traces of LH(P) are precisely
    {s \ H | s ∈ traces(P)}

29
30
Strong Bisimulation
  • Suppose S is an LTS and R is a relation on its set
    of nodes, R ⊆ S × S. R is said to be a strong
    bisimulation on S iff
  • ∀n1,n2,m1 ∈ S, ∀x ∈ Σ ∪ {τ}. R(n1,n2) and
    n1 —x→ m1 ⇒ ∃m2 ∈ S. n2 —x→ m2 and R(m1,m2)
  • ∀n1,n2,m2 ∈ S, ∀x ∈ Σ ∪ {τ}. R(n1,n2) and
    n2 —x→ m2 ⇒ ∃m1 ∈ S. n1 —x→ m1 and R(m1,m2)

30
31
Casper
  • Compiler
  • Easy to specify protocols and security properties
  • E.g., Yahalom protocol:
  • Input: 1 page of protocol and security spec.
  • Output (CSP): 10 pages

31
32
Casper
  • Protocol Definition: protocol operation, including
  • messages between the agents,
  • tests performed by the agents,
  • types of data,
  • initial knowledge,
  • specification of the protocol's goals,
  • algebraic equivalences over the types
  • Components:
  • Protocol description
  • Free variables
  • Processes
  • Specification

32
33
Casper
  • System definition: the actual system to be
    checked, including agents, their roles, actual
    data types, the intruder's abilities
  • Components:
  • Actual variables
  • Functions
  • System
  • Intruder information

33
34
Protocol Description
Image from M. Morgenthal
34
35
Free Variables
Image from M. Morgenthal
35
36
Processes
Image from M. Morgenthal
36
37
Specification
Image from M. Morgenthal
37
38
System specs: Variables
Image from M. Morgenthal
38
39
System specs: Functions
Image from M. Morgenthal
39
40
System specs: The System
Image from M. Morgenthal
40
41
System specs: The Intruder
Image from M. Morgenthal
41
42
Non-interference: freedom from covert channels
43
References
  • Bishop's book, Chapters 8 and 17
  • CSP and determinism in security modelling by A. W.
    Roscoe, IEEE Symposium on Security and Privacy,
    1995, 114-127.
  • Extending non-interference properties to the
    timed world by Jian Huang and A. W. Roscoe,
    SAC '06, 2006.

44
Basic Definitions
  • Basic issue: confidentiality in MLS
  • Information should not flow from system high to
    system low
  • Actions are categorized as H (high) and L (low)
  • Want: if two traces of process P differ only in
    their H actions, then the subsequent behaviour of
    P seen from L is identical
  • P is eagerly trace-invariant w.r.t. L, EtrINVL(P),
    iff
  • ∀tr,tr' ∈ traces(P). tr↾L = tr'↾L ⇒
    (P/tr) \ H = (P/tr') \ H

45
Lazy Trace Invariance
  • Define RUNH = ?x:H → RUNH
  • P is lazily trace-invariant w.r.t. L, LtrINVL(P),
    iff
  • ∀tr,tr' ∈ traces(P). tr↾L = tr'↾L ⇒
  • (P/tr) ||| RUNH = (P/tr') ||| RUNH
  • What is the difference? All H communications of P
    are made ambiguous by mixing them with RUNH
  • Camouflage communication rather than hide it! Note
    (P ||| RUNA) \ A = P \ A

46
Some Examples
  • H = {a,b,c,d}, L = {w,x,y,z}
  • P1 = a → x → P1 □ b → y → P1
  • P2 = a → x → P2 □ b → x → P2
  • P3 = a → x → P3 □ b → x → x → P3
  • P4 = a → P4 □ b → x → P4
  • P5 = x → (a → P5 □ x → P5 □ y → P5)
       □ y → (b → P5 □ x → P5 □ y → P5)
  • P6 = w → y → P6 □ x → z → P6 □ a → c → P6 □
    b → d → P6

47
Analyzing Example 1
  • P1 = a → x → P1 □ b → y → P1
  • Not secure: the event in L directly depends on an
    event in H. An event observed by L can be used to
    deduce that the corresponding event in H occurred
  • Fails EtrINVL(P): the traces tr1 = ⟨a,x,b,y⟩ and
    tr2 = ⟨x,y⟩ satisfy tr1↾L = tr2↾L but
    (P/tr1) \ H and (P/tr2) \ H differ
  • Fails LtrINVL(P) as (P/tr1) ||| RUNH and
    (P/tr2) ||| RUNH differ

48
Analyzing Examples 2,3,4
  • P2 = a → x → P2 □ b → x → P2
  • P3 = a → x → P3 □ b → x → x → P3
  • P4 = a → P4 □ b → x → P4
  • Satisfy EtrINVL(P), as they satisfy
    (Pi/tr) \ H = RUN{x} for any trace tr.
  • Fail LtrINVL(P) because every available L action
    depends upon an H action. Thus UL can derive
    whether an H action occurred.

49
Analyzing Examples 5 and 6
  • P5 = x → (a → P5 □ x → P5 □ y → P5)
       □ y → (b → P5 □ x → P5 □ y → P5)
  • P6 = w → y → P6 □ x → z → P6 □ a → c → P6 □
    b → d → P6
  • For UL, P5 always communicates when x or y are
    offered. For any tr, P5 satisfies
    P5/tr ||| RUNH = RUN(H ∪ {x,y}). Thus P5 satisfies
    EtrINVL(P) and LtrINVL(P).
  • P6 satisfies EtrINVL(P) and fails LtrINVL(P).
  • Reason for failure: if a or b has occurred then
    the corresponding c or d must occur for the system
    to work. Hence if UL cannot communicate with P6,
    then she knows that UH has communicated with P6.
  • Lesson: the failure model matters in deciding
    what is observable by UL!
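An added check of EtrINVL and LtrINVL on the P1, P2, P5 and P6 above (example code, not from the slides or from Roscoe's tools). It assumes, as on the Lazy Trace Invariance slide, that the lazy abstraction is P ||| RUNH, and it decides trace-set equality by a paired subset construction, which is exact for these finite-state processes.

```python
# Added example (not from the slides): paired-reachability check of eager (EtrINV_L) and
# lazy (LtrINV_L) trace invariance for P1, P2, P5, P6; lazy abstraction = P ||| RUN_H.
from collections import deque
H, L = {"a", "b", "c", "d"}, {"w", "x", "y", "z"}
# Deterministic processes as {state: {event: next_state}}, so P/tr is one state.
P1 = {"P1": {"a": "X", "b": "Y"}, "X": {"x": "P1"}, "Y": {"y": "P1"}}
P2 = {"P2": {"a": "X", "b": "X"}, "X": {"x": "P2"}}
P5 = {"P5": {"x": "X", "y": "Y"}, "X": {"a": "P5", "x": "P5", "y": "P5"},
      "Y": {"b": "P5", "x": "P5", "y": "P5"}}
P6 = {"P6": {"w": "Y", "x": "Z", "a": "C", "b": "D"}, "Y": {"y": "P6"},
      "Z": {"z": "P6"}, "C": {"c": "P6"}, "D": {"d": "P6"}}

def h_closure(proc, states):
    """States reachable by zero or more H events: the tau-closure of (P/tr) \\ H."""
    seen, stack = set(states), list(states)
    while stack:
        for ev, nxt in proc[stack.pop()].items():
            if ev in H and nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return frozenset(seen)

def eager_view(proc, states):
    """Subset state of (P/tr) \\ H: low initials and the subset each of them leads to."""
    succ = {}
    for s in h_closure(proc, states):
        for ev, nxt in proc[s].items():
            if ev in L:
                succ.setdefault(ev, set()).add(nxt)
    return frozenset(succ), {ev: h_closure(proc, nxt) for ev, nxt in succ.items()}

def lazy_view(proc, states):
    """Subset state of (P/tr) ||| RUN_H: H is always offered (RUN_H or P may take it)."""
    succ = {}
    for s in states:
        for ev, nxt in proc[s].items():
            succ.setdefault(ev, set()).add(nxt)
    moves = {ev: frozenset(nxt) for ev, nxt in succ.items() if ev in L}
    moves.update({h: frozenset(states | succ.get(h, set())) for h in H})
    return frozenset(moves) - H, moves

def same_traces(proc, p, q, view):
    """Prefix-closed trace sets are equal iff subset states reached by the same word agree."""
    seen, queue = set(), deque([(frozenset([p]), frozenset([q]))])
    while queue:
        pair = queue.popleft()
        if pair in seen:
            continue
        seen.add(pair)
        (lo_p, mv_p), (lo_q, mv_q) = view(proc, pair[0]), view(proc, pair[1])
        if lo_p != lo_q:  # one side offers a low event the other refuses: observable
            return False
        queue.extend((mv_p[ev], mv_q[ev]) for ev in mv_p)
    return True

def trace_invariant(proc, start, view):
    """Visit every (P/tr, P/tr') with tr|L = tr'|L: H steps on one side, shared L steps."""
    seen, queue = set(), deque([(start, start)])
    while queue:
        p, q = queue.popleft()
        if (p, q) in seen:
            continue
        seen.add((p, q))
        if not same_traces(proc, p, q, view):
            return False
        queue.extend((proc[p][e], q) for e in proc[p] if e in H)
        queue.extend((p, proc[q][e]) for e in proc[q] if e in H)
        queue.extend((proc[p][e], proc[q][e]) for e in proc[p] if e in L and e in proc[q])
    return True
```

Running `trace_invariant(P6, "P6", eager_view)` and `trace_invariant(P6, "P6", lazy_view)` reproduces the slide's verdict on P6: eagerly invariant, lazily not.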

50
Determinism - 1
  • Semantics matters in deciding what the intruder
    can observe! Can define EfdINVL(P) and
    LfdINVL(P).
  • Points (the FDR model is not capable of
    distinguishing between these!):
  • Can an intruder observe what events take place
    before and after refusals?
  • Same range of nondeterminism, but very different
    probabilistic behaviour
  • Recall determinism: a process is deterministic if
  • tˆ⟨a⟩ ∈ traces(P) ⇒ (t,{a}) ∉ failures(P)
  • divergences(P) = {}

51
Determinism - 2
  • The intuitive idea: the way to leak information
    from UH to UL via the process P is to behave
    differently towards UL depending on what UH does.
    It appears as if UH resolves nondeterminism for UL
    to notice and observe!
  • Theorem 1
  • P \ H is deterministic ⇒ EtrINVL(P), EfdINVL(P)
  • P ||| RUNH deterministic ⇒ LtrINVL(P), LfdINVL(P)
  • Theorem 2
  • P deterministic, P \ H divergence-free, EtrINVL(P)
    ⇒ P \ H is deterministic
  • P deterministic, EtrINVL(P) ⇒ P ||| RUNH
    deterministic

52
Eager, Lazy, Strong Independence
  • Say that P is eagerly independent, EINDL(P), if
    P \ H is deterministic w.r.t. L.
  • Say that P is lazily independent, LINDL(P), if
    P ||| RUNH is deterministic w.r.t. L.
  • Say that P is strongly independent, SINDL(P), if
    (P ∥H CHAOSH) \ H is deterministic, where
    CHAOSA = STOP ⊓ (?x:A → CHAOSA)
  • Theorem: a process satisfies SINDL(P) iff it
    satisfies EINDL(P) and LINDL(P)

53
Delay-able H actions and Signals-1
  • P6 = w → y → P6 □ x → z → P6 □ a → c → P6 □
    b → d → P6
  • If UL cannot communicate with P6, then UL knows
    that UH has communicated with P6
  • What if c, d are signals, such as output
    communications, whose refusals are not observable
    before they occur?
  • Then the process is secure! But we need to make a
    distinction between the two kinds of H events,
    so H = (D,S)

54
Delay-able H actions and Signals-2
  • Divide H into two parts:
  • D: delayable
  • S: signals (like output)
  • Mixed conditions:
  • Mixed eager invariance MINVL(D,S)(P) holds if
    ∀tr,tr' ∈ traces(P). tr↾L = tr'↾L ⇒
  • ((P/tr) \ S) ||| RUND = ((P/tr') \ S) ||| RUND
  • Mixed independence MINDL(D,S)(P) holds if
    (P \ S) ||| RUND is deterministic

55
Properties of H(D,S)
  • MINDL(D,S)(P) ⇒ MINVL(D,S)(P)
  • If P is deterministic and P \ D is divergence-free
    then MINVL(D,S)(P) ⇒ MINDL(D,S)(P)

56
Abstract Models of UH - 1
  • CHAOSA = STOP ⊓ (?x:A → CHAOSA)
  • CHAOSA is the most nondeterministic UH
  • All determinism properties can be specified as
    (P ∥H U) \ H for some U (e.g. U = RUNH)
  • The lazy specifications do not forbid infinite
    runs of H actions, requiring a different
    semantics (F,D,I) for CSP

57
Abstract Models of UH -2
  • Can restrict to finite traces by defining a new
    process FINITEA = ⊓{Qn | n ∈ ℕ} with
  • Q0 = STOP, and Qn+1 = ?a:A → Qn
  • FINITEA is a user process U for the lazy conditions
  • Theorem: P satisfies
  • EINDL(P) iff (P ∥H FINITEH) \ H is deterministic
  • MINDL(D,S)(P) iff (P ∥(D∪S) (RUNS ||| FINITED)) \ (D ∪ S)
    is deterministic

58
Modeling non-interference
  • Example: an email system where UH can send mail
    to UL.
  • Referred to as conditional non-interference
  • General approach: the finite traces of U are over H
  • Show that if UH communicates within H, no
    information leaks to UL.
  • UH can delay only refusals
  • U is divergence-free

59
A Timed Version
  • Ht = H ∪ {tock}, Lt = L ∪ {tock}, Σt = Ht ∪ Lt
  • Events are D (delayable) or S (signals)
  • Maximal progress assumption: no tock occurs when
    τ is available
  • P is timed-deterministic iff ∀s ∈ Σt*, ∀a ∈ Σt.
    (s,{a}) ∈ failures(P) ⇒ sˆ⟨a⟩ ∉ traces(P)
  • P is timed-lazy independent, T-L-Ind(P), iff
    ∀a ∈ Lt, ∀s,s' ∈ traces(P). s↾Lt = s'↾Lt ⇒
  • ((s,{a}) ∈ failures(P) ⇒ (P/s') can refuse a)

60
Timed Abstractions
  • Example: let H = {d} and L = {l} and
  • P = tock → Q □ d → TOCKS
  • Q = tock → Q □ d → l → TOCKS, TOCKS = tock →
    TOCKS and CHAOSH = STOP ⊓ (?x:H → CHAOSH)
  • P is not secure because UL can find out when d
    occurs by observing l.
  • Untimed lazy abstraction: (P ∥H CHAOSH) \ H,
    compared against TOCKS
  • If the STOP branch of CHAOSH is chosen it blocks d
    for ever, so the abstracted process never changes
    state
  • CHAOSH needs to be redefined!

61
Defining CHAOST
  • Define a timed version that changes its mind when
    time passes (tn is a new event)
  • CHAOST(D) = CHAOS'T(D) \ {tn}
  • CHAOS'T(D) = ?x:D → CHAOS'T(D) □
  • tn → tock → CHAOS'T(D)
  • Timed-lazy abstraction:
  • LtH(P) = (P ∥Ht CHAOST(H)) \ H
  • Timed-mixed abstraction: MStH(P) = LtH(P \ S)
  • Note: D and S are the delayable and signal events

62
Time Consistency Check
  • TOCKS ⊑ (P ∥(D ∪ {tock}) CHAOST(D)) \ S
  • It means that when P is synchronized with
    CHAOST(D) on the events in D ∪ {tock}, only the
    tock events remain once those from S are hidden.
  • This checks whether the timed behaviour is
    consistent

63
Some Properties
  • Theorem:
  • LtH(P) is time-deterministic iff T-L-Ind(P)
  • Suppose P and Q are processes with alphabets A
    and B. If P and Q are T-L-independent then so is
    P A∥B Q
  • Separability:
  • A process P is separable iff it is a parallel
    composition of sub-processes A and B with
    disjoint alphabets
  • In the timed world, A and B can synchronize on
    tock

64
Time Separability - 1
  • Definition: suppose P is a process whose non-tock
    alphabet is partitioned into disjoint subsets H
    and L. P is time-separable w.r.t. H, L if there
    are processes PH and PL satisfying (here TCC =
    time consistency check)
  • TCC(PH) ∧ TCC(PL)
  • αPH = Ht ∧ αPL = Lt
  • P = PH ∥{tock} PL
  • Note: equivalence to a structurally secure
    process may conceal insecurities. It does not
    exclude information flow

65
Time Separability - 2
  • Definition: suppose P is a process whose non-tock
    alphabet is partitioned into disjoint subsets H
    and L. P is strongly time-separable w.r.t. H, L
    if there are time-deterministic processes PH and
    PL with (here TCC = time consistency check)
  • TCC(PH) ∧ TCC(PL)
  • αPH = Ht ∧ αPL = Lt
  • P = PH ∥{tock} PL
  • Theorem: P is strongly time-separable w.r.t.
    H, L iff T-H-Ind(P) and T-L-Ind(P)
  • Definition: the process P/H has the H labels
    removed from the LTS. That is, P/H = P ∥H STOP

66
Local non-interference
  • Local non-interference: low-level users cannot
    tell the difference between states linked by a
    high-level action
  • R ⊆ Proc × Proc is a weak bisimulation (≈τ) iff
    ∀x ∈ Σt ∪ {τ}, R(p,q):
  • p —x→ p' ⇒ ∃q'. q =x⇒ q' and R(p',q')
  • q —x→ q' ⇒ ∃p'. p =x⇒ p' and R(p',q')

[Figure: weak-bisimulation diagram, states P, P' and Q, Q' related by R with matching x transitions]
67
Timed local non-interference - 1
[Figure: state S with an h transition to S1; S/H and S1/H (the same states with the H links removed) perform the same low action X]
  • P satisfies timed strong local non-interference,
    written tSLNIL(P), if for states s, s1 and h ∈ H
    with s —h→ s1, s/H ≈τ s1/H
  • P satisfies timed local non-interference, written
    tLNIL(P), if whenever s —h→ s1, s —h→ s2, ...,
    s —h→ sn is the complete list of H transitions
    from s, then s/H ≈τ ⊓ si/H

68
Timed local non-interference - 2
[Figure: state S with an h transition to S1; S/H and S1/H have the same FD semantics]
  • P satisfies timed strong FD local
    non-interference, written tFDSLNIL(P), if for all
    states s, s1 and all h ∈ H with s —h→ s1,
    s/H =FD s1/H
  • P satisfies timed FD local non-interference,
    written tFDLNIL(P), if whenever s —h→ s1,
    s —h→ s2, ..., s —h→ sn is the complete list of
    H transitions from s, then s/H =FD ⊓ si/H

69
A Theorem
  • If P does not diverge, then the following are
    equivalent
  • tSLNIL(P)
  • tLNIL(P)
  • tFDSLNIL(P)
  • tFDLNIL(P)
  • T-L-Ind(P)

70
Time-delayed local non-interference-1
  • S = {s1,s2}, L = {l1,l2}
  • P = s1 → tock → l1 → P
  • Q = s1 → tock → l1 → Q □ s2 → tock → l1 → Q
  • R = s1 → tock → l1 → R □ s2 → tock → l2 → R
  • For P, UL knows that s1 takes place: not a
    secret
  • For Q, UL knows that an H event happens, but
    cannot discern which one: we want this to be
    secure
  • For R, UH resolves the nondeterminism and UL
    learns the choice. But S events are not chosen by
    UH, but by the environment
  • P, Q, R do not satisfy the timed local
    non-interference conditions: need mixed
    conditions

71
Time-delayed local non-interference-2
  • P is said to satisfy
  • Time-delayed strong local non-interference
    tDSLNIL(P) if tDSLNIL(P\S) holds
  • Time-delayed local non-interference tDLNIL(P) if
    tDLNIL(P\S) holds
  • Time-delayed strong FD local non-interference
    tDSLNIFDL(P) if tDSLNIFDL(P\S) holds
  • Time-delayed FD local non-interference
    tDLNIFDL(P) if tDLNIFDL(P\S) holds

72
Another Theorem
  • If P does not diverge and (P \ S)/H is timed
    deterministic, then the following are equivalent
  • tDSLNIL(P)
  • tDLNIL(P)
  • tDSLNIFDL(P)
  • tDLNIFDL(P)

73
A Case Study
  • Will show:
  • A timed implementation of a secure untimed
    process may be insecure
  • The developed conditions help design a secure
    timed implementation.
  • Example: 2 users UL, UH and 1 file in the system.
  • UH reads and UL writes, so information flows L → H
  • Both must request before access
  • UL can write between UH reads in order to make
    fresh information available to UH

74
Case Study the un-timed version
  • Sys = reqH → Sys1 □ reqL → writeL → Sys1
  • Sys1 = readH → Sys □ reqL → writeL → Sys1
  • The system is L-independent and SLNI (strong
    local non-interference) secure
  • Adding time (assumptions):
  • All actions need one unit of time
  • A low-level request following a high-level
    request takes an extra time unit.
  • The system may idle until a request is made.

75
Case Study adding time
  • Sys = tock → Sys □ reqH → Sys1 □ reqL → tock →
    writeL → tock → Sys1
  • Sys1 = tock → (readH → tock → Sys □
    reqL → tock → tock → writeL → tock → Sys1)
  • UL can notice the existence of 2 tocks between
    reqL and writeL: leaks!
  • In state Sys, UL can communicate reqL but not in
    state Sys1: can distinguish using failures
    semantics!

76
The tDSLNIL Secure Version
[Figure: LTS of the original timed version (states Sys, Sys1, P1..P6 with reqH, readH, reqL, writeL, tock and τ transitions) beside the tDSLNIL secure version (states Q1..Q6)]
77
A tDSLNIL secure version
  • readyH is a response to reqH.
  • Hence S = {readyH}, D = {reqH}.
  • Use R to ensure Sys \ S / H ≈τ Sys1 \ S / H
  • R'(X \ S / H, Y \ S / H) iff (X,Y) ∈ R, where
  • R = {(Sys,Sys1), (P1,Sys), (Sys,Q1), (P2,Sys1),
    (P3,Q1), (P4,Q3), (P5,Q4), (P6,Q5), (Sys,Q6),
    (P1,Q6), (P2,Q6), (P1,Q2), (P3,Q2), (P3,Sys),
    (P3,P1), (P3,P2), (P3,P3)}