Security policies for distributed systems

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

A security policy specifies a security property as the maximal information flow. A distributed system composed of interacting processes implicitly defines an intransitive security policy by repudiating direct information flow between processes that do not exchange messages directly. We show that implicitly defined security policies in distributed systems are enforced, provided that processes run in separation, and possible process communication on a technical platform is restricted to specified message paths of the system. Furthermore, we propose to further restrict the allowable information flow by adding filter functions for controlling which messages may be transmitted between processes, and we prove that locally checking filter functions is sufficient for ensuring global security policies. Altogether, global intransitive security policies are established by means of local verification conditions for the (trusted) processes of the distributed system. Moreover, security policies may be implemented securely on distributed integration platforms which ensure partitioning. We illustrate our results with a smart grid case study, where we use CTL model checking for discharging local verification conditions for each process under consideration.


💡 Research Summary

The paper presents a formal framework for specifying and enforcing security policies in distributed systems that communicate via asynchronous message passing. A “distributed machine” is defined as a composition of independent processes, each modeled as a tuple (S, s₀, A_in, A_out, step). Processes exchange messages through uniquely identified send actions (!m) and receive actions (?π m), with each message stored in a per‑process input buffer until it is consumed. The composition requires that every message has exactly one sender and at least one receiver, guaranteeing a well‑defined communication topology.

Security policies are represented as directed graphs whose vertices are the processes (security domains) and whose edges denote allowed information flow. The policies are inherently intransitive: if information can flow from π₁ to π₂ and from π₂ to π₃, a direct flow from π₁ to π₃ is not permitted unless explicitly added. This captures realistic scenarios where data must pass through an intermediate trusted component. The authors contrast their model with earlier work (Rushby, van der Meyden) that assumes any action can be taken in any global state, arguing that their asynchronous, buffer‑based model better reflects actual implementations.

Two main theoretical contributions are established. First, they prove that if processes are executed in isolation (e.g., via a separation kernel or other partitioning mechanism) and the underlying platform restricts communication to the message paths defined by the policy, then the system automatically satisfies its implicit intransitive policy. In other words, “process separation + path restriction” guarantees policy enforcement without additional runtime checks.
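The three preceding paragraphs describe the model (processes with input/output alphabets, every message having exactly one sender and at least one receiver), the implicit policy graph derived from it, and the claim that restricting the platform's routes to that graph enforces the policy. The following is an added example (not code from the paper or its authors) that makes those steps concrete in Python: it checks the composition condition, derives the policy edges from the alphabets, treats the policy intransitively (an edge is needed for each direct flow; no closure is taken), and flags any platform route the policy does not cover. The process names and messages are constructed for illustration.

```python
"""Added example (not the paper's code): derive the implicit intransitive
security policy from a distributed machine's send/receive alphabets and
check a platform routing table against it."""
from collections import defaultdict

# Each process is given by its input and output alphabets (A_in, A_out).
# The state set and step function play no role in deriving the policy.
# Constructed sample: two prosumers and one controller.
PROCESSES = {
    "P1": {"in": {"agg"}, "out": {"v1"}},          # prosumer 1
    "P2": {"in": {"agg"}, "out": {"v2"}},          # prosumer 2
    "C":  {"in": {"v1", "v2"}, "out": {"agg"}},    # controller
}


def message_endpoints(procs):
    """Map every message name to the sets of processes that send / receive it."""
    senders, receivers = defaultdict(set), defaultdict(set)
    for name, p in procs.items():
        for m in p["out"]:
            senders[m].add(name)
        for m in p["in"]:
            receivers[m].add(name)
    return senders, receivers


def composition_errors(procs):
    """Well-formedness: exactly one sender and at least one receiver per message."""
    senders, receivers = message_endpoints(procs)
    errors = []
    for m in sorted(set(senders) | set(receivers)):
        if len(senders[m]) != 1:
            errors.append(f"{m}: expected 1 sender, found {len(senders[m])}")
        if not receivers[m]:
            errors.append(f"{m}: no receiver")
    return errors


def implicit_policy(procs):
    """Policy graph: one edge (src, dst) for every message path src -> dst."""
    senders, receivers = message_endpoints(procs)
    return {(s, r) for m in senders for s in senders[m] for r in receivers[m]}


def direct_flow_allowed(policy, src, dst):
    """Intransitive reading: only an explicit edge permits flow; no closure."""
    return (src, dst) in policy


def reachable(policy, src, dst):
    """Transitive reachability, shown only to contrast with the policy itself."""
    seen, frontier = set(), [src]
    while frontier:
        node = frontier.pop()
        for a, b in policy:
            if a == node and b not in seen:
                seen.add(b)
                frontier.append(b)
    return dst in seen


def unauthorized_routes(policy, routes):
    """Routes the platform would allow that the implicit policy does not cover."""
    return sorted(r for r in routes if r not in policy)


if __name__ == "__main__":
    policy = implicit_policy(PROCESSES)
    print("composition errors:", composition_errors(PROCESSES))
    print("policy edges:", sorted(policy))
    print("P1 -> P2 direct:", direct_flow_allowed(policy, "P1", "P2"),
          "| via C:", reachable(policy, "P1", "P2"))
    # Constructed routing table that adds one route the policy does not have.
    print("unauthorized:", unauthorized_routes(policy, policy | {("P1", "P2")}))
```

The contrast between `direct_flow_allowed` and `reachable` is the point of intransitivity: information from P1 may reach P2 through the controller, but a platform route P1 -> P2 would bypass that trusted intermediary and is therefore reported by `unauthorized_routes`.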

Second, the paper introduces Boolean filter functions that further constrain the allowed messages on a given edge based on the local history of the sending domain. A filter f: History → {true, false} may depend only on the sender’s received and sent messages. The authors show that checking each process locally for compliance with its assigned filter is sufficient to guarantee that the entire distributed system respects the filtered policy. Domains without a filter need not be examined, dramatically reducing verification effort.

The framework is validated through a smart micro‑grid case study. In this scenario, prosumers (agents that both produce and consume energy) interact with a central controller. The security requirement is that no prosumer can infer another prosumer’s consumption or production values. A Boolean filter is placed on the controller‑to‑prosumer channel, allowing the controller to broadcast aggregated results only after all prosumers have submitted their individual data. The authors encode each component as a process, apply CTL model checking to verify the local filter compliance of the controller, and confirm that the global security property holds.
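The two preceding paragraphs describe filter functions that depend only on the sending domain's local history, and the case-study filter that lets the controller broadcast the aggregate only once every prosumer has submitted a value. The following is an added example (not the paper's model or its CTL encoding) that expresses that filter in Python and performs a bounded local check of the controller alone: it explores every local history the controller can produce and reports the first send that the filter would reject. Only the controller needs checking, which is what makes the local verification condition cheap. The prosumer names, message names and the deliberately broken controller variant are constructed for illustration; the bounded search stands in for the model checker used in the paper.

```python
"""Added example (not the paper's code): a history-based filter on the
controller-to-prosumer channel and a bounded local check that every
reachable broadcast satisfies it."""

PROSUMERS = ("P1", "P2", "P3")            # constructed sample domains
BROADCAST = ("!", "agg")                   # send action for the aggregate


def broadcast_filter(history):
    """Filter f: History -> bool. Allow '!agg' only if every prosumer's value
    has been received since the previous broadcast. Depends solely on the
    controller's own sent and received messages."""
    submitted = set()
    for action, msg in history:
        if (action, msg) == BROADCAST:
            submitted = set()                 # a broadcast starts a new round
        elif action == "?":
            submitted.add(msg.split("_", 1)[1])   # msg has the form "v_<prosumer>"
    return submitted == set(PROSUMERS)


def controller_step(state, send_when_all=True):
    """Local step relation of the controller. State = frozenset of prosumers
    whose value arrived in the current round. Returns (action, next_state)
    pairs. send_when_all=False models a buggy controller that broadcasts as
    soon as any single value is in (constructed to show a violation)."""
    successors = []
    for p in PROSUMERS:
        if p not in state:                    # values may arrive in any order
            successors.append((("?", f"v_{p}"), state | {p}))
    ready = (len(state) == len(PROSUMERS)) if send_when_all else (len(state) >= 1)
    if ready:
        successors.append((BROADCAST, frozenset()))
    return successors


def local_check(step, flt, bound=8):
    """Bounded exploration of the controller's local histories. Returns the
    first history ending in a send that the filter rejects, or None if every
    send within the bound is permitted."""
    stack = [(frozenset(), ())]
    while stack:
        state, history = stack.pop()
        if len(history) >= bound:
            continue
        for action, nxt in step(state):
            if action[0] == "!" and not flt(history):
                return history + (action,)
            stack.append((nxt, history + (action,)))
    return None


def check_correct_controller():
    return local_check(controller_step, broadcast_filter)


def check_buggy_controller():
    return local_check(lambda s: controller_step(s, send_when_all=False),
                       broadcast_filter)


if __name__ == "__main__":
    print("correct controller:", check_correct_controller())   # None
    print("buggy controller:  ", check_buggy_controller())     # violating history
```

The filter is evaluated on the history *before* the send, exactly as a guard on the outgoing edge would be; the check never inspects the prosumers, which have no filter assigned and therefore fall outside the verification obligation.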

Finally, the paper discusses practical platform considerations. It argues that separation kernels (e.g., seL4), time‑triggered networking (e.g., TTEthernet), and the mixed‑criticality platform being developed in the EU D‑MILS project provide the necessary isolation and routing guarantees to implement the proposed policies on real hardware. By combining formal verification at design time with enforced partitioning at runtime, the approach bridges the gap between theoretical security guarantees and deployable distributed systems.

Overall, the work contributes a rigorous method for (1) deriving an implicit intransitive security policy from the communication structure of a distributed system, (2) strengthening it with locally verifiable filter functions, and (3) demonstrating that both the policy and its filters can be enforced through process isolation and controlled message routing, as substantiated by a realistic smart‑grid example.

