Probabilistic noninterference for multi-threaded programs

Abstract

We present a probability-sensitive confidentiality specification -- a form of probabilistic noninterference -- for a small multi-threaded programming language with dynamic thread creation. Probabilistic covert channels arise from a scheduler, which is probabilistic. Since scheduling policy is typically outside the language specification for multi-threaded languages, we describe how to generalize the security condition in order to define robust security with respect to a wide class of schedulers, not excluding the possibility of deterministic (e.g., round-robin) schedulers and program-controlled thread priorities. The formulation is based on an adaptation of Larsen and Skou's notion of probabilistic bisimulation. We show how the security condition satisfies compositionality properties, which facilitate straightforward proofs of correctness for, e.g., security type systems. We illustrate this by defining a security type system, which improves on previous multi-threaded systems, and by proving it correct with respect to our stronger scheduler-independent security condition.