=Paper=
{{Paper
|id=Vol-2571/CSP2019_paper_6
|storemode=property
|title=Observations, Testing and Security
|pdfUrl=https://ceur-ws.org/Vol-2571/CSP2019_paper_6.pdf
|volume=Vol-2571
|authors=Damas Gruska,M. Carmen Ruiz
|dblpUrl=https://dblp.org/rec/conf/csp/GruskaR19
}}
==Observations, Testing and Security==
Observations, Testing and Security ? Damas P. Gruska1 and M. Carmen Ruiz2 1 Comenius University, Slovakia 2 Universidad de Castilla-La Mancha, Spain Abstract. Testing of security for multi-agent systems is proposed and studied. We assume an attacker, as an agent, who can accumulate and exploit knowledge about other agents. This will be done by observation function and security property called process opacity. Unfortunately, this property is undecidable in general, so we propose its more realistic variant based on tests and testing. Here we consider systems to be secure if they cannot be compromised by a given test or set of tests. In the end, we state a decidability result for security testing. Keywords: multi-agent systems, process algebras, information flow, se- curity, testing 1 Introduction Formal methods play an important role to guarantee software quality. On the other side their application is frequently either rather expensive or practically impossible due to complexity issues. On top of these there are properties which cannot be formally verified in general due to their undecidability. In such cases, tests and testing offer a more realistic approach. In this paper, we address security properties of systems, particularly multi- agent (MAS). We consider an attacker, as one of agents, who can accumulate some knowledge on the behaviour of other agents. We propose corresponding se- curity properties and means how to test these properties. In a sense, we combine formal verification with testing. The presented approach combines several ideas emerged from the security theory. We exploit an idea (of an absence) of infor- mation flow between public and private system’s behaviour (see [GM82]). This concept has been exploited many times in various formalisms. For example, the security property called Bisimulation Strong Nondeterministic Non-Interference requires that it cannot be distinguished (by means of bisimulation) between for- bidding and hiding of private actions. In [Gru13] we have exploited this idea, but we weaken it by requiring that forbidding and the hiding of the private ac- tions cannot be distinguished by a given test, i.e. we exploit a kind of testing equivalence (see also [NH84,SL95]). ? Work supported by the grant VEGA 1/0778/18. Copyright c 2019 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). Here we start with security concept called opacity. To explain the opacity principle, let’s suppose that we have some property φ over sequences of actions. Such property might be an execution of one or more classified actions, an ex- ecution of actions in a particular classified order which should be kept hidden, etc. We would like to know whether an observer can deduce the validity of the property φ just by partially observing (not all actions are visible) sequences of actions (traces) performed by the given process. The observer cannot deduce the validity of φ if there are two traces w, w0 such that φ(w) ∧ ¬φ(w0 ) holds and the traces cannot be distinguished by the observer. In [Gru15] opacity is modified (the result is called process opacity) in such a way that instead of a process’ traces we focus on properties of reachable states and attackers which can see only some process’s actions. Hence we assume an intruder who is not primarily interested in whether some sequence of actions performed by a given process has some given property but we consider an intruder who wants to discover whether this process reaches a state which satisfied some given (classified) predicate. It turned out that in this way we could capture many new security flaws. On the other hand some security flaws, particularly important for multi-agent systems, are not covered by this state-based security property neither by its variant called an initial state opacity or infinite studied in [Gru17,GR19b]. In this paper we extend process opacity to reflect attackers which can ac- cumulate some knowledge about other system’s behaviour. This approach is particularly appealing for multi-agent systems where one of the agents could be an attacker. Qualitative security properties are often criticized for being either too restrictive or too benevolent. For example, a standard access control process should be considered insecure even if there always exists some (even very small) information flow which could help an attacker who tries to learn a password. By every attempt an attacker can learn, at least, what is not the correct one. There are several ways to overcome these disadvantages i.e. either quantify information flow or put some restrictions on attacker’s capabilities. An amount of leaked in- formation could be expressed by means of the Shannon’s information theory as it was done, for example, in [CHM07,CMS09] for simple imperative languages. In this way we can obtain quantification of information flow either as a number of bits of private information which could leak or as a probability that an intruder can learn some secrete property. Here we exploit a different approach. We define tests and testing of security properties. Hence instead of requiring general secu- rity we require security with respect to a given set of tests. Each test represents a possible scenario of an attacker as well his or her capabilities. For example, an access control system with strong password policy should be considered rea- sonable secure with respect to a ”small” attackers (tests), which can try only a few passwords. Moreover, testing allow us, besides other advantages, to express security of a system with respect to size of the test which could jeopardize its security. Hence the resulting level of security gives us relevant information on real (practical) system’s security. In this paper we also exploit an idea of observation function which express a capability of an attacker to accumulate some knowledge over MAS behaviour. Attacker’s observations may not be just simple ones, say that some actions are visible for her and others are not (see [GR19a]). Visibility of a particular action could depend on previous actions as well. Hence the presented testing approach is strictly stronger then that of [Gru11], which is based on simple process’s observations. Contribution of the work can be summarized as follows: 1. definition of secu- rity with respect to a given test, 2. modeling observations by processes, 3. mod- eling predicates by processes, 4. reducing security checking to process’s traces checking, 5. decidability results, for practically the most interesting, finite states processes. The paper is organized as follows. Our working formalism is introduced in Section 2. In Section 3 we describe information flow security properties of inter- est. In Sections 4 we define tests and testing and in Section 5 we relate testing and security. 2 Working Formalism As an working formalism we will use Milner’s CCS (see [Mil89]). Let A be a se of atomic action symbols not containing symbols τ and such that for every a ∈ A there exists a ∈ A and a = a. We define Act = A ∪ {τ }. We assume that a, b, u, v . . . range over A, x, y, . . . range over Act, For s = x1 .x2 . . . . .xn , xi ∈ Act s x x xn we write P → instead of P →1 →2 . . . → and we say that s is a trace of P . The set of all traces of P will be denoted by T r(P ). By we will denote the empty sequence of actions, by Succ(P ) we will denote the set of all successors s of P i.e. Succ(P ) = {P 0 |P → P 0 , s ∈ Act∗ }. If the set Succ(P ) is finite we x say that P is a finite state process. We define modified transitions ⇒M which x 0 ”hide” actions from M . Formally, we will write P ⇒M P for M ⊆ Act iff s1 x s2 s x x xn P → →→ P 0 for s1 , s2 ∈ M ? and P ⇒M instead of P ⇒1 M ⇒2 M . . . ⇒ M . We will x x x write P ⇒M if there exists P 0 such that P ⇒M P 0 . We will write P ⇒M P 0 b x instead of P ⇒M P 0 if x ∈ M . Note that ⇒M is defined for arbitrary action x but in definitions of security properties we will use it for actions (or sequence of actions) not belonging to M . We can extend the definition of ⇒M for sequences s of actions similarly to →. By s|B we will denote the sequence obtained from s by removing all actions not belonging to B. We define two equivalences which are modifications of trace equivalence and weak bisimulation, respectively (see [Mil89]). Definition 1. The set of weak traces of process P with respect to the set M, M ⊆ s A is defined as T rwM (P ) = {s ∈ A? |∃P 0 .P ⇒M P 0 }. Instead of T rw∅ (P ) we will write T rw (P ). Two processes P and Q are weakly trace equivalent with respect to M (P ≈wM Q) iff T rwM (P ) = T rwM (Q). We will write ≈w instead of ≈w∅ . Definition 2. Let (Act, Act, →) be a labelled transition system (LTS). A rela- tion < ⊆ Act × Act is called a M-bisimulation if it is symmetric and it satisfies x the following condition: if (P, Q) ∈ < and P → P 0 , x ∈ Act then there exists a x process Q0 such that Q ⇒M Q0 and (P 0 , Q0 ) ∈ <. Two processes P, Q are M- b bisimilar, abbreviated P ≈M Q, if there exists a M-bisimulation relating P and Q. 3 Opacity To formalize an information flow we do not divide actions into public and private ones at the system description level, as it is done for example in [GM04,BG04], but we use a more general concept of observation and opacity. This concept was exploited in [BKR04] and [BKMR06] in a framework of Petri Nets and transition systems, respectively. Firstly we define observation function on sequences from Act? . Definition 3 (Observation). Let Θ be a set of elements called observables. Any function O : Act? → Θ? is an observation function. It is called static /dynamic /orwellian / m-orwellian (m ≥ 1) if the following conditions hold respectively (below we assume w = x1 . . . xn ): – static if there is a mapping O0 : Act → Θ ∪ {} such that for every w ∈ Act? it holds O(w) = O0 (x1 ) . . . O0 (xn ), – dynamic if there is a mapping O0 : Act? → Θ ∪ {} such that for every w ∈ Act? it holds O(w) = O0 (x1 ).O0 (x1 .x2 ) . . . O0 (x1 . . . xn ), – orwellian if there is a mapping O0 : Act × Act? → Θ ∪ {} such that for every w ∈ Act? it holds O(w) = O0 (x1 , w).O0 (x2 , w) . . . O0 (xn , w), – m-orwellian if there is a mapping O0 : Act × Act? → Θ ∪ {} such that for every w ∈ Act? it holds O(w) = O0 (x1 , w1 ).O0 (x2 , w2 ) . . . O0 (xn , wn ) where wi = xmax{1,i−m+1} .xmax{1,i−m+1}+1 . . . xmin{n,i+m−1} . In the case of the static observation function each action is observed inde- pendently from its context. In the case of the dynamic observation function an observation of an action depends on the previous ones, in the case of the orwellian and m-orwellian observation function an observation of an action depends on the all and on m previous actions in the sequence, respectively. The static observa- tion function is the special case of m-orwellian one for m = 1. Note that from the practical point of view the m-orwellian observation functions are the most interesting ones. An observation expresses what an observer - eavesdropper can see from a system behavior and we will alternatively use both the terms (obser- vation - observer) with the same meaning. Note that the same action can be seen differently during an observation (except static observation function) and this express a possibility to accumulate some knowledge by intruder. For example, an action not visible at the beginning could become somehow observable. Now suppose that we have some security property. This might be an execution of one or more classified actions, an execution of actions in a particular classified order which should be kept hidden, etc. Suppose that this property is expressed by predicate φ over process traces. We would like to know whether an observer can deduce the validity of the property φ just by observing sequences of actions from Act? performed by given process. The observer cannot deduce the validity of φ if there are two traces w, w0 ∈ Act? such that φ(w), ¬φ(w0 ) and the traces cannot be distinguished by the observer i.e. O(w) = O(w0 ). We formalize this concept by opacity. Definition 4 (Opacity). Given process P , a predicate φ over Act? is opaque w.r.t. the observation function O if for every sequence w, w ∈ T r(P ) such that φ(w) holds and O(w) 6= , there exists a sequence w0 , w0 ∈ T r(P ) such that ¬φ(w0 ) holds and O(w) = O(w0 ). The set of processes for which the predicate φ is opaque with respect to O will be denoted by OpφO . A predicate is opaque if for any trace of a system for which it holds, there exists another trace for which it does not hold and the both traces are indistin- guishable for an observer (which is expressed by an observation function). This means that the observer (intruder) cannot say whether a trace for which the predicate holds has been performed or not. 4 Process Opacity Now let us assume a different scenario, namely that an intruder is not interested in traces and their properties but he or she tries to discover whether a given process has reached a state with some given property which is expressed by a (total) predicate. This property might be process deadlock, capability to execute only traces with some given actions, capability to perform at the same actions form a given set, incapacity to idle (to perform τ action ) etc. We do not put any restriction on such predicates but we only assume that they are consistent with some suitable behavioral equivalence. The formal definition follows. Definition 5. We say that the predicate φ over processes is consistent with respect to relation ∼ = if whenever P ∼ = P 0 then φ(P ) ⇔ φ(P 0 ). As the consistency relation ∼ = we could take bisimulation (≈∅ ), weak bisim- ulation (≈{τ } ) or any other suitable equivalence. . Definition 6 (Process Opacity). Given process P , a predicate φ over pro- w cesses is process opaque w.r.t. the observation function O whenever P → P 0 for w0 w ∈ Act∗ and φ(P 0 ) holds then there exists P 00 such that P → P 00 for some w0 ∈ Act∗ and ¬φ(P 00 ) holds and moreover O(w) = O(w0 ). The set of processes for which the predicate φ is process opaque w.r.t. to the O will be denoted by P OpφO . Schematically, Fig. 1 depicts process opacity. In [Gru15]) process opacity is defined for static observational function, namely a set of public actions which can w P =⇒ φ(P 0 ) O(w) k w0 P =⇒ ¬φ(P 00 ) O(w0 ) Fig. 1. Process opacity with respect to O be observed and a set of hidden (not necessarily private) actions are assumed. s To model such observations we exploit the relation ⇒M where actions from M are those ones which could not be seen by the observer. Definition 7. Given process P , a predicate φ over processes is process opaque s w.r.t. the set M if whenever P ⇒M P 0 for s ∈ (Act \ M )∗ and φ(P 0 ) holds then s there exists P 00 such that P ⇒M P 00 and ¬φ(P 00 ) holds. The set of processes for which the predicate φ is process opaque w.r.t. to the M will be denoted by P OpφM . Schematically, Fig. 2 depicts process opacity e w.r.t. the set M . Note that if P ∼ φ φ = P 0 then P ∈ P OpM ⇔ P 0 ∈ P OpM whenever φ is consistent with respect to ∼ = and ∼ = is such that it is a subset of the trace equivalence (defined as 'w s s but instead of ⇒{τ } we use ⇒∅ ). s P =⇒M φ(P 0 ) s P =⇒M ¬φ(P 00 ) Fig. 2. Process opacity with respect to M A relation between these two security properties is stated by the following lemma. Lemma 1. Let O : Act → Act such that O(x) = iff x ∈ M and O(x) = x otherwise. Then P ∈ P OpφO iff P ∈ P OpφM . Proof. Directly from Definitions 6 and 7. The process opacity is defined for arbitrary predicates and observation func- tions. Now we will reformulate it for those ones which can be expressed by process algebras. Firstly we start with observation function O . Suppose that Act ∩ Θ = ∅. We extend the set of actions A by Θ and we model O by a special process. Definition 8. Process O is called process definition of observation function O s o if for every P and s ∈ Act∗ it holds P −→ P 0 iff (P |O) \ A ⇒ (P 0 |O0 ) \ A for ∗ o ∈ Θ such that O(s) = o. Some observation function cannot be computed at all (we can prove this by defining a function which returns a specific symbol if a given Turing machine halts). But some observation functions can be emulated by finite state processes as it is stated by the following lemma. Lemma 2. For any static or m-orwellian observation functions O there exists finite state process O which is process definition of observation function O. Proof. Sketch. Any static or m-orwellian observation function can be simulated by finite-state transducer which can be simulated by finite state process. Note that also some dynamic and orwellian observation function can be de- fined by finite state systems in a case that their computation does not need an unlimited memory. Now we can relate observation functions defined by processes with the defi- nition of process opacity. o Lemma 3. Let for every o ∈ Θ∗ such that (P |O) \ A ⇒ (P 0 |O0 ) \ A and φ(P 0 ) o holds there exists P 00 such that (P |O) \ A ⇒ (P 00 |O0 ) \ A such that ¬φ(P 00 ) holds. φ Then P ∈ P OpO and vice versa. Proof. Directly from Definitions 6 and 8. An observation function defines what an attacker can see from process be- haviour. One attacker could see more that another attacker. There are several ways how to express this situation. In the following definition we suppose that the set of observables for one attacker is a subset of observables of another at- tacker. This gives an ordering between observation functions. Definition 9. Let O1 , O2 are two observation functions with the common set of observables Θ. We define ordering between them (denoted by ≺) as follows. O1 ≺ O2 iff for every w, w ∈ Act∗ we have O1 (w)|U = O2 (w) for some set U, U ⊆ Θ. Lemma 4. Let O1 , O2 are two observation functions such that O1 ≺ O2 . Then for every w, w ∈ Act∗ it holds that O1 (w) = O1 (w0 ) implies O2 (w) = O2 (w0 ). Proof. Let O1 (w) = O1 (w0 ). Then also O1 (w)|U = O1 (w0 )|U for arbitrary U . Since O1 ≺ O2 we have O1 (w)|U = O2 (w) and O1 (w0 )|U = O2 (w0 ) i.e. O2 (w) = O2 (w0 ). The ordering between observation functions corresponds to stronger and weaker process opacity properties as it is stated by the following lemma. Lemma 5. Let O1 , O2 are two observation functions such that O1 ≺ O2 . Then P OpφO1 ⊆ P OpφO2 . Proof. Main idea. Let P ∈ P OpφO1 Then from Definitions 6 we know that when- w ever P → P 0 for w ∈ Act∗ and φ(P 0 ) holds then there exists P 00 such that w0 P → P 00 for some w0 ∈ Act∗ and ¬φ(P 00 ) holds and moreover O1 (w) = O1 (w0 ). But since O1 ≺ O2 we have by the previous lemma also O2 (w) = O2 (w0 ) and hence P ∈ P OpφO2 . The ordering on observation functions could be related to the relations ⇒M as it is stated by the following Lemma. Lemma 6. Let O1 , O2 are process definitions of observation functions O1 , O2 , o respectively and O1 ≺ O2 . Then for every P and o ∈ Θ∗ it holds (P |O1 ) \ A ⇒ 0 0 o 0 0 (P |O1 ) \ A iff (P |O2 ) \ A ⇒U (P |O2 ) \ A for some U, U ⊆ Θ. Proof. Sketch. Since O1 ≺ O2 from Definition 9 we have O1 (w)|U = O2 (w) for some set U, U ⊆ Θ. And from Definition 8 we have translation of this fact of this to traces. Note that there also other possibilities how to order intruders with respect to their capabilities to observe processes behaviour expressed by observation func- tion. For example, observation of one attacker can be included in observations of another one, one attacker cannot see completely something which can be seen by another one etc. We leave investigations of such orderings to future work. 5 Testing Process opacity is undecidable property, since its special variant (see Definition 7) is undecidable (see [Gru15]). Undecidability results from many factors, one of them is too general notion of observer’s capabilities. Now we use a concept of testing, which will help us to define security with respect to given test or set of tests. A test examines process’s capability to perform some set of actions. It is required that every sequence of test’s actions should be emulated also by tested process i.e. for a test T and tested process P it should hold T rw (PT ) ⊆ T rw (P ) where PT is behavior of P under the test T . But since we will later incorporate also visibility of such traces as well as properties of resulting processes we need a more elaborated definition of testing. We suppose that a test communicates with tested process by means of new alternative actions, which are original ones just indexed by a (i.e. alternative actions to x, y, z are depicted as xa , ya , ya ). The formal definition follows. Definition 10. Process T is called a test for process P iff T rw ((T |P [f ]) \ Aa ) ⊆ T rw (P ) where f maps every action of Sort(P ) to its alter ego, depicted by index a. Alter age actions will be denoted by Aa . In the following example we present a test which examines all process traces. P Example 1. Let T = µX. x∈A (x.x̄a .X + x̄.xa .X). Then we have T rw ((T |P [f ])\ Aa ) = T rw (P ) for every P and hence T will be called a simple complete test. Now we are prepared for combining testing with observation functions. It reduces general process opacity to property which requires that for an ob- server/tester, expressed by T , tested process P is secure. Definition 11. Let process O is a process definition of observation function O and T is the test of process P . We say that P pass test T under O and φ o (denoted by P ∈ P OpφO (T )) iff if for every o ∈ Θ∗ it holds ((T |P [f ]) Aa |O)\A ⇒ ((T 0 |P 0 [f ]) Aa |O0 )\A and φ(P 0 ) holds there exists P 00 such that ((T |P [f ]) Aa |O)\ o A ⇒ ((T 0 |P 00 [f ]) Aa |O0 ) \ A such that ¬φ(P 00 ) holds. Testing by test T and observation function defined by process O is depicted by Fig. 3. Actions of process P are firstly tested by T and its sequence of actions and then the same sequence is taken as an input for O to produce its visible part, i.e. as a sequence of observables from Θ. O T P - - Fig. 3. Testing scenario If a process P is process opaque with respect to φ and O then it should be process opaque with respect to any test T as its is stated by the following Lemma. Lemma 7. Let process O is process definition of observation function O, test T of process P and P ∈ P OpφO . Then P pass test T under O. Proof. Directly from Definitions 6 and 11. Now we can show how a natural ordering between tests defines ordering on security of processes with respect to process opacity. Lemma 8. Let T1 , T2 are two tests for process P such that T r(T1 ) ⊆ T r(T2 ). Then if P ∈ P OpφO (T2 ) then P ∈ P OpφO (T1 ). Proof. Sketch. Let P ∈ P OpφO (T2 ) i.e. it has to pass test T2 which represents, basically a set of traces. Since test T1 produces less traces it has to pass also this test and hence P ∈ P OpφO (T1 ). As a direct consequence of the previous Lemma we have the following one. Lemma 9. Let T1 , T2 are two tests for process P . Then if P ∈ P OpφO (T1 + T2 ) then P ∈ P OpφO (T1 ) and P ∈ P OpφO (T2 ). Proof. The proof follows from the previous Lemma and facts that T r(T1 ) ⊆ T r(T1 + T2 ) and T r(T2 ) ⊆ T r(T1 + T2 ). A property similar to the one expressed by Lemma 8 holds for predicates i.e. security with respect to weaker predicate implies security with respect to stronger one. Lemma 10. Let φ1 , φ2 are two predicates such that φ1 ⇒ φ2 and T is a test for process P . Then if P ∈ P OpφO2 (T ) then P ∈ P OpφO1 (T ). w Proof. Let P ∈ P OpφO2 (T ) and let P → P 0 for w ∈ Act∗ and φ1 (P 0 ) holds. Since φ1 ⇒ φ2 then also φ2 (P 0 ) holds and since P ∈ P OpφO2 (T ) there exists w0 P 00 such that P → P 00 for some w0 ∈ Act∗ and ¬φ2 (P 00 ) holds and moreover O(w) = O(w0 ). Again since ¬φ2 ⇒ ¬φ1 then also ¬φ1 (P 00 ) holds and hence P ∈ P OpφO1 (T ). Now we show how checking of process opacity could be reduced to checking of standard process algebra properties. Firstly we define also a predicate over processes by a special process. Definition 12. Predicate φ is called process√ definable if there exists a process √ √ Pφ such that φ(P ) holds iff (P |Pφ ) \ A ⇒ where is a new action 6∈ A. Process Pφ is called process definition of φ. Example 2. Let φ(Q) holds of QP can once perform action a then later P action b. 0 0 Process √ P φ defined as P φ = µX. x6 =a x.X + a.P , where P = µX. x6=b x.X + b. .N il is process definition of φ. Now we can reduce process opacity checking to checking of trace inclusion as it is stated by the following theorem. Theorem 1. Let O, Pφ , P¬φ are process definitions of observation functions O and predicates √ φ, ¬φ, respectively. Then√P ∈ P OpφO iff for every o ∈ Θ∗ it holds that if o. ∈ T rw (P |O|Pφ ) \ A then o. ∈ T rw (P |O|P¬φ ) \ A. Proof. The proof follows from Definitions 6, 8 and 12. Now, thank to the above mention reduction, we can obtain decidable variant for process opacity. Theorem 2. Let O, T, Pφ , P¬φ are finite state process definitions of observa- tion functions O, test and predicates φ, ¬φ, respectively. Then process opacity is decidable for any finite state test. Proof. Sketch. The proof follows from Definitions 6, 8 and 12 and Theorem 1. The security property process opacity expects an attacker who can just ob- serve process’ traces but cannot interact with the process. In many cases this does not cover real attacks and attackers, particularly in the case of multi-agent systems where a possible attacker could be one of the agents. Hence we gener- alize process opacity in such a way that also every successor of a process has to be process opaque as well. The formal definition follows. Definition 13 (Persistent Process Opacity). We say that process P is per- sistently process opaque w.r.t. the observation function O and φ if Succ(P ) ⊆ P P OpφO . Proposition 1. P P OpφO ⊆ P OpφO for every φ and O. Moreover, there exist φ and O such that P P OpφO ⊂ P OpφO . Proof. The main idea. Let P ∈ P P OpφO . Then directly from Definition 13 we have that P ∈ P OpφO . To show that the inclusion is proper let us assume the following example. Let P = a.b.b.N il +a.c.c.N il, an observation function O such that O(a) = a, O(b) = O(c) = and predicate φ such that φ(Q) hold iff Q can perform a or b. Then P ∈ P OpφO but P 6∈ P P OpφO since b.b.N il 6∈ P OpφO . For persistent process opacity similar properties as for process opacity but some modifications are needed. For example, in Lemma 8 we have to replace trace inclusion by simulation, what is an asymmetric variant of bisimulation. 6 Conclusions We have presented the security concept called process opacity and its stronger variant persistent process opacity. We show how to model observation functions, which express capability to observe a system as well as capabilities to accumulate some knowledge on its behaviour as well as security predicates by processes. We have proposed a way how to (partially) verify these properties by means of tests and testings. Each test represents a scenario for an attacker as well his or her capabilities. Instead of verifying process opacity we define system security with respect to a given set of tests. We have shown, that under some restriction, this testing is feasible or at least decidable. As future work, we plan to define and study a minimal set of tests which are necessary to be passed to guarantee some security property. In this way we would simplify overall testing. Moreover we plan to work with different ordering on observation functions as well as tests. The presented approach allows us to exploit also process algebras enriched by operators expressing other ”parameters” (space, distribution, networking ar- chitecture, processor or power consumption and so on). Hence we could obtain security properties which have even higher practical value. References [BKR04] Bryans J., M. Koutny and P. Ryan: Modelling non-deducibility using Petri Nets. Proc. of the 2nd International Workshop on Security Issues with Petri Nets and other Computational Models, 2004. [BKMR06] Bryans J., M. Koutny, L. Mazare and P. Ryan: Opacity Generalised to Transition Systems. In Proceedings of the Formal Aspects in Security and Trust, LNCS 3866, Springer, Berlin, 2006. [BG04] Busi N. and R. Gorrieri: Positive Non-interference in Elementary and Trace Nets. Proc. of Application and Theory of Petri Nets 2004, LNCS 3099, Springer, Berlin, 2004. [CHM07] Clark D., S. Hunt and P. Malacaria: A Static Analysis for Quantifying the Information Flow in a Simple Imperative Programming Language. The Journal of Computer Security, 15(3). 2007. [CMS09] Clarkson, M.R., A.C. Myers, F.B. Schneider: Quantifying Information Flow with Beliefs. Journal of Computer Security, to appear, 2009. [NH84] De Nicola R. and M. C. B. Hennessy: Testing Equivalences for Processes, Theoretical Computer Science, 34, 1984. [GM04] Gorrieri R. and F. Martinelli: A simple framework for real-time crypto- graphic protocol analysis with compositional proof rules. to appear at Sci- ence of Computer Programing. [GM82] Goguen J.A. and J. Meseguer: Security Policies and Security Models. Proc. of IEEE Symposium on Security and Privacy, 1982. [GR19a] Gruska D.P and M. C. Ruiz: Security Testing for Multi-Agent Systems. IWANN 2019, LNCS 11506, Springer, 2019. [GR19b] Gruska D.P and M. C. Ruiz: Security of Low Level IoT. ICCS 2019, LNCS 11538, Springer, 2019. [Gru18] Gruska D.P and M. C, Ruiz: Opacity-enforcing for Process Algebras. CS&P’2018, 2018. [Gru17] Gruska D.P and M. C, Ruiz: Initial process security. in Specification and Verification CS&P’2017, 2017. [Gru15] Gruska D.P.: Process Opacity for Timed Process Algebra. In Perspectives of System Informatics, LNCS 8974, 2015. [Gru13] Gruska D.P.: Information flow testing Fundamenta Informaticae. - Vol. 128, No. 1-2 (2013). [Gru11] Gruska D.P.: Gained and Excluded Private Actions by Process Observa- tions. Fundamenta Informaticae. - Vol. 109, No. 3 (2011). [Mil89] Milner, R.: Communication and concurrency. Prentice-Hall International, New York,1989. [SL95] Segala R. and N. Lynch: Probabilistic Simulations for Probabilistic Pro- cesses. Nord. J. Comput. 2(2): 250-273, 1995.