Security of multi-agent systems: A case study on comparison shopping

This article uses a comparison-shopping scenario to introduce a general methodology for formally verifying the security of multi-agent systems. Following the approach of possibilistic information flow security, the flow of information between and within agents is restricted in order to ensure that secrets will not be disclosed to unauthorized meddlers. The security requirements for the overall system are then decomposed into requirements for the individual agents that can be verified independently from each other. Exploiting the modular structure of a multi-agent system considerably reduces the complexity of the overall security analysis. The techniques for decomposing security requirements, for verifying individual agents, and for deriving global security guarantees for the entire system from locally verified properties are all generic in the sense that they apply also to many other systems and security requirements than the ones that appear in the example scenario.