A verification approach to applied system security Special section on formal methods for industrial critical systems First Online: 25 January 2005 DOI:
Cite this article as: Brucker, A. & Wolff, B. Int J Softw Tools Technol Transfer (2005) 7: 233. doi:10.1007/s10009-004-0176-3 Abstract
We present a method for the security analysis of realistic models over off-the-shelf systems and their configuration by formal, machine-checked proofs. The presentation follows a large case study based on a formal security analysis of a CVS-Server architecture.
The analysis is based on an abstract architecture (enforcing a role-based access control), which is refined to an implementation architecture (based on the usual discretionary access control provided by the POSIX environment). Both architectures serve as a skeleton to formulate access control and confidentiality properties.
Both the abstract and the implementation architecture are specified in the language Z. Based on a logical embedding of Z into Isabelle/HOL, we provide formal, machine-checked proofs for consistency properties of the specification, for the correctness of the refinement, and for security properties.
Keywords Verification Security Refinement POSIX Z References
Brucker AD, Rittinger F, Wolff B (2002) A CVS-Server security architecture – concepts and formal analysis. Technical Report 182, Albert-Ludwigs-Universität, Freiburg, Germany
Brucker AD, Rittinger F, Wolff, B (2003) HOL-Z 2.0: A proof environment for Z-specifications. J Univers Comput Sci 9(2):152–172
Cederqvist P et al (2000) Version management with CVS. http://www.cvshome.org/docs/manual/
Fogel K, Bar M (2003) Open source development with CVS. Paraglyph Press, Phoenix, AZ
Frisch AE (1995) Essential System Administration. O’Reilly, Sebastopol, CA
Garlan D, Shaw M (1993) An introduction to software architecture. In: Advances in software engineering and knowledge engineering, World Scientific, Singapore, pp 1–39
Gordon MJC, Melham TF (1993) Introduction to HOL. Cambridge University Press
Jürjens J (2001) Secrecy-preserving refinement. In: Formal Methods Europe (FME). Lecture notes in computer science, vol 2021. Springer, Berlin Heidelberg New York
Nipkow T, Paulson LC, Wenzel M (2002) Isabelle/HOL – A proof assistant for higher-order logic. Lecture notes in computer science, vol 2283. Springer, Berlin Heidelberg New York
Paulson LC (1998) The inductive approach to verifying cryptographic protocols. J Comput Secur 6:85–128
CrossRef Google Scholar
Roscoe A (1998) Theory and practice of concurrency. Prentice Hall, Upper Saddle River, NJ
Sandhu R, Ahn G-J (1998) Decentralized group hierarchies in UNIX: an experiment and lessons learned. In: Conference on national information systems security, pp 486–502
Sandhu RS, Coyne EJ, Feinstein HL, Youman CE (1996) Role-based access control models. IEEE Comput 29(2):38–47
CrossRef Google Scholar
Santen T, Heisel M, Pfitzmann A (2002) Confidentiality-preserving refinement is compositional – sometimes. In: ESORICS. Lecture notes in computer science, vol 2502. Springer, Berlin Heidelberg New York, pp 194–211
Shaw M, Garlan D (1996) Software architecture: perspectives on an emerging discipline. Prentice Hall, Upper Saddle River, NJ
Spivey JM (1992) The Z notation: a reference manual. Prentice Hall, Upper Saddle River, NJ.
The Open Group, IEEE (2002) The Single UNIX Specification Version 3. [Supersedes “Single UNIX Specification Version 2” (Unix 98) and “IEEE Standard 1003.1-2001” (POSIX.1)]
Woodcock J, Davies J (1996) Using Z: specification, refinement, and proof. Prentice Hall, Upper Saddle River, NJ. http://www.usingz.com/