Skip to main content
SpringerLink
Log in
Book cover

International Symposium on Engineering Secure Software and Systems

ESSoS 2014: Engineering Secure Software and Systems pp 45–59Cite as

Automated Formal Verification of Application-specific Security Properties

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 8364))

Abstract

In the past, formal verification of security properties of distributed applications has been mostly targeted to security protocols and generic security properties, like confidentiality and authenticity.

At ESSOS 2010, Moebius et. al. presented an approach for developing Java applications with formally verified application-specific security properties. That method, however, is based on an interactive theorem prover, which is not automatic and requires considerable expertise. This paper shows that a similar result can be achieved in a fully automated way, using a different model-driven approach and state-of-the-art automated verification tools. The proposed method splits the verification problem into two independent sub-problems using compositional verification techniques and exploits one tool for analyzing the security protocol under active attackers and another tool for verifying the application logic. The same case study that was verified in the previous work is used here in order to show how the new approach works.

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Patel, R., Borisaniya, B., Patel, A., Patel, D., Rajarajan, M., Zisman, A.: Comparative analysis of formal model checking tools for security protocol verification. In: Meghanathan, N., Boumerdassi, S., Chaki, N., Nagamalai, D. (eds.) CNSA 2010. CCIS, vol. 89, pp. 152–163. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  2. Visser, W., Havelund, K., Brat, G., Park, S., Lerda, F.: Model checking programs. Automated Software Engg. 10(2), 203–232 (2003)

    Article  Google Scholar 

  3. Moebius, N., Stenzel, K., Reif, W.: Formal verification of application-specific security properties in a model-driven approach. In: Massacci, F., Wallach, D., Zannone, N. (eds.) ESSoS 2010. LNCS, vol. 5965, pp. 166–181. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  4. Blanchet, B.: An Efficient Cryptographic Protocol Verifier Based on Prolog Rules. In: 14th IEEE workshop on Computer Security Foundations, p. 82 (2001)

    Google Scholar 

  5. Avalle, M., Pironti, A., Sisto, R., Pozza, D.: The Java SPI framework for security protocol implementation. In: Sixth International Conference on Availability, Reliability and Security (ARES), pp. 746–751 (2011)

    Google Scholar 

  6. Avalle, M., Pironti, A., Sisto, R.: Formal verification of security protocol implementations: a survey. In: Formal Aspects of Computing (to appear)

    Google Scholar 

  7. Bella, G., Massacci, F., Paulson, L.C.: Verifying the SET purchase protocols. J. Autom. Reason. 36(1-2), 5–37 (2006)

    Article  MATH  Google Scholar 

  8. Nipkow, T., Paulson, L.C., Wenzel, M.T.: Isabelle/HOL. LNCS, vol. 2283. Springer, Heidelberg (2002)

    Book  MATH  Google Scholar 

  9. Borek, M., Moebius, N., Stenzel, K., Reif, W.: Model-driven development of secure service applications. In: Proceedings of the 35th Annual IEEE Software Engineering Workshop (SEW), pp. 62–71. IEEE (2012)

    Google Scholar 

  10. Borek, M., Moebius, N., Stenzel, K., Reif, W.: Model checking of security-critical applications in a model-driven approach. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) SEFM 2013. LNCS, vol. 8137, pp. 76–90. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  11. Armando, A., et al.: The AVANTSSAR platform for the automated validation of trust and security of service-oriented architectures. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 267–282. Springer, Heidelberg (2012)

    Chapter  Google Scholar 

  12. Jürjens, J.: Developing high-assurance secure systems with UML: a smartcard-based purchase protocol. In: 8th IEEE International Conference on High Assurance Systems Engineering, pp. 231–240 (2004)

    Google Scholar 

  13. Gunawan, L.A., Kraemer, F.A., Herrmann, P.: A tool-supported method for the design and implementation of secure distributed applications. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds.) ESSoS 2011. LNCS, vol. 6542, pp. 142–155. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  14. Gunawan, L.A., Herrmann, P.: Compositional verification of application-level security properties. In: Jürjens, J., Livshits, B., Scandariato, R. (eds.) ESSoS 2013. LNCS, vol. 7781, pp. 75–90. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  15. Dolev, D., Yao, A.C.C.: On the security of public key protocols. IEEE Transactions on Information Theory 29(2), 198–207 (1983)

    Article  MATH  MathSciNet  Google Scholar 

  16. Pozza, D., Sisto, R., Durante, L.: Spi2Java: automatic cryptographic protocol Java code generation from spi calculus. In: 18th International Conference on Advanced Information Networking and Applications, 2004, vol. 1, pp. 400–405 (2004)

    Google Scholar 

  17. Pironti, A., Sisto, R.: Provably correct Java implementations of Spi Calculus security protocols specifications. Computers & Security 29, 302–314 (2010)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Dipartimento di Automatica e Informatica, Politecnico di Torino, Italy

    Piergiuseppe Bettassa Copet & Riccardo Sisto

Authors
  1. Piergiuseppe Bettassa Copet
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Riccardo Sisto
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, Technical University Dortmund, Otto-Hahn-Strasse 14, 44221, Dortmund, Germany

    Jan Jürjens

  2. Department of Computer Science, KU Leuven, Celestijnenlaan 200A, 3001, Heverlee, Belgium

    Frank Piessens

  3. Inria Sophia Antipolis – Mediterranee, 2004 route des Lucioles, B.P. 93, 06902, Sophia Antipolis Cedex, France

    Nataliia Bielova

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Bettassa Copet, P., Sisto, R. (2014). Automated Formal Verification of Application-specific Security Properties. In: Jürjens, J., Piessens, F., Bielova, N. (eds) Engineering Secure Software and Systems. ESSoS 2014. Lecture Notes in Computer Science, vol 8364. Springer, Cham. https://doi.org/10.1007/978-3-319-04897-0_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-04897-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-04896-3

  • Online ISBN: 978-3-319-04897-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation