Abstract
The Tokeneer project was an initiative set forth by the National Security Agency (NSA, USA) to be used as a demonstration that developing highly secure systems can be made by applying rigorous methods in a cost-effective manner. Altran UK was selected by NSA to carry out the development of the Tokeneer ID Station. The company wrote a Z specification later implemented in the SPARK Ada programming language, which was verified using the SPARK Examiner toolset. In this paper, we show that the Z specification can be readily and naturally encoded in the \(\{log\}\) set constraint language, thereby generating a functional prototype. Furthermore, we show that \(\{log\}\) ’s automated proving capabilities can discharge all the proof obligations concerning state invariants as well as important security properties. As a consequence, the prototype can be regarded as correct with respect to the verified properties. This provides empirical evidence that Z users can use \(\{log\}\) to generate correct prototypes from their Z specifications. In turn, these prototypes enable or simplify some verification activities discussed in the paper.
Similar content being viewed by others
Notes
We use ellipses to shorten the presentation.
These are the operation schemas whose names begin with TIS.
By explicit precondition we mean a precondition written down in the schema as opposed to the implicit preconditions ‘that arise from the interaction between the state invariant and the predicates that are explicit in the operation schema’ [31, page 54]. Implicit preconditions were made explicit and simplified as is customary when working with Z specifications. In general they are trivial; for example, asserting that an integer variable is nonnegative.
The prime symbol is not allowed as part of a variable name in Prolog+\(\{log\}\).
References
2011 Microsoft Research Verified Software Milestone Award: Janet Barnes and Rod Chapman for the Tokeneer project, https://sites.google.com/site/verifiedsoftwareinitiative/mrs-award/2011-award
Abdelhalim, I., Sharp, J., Schneider, S.A., Treharne, H.: Formal verification of Tokeneer behaviours modelled in fUML using CSP. In: Dong, J.S., Zhu, H. (eds.) Formal Methods and Software Engineering - 12th International Conference on Formal Engineering Methods, ICFEM 2010, Shanghai, China, November 17-19, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6447, pp. 371–387. Springer (2010), https://doi.org/10.1007/978-3-642-16901-4_25
Altran UK: Tokeneer software and project documents (2008), http://www.adacore.com/uploads/downloads/tokeneer.zip
Andréka, H., Givant, S.R., Németi, I.: Decision problems for equational theories of relation algebras, vol. 604. American Mathematical Soc. (1997)
Barnes, J., Chapman, R., Johnson, R., Widmaier, J., Cooper, D., Everett, B.: Engineering the Tokeneer enclave protection software. In: Proceedings of the IEEE International Symposium on Secure Software Engineering. IEEE (2006)
Barnes, J.: Tokeneer ID Station: Formal specification. Tech. rep., Altran Praxis (2008), http://www.adacore.com/uploads/downloads/tokeneer.zip, find it as /tokeneer/docs/41\_2\_Formal\_Functional\_Specification/41\_2.pdf inside tokeneer.zip
Barnes, J.E.: Experiences in the industrial use of formal methods. Electron. Commun. Eur. Assoc. Softw. Sci. Technol. 46,(2011)
Betarte, G., Campo, J.D., Luna, C., Romano, A.: Formal analysis of Android’s permission-based security model. Sci. Ann. Comp. Sci. 26(1), 27–68 (2016). https://doi.org/10.7561/SACS.2016.1.27
Common Criteria Recognition Arrangement: Common criteria for information technology security evaluation, part 1: Introduction and general model, version 3.1. release 5. Tech. rep. (2017), https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf
Cooper, D.: Tokeneer ID Station: Security properties. Tech. rep., Altran Praxis (2008), http://www.adacore.com/uploads/downloads/tokeneer.zip, find it as /tokeneer/docs/40\_4\_Security\_Properties/40\_4.pdf inside tokeneer.zip
Cooper, D., Barnes, J.: Tokeneer ID Station EAL5 demonstrator: Summary report. Tech. rep., Altran Praxis (2008), https://www.adacore.com/uploads/downloads/Tokeneer_Report.pdf
Cooper, D., Everett, B., Johnson, R., Widmaier, J.: Security by construction – Engineering software to exceed EAL5. In: Proceedings of the Fourth Annual High Confidence Software and Systems Conference (2004)
Cristiá, M., Albertengo, P., Frydman, C.S., Plüss, B., Rodríguez Monetti, P.: Tool support for the test template framework. Softw. Test. Verif. Reliab. 24(1), 3–37 (2014)
Cristiá, M., Rossi, G.: A decision procedure for restricted intensional sets. In: de Moura, L. (ed.) Automated Deduction - CADE 26 - 26th International Conference on Automated Deduction, Gothenburg, Sweden, August 6-11, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10395, pp. 185–201. Springer (2017), https://doi.org/10.1007/978-3-319-63046-5_12
Cristiá, M., Rossi, G.: Programming in Java with restricted intensional sets. In: Cristiá, M., Delahaye, D., Dubois, C. (eds.) Proceedings of the 3rd International Workshop on Sets and Tools co-located with the 6th International ABZ Conference, SETS@ABZ 2018, Southamptom, UK, June 5, 2018. CEUR Workshop Proceedings, vol. 2199, pp. 17–31. CEUR-WS.org (2018), http://ceur-ws.org/Vol-2199/paper2.pdf
Cristiá, M., Rossi, G.: A set solver for finite set relation algebra. In: Desharnais, J., Guttmann, W., Joosten, S. (eds.) Relational and Algebraic Methods in Computer Science - 17th International Conference, RAMiCS 2018, Groningen, The Netherlands, October 29 - November 1, 2018, Proceedings. Lecture Notes in Computer Science, vol. 11194, pp. 333–349. Springer (2018), https://doi.org/10.1007/978-3-030-02149-8_20
Cristiá, M., Rossi, G.: Automated reasoning with restricted intensional sets. CoRR abs/1910.09118 (2019), http://arxiv.org/abs/1910.09118
Cristiá, M., Rossi, G.: Solving quantifier-free first-order constraints over finite sets and binary relations. J. Autom. Reason. 64(2), 295–330 (2020). https://doi.org/10.1007/s10817-019-09520-4
Cristiá, M., Rossi, G.: Automated proof of Bell-LaPadula security properties. J. Autom. Reason. 65(4), 463–478 (2021). https://doi.org/10.1007/s10817-020-09577-6
Cristiá, M., Rossi, G.: Automated reasoning with restricted intensional sets. J. Autom. Reason. (2021). https://doi.org/10.1007/s10817-021-09589-w
Cristiá, M., Rossi, G.: \(\{log\}\): Set formulas as programs. CoRR abs/2104.08130 (2021), https://arxiv.org/abs/2104.08130
Cristiá, M., Rossi, G., Frydman, C.S.: log as a test case generator for the Test Template Framework. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) SEFM. Lecture Notes in Computer Science, vol. 8137, pp. 229–243. Springer (2013)
Dovier, A., Piazza, C., Pontelli, E., Rossi, G.: Sets and constraint logic programming. ACM Trans. Program. Lang. Syst. 22(5), 861–931 (2000)
Dovier, A., Pontelli, E., Rossi, G.: Set unification. Theory Pract. Log. Program. 6(6), 645–701 (2006)
Evans, A.: An improved recipe for specifying reactive systems in Z. In: Bowen, J.P., Hinchey, M.G., Till, D. (eds.) ZUM ’97: The Z Formal Specification Notation, 10th International Conference of Z Users, Reading, UK, April 3-4, 1997, Proceedings. Lecture Notes in Computer Science, vol. 1212, pp. 275–294. Springer (1997), https://doi.org/10.1007/BFb0027293
Garavel, H., ter Beek, M.H., van de Pol, J.: The 2020 expert survey on formal methods. In: ter Beek, M.H., Nickovic, D. (eds.) Formal Methods for Industrial Critical Systems - 25th International Conference, FMICS 2020, Vienna, Austria, September 2-3, 2020, Proceedings. Lecture Notes in Computer Science, vol. 12327, pp. 3–69. Springer (2020), https://doi.org/10.1007/978-3-030-58298-2_1
Hall, A., Chapman, R.: Correctness by construction: developing a commercial secure system. IEEE Software 19(1), 18–25 (2002). https://doi.org/10.1109/52.976937
Holzbaur, C., Menezes, F., Barahona, P.: Defeasibility in CLP(Q) through generalized slack variables. In: Freuder, E.C. (ed.) Lecture notes in computer science, vol. 1118, pp. 209–223. Springer, Berlin (1996)
International Electrotechnical Commission: Functional safety of electrical/electronic/programmable electronic safety-related systems – part 1: General requirements. Tech. rep., International Electrotechnical Commission, https://webstore.iec.ch/preview/info_iec61508-1ed2.0b.pdf
Jackson, P.B., Passmore, G.O.: Proving SPARK verification conditions with SMT solvers. Tech. rep., University of Edinburgh (2009), http://homepages.inf.ed.ac.uk/pbj/papers/vct-dec09-draft.pdf
Jacky, J.: The way of Z: practical programming with formal methods. Cambridge University Press, New York, NY, USA (1996)
King, S., Hammond, J., Chapman, R., Pryor, A.: Is proof more cost-effective than testing? IEEE Trans. Software Eng. 26(8), 675–686 (2000). https://doi.org/10.1109/32.879807
Kuppe, M.A., Lamport, L., Ricketts, D.: The TLA+ toolbox. In: Monahan, R., Prevosto, V., Proença, J. (eds.) Proceedings Fifth Workshop on Formal Integrated Development Environment, F-IDE@FM 2019, Porto, Portugal, 7th October 2019. EPTCS, vol. 310, pp. 50–62 (2019), https://doi.org/10.4204/EPTCS.310.6
Lamport, L.: TLZ. In: Bowen, J.P., Hall, J.A. (eds.) Z User Workshop, Cambridge, UK, 29-30 June 1994, Proceedings. pp. 267–268. Workshops in Computing, Springer/BCS (1994), https://doi.org/10.1007/978-1-4471-3452-7_15
Lamport, L.: Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley (2002), http://research.microsoft.com/users/lamport/tla/book.html
Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009). https://doi.org/10.1145/1538788.1538814
Luna, C., Betarte, G., Campo, J.D., Sanz, C., Cristiá, M., Gorostiaga, F.: A formal approach for the verification of the permission-based security model of Android. CLEI Electron. J. (2018). https://doi.org/10.19153/cleiej.21.2.3
Moy, Y., Wallenburg, A.: Tokeneer: Beyond formal program verification. Embed. Real Time Software Syst. 24,(2010)
Murray, T.C., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., Klein, G.: seL4: From general purpose to a proof of information flow enforcement. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013. pp. 415–429. IEEE Computer Society (2013), https://doi.org/10.1109/SP.2013.35
Nemouchi, Y., Foster, S., Gleirscher, M., Kelly, T.: Isabelle/SACM: Computer-assisted assurance cases with integrated formal methods. In: Ahrendt, W., Tarifa, S.L.T. (eds.) Integrated Formal Methods - 15th International Conference, IFM 2019, Bergen, Norway, December 2-6, 2019, Proceedings. Lecture Notes in Computer Science, vol. 11918, pp. 379–398. Springer (2019), https://doi.org/10.1007/978-3-030-34968-4_21
Plagge, D., Leuschel, M.: Validating Z specifications using the probanimator and model checker. In: Davies, J., Gibbons, J. (eds.) Integrated Formal Methods, 6th International Conference, IFM 2007, Oxford, UK, July 2-5, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4591, pp. 480–500. Springer (2007), https://doi.org/10.1007/978-3-540-73210-5_25
Potter, B., Sinclair, J., Till, D.: An introduction to formal specification and Z. Prentice Hall PTR Upper Saddle River, NJ, USA (1996)
Rivera, V., Bhattacharya, S., Cataño, N.: Undertaking the Tokeneer challenge in Event-B. In: Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering, FormaliSE@ICSE 2016, Austin, Texas, USA, May 15, 2016. pp. 8–14. ACM (2016), https://doi.org/10.1145/2897667.2897671
Rossi, G.: \(\{log\}\). http://people.dmi.unipr.it/gianfranco.rossi/setlog.Home.html (2008), last access 2021
Rossi, G., Bergenti, F.: Nondeterministic programming in Java with JSetL. Fundam. Inform. 140(3–4), 393–412 (2015). https://doi.org/10.3233/FI-2015-1260
Schanda, F., Brain, M.: Using answer set programming in the development of verified software. In: Dovier, A., Costa, V.S. (eds.) Technical Communications of the 28th International Conference on Logic Programming, ICLP 2012, September 4-8, 2012, Budapest, Hungary. LIPIcs, vol. 17, pp. 72–85. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2012), https://doi.org/10.4230/LIPIcs.ICLP.2012.72
Schwartz, J.T., Dewar, R.B.K., Dubinsky, E., Schonberg, E.: Programming with Sets - An Introduction to SETL. Texts and Monographs in Computer Science, Springer (1986), https://doi.org/10.1007/978-1-4613-9575-1
Spivey, J.M.: The Z notation: a reference manual. Prentice Hall International (UK) Ltd., Hertfordshire, UK (1992)
Stocks, P., Carrington, D.: A Framework for specification-based testing. IEEE Trans. Software Eng. 22(11), 777–793 (1996)
Woodcock, J.: First steps in the verified software grand challenge. Computer 39(10), 57–64 (2006). https://doi.org/10.1109/MC.2006.340
Woodcock, J., Aydal, J., Aydal, E.G., Chapman, R.: The Tokeneer experiments. In: Roscoe, A.W., Jones, C.B., Wood, K.R. (eds.) Reflections on the Work of C. A. R. Hoare, pp. 405–430. Springer (2010)
Yin, X., Knight, J.C.: Formal verification of large software systems. In: Muñoz, C.A. (ed.) Second NASA Formal Methods Symposium - NFM 2010, Washington D.C., USA, April 13-15, 2010. Proceedings. NASA Conference Proceedings, vol. NASA/CP-2010-216215, pp. 192–201 (2010)
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Appendices
A. Further Details on the Encoding
In this appendix, we provide more details and examples of the necoding used to go from the TIS Z specification to the \(\{log\}\) prototype.
Figure 2 shows part of the Z specification and Fig. 3 the corresponding encoding. Schema BioCheckRequired specifies part of the ValidateUserTokenOK operation which in turn is part of the TISValidateUserToken operation. BioCheckRequired makes a ‘delta’ on IDStation and RealWorld; this is hidden in schema UserEntryContext. This is reflected in the encoding as clause bioCheckRequiredwaits for IDStationand IDStation_, meaning that the clause transitions from the former to the latter. As explained in Sect. 2, IDStation includes 12 schemas and declares two variables. Then, the encoding for IDStation is a 14-tuple respecting the declaration order given in the specification. As mentioned in Sect. 2.1, the invariants stated inside IDStation are moved out of it. Note that \(IDStation'\) is encoded as IDStation_.
As BioCheckRequired states \(\Xi UserToken\) the encoding forces UserTokenand UserToken_to be the first elements of IDStationand IDStation_, respectively, while UserToken_ = UserToken is conjoined to the clause.
AddElementsToLog is an operation schema making a ‘delta‘ on the auditing subsystem, AudiLog, and accessing the configuration subsystem, Config. In \(\{log\}\) this schema corresponds to clause addElementsToLog. The clause is called inside a delay predicate for efficiency reasons. After the first proof obligations were discharged it was evident that addElementsToLogwas taking too long while not contributing to the proofs. Hence, we ask \(\{log\}\) to delay its execution as much as possible. AddElementsToLog’s predicate starts by asserting the existence of a finite set of audit records, newElements. The \(\{log\}\) encoding reflects that fact by declaring variable _NewElementsinside the clause and passing it to addElementsToLog. This simplifies the encoding of some tricky parts of the specification.
In BioCheckRequired, status is a variable declared in schema Internal (which is one of the 12 schemas included in IDStation). The encoding uses unification to access the corresponding variable, Status. Indeed, unification forces Internalto be the 12th component of IDStationand it is used again to force Statusto be the first component of Internal. Then, we can state Status = gotUserToken. Note how the change of state of status is encoded by asserting Status_ = waitingFinger.
The predicate \(\lnot UserTokenWithOKAuthCert\) is encoded by calling the negation of userTo-kenWithOKAuthCert. As explained in Sect. 3 (see Example 7), in order to preserve decidability (general) logical negation should not be used. Figure 4 shows the encoding of \(\lnot UserTokenOK\) (in place of \(\lnot UserTokenWithOKAuthCert\), which is nonetheless similar). There are several reasons why the user token is not OK. The first one occurs when the current user token does not belong to the range of goodT. This implies that it must be either noT or badT (see TOKENTRY above). The encoding is CurrentUserToken in noT, badT. The other cases occur when there is a token : Token such that \(currentUserToken = goodT(token)\). In this case, (token, now) might not conform to a current token (not_currentToken(Token,Now)); or now might not coincide with currentTime (Now neq CurrentTime); or any of the certificates stored in token are not OK (not_certOK(KeyStore,[_,_,_])).
To close this section, note that the \(\{log\}\) encoding of ValidateUserTokenOK turns out to be quite ’natural’ (both, syntactically and semantically). This encoding becomes sort of a pattern by means of which most of the Z specification is encoded. Considering the size and complexity of the TIS Z specification, it can be argued that \(\{log\}\) can be used as an effective prototyping/programming language to encode many other Z specifications.
B. Further Details on the Proof of Property 1
Figures 5 and 6 depict the state sequences that lead the system to the state where Property 1 holds. Figure 7 shows the encoding of a lemma stating that if the system ever reaches \(status = gotUserToken\), it is because the before state was \(status = quiescent\)—i.e., the first transition of Fig. 5. That is, the \(\{log\}\) code corresponds to the negation of the following formula:
where TISOpThenUpdate is the composition between the disjunction of all the TIS operations and the TISUpdate operation [10, page 5].
We prove one such lemma for each transition shown in Figs. 5 and 6. In this way, the \(\{log\}\) prototype is guaranteed to follow only those state sequences when it comes to the validity of Property 1.
Next, we prove that when the system reaches some of the states depicted in Figs. 5 and 6 some properties hold. For example, when passing from gotUserToken to waitingEntry, the user token is checked for validity and the presence in the token of an authorization certificate is checked as well. Figure 8 shows the encoding of this lemma. As can be seen, we need pfun(IssuerKey_)as a hypothesis. In Z terms, this means that \(issuerKey'\) is a partial function, which is the type given to the variable in the specification. This hypothesis is proved to be a state invariant and so it can be assumed without loss of generality.
C. Platform Where the Verification was Executed
The verification of the \(\{log\}\) prototype of the TIS specification was performed on a Latitude E7470 (06DC) with a 4 core Intel(R) Core™ i7-6600U CPU at 2.60GHz with 8 Gb of main memory, running Linux Ubuntu 18.04.4 (LTS) 64-bit with kernel 4.15.0-106-generic. \(\{log\}\) 4.9.6-21c over SWI-Prolog (multi-threaded, 64 bits, version 7.6.4) was used during the experiments. The execution time of each collection of proof obligations is given by Tin the following \(\{log\}\) formula:
prolog_call(get_time(Ti))&
<collection proof obligations>
prolog_call(get_time(Te)) &
prolog_call(T is Te - Ti).
where prolog_callis a \(\{log\}\) facility to access the Prolog interpreter.
Rights and permissions
About this article
Cite this article
Cristiá, M., Rossi, G. An Automatically Verified Prototype of the Tokeneer ID Station Specification. J Autom Reasoning 65, 1125–1151 (2021). https://doi.org/10.1007/s10817-021-09602-2
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10817-021-09602-2