
The Tokeneer Experiments

  • Jim Woodcock
  • Emine Gökçe Aydal
  • Rod Chapman
Chapter

Abstract

We describe an experiment conducted as part of a pilot project in the Verified Software Initiative (VSI). We begin by recounting the background to the VSI and its six initial pilot projects, and give an update on the current progress of each project. We describe one of these, the Tokeneer ID Station, in greater detail. Tokeneer was developed by Praxis High Integrity Systems and SPRE for the US National Security Agency, and it has been acclaimed by the US National Academies as representing best practice in software development. To date, only five errors have been found in Tokeneer, and the entire project archive has been released for experimentation within the VSI. We describe the first experiment using the Tokeneer archive. Our objective is to investigate the dependability claims for Tokeneer as a security-critical system. Our experiment uses a model-based testing technique that exploits formal methods and tools to discover nine anomalous scenarios. We discuss four of these in detail.

Keywords

Security Property, Configuration File, Grand Challenge, Proof Obligation, System Under Test

Acknowledgements

First, thanks must go to all those involved in the Tokeneer project for releasing into the public domain such a useful project archive. It is incredibly valuable and has done the research community a very great service. The work on Tokeneer reported in this paper was carried out as part of Emine Gökçe Aydal’s Ph.D. thesis [3], under the supervision of Jim Woodcock. We also received helpful comments during the development of this work from Andrew Butterfield, Behzad Bordbar, Néstor Cataño, Ana Cavalcanti, John Clarke, John Fitzgerald, Leo Freitas, Rob Hierons, Tony Hoare, Randolph Johnson, Cliff Jones, Bertrand Meyer, Yannick Moy, Marcel Oliveira, Richard Paige, Brian Randell, Shankar and Angela Wallenberg. We presented the results of our experiment to Marie-Claude Gaudel’s research group during a sabbatical visit to Université de Paris-Sud, and to audiences in seminars and workshops at the University of Birmingham, Trinity College Dublin, the University of Madeira, Microsoft Research Asia, Microsoft Research Cambridge, the Federal University of Rio Grande do Norte, the University of York and ETH Zurich. We are grateful for all the encouragement we received.

References

  1. Aichernig, B.K., Maibaum, T.S.E. (eds.): Formal Methods at the Crossroads. From Panacea to Foundational Support, 10th Anniversary Colloquium of UNU/IIST, the International Institute for Software Technology of The United Nations University, Lisbon, Portugal, March 18–20, 2002, Revised Papers. Lecture Notes in Computer Science, vol. 2757. Springer (2003)
  2. Aydal, E.G., Paige, R.F., Woodcock, J.: Evaluation of OCL for large-scale modelling: A different view of the Mondex purse. In: Giese, H. (ed.) MoDELS Workshops. Lecture Notes in Computer Science, vol. 5002, pp. 194–205. Springer, Berlin, Heidelberg (2007)
  3. Aydal, E.G.: Model-Based Robustness Testing of Black-box Systems. PhD thesis, Department of Computer Science, University of York (November 2009)
  4. Banach, R.: Formal Methods: Guest editorial. J. UCS 13(5), 593–601 (2007)
  5. Barnes, J.: Tokeneer ID Station informed design. Technical Report S.P1229.50.2, Praxis High Integrity Systems. Available from tinyurl.com/tokeneer (2008)
  6. Barnes, J., Chapman, R., Johnson, R., Widmaier, J., Cooper, D., Everett, B.: Engineering the Tokeneer enclave protection system. In: Proceedings of the 1st International Symposium on Secure Software Engineering, Arlington, VA. IEEE (March 2006)
  7. Barnes, J.: High Integrity Ada: The SPARK Approach to Safety and Security. Addison-Wesley, Reading, MA (2003)
  8. Bicarregui, J., Fitzgerald, J.S., Larsen, P.G., Woodcock, J.C.P.: Industrial practice in Formal Methods: A review. In: Cavalcanti, A., Dams, D. (eds.) FM. Lecture Notes in Computer Science, vol. 5850, pp. 810–813. Springer (2009)
  9. Bicarregui, J., Hoare, C.A.R., Woodcock, J.C.P.: The Verified Software Repository: A step towards the verifying compiler. Formal Asp. Comput. 18(2), 143–151 (2006)
  10. Butler, M., Yadav, D.: An incremental development of the Mondex system in Event-B. Formal Asp. Comput. 20(1), 61–77 (2008)
  11. Butterfield, A., Freitas, L., Woodcock, J.: Mechanising a formal model of flash memory. Sci. Comput. Program. 74(4), 219–237 (2009)
  12. Butterfield, A., O’Cathain, A.: Concurrent models of flash memory device behaviour. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  13. Butterfield, A., Woodcock, J.: Formalising flash memory: First steps. In: 12th International Conference on Engineering of Complex Computer Systems (ICECCS 2007), 10–14 July 2007, Auckland, New Zealand, pp. 251–260. IEEE Computer Society (2007)
  14. CCRA: Common criteria for information technology security evaluation. Part 1: Introduction and general model. Technical Report CCMB-2006-09-001, Version 3.1, Revision 1, Common Criteria Recognition Agreement (September 2006)
  15. Chapman, R.: Tokeneer ID Station overview and reader’s guide. Technical Report S.P1229.81.8, Issue 1.0, Praxis High Integrity Systems. Available from tinyurl.com/tokeneer (2008)
  16. Chapman, R.: Private communication. Email, 16 December 2009
  17. Cohen, E.: Validating the Microsoft Hypervisor. In: Misra, J., Nipkow, T., Sekerinski, E. (eds.) FM 2006: Formal Methods, 14th International Symposium on Formal Methods, Hamilton, Canada, August 21–27, 2006, Proceedings. Lecture Notes in Computer Science, vol. 4085, p. 81. Springer (2006)
  18. Cooke, J.: Editorial (VSTTE special issue). Formal Asp. Comput. 19(2), 137–138 (2007)
  19. Cooper, D.: Tokeneer ID Station security properties. Technical Report S.P1229.40.4, Praxis High Integrity Systems. Available from tinyurl.com/tokeneer (2008)
  20. Cooper, D.: Tokeneer ID Station security target. Technical Report S.P1229.40.1, Praxis High Integrity Systems. Available from tinyurl.com/tokeneer (2008)
  21. Cooper, D.: Tokeneer ID Station system requirements specification. Technical Report S.P1229.41.1, Praxis High Integrity Systems. Available from tinyurl.com/tokeneer (2008)
  22. Craig, I.D.: Formal Models of Operating System Kernels. Springer (2006)
  23. Craig, I.D.: Formal Refinement for Operating System Kernels. Springer (2007)
  24. Crocker, D., Carlton, J.: Verification of C programs using automated reasoning. In: Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 10–14 September 2007, London, England, UK, pp. 7–14. IEEE Computer Society (2007)
  25. Damchoom, K., Butler, M.: Applying event and machine decomposition to a flash-based filestore in Event-B. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  26. Damchoom, K., Butler, M.J., Abrial, J.-R.: Modelling and proof of a tree-structured file system in Event-B and Rodin. In: Liu, S., Maibaum, T.S.E., Araki, K. (eds.) Formal Methods and Software Engineering, 10th International Conference on Formal Engineering Methods, ICFEM 2008, Kitakyushu-City, Japan, October 27–31, 2008, Proceedings. Lecture Notes in Computer Science, vol. 5256, pp. 25–44. Springer (2008)
  27. Deharbe, D.: Modelling FreeRTOS with B. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  28. Dong, J.S., Sun, J.: SCP special issue on the Grand Challenge: Preface. Sci. Comput. Program. 74(4), 167 (2009)
  29. Ferreira, M.A., Oliveira, J.N.: Towards tool integration and interoperability in the GC: The Intel flash file store case study. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  30. Freitas, L.: Mechanising data-types for kernel design in Z. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  31. Freitas, L., Fu, Z., Woodcock, J.: POSIX file store in Z/Eves: An experiment in the Verified Software Repository. In: 12th International Conference on Engineering of Complex Computer Systems (ICECCS 2007), 10–14 July 2007, Auckland, New Zealand, pp. 3–14. IEEE Computer Society (2007)
  32. Freitas, L., Woodcock, J.: Mechanising Mondex with Z/Eves. Formal Asp. Comput. 20(1), 117–139 (2008)
  33. Freitas, L., Woodcock, J., Fu, Z.: POSIX file store in Z/Eves: An experiment in the Verified Software Repository. Sci. Comput. Program. 74(4), 238–257 (2009)
  34. Freitas, L., Woodcock, J., Zhang, Y.: Verifying the CICS File Control API with Z/Eves: An experiment in the Verified Software Repository. Sci. Comput. Program. 74(4), 197–218 (2009)
  35. Gal, E., Toledo, S.: Algorithms and data structures for flash memories. ACM Comput. Surv. 37(2), 138–163 (2005)
  36. George, C., Haxthausen, A.E.: Specification, proof, and model checking of the Mondex electronic purse using RAISE. Formal Asp. Comput. 20(1), 101–116 (2008)
  37. Gomes, A.O., Oliveira, M.V.M.: Formal specification of a Cardiac Pacing System. In: Cavalcanti, A., Dams, D. (eds.) Formal Methods Symposium (FM 2009), 31 October–6 November 2009, Eindhoven. Lecture Notes in Computer Science, in press. Springer (2009)
  38. Graydon, P.J., Knight, J.C., Strunk, E.A.: Achieving dependable systems by synergistic development of architectures and assurance cases. In: de Lemos, R., Gacek, C., Romanovsky, A.B. (eds.) WADS. Lecture Notes in Computer Science, vol. 4615, pp. 362–382. Springer (2006)
  39. Haneberg, D., Schellhorn, G., Grandy, H., Reif, W.: Verification of Mondex electronic purses with KIV: From transactions to a security protocol. Formal Asp. Comput. 20(1), 41–59 (2008)
  40. Hoare, C.A.R.: Towards the verifying compiler. In: Aichernig and Maibaum [1], pp. 151–160
  41. Hoare, C.A.R., Misra, J.: Preface to special issue on software verification. ACM Comput. Surv. 41(4) (2009)
  42. Hoare, C.A.R., Misra, J., Leavens, G.T., Shankar, N.: The verified software initiative: A manifesto. ACM Comput. Surv. 41(4) (2009)
  43. Hoare, T., Atkinson, M., Bundy, A., Crowcroft, J., Milner, R., Moore, J., Rodden, T., Thomas, M.: The Grand Challenges Exercise of the UKCRC. Report to the UKCRC from the programme committee. tiny.cc/gcreport (29 May 2003)
  44. Hoare, T., Jones, C., Randell, B.: Extending the horizons of DSE. In: Grand Challenges. UKCRC. tinyurl.com/ExtendingDSE (2004)
  45. Hoare, T., Misra, J.: Verified software: Theories, tools, and experiments: Vision of a Grand Challenge project. In: Meyer, B., Woodcock, J. (eds.) Verified Software: Theories, Tools, and Experiments. First IFIP TC 2/WG 2.3 Conference, Zurich, October 2005. Lecture Notes in Computer Science, vol. 4171, pp. 1–18. Springer, Berlin, Heidelberg (2008)
  46. ITSEC: Information technology security evaluation criteria (ITSEC): Preliminary harmonised criteria. Technical Report Document COM(90) 314, Version 1.2, Commission of the European Communities (June 1991)
  47. Jackson, D.: Alloy: A lightweight object modelling notation. ACM Trans. Softw. Eng. Methodol. 11(2), 256–290 (2002)
  48. Jackson, D., Thomas, M., Millett, L.I. (eds.): Software for Dependable Systems: Sufficient Evidence? Committee on Certifiably Dependable Software Systems, National Research Council. The National Academies Press (2007)
  49. Jackson, P., Passmore, G.O.: Improved automation for SPARK verification conditions. tiny.cc/jacksonspark (1 August 2009)
  50. Jackson, P., Passmore, G.O.: YAFFS (Yet Another Flash File System). www.yaffs.net/ (1 August 2009)
  51. Jhala, R., Majumdar, R.: Software model checking. ACM Comput. Surv. 41(4) (2009)
  52. Jones, C.B., O’Hearn, P.W., Woodcock, J.: Verified software: A Grand Challenge. IEEE Computer 39(4), 93–95 (2006)
  53. Jones, C.B., Pierce, K.G.: What can the π-calculus tell us about the Mondex purse system? In: 12th International Conference on Engineering of Complex Computer Systems (ICECCS 2007), Auckland, New Zealand, 10–14 July 2007, pp. 300–306. IEEE Computer Society (2007)
  54. Jones, C.B., Woodcock, J.: Editorial. Formal Asp. Comput. 20(1), 1–3 (2008)
  55. Josey, A.: The Single Unix Specification Version 3. Open Group, San Francisco, CA (2004). ISBN 193162447X
  56. Joshi, R., Holzmann, G.J.: A mini challenge: Build a verifiable filesystem. Formal Asp. Comput. 19(2), 269–272 (2007)
  57. Kang, E., Jackson, D.: Formal modeling and analysis of a flash filesystem in Alloy. In: Börger, E., Butler, M., Bowen, J.P., Boca, P. (eds.) ABZ 2008: Abstract State Machines, B and Z, First International Conference, ABZ 2008, London, September 16–18, 2008. Lecture Notes in Computer Science, vol. 5238, pp. 294–308. Springer, Berlin, Heidelberg (2008)
  58. Kim, M.: Concolic testing of the multisector read operation for a flash memory. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  59. King, J.C.: A Program Verifier. Ph.D. thesis, School of Computer Science, Carnegie Mellon University (1969)
  60. Kuhlmann, M., Gogolla, M.: Modeling and validating Mondex scenarios described in UML and OCL with USE. Formal Asp. Comput. 20(1), 79–100 (2008)
  61. Lawford, M.: Pacemaker Formal Methods Challenge. tiny.cc/pacemaker (1 August 2009)
  62. Macedo, H.D., Larsen, P.G., Fitzgerald, J.S.: Incremental development of a distributed real-time model of a cardiac pacing system using VDM. In: Cuéllar, J., Maibaum, T.S.E., Sere, K. (eds.) FM 2008: Formal Methods, 15th International Symposium on Formal Methods, Turku, Finland, May 26–30, 2008, Proceedings. Lecture Notes in Computer Science, vol. 5014, pp. 181–197. Springer (2008)
  63. Machado, P.: Automatic test case generation of embedded real-time systems with interruptions for FreeRTOS. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  64. Meyer, B., Woodcock, J. (eds.): Verified Software: Theories, Tools, Experiments, First IFIP TC 2/WG 2.3 Conference, VSTTE 2005, Zurich, Switzerland, October 10–13, 2005, Revised Selected Papers and Discussions. Lecture Notes in Computer Science, vol. 4171. Springer (2008)
  65. Mühlberg, J.T., Lüttgen, G.: Verifying compiled file system code. In: Oliveira, M., Woodcock, J. (eds.) Brazilian Symposium on Formal Methods (SBMF 2009), 19–21 August 2009, Gramado, Brazil. Lecture Notes in Computer Science, in press. Springer (2009)
  66. Owre, S., Rushby, J.M., Shankar, N.: PVS: A prototype verification system. In: CADE-11, 11th International Conference on Automated Deduction, Saratoga Springs, June 15–18, 1992. Lecture Notes in Computer Science, vol. 607, pp. 748–752. Springer, Berlin, Heidelberg (1992)
  67. Ramananandro, T.: Mondex, an electronic purse: Specification and refinement checks with the Alloy model-finding method. Formal Asp. Comput. 20(1), 21–39 (2008)
  68. Shankar, N.: Automated deduction for verification. ACM Comput. Surv. 41(4) (2009)
  69. Shankar, N., Woodcock, J. (eds.): Verified Software: Theories, Tools, Experiments, Second International Conference, VSTTE 2008, Toronto, Canada, October 6–9, 2008, Proceedings. Lecture Notes in Computer Science, vol. 5295. Springer (2008)
  70. Spinellis, D.: A look at zero-defect code. tinyurl.com/spinellisblog (18 October 2008)
  71. Spivey, J.M.: The Z Notation: A Reference Manual. International Series in Computer Science. Prentice Hall (1989)
  72. Stepney, S., Cooper, D., Woodcock, J.: More powerful Z data refinement: Pushing the state of the art in industrial refinement. In: Bowen, J.P., Fett, A., Hinchey, M.G. (eds.) ZUM. Lecture Notes in Computer Science, vol. 1493, pp. 284–307. Springer (1998)
  73. Stepney, S., Cooper, D., Woodcock, J.: An electronic purse: Specification, refinement, and proof. Technical Monograph PRG-126, Oxford University Computing Laboratory (July 2000)
  74. Tokeneer. tinyurl.com/tokeneer (2009)
  75. VSR: Verified Software Repository. vsr.sourceforge.net/fmsurvey.htm (2009)
  76. Woodcock, J.: E6: Use of formality. Video Tape G3A, Tape No. 68. Technical report, Government Communications Headquarters, Communications-Electronics Security Group (October 1997)
  77. Woodcock, J.: First steps in the Verified Software Grand Challenge. IEEE Computer 39(10), 57–64 (2006)
  78. Woodcock, J., Banach, R.: The Verification Grand Challenge. J. UCS 13(5), 661–668 (2007)
  79. Woodcock, J., Davies, J.: Using Z: Specification, Refinement, and Proof. International Series in Computer Science. Prentice Hall (1996)
  80. Woodcock, J., Larsen, P.G., Bicarregui, J., Fitzgerald, J.S.: Formal Methods: Practice and experience. ACM Comput. Surv. 41(4) (2009)
  81. Woodcock, J., Stepney, S., Cooper, D., Clark, J.A., Jacob, J.: The certification of the Mondex electronic purse to ITSEC Level E6. Formal Asp. Comput. 20(1), 5–19 (2008)

Copyright information

© Springer London 2010

Authors and Affiliations

  • Jim Woodcock (1)
  • Emine Gökçe Aydal (2)
  • Rod Chapman (3)
  1. Department of Computer Science, University of York, York, Great Britain
  2. Department of Computer Science, University of York, York, Great Britain
  3. Altran Praxis Limited, Bath, Great Britain