Stepwise Development of Secure Systems

  • Thomas Santen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4166)


System development by stepwise refinement is a well-established method in classical software engineering. We discuss how this method can be adapted to systematically incorporate security issues, in particular, confidentiality into the software construction process. Starting with an abstract system model that precisely captures the relevant confidentiality requirements, subsequent refinements produce models which introduce more detail or relax assumptions on the environment. For each refinement, changing adversary capabilities must be captured and their compatibility with the given confidentiality requirements must be established. In this context, security, and dependability in general, are existential properties: The existence of a secure implementation must be kept invariant during the development process. This considerably adds to the complexity of a development.


Security Requirement Message Content Computation Tree Logic Adversary Model Nondeterministic Choice 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abrial, J.-R.: The B-Book: Assigning programs to meanings. Cambridge University Press, Cambridge (1996)MATHCrossRefGoogle Scholar
  2. 2.
    Behm, P., Benoit, P., Faivre, A., Meynadier, J.-M.: Météor: A successful application of B in a large project. In: Wing, J.M., Woodcock, J.C.P., Davies, J. (eds.) FM 1999. LNCS, vol. 1708, pp. 369–387. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  3. 3.
    Chaum, D.L.: Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM 24(2), 84–88 (1981)CrossRefGoogle Scholar
  4. 4.
    Ciesinski, F., Größer, M.: On probabilistic computation tree logic. In: Baier, C., Haverkort, B.R., Hermanns, H., Katoen, J.-P., Siegle, M. (eds.) Validation of Stochastic Systems. LNCS, vol. 2925, pp. 147–188. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  5. 5.
    Derrick, J., Boiten, E.: Refinement in Z and Object-Z. Springer, London (2001)MATHGoogle Scholar
  6. 6.
    Goguen, J.A., Meseguer, J.: Security policies and security models. In: IEEE Symposium on Security and Privacy, pp. 11–20. IEEE Computer Society Press, Los Alamitos (1982)Google Scholar
  7. 7.
    Gray III., J.W.: Toward a mathematical foundation for information flow security. Journal of Computer Security, 255–294 (1992)Google Scholar
  8. 8.
    Heisel, M., Pfitzmann, A., Santen, T.: Confidentiality-preserving refinement. In: 14th IEEE Computer Security Foundations Workshop, pp. 295–305. IEEE Computer Society Press, Los Alamitos (2001)CrossRefGoogle Scholar
  9. 9.
    Hutter, D.: Possibilistic information flow control in MAKS and action refinement. In: Müller, G. (ed.) ETRICS 2006. LNCS, vol. 3995, pp. 268–281. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  10. 10.
    Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley, Reading (2000)Google Scholar
  11. 11.
    Jacob, J.: On the derivation of secure components. In: IEEE Symposium on Security and Privacy, pp. 242–247. IEEE Press, Los Alamitos (1989)CrossRefGoogle Scholar
  12. 12.
    Jones, C.B.: Systematic Software Development using VDM, 2nd edn. Prentice Hall, Englewood Cliffs (1990)MATHGoogle Scholar
  13. 13.
    Jürjens, J.: Secrecy-preserving refinement. In: Oliveira, J.N., Zave, P. (eds.) FME 2001. LNCS, vol. 2021, pp. 135–152. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  14. 14.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)MATHGoogle Scholar
  15. 15.
    Mantel, H.: Preserving information flow properties under refinement. In: IEEE Symposium on Security and Privacy, pp. 78–91. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  16. 16.
    Mantel, H.: A Uniform Framework for the Formal Specification and Verification of Information Flow Security. Ph.D thesis, Universität des Saarlandes (2003)Google Scholar
  17. 17.
    McLean, J.: A general theory of composition for a class of “possibilistic” properties. IEEE Transactions on Software Engineering 22(1), 53–67 (1996)CrossRefGoogle Scholar
  18. 18.
    Meyer, B.: Applying “design by contract”. IEEE Computer, 40–51 (October 1992)Google Scholar
  19. 19.
    Morgan, C., McIver, A., Seidel, K., Sanders, J.W.: Refinement-oriented probability for CSP. Formal Aspects of Computing 8(6), 617–647 (1996)MATHCrossRefGoogle Scholar
  20. 20.
    Pfitzmann, B., Waidner, M.: A model for asynchronous reactive systems and its application to secure message transmission. In: IEEE Symposium on Security and Privacy, pp. 184–201. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  21. 21.
    Roscoe, A.W.: CSP and determinism in security modelling. In: Proc. IEEE Symposium on Security and Privacy, pp. 114–127. IEEE Computer Society Press, Los Alamitos (1995)Google Scholar
  22. 22.
    Santen, T.: Probabilistic confidentiality properties based on indistinguishability. In: Federrath, H. (ed.) Proc. Sicherheit 2005 – Schutz und Zuverlässigkeit. Lecture Notes in Informatics, pp. 113–124. Gesellschaft für Informatik (2005)Google Scholar
  23. 23.
    Santen, T.: A formal framework for confidentiality-preserving refinement. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 225–242. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  24. 24.
    Segala, R., Lynch, N.: Probabilistic simulations for probabilistic processes. In: Jonsson, B., Parrow, J. (eds.) CONCUR 1994. LNCS, vol. 836, pp. 481–496. Springer, Heidelberg (1994)CrossRefGoogle Scholar
  25. 25.
    Zakinthinos, A., Lee, E.S.: A general theory of security properties. In: Proc. IEEE Symposium on Security and Privacy, pp. 94–102 (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Thomas Santen
    • 1
  1. 1.Institut für Softwaretechnik und Theoretische InformatikTechnische Universität BerlinGermany

Personalised recommendations