
The certification of the Mondex electronic purse to ITSEC Level E6

  • Original Article
Formal Aspects of Computing

Abstract

Ten years ago the Mondex electronic purse was certified to ITSEC Level E6, the highest level of assurance for secure systems. This involved building formal models in the Z notation, linking them with refinement, and proving that they correctly implement the required security properties. The work has been revived recently as a pilot project for the international Grand Challenge in Verified Software. This paper records the history of the original project and gives an overview of the formal models and proofs used.




Correspondence to Jim Woodcock.

Additional information

C. B. Jones


Cite this article

Woodcock, J., Stepney, S., Cooper, D. et al. The certification of the Mondex electronic purse to ITSEC Level E6. Form Asp Comp 20, 5–19 (2008). https://doi.org/10.1007/s00165-007-0060-5
