Abstract.
Ten years ago the Mondex electronic purse was certified to ITSEC Level E6, the highest level of assurance for secure systems. This involved building formal models in the Z notation, linking them with refinement, and proving that they correctly implement the required security properties. The work has been revived recently as a pilot project for the international Grand Challenge in Verified Software. This paper records the history of the original project and gives an overview of the formal models and proofs used.
Additional information
C. B. Jones
Cite this article
Woodcock, J., Stepney, S., Cooper, D. et al. The certification of the Mondex electronic purse to ITSEC Level E6. Form Asp Comp 20, 5–19 (2008). https://doi.org/10.1007/s00165-007-0060-5