1,271 research outputs found
Formally based semi-automatic implementation of an open security protocol
International audienceThis paper presents an experiment in which an implementation of the client side of the SSH Transport Layer Protocol (SSH-TLP) was semi-automatically derived according to a model-driven development paradigm that leverages formal methods in order to obtain high correctness assurance. The approach used in the experiment starts with the formalization of the protocol at an abstract level. This model is then formally proved to fulfill the desired secrecy and authentication properties by using the ProVerif prover. Finally, a sound Java implementation is semi-automatically derived from the verified model using an enhanced version of the Spi2Java framework. The resulting implementation correctly interoperates with third party servers, and its execution time is comparable with that of other manually developed Java SSH-TLP client implementations. This case study demonstrates that the adopted model-driven approach is viable even for a real security protocol, despite the complexity of the models needed in order to achieve an interoperable implementation
Oblivion: Mitigating Privacy Leaks by Controlling the Discoverability of Online Information
Search engines are the prevalently used tools to collect information about
individuals on the Internet. Search results typically comprise a variety of
sources that contain personal information -- either intentionally released by
the person herself, or unintentionally leaked or published by third parties,
often with detrimental effects on the individual's privacy. To grant
individuals the ability to regain control over their disseminated personal
information, the European Court of Justice recently ruled that EU citizens have
a right to be forgotten in the sense that indexing systems, must offer them
technical means to request removal of links from search results that point to
sources violating their data protection rights. As of now, these technical
means consist of a web form that requires a user to manually identify all
relevant links upfront and to insert them into the web form, followed by a
manual evaluation by employees of the indexing system to assess if the request
is eligible and lawful.
We propose a universal framework Oblivion to support the automation of the
right to be forgotten in a scalable, provable and privacy-preserving manner.
First, Oblivion enables a user to automatically find and tag her disseminated
personal information using natural language processing and image recognition
techniques and file a request in a privacy-preserving manner. Second, Oblivion
provides indexing systems with an automated and provable eligibility mechanism,
asserting that the author of a request is indeed affected by an online
resource. The automated ligibility proof ensures censorship-resistance so that
only legitimately affected individuals can request the removal of corresponding
links from search results. We have conducted comprehensive evaluations, showing
that Oblivion is capable of handling 278 removal requests per second, and is
hence suitable for large-scale deployment
Regulating Data Exchange in Service Oriented Applications
We define a type system for COWS, a formalism for specifying and combining services, while modelling their dynamic behaviour. Our types permit to express policies constraining data exchanges in terms of sets of service partner names attachable to each single datum. Service programmers explicitly write only the annotations necessary to specify the wanted policies for communicable data, while a type inference system (statically) derives the minimal additional annotations that ensure consistency of services initial configuration. Then, the language dynamic semantics only performs very simple checks to authorize or block communication. We prove that the type system and the operational semantics are sound. As a consequence, we have the following data protection property: services always comply with the policies regulating the exchange of data among interacting services. We illustrate our approach through a simplified but realistic scenario for a service-based electronic marketplace
A Calculus for Orchestration of Web Services
Service-oriented computing, an emerging paradigm for distributed computing based on the use of services, is calling for the development of tools and techniques to build safe and trustworthy systems, and to analyse their behaviour. Therefore, many researchers have proposed to use process calculi, a cornerstone of current foundational research on specification and analysis of concurrent, reactive, and distributed systems. In this paper, we follow this approach and introduce CWS, a process calculus expressly designed for specifying and combining service-oriented applications, while modelling their dynamic behaviour. We show that CWS can model all the phases of the life cycle of service-oriented applications, such as publication, discovery, negotiation, orchestration, deployment, reconfiguration and execution. We illustrate the specification style that CWS supports by means of a large case study from the automotive domain and a number of more specific examples drawn from it
Formally Verified Implementation of an Idealized Model of Virtualization
VirtualCert is a machine-checked model of virtualization that can be
used to reason about isolation between operating systems in presence
of cache-based side-channels. In contrast to most prominent projects
on operating systems verification, where such guarantees are proved
directly on concrete implementations of hypervisors, VirtualCert
abstracts away most implementations issues and specifies the effects
of hypervisor actions axiomatically, in terms of preconditions and
postconditions. Unfortunately, seemingly innocuous implementation
issues are often relevant for security. Incorporating the treatment of
errors into VirtualCert is therefore an important step towards
strengthening the isolation theorems proved in earlier work. In this
paper, we extend our earlier model with errors, and prove that
isolation theorems still apply. In addition, we provide an executable specification of the hypervisor, and prove that it correctly implements the axiomatic model. The executable specification constitutes a first step towards a more realistic implementation of a hypervisor, and provides a useful tool for validating the axiomatic semantics developed in previous work
Secrecy for Mobile Implementations of Security Protocols
Mobile code technology offers interesting possibilities to
the practitioner, but also raises strong concerns about security. One
aspect of security is secrecy, the preservation of confidential
information. This thesis investigates the modelling, specification and
verification of secrecy in mobile applications which access and
transmit confidential information through a possibly compromised
medium (e.g. the Internet). These applications can be expected to
communicate secret information using a security protocol, a mechanism
to guarantee that the transmitted data does not reach unauthorized
entities.
The central idea is therefore to relate the secrecy properties of the
application to those of the protocol it implements, through the
definition of a ``confidential protocol implementation'' relation.
The argument takes an indirect form, showing that a confidential
implementation transmits secret data only in the ways indicated by the
protocol.
We define the implementation relation using labelled transition
semantics, bisimulations and relabelling functions. To justify its
technical definition, we relate this property to a notion of
noninterference for nondeterministic systems derived from Cohen's
definition of Selective Independency. We also provide simple and
local conditions that greatly simplify its verification, and report on
our experiments on an architecture showing how the proposed
formulations could be used in practice to enforce secrecy of mobile
code
- …