Integrating Functional and Security Requirements Analysis using SOFL for Software Security Assurance

Formal methods have been applied to define requirements for safety and/or security critical software systems in some industrial sectors, but the challenge is the lack of a systematic way to take security issues into account in specifying the functional behaviors. In this paper, we propose a formal approach to expressing and explicitly interweaving security and functional requirements. With this approach, the functional behaviors of the system are precisely specified using the Structured Object Oriented Formal Language (SOFL), the security rules are systematically explored, and the result is properly incorporated into the functional specification as constraints. The resultant specification then defines the system functionality that implies the conformance to the security rules. Such a specification can be used as a firm foundation for implementation and testing of the implementation. We discuss the principle of interweaving security rules with functional specifications and present a case study to demonstrate the feasibility of our approac

Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management

With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. "Privacy-enhancing" communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, currently there is no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high-level, or specific for one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independent of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable on-line identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework

Applying Formal Methods to Networking: Theory, Techniques and Applications

Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet which began as a research experiment was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring for every new need a new protocol built from scratch. This led to an unwieldy ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean slate Internet design---especially, the software defined networking (SDN) paradigm---offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence in interest of applying formal methods to specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking.Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorial

Towards a Formal Model of Privacy-Sensitive Dynamic Coalitions

The concept of dynamic coalitions (also virtual organizations) describes the temporary interconnection of autonomous agents, who share information or resources in order to achieve a common goal. Through modern technologies these coalitions may form across company, organization and system borders. Therefor questions of access control and security are of vital significance for the architectures supporting these coalitions. In this paper, we present our first steps to reach a formal framework for modeling and verifying the design of privacy-sensitive dynamic coalition infrastructures and their processes. In order to do so we extend existing dynamic coalition modeling approaches with an access-control-concept, which manages access to information through policies. Furthermore we regard the processes underlying these coalitions and present first works in formalizing these processes. As a result of the present paper we illustrate the usefulness of the Abstract State Machine (ASM) method for this task. We demonstrate a formal treatment of privacy-sensitive dynamic coalitions by two example ASMs which model certain access control situations. A logical consideration of these ASMs can lead to a better understanding and a verification of the ASMs according to the aspired specification.Comment: In Proceedings FAVO 2011, arXiv:1204.579

Using Lightweight Formal Methods for JavaScript Security

The goal of this work was to apply lightweight formal methods to the study of the security of the JavaScript language. Previous work has shown that lightweight formal methods present a new approach to the study of security in the context of the Java Virtual Machine (JVM). The current work has attempted to codify best current practices in the form of a security model for JavaScript. Such a model is a necessary component in analyzing browser actions for vulnerabilities, but it is not sufficient. It is also required to capture actual browser event traces and incorporate these into the model. The work described herein demonstrates that it is (a) possible to construct a model for JavaScript security that captures important properties of current best practices within browsers; and (b) that an event translator has been written that captures the dynamic properties of browser site traversal in such a way that model analysis is tractable, and yields important information about the satisfaction or refutation of the static security rules