5 research outputs found

    An Automatically Verified Prototype of the Tokeneer ID Station Specification

    The Tokeneer project was an initiative set forth by the National Security Agency (NSA, USA) to demonstrate that highly secure systems can be developed cost-effectively by applying rigorous methods. Altran Praxis (UK) was selected by the NSA to carry out the development of the Tokeneer ID Station. The company wrote a Z specification, later implemented in the SPARK Ada programming language and verified using the SPARK Examiner toolset. In this paper, we show that the Z specification can be easily and naturally encoded in the {log} set constraint language, thus generating a functional prototype. Furthermore, we show that {log}'s automated proving capabilities can discharge all the proof obligations concerning state invariants as well as important security properties. As a consequence, the prototype can be regarded as correct with respect to the verified properties. This provides empirical evidence that Z users can use {log} to generate correct prototypes from their Z specifications. In turn, these prototypes enable or simplify some verification activities discussed in the paper.

    Declarative Programming with Intensional Sets in Java Using JSetL

    Intensional sets are sets given by a property rather than by enumerating their elements. In previous work, we have proposed a decision procedure for a first-order logic language which provides Restricted Intensional Sets (RIS), i.e., a sub-class of intensional sets that are guaranteed to denote finite, though unbounded, sets. In this paper we show how RIS can also be exploited as a convenient programming tool in a conventional setting, namely the imperative object-oriented language Java. We do this by considering a Java library, called JSetL, that integrates the notions of logical variable, (set) unification and constraints, typical of constraint logic programming languages, into the Java language. We show how JSetL is naturally extended to accommodate RIS and RIS constraints, and how this extension can be exploited, on the one hand, to support a more declarative style of programming and, on the other hand, to effectively enhance the expressive power of the constraint language provided by the library.

    Towards a Certified Prototype of the Android 10 Permission System (original title: Hacia un prototipo certificado del sistema de permisos de Android 10)

    Android is an operating system for mobile devices that currently holds more than 85% of the market. It lets its users carry out multiple tasks through the use of apps. However, the ease of use of these apps, and of the platform in general, is offset by an escalation of risks to data confidentiality and by a lack of guarantees when it comes to protecting sensitive information. For this reason, the system in charge of arbitrating access to user information becomes a primary target for software verification using formal methods. In this work, we extend an existing formalization of the Android 6 permission system, incorporating new functionality and proving new properties for versions 7, 8, 9 and 10 of the platform. The result is a framework on which it is possible to reason formally about safety and security properties of Android 10.

    A formal approach for the verification of the permission-based security model of Android

    This article reports on our experiences in applying formal methods to verify the security mechanisms of Android. We have developed a comprehensive formal specification of Android's permission model, which has been used to state and prove properties that establish the expected behavior of the procedures that enforce the defined access control policy. We are also interested in providing guarantees concerning actual implementations of the mechanisms. Therefore we follow a verification approach that combines the use of idealized models, on which fundamental properties are formally verified, with testing of actual implementations using lightweight model-based techniques. We describe the formalized model, present security properties that have been proved using the Coq proof assistant, and propose the use of a certified algorithm for performing verification activities such as monitoring actual implementations of the platform and acting as a testing oracle.
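    The abstract above describes an idealized, formally verified model that also serves as a testing oracle for real implementations, and the Tokeneer entry describes an executable prototype checked against state invariants. The sketch below is an added example of that model-as-oracle pattern and is not code from any of the listed papers, nor a rendering of their Coq or {log} models. Everything in it is constructed for illustration: the two protection levels and the rule that "normal" permissions are granted at install time while "dangerous" ones need a runtime grant and must have been declared, the permission names, the event trace, and `HypotheticalService`, a stand-in implementation that deliberately omits the manifest check so the oracle has something to catch.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed, simplified protection levels (an assumption of this sketch, not the
# papers' model): "normal" permissions are granted at install time, "dangerous"
# permissions only on an explicit runtime grant, and only if the app declared them.
NORMAL = {"INTERNET", "VIBRATE"}
DANGEROUS = {"CAMERA", "READ_CONTACTS"}


@dataclass
class ModelState:
    """Idealized system state: what each app declared and what it currently holds."""
    declared: dict[str, set[str]] = field(default_factory=dict)
    granted: dict[str, set[str]] = field(default_factory=dict)


def model_step(state: ModelState, event: tuple) -> ModelState:
    """Transition function of the idealized model for one event."""
    kind = event[0]
    if kind == "install":
        _, app, perms = event
        state.declared[app] = set(perms)
        state.granted[app] = set(perms) & NORMAL
    elif kind == "grant":
        _, app, perm = event
        # A runtime grant is only honoured for a declared dangerous permission.
        if perm in DANGEROUS and perm in state.declared.get(app, set()):
            state.granted[app].add(perm)
    elif kind == "revoke":
        _, app, perm = event
        state.granted.get(app, set()).discard(perm)
    elif kind == "uninstall":
        _, app = event
        state.declared.pop(app, None)
        state.granted.pop(app, None)
    return state


def invariant(state: ModelState) -> bool:
    """Safety property checked after every step: no app holds an undeclared permission."""
    return all(state.granted[app] <= state.declared[app] for app in state.granted)


class HypotheticalService:
    """Constructed stand-in for an implementation under test. It deliberately
    skips the manifest check on runtime grants so the oracle has something to catch."""

    def __init__(self) -> None:
        self.manifest: dict[str, set[str]] = {}
        self.held: dict[str, set[str]] = {}

    def apply(self, event: tuple) -> None:
        kind = event[0]
        if kind == "install":
            _, app, perms = event
            self.manifest[app] = set(perms)
            self.held[app] = {p for p in perms if p in NORMAL}
        elif kind == "grant":
            _, app, perm = event
            if perm in DANGEROUS:  # constructed bug: no check against the manifest
                self.held.setdefault(app, set()).add(perm)
        elif kind == "revoke":
            _, app, perm = event
            self.held.get(app, set()).discard(perm)
        elif kind == "uninstall":
            _, app = event
            self.manifest.pop(app, None)
            self.held.pop(app, None)

    def check(self, app: str, perm: str) -> bool:
        return perm in self.held.get(app, set())


def run_trace(trace: list[tuple], impl: HypotheticalService) -> tuple:
    """Drive the model and the implementation with the same events; the model is the oracle.
    Returns ("ok", steps), ("model_invariant_violated", i) or ("divergence", i, app, perm)."""
    state = ModelState()
    for i, event in enumerate(trace):
        model_step(state, event)
        impl.apply(event)
        if not invariant(state):
            return ("model_invariant_violated", i)
        for app in state.declared:
            for perm in sorted(NORMAL | DANGEROUS):
                if (perm in state.granted[app]) != impl.check(app, perm):
                    return ("divergence", i, app, perm)
    return ("ok", len(trace))


# Constructed event trace: the third event requests a permission the app never declared.
TRACE = [
    ("install", "com.example.app", ["INTERNET", "CAMERA"]),
    ("grant", "com.example.app", "CAMERA"),
    ("grant", "com.example.app", "READ_CONTACTS"),
]

if __name__ == "__main__":
    print(run_trace(TRACE[:2], HypotheticalService()))  # ("ok", 2)
    print(run_trace(TRACE, HypotheticalService()))      # ("divergence", 2, "com.example.app", "READ_CONTACTS")
```

    The model checks its own invariant after every step and the implementation is compared against the model's view of every (app, permission) pair, so a divergence is reported at the first event where the implementation's answer to "does this app hold this permission?" differs from the oracle's; the same loop can monitor a live implementation by replacing the constructed trace with recorded events.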

    A formal approach for the verification of the permission-based security model of Android

    No full text
    corecore