Formal Safety and Security Assessment of an Avionic Architecture with Alloy

We propose an approach based on Alloy to formally model and assess a system architecture with respect to safety and security requirements. We illustrate this approach by considering as a case study an avionic system developed by Thales, which provides guidance to aircraft. We show how to define in Alloy a metamodel of avionic architectures with a focus on failure propagations. We then express the specific architecture of the case study in Alloy. Finally, we express and check properties that refer to the robustness of the architecture to failures and attacks.Comment: In Proceedings ESSS 2014, arXiv:1405.055

A Dual-Engine for Early Analysis of Critical Systems

This paper presents a framework for modeling, simulating, and checking properties of critical systems based on the Alloy language -- a declarative, first-order, relational logic with a built-in transitive closure operator. The paper introduces a new dual-analysis engine that is capable of providing both counterexamples and proofs. Counterexamples are found fully automatically using an SMT solver, which provides a better support for numerical expressions than the existing Alloy Analyzer. Proofs, however, cannot always be found automatically since the Alloy language is undecidable. Our engine offers an economical approach by first trying to prove properties using a fully-automatic, SMT-based analysis, and switches to an interactive theorem prover only if the first attempt fails. This paper also reports on applying our framework to Microsoft's COM standard and the mark-and-sweep garbage collection algorithm.Comment: Workshop on Dependable Software for Critical Infrastructures (DSCI), Berlin 201

Using Lightweight Formal Methods for JavaScript Security

The goal of this work was to apply lightweight formal methods to the study of the security of the JavaScript language. Previous work has shown that lightweight formal methods present a new approach to the study of security in the context of the Java Virtual Machine (JVM). The current work has attempted to codify best current practices in the form of a security model for JavaScript. Such a model is a necessary component in analyzing browser actions for vulnerabilities, but it is not sufficient. It is also required to capture actual browser event traces and incorporate these into the model. The work described herein demonstrates that it is (a) possible to construct a model for JavaScript security that captures important properties of current best practices within browsers; and (b) that an event translator has been written that captures the dynamic properties of browser site traversal in such a way that model analysis is tractable, and yields important information about the satisfaction or refutation of the static security rules

The Role of Invariants in the Co-evolution of Business and Technical Service Specification of an Enterprise

We explore invariants as a linking mechanism between the business and technical service perspectives: From the business perspec- tive, invariants can be used to model (business) requirements of an en- terprise; from the technical perspective, invariants express the properties that must hold during the execution of a service. We propose an approach to enterprise service design that can be de- scribed as an iterative introduction and a modication of invariants in response to the evolution of business and/or technical service specica- tions. We formalize the service specications in Alloy and demonstrate how each design iteration can be simulated, visualized and validated with the Alloy analyzer tool. We illustrate our ndings with the example of Order Creation service

Modeling the Java Bytecode Verifier

The Java programming language has been widely described as secure by design. Nevertheless, a number of serious security vulnerabilities have been discovered in Java, particularly in the Bytecode Verifier, a critical component used to verify class semantics before loading is complete. This paper describes a method for representing Java security constraints using the Alloy modeling language. It further describes a system for performing a security analysis on any block of Java bytecodes by converting the bytes into relation initializers in Alloy. Any counterexamples found by the Alloy analyzer correspond directly to insecure code. Analysis of the approach in the context of known security exploits is provided. This type of analysis represents a significant departure from standard malware analysis methods based on signatures or anomaly detection

Animation-Based Service Specification, Verification and Validation

[Context] With the expansion of services and service science, service systems have become an important abstraction for the service revolution. Service is defined as the application of resources (including competences, skills, and knowledge) to make changes that have value for another (system). The service system is a configuration of people, technologies, and other resources that interact with other service systems to create mutual value. Many systems can be viewed as service systems, including families, cities, and companies, among many others. Therefore, services became very important for unifying concepts from various disciplines. Service specifications are used to represent service systems on different levels of abstraction: from business down to IT. [Motivation and Problem] Traditionally, high-level service specifications are used only for communication among different participants, to catalyze the discussions between them; but only the specifications modeling IT systems have enough details to be simulated and executed. As a consequence, it becomes difficult to create precise high-level specifications and make sure that the implemented services are those that correspond to the business needs, potentially leading to severe project problems. Therefore, the challenge is to create abstract, yet precise service specifications, while keeping the relation between specifications at different levels of abstraction. [Idea and Results] In this work, we use formal methods and code generation techniques to create service-prototypes from service specifications at any level of abstraction, keeping the relations between different specifications. Stakeholders can try out the prototypes and give feedback regarding services that are being provided. This way, prototypes are used to validate the specifications and detect inconsistencies and unexpected behavior. [Contribution] The contributions of our work are threefold. First, we provide the visual formalism for service specification and simulation, by adding the necessary concepts to the existing method SEAM. Second, we define two design spirals: for service specification and for service validation and verification. The service specification spiral enables us to keep the relation between several service specifications. It includes steps with explicit design decisions on how to refine high-level specifications in order to include all the details necessary for providing the identified services. The validation and verification spiral is used to validate and verify specifications at any level of abstraction. Finally, it provides an environment that enables the simulation and prototyping of service specifications that are then used for their validation and verification. [Relevance] In addition to the theoretical contribution to the knowledge base of service design, we also provide the tools and guidelines that help business and IT analysts create and validate the service model, as confirmed by a survey conducted with practitioners. We illustrate the application of this work with a case study based on a consulting project we conducted at EPFL

Lightweight Modeling of Java Virtual Machine Security Constraints using Alloy

Abstract. The Java programming language has been widely described as secure by design. Nevertheless, a number of serious security vulnerabilities have been discovered in Java, particularly in the component known as the Bytecode Verifier. This paper describes a method for representing Java security constraints using the Alloy modeling language. It further describes a system for performing a security analysis on any block of Java bytecodes by converting the bytes into relation initializers in Alloy. Any counterexamples found by the Alloy analyzer correspond directly to insecure code. Analysis of a real-world malicious applet is given to demonstrate the efficacy of the approach. Introduction. This paper will describe an analysis tool for verifying security constraints within Java bytecodes. This investigation was motivated by the continued appearance of malicious Java code that violates the security constraints imposed by the Java compiler, the Java Bytecode Verifier and the Java runtime. The analysis approach is based on the lightweight modeling language Alloy [AL, DJ]. This pape