13 research outputs found

    Logical Specification and Analysis of Fault Tolerant Systems through Partial Model Checking

    This paper presents a framework for a logical characterisation of fault tolerance and its formal analysis based on partial model checking techniques. The framework requires a fault tolerant system to be modelled using a formal calculus, here the CCS process algebra. To this aim we propose a uniform modelling scheme in which to specify a formal model of the system, its failing behaviour and possibly its fault-recovering procedures. Once a formal model is provided in our scheme, fault tolerance, with respect to a given property, can be formalised as an equational μ-calculus formula. This formula expresses, in a logical formalism, all the fault scenarios satisfying that fault tolerance property. Such a characterisation views the analysis of fault tolerance as a form of analysis of open systems and, thanks to partial model checking strategies, it can be made independent of any particular fault assumption. Moreover, this logical characterisation makes it possible to express the fault-tolerance verification problem as a general μ-calculus validation problem, for which many theorem-proving techniques and tools are available. We present several analysis methods showing the flexibility of our approach.

    Through Modeling to Synthesis of Security Automata

    We define a set of process algebra operators, that we call controller operators, able to mimic the behaviour of the security automata introduced by Schneider in [Schneider, F. B., Enforceable security policies, ACM Transactions on Information and System Security 3 (2000), pp. 30–50] and by Ligatti et al. in [Bauer, L., J. Ligatti and D. Walker, More enforceable security policies, in: I. Cervesato, editor, Foundations of Computer Security: proceedings of the FLoC'02 workshop on Foundations of Computer Security (2002), pp. 95–104]. Security automata are mechanisms for enforcing security policies that specify acceptable executions of programs. Here we give the semantics of four controllers that act by monitoring a possibly untrusted component of a system in order to enforce certain security policies. Moreover, exploiting satisfiability results for temporal logic, we show how to automatically build these controllers for a given security policy.
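    The abstract above describes controllers that monitor an untrusted component and enforce a policy in the style of Schneider's security automata and Ligatti et al.'s edit automata. The following is an added example, not code from the paper: it fixes one constructed trace policy ("send" is acceptable only if a "declassify" has occurred since the most recent "read_secret") and runs four controller strategies in front of a constructed target trace. The strategies are labelled with the names used by Ligatti et al. (truncation, suppression, insertion, edit); that these are the paper's own four controllers is an assumption, as are all action names.

```python
"""Four run-time controllers for one trace policy, modelled as edit automata.

Constructed example.  The policy: a "send" is acceptable only if a
"declassify" has occurred since the most recent "read_secret".  Every
action name and the four controller strategies are assumptions made here.
"""

CLEAN, TAINTED = "clean", "tainted"   # states of the policy automaton


def policy_step(state, action):
    """One move of the policy automaton: (next_state, is_violation)."""
    if action == "read_secret":
        return TAINTED, False
    if action == "declassify":
        return CLEAN, False
    if action == "send":
        return state, state == TAINTED   # sending while tainted violates
    return state, False                  # any other action is neutral


def satisfies(trace):
    """True iff the whole trace is accepted by the policy automaton."""
    state = CLEAN
    for action in trace:
        state, violation = policy_step(state, action)
        if violation:
            return False
    return True


def violates(state, action):
    return policy_step(state, action)[1]


# A controller maps (policy_state, next_target_action) to either None
# (halt the target) or (actions_to_insert, forward_the_action).
def truncation(state, action):
    """Schneider-style: stop the target at the first bad action."""
    return None if violates(state, action) else ([], True)


def suppression(state, action):
    """Drop the bad action, let the target continue."""
    return ([], False) if violates(state, action) else ([], True)


def insertion(state, action):
    """Insert a remedial action so that the bad action becomes acceptable."""
    return (["declassify"], True) if violates(state, action) else ([], True)


def edit(state, action):
    """Both powers: suppress the bad action and insert an alert."""
    return (["alert"], False) if violates(state, action) else ([], True)


def enforce(controller, trace):
    """Run `controller` in front of the target's trace; return the trace
    that actually reaches the environment."""
    state, output = CLEAN, []
    for action in trace:
        decision = controller(state, action)
        if decision is None:           # truncation halted the target
            break
        inserted, forward = decision
        for extra in inserted:         # inserted actions also move the policy state
            state, _ = policy_step(state, extra)
            output.append(extra)
        if forward:
            state, violation = policy_step(state, action)
            assert not violation, "controller forwarded a violating action"
            output.append(action)
    return output


# Constructed target trace: the first send leaks, the second is declassified.
TRACE = ["read_secret", "send", "declassify", "send", "close"]

if __name__ == "__main__":
    for ctrl in (truncation, suppression, insertion, edit):
        out = enforce(ctrl, TRACE)
        print(f"{ctrl.__name__:12} {out}  policy ok: {satisfies(out)}")
```

    The point of running all four on the same trace is to see the trade-off the abstract alludes to: truncation loses the whole tail of the execution after the first violation, suppression and edit keep the target running but change what it observably did, and insertion rewrites the trace into a policy-compliant one. Every output passes `satisfies`, which is the soundness condition a synthesised controller has to meet.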

    Automated Synthesis of Enforcing Mechanisms for Security Properties in a Timed Setting

    In [Martinelli, F. and I. Matteucci, Modeling security automata with process algebras and related results (2006), presented at the 6th International Workshop on Issues in the Theory of Security (WITS '06), informal proceedings; Martinelli, F. and I. Matteucci, Through modeling to synthesis of security automata (2006), accepted at STM06, to appear in ENTCS] we have presented an approach for enforcing security properties. It is based on the automatic synthesis of controller programs that are able to detect and possibly prevent wrong actions performed by an external agent. Here, we extend this approach to a timed setting. Under certain assumptions, we are also able to enforce several information flow properties. We show how to deal with parameterized systems.

    Infrastrutture a chiave pubblica e protocolli di sicurezza (Public key infrastructures and security protocols)

    This paper deals with case studies on the management of a public key infrastructure. An automated verification of secure procedures for certificate delivery is carried out.

    Partial model checking, process algebra operators and satisfiability procedures for (automatically) enforcing security properties

    In this paper we show how the partial model checking approach for the analysis of secure systems may also be useful for enforcing security properties. We define a set of process algebra operators that act as programmable controllers of possibly insecure components. The programs of these controllers may be obtained automatically through satisfiability procedures for a variant of the μ-calculus.

    About compositional analysis of pi-calculus processes

    We set up a logical framework for the compositional analysis of finite pi-calculus processes. In particular, we extend the partial model checking techniques developed for value-passing process algebras to a nominal calculus, the pi-calculus. The logic considered is an adaptation of the ambient logic to the pi-calculus. As one possible application, we show that our techniques may be used to study interesting security properties, such as confidentiality, for (finite) pi-calculus processes.

    Specification and Analysis of Information Flow Properties for Distributed Systems

    We present a framework for the specification and the analysis of information flow properties in partially specified distributed systems, i.e., systems in which there are several unspecified components located in different places. First we consider the notion of Non Deducibility on Composition (NDC for short), originally proposed for nondeterministic systems and based on trace semantics. We study how this information flow property can be extended in order to deal also with distributed partially specified systems. In particular, we develop two different approaches: the centralized NDC (CNDC) and the decentralized NDC (DNDC). According to the former, there is just one unspecified global component that has complete control of the n distributed locations where interaction occurs between the system and the unspecified component. According to DNDC, there is one unspecified component for each distributed location, and the n unspecified components are completely independent, i.e., they cannot coordinate their efforts or cooperate. Surprisingly enough, we prove that centralized NDC is as discriminating as decentralized NDC. However, when we move to Bisimulation-based Non-Deducibility on Composition (BNDC for short), the situation is completely different. We prove that centralized BNDC (CBNDC for short) is strictly finer than decentralized BNDC (DBNDC for short), hence proving the quite expected fact that a system that can resist coordinated attacks is also able to resist simpler attacks performed by independent entities. Then, by exploiting a variant of the modal μ-calculus that permits managing tuples of actions, we present a method to analyze when a system is CBNDC and/or DBNDC, based on the theory of decomposition of formulas and compositional analysis.
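    To make the trace-based NDC notion from the abstract above concrete, here is an added example that is not code from the paper. It represents a system as a small labelled transition system, builds the CCS-style composition (E | Π) \ H with one concrete high-level environment Π, and compares its low-level traces with those of E \ H. The quantification over all high environments is replaced by the Focardi and Gorrieri result that, under trace semantics, NDC coincides with SNNI (E / H trace-equivalent to E \ H); relying on that result, the action names, the two systems and the environment Π are all assumptions of this example, and the single-location (non-distributed) setting is a simplification of the paper's CNDC/DNDC.

```python
"""Trace-based Non-Deducibility on Composition (NDC) on small labelled
transition systems (LTS).  An LTS is a dict: state -> list of (action, state).
Action names are plain strings; TAU is the invisible action.
Constructed example; systems, environment and action names are assumptions."""

TAU = "tau"


def tau_closure(lts, states):
    """All states reachable from `states` through TAU moves only."""
    seen, work = set(states), list(states)
    while work:
        s = work.pop()
        for a, t in lts.get(s, []):
            if a == TAU and t not in seen:
                seen.add(t)
                work.append(t)
    return frozenset(seen)


def visible(lts, states):
    """Visible actions enabled in any of `states`."""
    return {a for s in states for a, _ in lts.get(s, []) if a != TAU}


def after(lts, states, action):
    """Subset-construction successor of `states` on a visible `action`."""
    return tau_closure(lts, {t for s in states for a, t in lts.get(s, []) if a == action})


def trace_equivalent(lts1, init1, lts2, init2):
    """Weak trace equivalence, decided on the pair of determinised LTSs."""
    start = (tau_closure(lts1, {init1}), tau_closure(lts2, {init2}))
    seen, work = {start}, [start]
    while work:
        p, q = work.pop()
        acts = visible(lts1, p)
        if acts != visible(lts2, q):
            return False
        for a in acts:
            nxt = (after(lts1, p, a), after(lts2, q, a))
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return True


def restrict(lts, H):
    """E \\ H: high actions cannot happen at all."""
    return {s: [(a, t) for a, t in ts if a not in H] for s, ts in lts.items()}


def hide(lts, H):
    """E / H: high actions happen but are invisible (become TAU)."""
    return {s: [(TAU if a in H else a, t) for a, t in ts] for s, ts in lts.items()}


def compose_restrict(E, e0, P, p0, H):
    """(E | P) \\ H in CCS style.  P is assumed to be a purely high-level
    process, so its only moves are synchronisations with E on H (which become
    TAU); low moves of E interleave freely.  Returns (lts, initial_state)."""
    lts, work, seen = {}, [(e0, p0)], {(e0, p0)}
    while work:
        s, p = work.pop()
        moves = []
        for a, s2 in E.get(s, []):
            if a not in H:
                moves.append((a, (s2, p)))
            else:
                for b, p2 in P.get(p, []):
                    if b == a:
                        moves.append((TAU, (s2, p2)))
        lts[(s, p)] = moves
        for _, nxt in moves:
            if nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return lts, (e0, p0)


def ndc_against(E, e0, P, p0, H):
    """NDC check against one concrete high-level environment P."""
    C, c0 = compose_restrict(E, e0, P, p0, H)
    return trace_equivalent(C, c0, restrict(E, H), e0)


def is_ndc(E, e0, H):
    """NDC over all high environments, via the Focardi-Gorrieri result that
    trace NDC coincides with SNNI:  E / H  ~trace  E \\ H."""
    return trace_equivalent(hide(E, H), e0, restrict(E, H), e0)


HIGH = {"h"}
# Constructed systems.  E_LEAKY = h.l.0 : the low action l is possible only
# after the high action h, so a low observer deduces that h happened.
E_LEAKY = {"s0": [("h", "s1")], "s1": [("l", "s2")], "s2": []}
# E_SAFE = l.0 + h.l.0 : l is possible whether or not h happened.
E_SAFE = {"t0": [("l", "t1"), ("h", "t2")], "t1": [], "t2": [("l", "t3")], "t3": []}
# One constructed high-level environment that performs h once.
PI = {"p0": [("h", "p1")], "p1": []}

if __name__ == "__main__":
    for name, E, e0 in [("E_LEAKY", E_LEAKY, "s0"), ("E_SAFE", E_SAFE, "t0")]:
        print(name, "NDC:", is_ndc(E, e0, HIGH), " vs PI:", ndc_against(E, e0, PI, "p0", HIGH))
```

    `ndc_against` is the property as stated (one unspecified component, one behaviour of it), which is what a model checker can test for a chosen Π; `is_ndc` is the check that survives the universal quantification, and it is the kind of reduction that makes the "unspecified component" analysable at all. The paper's distributed variants differ in whether several such Π share a state (CNDC) or not (DNDC).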

    A framework for automatic security controller generation

    This paper concerns the study, development and synthesis of mechanisms for guaranteeing the security of complex systems, i.e., systems composed of several interacting components. A complex system under analysis is described as an open system, in which a certain component has an unspecified behaviour (not fixed in advance). Regardless of this unspecified behaviour, the system should work properly, e.g., it should satisfy a certain property. Within this formal approach, we propose techniques to enforce properties and to synthesize controller programs able to guarantee that, for all possible behaviours of the unspecified component, the overall system is secure. For this task, we use techniques that provide necessary and sufficient conditions on the behaviour of the unspecified component for the whole system to be secure. Hence, we automatically synthesize the appropriate controller programs by exploiting satisfiability results for temporal logic. We contribute to the area of enforcement of security properties by proposing a flexible and automated framework that goes beyond the definition of how a system should behave to work properly. Indeed, while the majority of related work focuses on the definition of monitoring mechanisms, we aid in the synthesis of enforcing techniques. Moreover, we present a tool for the synthesis of secure systems that generates a controller program directly executable on real devices such as smartphones.

    Real-time information flow analysis
