51 research outputs found

    Quantitative Verification: Formal Guarantees for Timeliness, Reliability and Performance

    Computerised systems appear in almost all aspects of our daily lives, often in safety-critical scenarios such as embedded control systems in cars and aircraft or medical devices such as pacemakers and sensors. We are thus increasingly reliant on these systems working correctly, despite their often operating in unpredictable or unreliable environments. Designers of such devices need ways to guarantee that they will operate in a reliable and efficient manner. Quantitative verification is a technique for analysing quantitative aspects of a system's design, such as timeliness, reliability or performance. It applies formal methods, based on a rigorous analysis of a mathematical model of the system, to automatically prove certain precisely specified properties, e.g. "the airbag will always deploy within 20 milliseconds after a crash" or "the probability of both sensors failing simultaneously is less than 0.001". The ability to formally guarantee quantitative properties of this kind is beneficial across a wide range of application domains. For example, in safety-critical systems, it may be essential to establish credible bounds on the probability with which certain failures or combinations of failures can occur. In embedded control systems, it is often important to comply with strict constraints on timing or resources. More generally, being able to derive guarantees on precisely specified levels of performance or efficiency is a valuable tool in the design of, for example, wireless networking protocols, robotic systems or power management algorithms, to name but a few. This report gives a short introduction to quantitative verification, focusing in particular on a widely used technique called model checking, and its generalisation to the analysis of quantitative aspects of a system such as timing, probabilistic behaviour or resource usage. The intended audience is industrial designers and developers of systems such as those highlighted above who could benefit from the application of quantitative verification, but lack expertise in formal verification or modelling.

    Security analysis for temporal role based access control

    Providing restrictive and secure access to resources is a challenging and socially important problem. Among the many formal security models, Role Based Access Control (RBAC) has become the norm in many of today's organizations for enforcing security. For every model, it is necessary to analyze and prove that the corresponding system is secure. Such analysis helps understand the implications of security policies, helps organizations gain confidence in the control they have over resources while providing access, and helps them devise and maintain policies. In this paper, we consider security analysis for Temporal RBAC (TRBAC), one of the extensions of RBAC. The TRBAC considered in this paper allows temporal restrictions on roles themselves, user-permission assignments (UA), permission-role assignments (PA), as well as role hierarchies (RH). Towards this end, we first propose a suitable administrative model that governs changes to temporal policies. Then we propose our security analysis strategy, which essentially decomposes the temporal security analysis problem into smaller and more manageable RBAC security analysis sub-problems for which existing RBAC security analysis tools can be employed. We then evaluate these sub-problems from a practical perspective by measuring their performance using simulated data sets.

    Temporal and Resource Controllability of Workflows Under Uncertainty

    Workflow technology has long been employed for the modeling, validation and execution of business processes. A workflow is a formal description of a business process in which single atomic work units (tasks), organized in a partial order, are assigned to processing entities (agents) in order to achieve some business goal(s). Workflows can also employ workflow paths (projections with respect to a total truth value assignment to the Boolean variables associated with the conditional split connectors) in order (not) to execute a subset of tasks. A workflow management system coordinates the execution of tasks that are part of workflow instances such that all relevant constraints are eventually satisfied. Temporal workflows specify business processes subject to temporal constraints such as controllable or uncontrollable durations, delays and deadlines. The choice of a workflow path may be controllable or not, considered either in isolation or in combination with uncontrollable durations. Access controlled workflows specify workflows in which users are authorized for task executions and authorization constraints say which users remain authorized to execute which tasks depending on who did what. Access controlled workflows may also consider workflow paths, in addition to the uncertain availability of resources (users, throughout this thesis). When either a task duration, the choice of the workflow path to take, or the availability of a user is out of control, we need to verify that the workflow can be executed by checking all constraints for any possible combination of behaviors arising from the uncontrollable parts. Indeed, users might be absent before starting the execution (static resiliency), they can also become so during execution (decremental resiliency), or they can come and go throughout the execution (dynamic resiliency). Temporal access controlled workflows merge the two previous formalisms by considering several kinds of uncontrollable parts simultaneously. Authorization constraints may be extended to support conditional and temporal features. A few years ago some proposals addressed the temporal controllability of workflows by encoding them into temporal networks to exploit "off-the-shelf" controllability checking algorithms available for them. However, those proposals fail to address temporal controllability where the controllable and uncontrollable choices of workflow paths may mutually influence one another. Furthermore, to the best of my knowledge, controllability of access controlled workflows subject to uncontrollable workflow paths, and algorithms to validate and execute dynamically resilient workflows, remain unexplored. To overcome these limitations, this thesis pursues exact algorithms by addressing temporal and resource controllability of workflows under uncertainty. I provide several new classes of (temporal) constraint networks and corresponding algorithms to check their controllability. After that, I encode workflows into these new formalisms. I also provide an encoding into instantaneous timed games to model static, decremental and dynamic resiliency and to synthesize memoryless execution strategies. I developed a few tools with which I carried out some initial experimental evaluations.

    DISC-SET: Handling temporal and security aspects in the Web services composition

    In this paper we propose the DISC-SeT framework to handle the representation, solution computation and verification of temporal and security requirements in services composition. The proposed approach provides a flexible event-calculus-based composition design that allows for modeling different temporal aspects (response time, time units and others) and security aspects (access control, confidentiality and others) for Web services with different synchronization modes. The use of a formal approach makes it possible to reason about and verify the security and temporal requirements. Further, as the proposed approach is integrated with and builds upon the DISC framework, it can learn from run-time security and temporal constraint violations in order to take recovery actions.

    Weak, Strong and Dynamic Controllability of Access-Controlled Workflows Under Conditional Uncertainty

    A workflow (WF) is a formal description of a business process in which single atomic work units (tasks), organized in a partial order, are assigned to processing entities (agents) in order to achieve some business goal(s). A workflow management system must coordinate the execution of tasks and WF instances. Usually, the assignment of tasks to agents is governed by external constraints not represented in a WF. An access-controlled workflow (ACWF) extends a classical WF by explicitly representing agent availability for each task and authorization constraints. Authorization constraints model which users are authorized for which tasks depending on "who did what". Recent research has addressed temporal controllability of WFs under conditional and temporal uncertainty. However, controllability analysis for ACWFs under conditional uncertainty has never been addressed before. In this paper, we define weak, strong and dynamic controllability of ACWFs under conditional uncertainty, we present algorithmic approaches to address each of these types of controllability, and we synthesize execution strategies that specify which user has been (or will be) assigned to which task.

    Framework for automatic verification of UML design models : application to UML 2.0 interactions

    Software-intensive systems have become extremely complex and susceptible to defects and vulnerabilities. At the same time, the consequences of software errors have also become much more severe. In order to reduce the overall development cost and assure the security and reliability of the final product, it is of critical importance to investigate techniques able to detect defects as early as possible in the software development process, where the costs of repairing a software flaw are much lower than at the maintenance phase. In this research work, we propose an approach for detecting flaws at the design phase by combining two highly successful techniques from the information technology (IT) industry in the fields of modeling languages and verification technologies. The first one is the Unified Modeling Language (UML). It has become the de facto language for software specification and design. UML is now used by a wide range of professionals with very different backgrounds. The second one is Model Checking, which is a formal verification technique that allows the desired properties to be verified through the inspection of all possible states of the model under consideration. Despite the fact that Model Checking gives developers significant capabilities for creating a secure design of the system, it is still not very popular in the UML community. There are many challenges faced by UML developers when it comes to combining UML with model checking (e.g., developers are not familiar with formal logics, the verification result is not in the UML notation, and the generation of the model checker's code from UML models is a problematic task). The proposed approach addresses these problems by implementing a new verification framework with support for property specification without the complexity of formal languages, UML-like notation for the verification results, and a fully automatic verification process.

    Architectural Generation of Context-based Attack Paths

    In industrial processes (Industry 4.0) and other areas of our lives, such as the energy or healthcare sector, the confidentiality of data is becoming increasingly important. To protect confidential information on critical systems, it is important to determine whether compromising these critical systems is possible. Therefore, relevant attack paths in different access control contexts must be found in order to compare different software architectures with respect to this security aspect. To save costs, it is important to consider potential attack paths already in the design phase of the software architecture. There are already approaches that address the topic of attack path generation. However, they often do not consider it at the software architecture modelling level, which makes the analysis harder to use for component-based software modelling. Furthermore, other approaches often do not consider both vulnerabilities and access control mechanisms. Therefore, this thesis presents an approach for finding all potential attack paths in a software architecture model with respect to vulnerabilities and access control. This helps software architects and security experts find relevant and critical attack paths to a critical element more easily. However, the set of all attack paths is often too large, so the approach presented here introduces and uses meaningful filter criteria based on widespread vulnerability classification standards. The purpose of these filters is to enable the software architect to restrict the resulting attack paths to the relevant ones. The evaluation of the thesis indicated that the model used and the implemented approach can mostly be applied in small scenarios extracted from real-world case studies. Moreover, the evaluation also indicated an effort reduction of 35 % to 80 % for the software architect. However, no greater scalability of the approach could be shown, since exponential runtime behaviour was observed. Mitigating this scalability problem is, however, one of the main reasons for using the filter criteria.