    An Access Control Model Based Testing Approach for Smart Card Applications: Results of the {POSÉ} Project

    This paper is about generating security tests from the Common Criteria expression of a security policy, in addition to functional tests previously generated by a model-based testing approach. The method that we present re-uses the functional model and the concretization layer developed for the functional testing, and relies on an additional security policy model. We discuss how to produce the security policy model from a Common Criteria security target. We propose to compute the tests by using some test purposes as guides for the tests to be extracted from the models. We see a test purpose as the combination of a security property and a test need issued from the know-how of a security engineer. We propose a language based on regular expressions for the expression of such test purposes. We illustrate our approach by means of the IAS case study, a smart card application dedicated to the operations of Identification, Authentication and electronic Signature.
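
    The test-purpose-driven generation described above, as an added example that is not the POSÉ project's own tooling: a toy functional model of an IAS-like applet, a separate access-control policy standing in for the rules of a Common Criteria security target, and test purposes written as regular expressions over the command alphabet. Every model path that matches a purpose becomes a test, the policy supplies the expected verdict for each command, and a constructed applet plays the role of the implementation behind the concretization layer. The command names, the state variables, the policy rules and the applet are all assumptions.

```python
import itertools
import re
from dataclasses import dataclass

# Constructed command alphabet of an IAS-like applet (assumption: the real
# IAS model has many more commands; only the shape of the method matters).
OPS = ["VERIFY_OK", "VERIFY_BAD", "SIGN", "READ_PRIVATE", "READ_PUBLIC", "RESET"]


@dataclass(frozen=True)
class State:
    pin_ok: bool = False      # PIN currently verified
    tries_left: int = 3       # remaining PIN presentations before blocking


def step(s: State, op: str) -> State:
    """Functional model: how each command changes the abstract state."""
    if op == "VERIFY_OK":
        return State(pin_ok=True, tries_left=3) if s.tries_left > 0 else s
    if op == "VERIFY_BAD":
        return State(pin_ok=False, tries_left=max(0, s.tries_left - 1))
    if op == "RESET":
        return State(pin_ok=False, tries_left=s.tries_left)
    return s  # SIGN / READ_* leave the state unchanged


# Security policy model (assumed stand-in for the access-control rules of a
# security target): the state a command requires before it may be executed.
POLICY = {
    "SIGN":         lambda s: s.pin_ok,
    "READ_PRIVATE": lambda s: s.pin_ok,
    "READ_PUBLIC":  lambda s: True,
    "VERIFY_OK":    lambda s: s.tries_left > 0,   # blocked PIN: no more tries
    "VERIFY_BAD":   lambda s: s.tries_left > 0,
    "RESET":        lambda s: True,
}


def verdicts(seq):
    """Walk the functional model and attach the policy's decision to each command."""
    s, out = State(), []
    for op in seq:
        out.append((op, "GRANT" if POLICY[op](s) else "DENY"))
        s = step(s, op)
    return out


def generate(purpose: str, max_len: int):
    """Test purpose = regular expression over the command alphabet (space-separated).

    Every model path of length <= max_len matching it becomes one test with
    oracle verdicts attached."""
    pat = re.compile(purpose)
    return [verdicts(seq)
            for n in range(1, max_len + 1)
            for seq in itertools.product(OPS, repeat=n)
            if pat.fullmatch(" ".join(seq))]


class Applet:
    """Constructed implementation under test, the target of the concretization layer."""

    def __init__(self):
        self.pin_ok, self.tries = False, 3

    def send(self, op):
        if op in ("VERIFY_OK", "VERIFY_BAD"):
            if self.tries == 0:
                return "DENY"                      # PIN blocked
            if op == "VERIFY_OK":
                self.pin_ok, self.tries = True, 3
            else:
                self.pin_ok, self.tries = False, self.tries - 1
            return "GRANT"
        if op == "RESET":
            self.pin_ok = False
            return "GRANT"
        if op == "READ_PUBLIC":
            return "GRANT"
        return "GRANT" if self.pin_ok else "DENY"   # SIGN, READ_PRIVATE


def run_tests(tests, make_applet=Applet):
    """Concretize each abstract test as a fresh applet session; return (passed, failed)."""
    passed = failed = 0
    for test in tests:
        applet = make_applet()
        if all(applet.send(op) == expected for op, expected in test):
            passed += 1
        else:
            failed += 1
    return passed, failed


# Test purpose from a security engineer's test need: after three wrong PINs the
# PIN is blocked, so a later correct PIN and a signature must both be refused.
BLOCKED_THEN_SIGN = r"(VERIFY_BAD ){3}VERIFY_OK SIGN"
# Security property "no signature without an open PIN session", behind any prefix.
ANY_THEN_SIGN = r"(\w+ )*SIGN"
```

    `generate(BLOCKED_THEN_SIGN, 5)` yields exactly one test whose oracle reads GRANT, GRANT, GRANT, DENY, DENY; `generate(ANY_THEN_SIGN, 3)` enumerates all 43 command sequences of length at most three that end in SIGN, and `run_tests` replays each one against a fresh applet. Keeping the policy separate from the functional model is what lets the same paths be re-used when only the security target changes.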

    A Million Lines of Proof About a Moving Target (Invited Talk)

    In the last ten years, we have been porting, maintaining, and evolving the world's largest proof base, the formal proof in Isabelle/HOL of the seL4 microkernel. But actually, there is no such thing as "the seL4 proof"; there are a number of proofs (functional correctness, binary translation validation, integrity and confidentiality proofs, etc.) about a number of instances of seL4 (depending on the hardware platform it runs on, the features it includes, the extensions it supports). We will give an overview of the current state of these proofs and, importantly, of the challenges we face in maintaining, evolving and extending them, and the processes we have put in place to manage their dependence on the evolving implementation.

    Front Matter, Table of Contents, Preface, Conference Organization

    LIPIcs, Volume 237, ITP 2022, Complete Volume

    Final Report AOARD 094160 Formal System Verification for Trustworthy Embedded Systems

    System Verification for Trustworthy Embedded Systems. We begin by revisiting the original motivation and work plan, continue with a brief high-level summary of the project outcomes and end with two publications [1, 2] tha

    Bridging the gap: Automatic verified abstraction of C

    Before low-level imperative code can be reasoned about in an interactive theorem prover, it must first be converted into a logical representation in that theorem prover. Accurate translations of such code should be conservative, choosing safe representations over representations convenient to reason about. This paper bridges the gap between conservative representation and convenient reasoning. We present a tool that automatically abstracts low-level C semantics into higher level specifications, while generating proofs of refinement in Isabelle/HOL for each translation step. The aim is to generate a verified, human-readable specification, convenient for further reasoning.

    Refinement of Parallel Algorithms down to LLVM

    We present a stepwise refinement approach to develop verified parallel algorithms, down to efficient LLVM code. The resulting algorithms' performance is competitive with their counterparts implemented in C/C++. Our approach is backwards compatible with the Isabelle Refinement Framework, such that existing sequential formalizations can easily be adapted or re-used. As a case study, we verify a parallel quicksort algorithm and show that it performs on par with its C++ implementation and is competitive with state-of-the-art parallel sorting algorithms.
    2012 ACM Subject Classification: Software and its engineering → Formal software verification; Theory of computation → Semantics and reasoning; Computing methodologies → Parallel algorithms
    Keywords and phrases: Isabelle, Concurrent Separation Logic, Parallel Sorting, LLVM
    Supplementary Material: Software (Isabelle Formalization): https://www21.in.tum.de/~lammich/isabelle_llvm_par

    Formal modelling and verification of systems embedded in microprocessor cards (Java Card platform and operating system)

    The work presented in this thesis aims at strengthening the safety and security level of smart card embedded systems through the use of formal methods. On one hand, we present the formal verification of the isolation of the data belonging to different applets loaded on the same card. More precisely, we describe the formal proof, in the Coq proof system, that the run-time access control performed by the Java Card platform ensures data confidentiality and integrity. On the other hand, we study the correctness and the safety of the low-level source code of an embedded operating system. This study is illustrated by a Flash memory management module that uses a journaling mechanism to keep the memory consistent in the case of a card tear (the card being pulled out of the terminal). The verification of functional and local properties has been developed using the Caduceus program verification tool. Since this tool does not support some low-level constructs of the C language, such as unions and casts, we propose an analysis and solutions for the formalisation of such constructs. We also propose an extension of Caduceus that allows the behaviour of a function to be specified and verified in the case of a sudden interruption of its execution. Then we introduce a methodology for the verification of high-level, global properties, meant for the expression and proof of such properties on a model formally linked to the source code. More precisely, we describe the automatic extraction of a transition system from annotations that are verified against the source code. This transition system can then be embedded in a higher-order logic.
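
    The journaling idea from the second half of the thesis, as an added example that is not the thesis' own module: a constructed Flash model whose cells are erased to 0xFF, can only have bits cleared by a program operation, and are restored only by an erase; a naive erase-then-program update beside a journaled one; and a tear injected after every possible operation, followed by the power-up recovery routine, to check the property the Caduceus extension is meant to state, that an interrupted update leaves the word at either its old or its new value. The cell layout, the record states, the recovery routine and the sample contents are assumptions.

```python
# Constructed Flash model (added example, not the thesis' code). Assumptions:
# erased cells read 0xFF, programming can only clear bits, erasing restores
# 0xFF, each byte operation is atomic, and a card tear may strike between any
# two operations.
ERASED = 0xFF
JOURNAL_SLOTS = 4
# Record states chosen so that each transition only clears bits: FF -> 7F -> 3F.
REC_FREE, REC_PENDING, REC_COMMITTED = 0xFF, 0x7F, 0x3F


class Torn(Exception):
    """Raised when the simulated card is pulled out mid-update."""


class Flash:
    def __init__(self, initial, tear_after=None):
        self.data = bytearray(initial)
        # journal slot layout: [state, data index, new value]
        self.journal = [bytearray([ERASED] * 3) for _ in range(JOURNAL_SLOTS)]
        self.budget = tear_after   # operations left before the tear; None = never

    def _power(self):
        if self.budget is not None:
            if self.budget == 0:
                raise Torn()
            self.budget -= 1

    def program(self, cell, i, v):
        self._power()
        cell[i] &= v               # Flash can only clear bits

    def erase(self, cell, i):
        self._power()
        cell[i] = ERASED


def naive_update(f, idx, v):
    """Erase then program: a tear between the two leaves 0xFF in the word."""
    f.erase(f.data, idx)
    f.program(f.data, idx, v)


def find_free_slot(f):
    # A slot whose index/value were programmed but whose state is still FREE
    # belongs to an update torn before its intent was durable; skip it.
    for i, r in enumerate(f.journal):
        if r[0] == REC_FREE and r[1] == ERASED and r[2] == ERASED:
            return i
    raise RuntimeError("journal full")


def apply_record(f, r):
    """Redo the recorded write; idempotent, so safe to repeat after a tear."""
    f.erase(f.data, r[1])
    f.program(f.data, r[1], r[2])
    f.program(r, 0, REC_COMMITTED)


def journaled_update(f, idx, v):
    r = f.journal[find_free_slot(f)]
    f.program(r, 1, idx)
    f.program(r, 2, v)
    f.program(r, 0, REC_PENDING)   # intent is durable: point of no return
    apply_record(f, r)


def recover(f):
    """Power-up recovery: finish every PENDING record; FREE ones never became intents."""
    for r in f.journal:
        if r[0] == REC_PENDING:
            apply_record(f, r)


def after_tear(update, budget):
    """Run `update` of word 2 (3 -> 9) on constructed contents [1, 2, 3, 4],
    tear it after `budget` operations, recover, and return the data words."""
    f = Flash([1, 2, 3, 4], tear_after=budget)
    try:
        update(f, 2, 9)
    except Torn:
        pass
    f.budget = None                # power is back
    recover(f)
    return list(f.data)


def journaled_is_atomic(max_ops=6):
    """True if every tear point leaves word 2 at the old or the new value and
    the other words untouched (the journaled update takes six operations)."""
    for b in range(max_ops + 1):
        d = after_tear(journaled_update, b)
        if d[2] not in (3, 9) or [d[0], d[1], d[3]] != [1, 2, 4]:
            return False
    return True
```

    `after_tear(naive_update, 1)` shows the failure mode: the erase went through, the program did not, and word 2 reads 0xFF. With the journal, a tear before the PENDING mark leaves the old value and a tear after it is completed by `recover`, because the redo is idempotent; the state encoding FF -> 7F -> 3F matters, since a state byte that needed an erase to advance could itself be torn half-way.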