A Constraint-Solving Approach for Achieving Minimal-Reset Transition Coverage of Smartcard Behaviour

Smartcards are security critical devices requiring a high assurance verification approach. Although formal techniques can be used at design or even at development stages, such systems have to undergo a traditional hardware-in-the-loop testing phase. This phase is subject to two key requirements: achieving exhaustive transition coverage of the behavior of the system under test, and minimizing the testing time. In this context, testing time is highly bound to a specific hardware reset operation. Model-based testing is the adequate approach given the availability of a precise model of the system behavior and its ability to produce high quality coverage while optimizing some cost criterion. %l'argument n'est pas convainquant.This paper presents an original algorithm addressing this problem by reformulating it as an integer programming problem to make a graph Eulerian. The associated cost criterion captures both the number of resets and the total length of the test suite, as an auxiliary objective. The algorithm ensures transition coverage. An implementation of the algorithm was developed, benchmarked, and integrated into an industrial smartcard testing framework. A validation case study from this domain is also presented. The approach can of course be applied to any other domains with similar reset-related testing constraints

Elaborating complete and consistent requirements for security-critical systems

The elaboration of requirements is a crucial step in the development of software-intensive security-critical application. From this stage on, the security engineering process heads towards the implementation of the identified security requirements. A missing, inadequate, imprecise or inconsistent requirement might cause the resulting application to have vulnerabilities, despite the huge amount of work that might be invested in implementing the elaborated security requirements. Vulnerabilities in requirements models notably arise from incompleteness and inconsistency. Incompleteness refers to missing requirements; inconsistency refers to requirements prescribing incompatible behaviors. Inconsistent requirements might give rise to vulnerabilities because they cannot be enforced altogether: one of them will be violated at run time. This thesis proposes three techniques for assisting engineers in the elaboration of complete and consistent requirements through model-based analysis. The two first focus on completeness issues, the last one on consistency. The three techniques build on a specific model-based framework for goal-oriented requirements analysis. They are demonstrated through models of an e-purse system and an e-signature system. The first technique is a formal framework for specifying and analyzing confidentiality concerns. Our framework makes it possible to discover confidentiality violations at requirements engineering time through model checking. The second technique focuses on the responsibility assignment of security requirements. Some agents in the software or in its environment might be malicious or too vulnerable. One should not rely on them in the enforcement of security goals. This technique introduces a security-specific completeness criterion ensuring that the enforcement of security goals only depends on the behavior of agents that are known to be trustworthy or built to be trustworthy. A systematic process is proposed for elaborating requirements models complying with this criterion. The third technique makes it possible to automatically detect goal-level inconsistencies called divergences. Divergences between goals lead to inconsistencies between requirements, and to potential vulnerabilities in the running system.(FSA 3) -- UCL, 200

Reasoning About Confidentiality at Requirements Engineering Time

Growing attention is being paid to application security at requirements engineering time. Confidentiality is a particular subclass of security concerns that requires sensitive information to never be disclosed to unauthorized agents. Disclosure refers to undesired knowledge states of such agents. In previous work we have extended our requirements specification framework with epistemic constructs for capturing what agents may or may not know about the application. Roughly, an agent knows some property if the latter is found in the agent’s memory. This paper makes the semantics of such constructs further precise through a formal model of how sensitive information may appear or disappear in an agent’s memory. Based on this extended framework, a catalog of specification patterns is proposed to codify families of confidentiality requirements. A proof-ofconcept tool is presented for early checking of requirements models against such confidentiality patterns. In case of violation, the counterexample scenarios generated by the tool show how an unauthorized agent may acquire confidential knowledge. Countermeasures should then be devised to produce further confidentiality requirements

Query-based risks management of manufacturing processes

Managing risks in supply chains is challenging for most companies, given the globalisation process which is strengthening the production constraints and also introducing more procurements risks. This is especially difficult for smaller companies because they generally lack resources to develop a specific expertise or buy expensive tools. Our research aims at addressing those issues by proposing an easy to use, yet powerful simulation framework based on Discrete Event Simulation. In our previous work we demonstrated the expressiveness of our modelling language and the efficiency of our simulation framework. The focus of this paper is on the usability dimension of the developed tool. We describe the global process driving the company through the whole risk control process, from identification, modelling, simulation and analysis. We demonstrate our ideas on a web-based prototype composed on a number of wizards and component supporting the structured analysis of simulation outcome in direct relation with the risks

Deriving tabular event-based specifications from goal-oriented requirements models

Goal-oriented methods are increasingly popular for elaborating software requirements. They offer systematic support for incrementally building intentional, structural and operational models of the software and its environment. They also provide various techniques for early analysis, notably, to manage conflicting goals or to anticipate abnormal environment behaviours that prevent goals from being achieved. On the other hand, tabular event-based methods are well-established for specifying operational requirements for control software. They provide sophisticated techniques and tools for late analysis of software behaviour models through simulation, model checking or table exhaustiveness checks. The paper proposes to take the best out of these two worlds to engineer requirements for control software. It presents a technique for deriving event-based specifications, written in the SCR tabular language, from operational specifications built according to the KAOS goal-oriented method. The technique consists of a series of transformation steps each of which resolves semantic, structural or syntactic differences between the KAOS source language and the SCR target language. Some of these steps need human intervention and illustrate the kind of semantic subtleties that need to be taken into account when integrating multiple formalisms. As a result of our technique SCR specifiers may use upstream goal-based processes a la KAOS for the incremental elaboration, early analysis, organization and documentation of their tables, while KAOS modelers may use downstream tables d la SCR for later analysis of the behaviour models derived from goal specifications

Reasoning about confidentiality at requirements engineering time

Growing attention is being paid to application security at requirements engineering time. Confidentiality is a particular subclass of security concerns that requires sensitive information to never be disclosed to unauthorized agents. Disclosure refers to undesired knowledge states of such agents. In previous work we have extended our requirements specification framework with epistemic constructs for capturing what agents may or may not know about the application. Roughly, an agent knows some property if the latter is found in the agent's memory.This paper makes the semantics of such constructs further precise through a formal model of how sensitive information may appear or disappear in an agent's memory. Based on this extended framework, a catalog of specification patterns is proposed to codify families of confidentiality requirements. A proof-of-concept tool is presented for early checking of requirements models against such confidentiality patterns. In case of violation, the counterexample scenarios generated by the tool show how an unauthorized agent may acquire confidential knowledge. Counter-measures should then be devised to produce further confidentiality requirements