
    In my Wish List, an Automated Tool for Fail-Secure Design Analysis: an Alloy-Based Feasibility Draft

    A system is said to be fail-secure, sometimes confused with fail-safe, if it maintains its security requirements even in the event of some faults. Fail-secure analyses are required by some validation schemes, such as some Common Criteria or NATO certifications. However, it is an aspect of security which has been overlooked by the community. This paper attempts to shed some light on the fail-secure field of study by: giving a definition of fail-secure as used in those certification schemes, and emphasizing the differences with fail-safe; and exhibiting a first feasibility draft of a fail-secure design analysis tool based on the Alloy model checker.
    Comment: In Proceedings ESSS 2014, arXiv:1405.055

    A Java Method Search Engine Based on Method Signatures

    The goal of this article is to propose an approach for building a method search engine within a programming language. Such a tool proves particularly useful to developers. Solutions have already been proposed, but most of them are based on textual search, that is, solely on the textual content of the descriptions of the various methods. In this article we propose a new approach based on method signatures. The language used throughout this article is Java.

    Industrial Experience Report on the Formal Specification of a Packet Filtering Language Using the K Framework

    Many project-specific languages, including in particular filtering languages, are defined using non-formal specifications written in natural languages. This leads to ambiguities and errors in the specification of those languages. This paper reports on an industrial experiment on using a tool-supported language specification framework (K) for the formal specification of the syntax and semantics of a filtering language having a complexity similar to those of real-life projects. This experiment aims at estimating, in a specific industrial setting, the difficulty and benefits of formally specifying a packet filtering language using a tool-supported formal approach.

    Experience Report on Using the K Framework for the Formal Specification of a Frame Filtering Language

    Many project-specific languages, including in particular filtering languages, are defined using non-formal specifications written in natural languages. This leads to ambiguities and errors in the specification of those languages. This paper reports on an experiment on using a tool-supported language specification framework (K) for the formal specification of the syntax and semantics of a filtering language having a complexity similar to those of real-life projects. In the context of this experiment, the cost and benefits of formally specifying a language using a tool-supported framework in general (as well as the expressivity and ease of use of the K framework in particular) are evaluated.

    Many project-specific languages, among them filtering languages, are defined in a non-formal specification written in natural language. These specifications are consequently often ambiguous and erroneous. This report is an experience report on using a tool-supported language specification framework (the K framework) for the formal specification of the syntax and semantics of a frame filtering language with a complexity similar to that encountered on real projects. In the context of this experiment, the report evaluates the costs and benefits of a formal language specification approach relying on a tool-supported framework in general, and more particularly in the case of the K framework.

    From Monolithic to Microservice Architecture: The Case of Extensible and Domain-Specific IDEs

    Integrated Development Environments (IDEs) are evolving towards cloud-native applications with the aim to relocate the language services provided by an IDE on distant servers. Existing research works focus on the overall migration process to handle more efficiently their specific requirements. However, the microservicization of legacy monolithic applications is still highly dependent on the specific properties of the application of interest. In this paper, we report our experiment on the microservicization process of the cloud-based graphical modeling workbench Sirius Web. We aim to identify the technical challenges related to applications with similar properties, and provide insights for practitioners to migrate their similar applications towards microservices. We discuss the main lessons learned and identify the underlying challenges to be further addressed by the community.

    Confidentiality Enforcement Using Dynamic Information Flow Analyses

    With the intensification of communication in information systems, interest in security has increased. The notion of noninterference is typically used as a baseline security policy to formalize confidentiality of secret information manipulated by a program. This notion, based on ideas from classical information theory, was first introduced by Goguen and Meseguer (1982) as the absence of strong dependency (Cohen, 1977).

    "information is transmitted from a source to a destination only when variety in the source can be conveyed to the destination" Cohen (1977)

    Building on the notion proposed by Goguen and Meseguer, a program is typically said to be noninterfering if the values of its public outputs do not depend on the values of its secret inputs. If that is not the case then there exist illegal information flows that allow an attacker, having knowledge about the source code of the program, to deduce information about the secret inputs from the public outputs of the execution. In contrast to the vast majority of previous work on noninterference, which is based on static analyses (especially type systems), this PhD thesis report considers dynamic monitoring of noninterference. A monitor enforcing noninterference is more complex than standard execution monitors.

    "the information carried by a particular message depends on the set it comes from. The information conveyed is not an intrinsic property of the individual message." Ashby (1956)

    The work presented in this report is based on the combination of dynamic and static information flow analyses. The practicality of such an approach is demonstrated by the development of a monitor for concurrent programs including synchronization commands. This report also elaborates on the soundness with regard to noninterference and precision of such approaches.

    With the increase in communication between information systems, interest in security mechanisms has grown. The notion of noninterference, introduced by Goguen and Meseguer (1982), is frequently used to formalize security policies involving the confidentiality of the secrets manipulated by a program. A program is said to be noninterfering if its behaviour observable by everyone is not influenced by the values of the secrets it manipulates. If this is not the case, then an attacker with knowledge of the program's source code can deduce information about the secrets it manipulates from observing the program's behaviour. Unlike the majority of previous work on noninterference (mainly static analyses), this PhD thesis report is concerned with the dynamic control of noninterference. Dynamic control of information flows is a complex task because the information carried by a message is not an intrinsic property of that message. It also depends, when the recipient knows the set of messages that can be sent, on the composition of that set. The work presented in this report is based on the composition of dynamic and static information flow analyses. Noninterference monitors are developed for several languages, including a concurrent language with a synchronization command. The correctness of these monitors is proved and their precision is compared to previous work.

    Automaton-based Non-interference Monitoring of Concurrent Programs

    Earlier work [LGBJS06] presents an automaton-based non-interference monitoring mechanism for sequential programs. This technical report extends this work to a concurrent setting. Monitored programs are constituted of a set of threads running in parallel. Those threads run programs equivalent to those of [LGBJS06] except for the inclusion of a synchronization command. The monitoring mechanism is still based on a security automaton and on a combination of dynamic and static analyses. As in [LGBJS06], the monitoring semantics sends abstractions of program events to the automaton, which uses the abstractions to track information flows and to control the execution by forbidding or editing dangerous actions. All monitored executions are proved to be non-interfering (soundness)

    Precise dynamic verification of noninterference

    Confidentiality is maybe the most popular security property to be formally or informally verified. Noninterference is a baseline security policy to formalize confidentiality of secret information manipulated by a program. Many static analyses have been developed for the verification of noninterference. In contrast to those static analyses, this paper considers the run-time verification of the respect of confidentiality by a single execution of a program. It proposes a dynamic noninterference analysis for sequential programs based on a combination of dynamic and static analyses. The static analysis is used to analyze some unexecuted pieces of code in order to take into account all types of flows. The static analysis is sensitive to the current program state. This sensitivity allows the overall dynamic analysis to be more precise than previous work. The soundness of the overall dynamic noninterference analysis with regard to confidentiality breaches detection and correction is proved