
    Preface


    Formally Defining Security Properties with Relations on Streams


    Threat Scenarios as a Means to Formally Develop Secure Systems

    We introduce a new method for the formal development of secure systems that closely corresponds to the way secure systems are developed in practice. It is based on Focus, a general-purpose approach to the design and verification of distributed, interactive systems. Our method utilizes threat scenarios, which are the result of threat identification and risk analysis and model those attacks that are of importance to the system's security. We describe the adversary's behaviour and influence on interaction. Given a suitable system specification, threat scenarios can be derived systematically from that specification. Security is defined as a particular relation on threat scenarios and systems. We show the usefulness of our approach by developing an authentic server component, thereby analysing two simple authentication protocols. Keywords: Security, Formal Methods, Threat Identification, Risk Analysis, Stream Processing Functions, Authentication, Protocols. 1 Introduction Wh..

    SOA Security for Modern Enterprises (SOA-Sicherheit für moderne Unternehmen)


    A model-checking approach to analysing organisational controls in a loan origination process

    Demonstrating the safety of a system (i.e. avoiding the undesired propagation of access rights or indirect access through some other granted resource) is one of the goals of access control research, e.g. [1-4]. However, the flexibility required from enterprise resource management (ERP) systems may require the implementation of seemingly contradictory requirements (e.g. tight access control but at the same time support for discretionary delegation of workflow tasks and rights). To aid in the analysis of safety problems in workflow-based ERP systems, this paper presents a model-checking-based approach for the automated analysis of delegation and revocation functionalities. This is done in the context of a real-world banking workflow requiring static and dynamic separation of duty properties. We derived information about the workflow from BPEL specifications and ERP business object repositories. This was captured in an SMV specification together with a definition of possible delegation and revocation scenarios. The required separation properties were translated into a set of LTL-based constraints. In particular, we analyse the interaction between delegation and revocation activities in the context of dynamic separation of duty policies.

    Preface


    Blockchains, Smart Contracts and Future Applications (Dagstuhl Seminar 18152)

    This report documents the Dagstuhl seminar 18152 "Blockchains, Smart Contracts & Future Applications". While Bitcoin currently works well in practice, there are many open questions regarding the long-term perspective of blockchain technologies, for both public and private/permissioned blockchains. It is yet unclear how processes can be designed to work in predictive ways and how to embed security in the lifecycle of smart contract development and deployment. Furthermore, the distributed nature of the system needs to be considered when thinking about which groups or individuals can influence future developments. Similar to 'real-world' societies, blockchains are based on mutual recognition of conventions. Diverse academic disciplines as well as industry can and need to collaborate to advance research in blockchain and to fully understand how the technology might impact our future lives.