Specification and Verification of a 'Separation of Duty' Scenario as a Binding Telecooperation in the Sense of the Balance Model (original title: Spezifikation und Verifikation eines 'Separation of Duty'-Szenarios als verbindliche Telekooperation im Sinne des Gleichgewichtsmodells)

Abstract

The balance model assures non-repudiation of telecooperation in open systems. This security model, introduced in 1993 by Dr. Ruediger Grimm, is the latest step in a series of proposed security models. It addresses the problem that the integrity of data in open systems cannot be assured by a third party. In contrast to 'conventional' security models, which are limited to locking out danger, the balance model extends this view to the handling of dangerous situations. An important step towards this 'new' view of IT security was the Clark/Wilson security model, introduced in 1987. As one of the first models, it makes use of a human as an interpreting instance through the classic four-eyes principle, separation of duty. This diploma thesis is based on the balance model and describes a 'separation of duty' telecooperation, which is formally specified with product nets and verified with methods based on formal language theory. These methods are supported by a tool, the SH-verification tool. The four-eyes principle is exemplified by an everyday provision application within a company. This example consists of a two-partner cooperation, in which the 'manager' delegates the decision about a provision application to the two cooperation partners 'head of department' and 'auditor'. An order is placed only if both partners, head of department and auditor, agree to the provision. According to the balance model, the cooperation partners control each other by collecting proofs and administering the partner's obligations. In general, each change in the state of obligation is compensated by a proof for the favoured cooperation partner. Using the formal methods of the SH-verification tool, a number of properties of the cooperation system have been verified. First, it is shown that the cooperation partners work together according to the cooperation specification and the cooperation principle.
As the main aspect of the balance model, it is proved that the balance between the state of obligation and the proofs is kept at any time during the cooperation. In addition, a special kind of liveness property is shown, namely that a new provision application can always be started. The idea of simple homomorphisms, which is fundamental for verification with the SH-verification tool, is explained using an incorrect specification. Finally, an example of an irregular ending of the cooperation, by fraud, is specified and verified. (orig.)

Available from TIB Hannover: RR 8957(1998,21) / FIZ - Fachinformationszentrum Karlsruhe / TIB - Technische Informationsbibliothek. Language: German.
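The abstract names three properties that are verified over the cooperation: the balance invariant (every open obligation is compensated by a proof held by the favoured partner), the four-eyes rule (an order is placed only if both partners agree), and the liveness property that a new application can always be started. The following is an added example, not the thesis's product-net specification and not the SH-verification tool: it encodes a toy version of the head-of-department/auditor cooperation as a finite transition system, explores every reachable state exhaustively, and checks the three properties in each state. The state layout, the labels `start`/`decide`/`close`/`archive`, and the `faulty` flag (which models an incorrect specification that discharges an obligation without handing over the compensating proofs, in the spirit of the abstract's use of a wrong specification) are all assumptions of this example.

```python
"""Constructed toy model of the two-partner four-eyes cooperation.
Added example: not the thesis's product nets, not the SH-verification tool."""
from collections import deque

PARTNERS = ("head", "auditor")                  # the two cooperation partners
OTHER = {"head": "auditor", "auditor": "head"}
IDLE, PENDING, ORDERED, REJECTED = "idle", "pending", "ordered", "rejected"

# State: (phase, decisions, obligations, claims, receipts)
#   decisions   : (head_decision, auditor_decision), each None / "yes" / "no"
#   obligations : frozenset of (debtor, creditor, item)   open duties
#   claims      : frozenset of (holder, debtor, item)     creditor's proof of an open duty
#   receipts    : frozenset of (holder, item)             debtor's proof of discharge
INITIAL = (IDLE, (None, None), frozenset(), frozenset(), frozenset())


def successors(state, faulty=False):
    """Yield (label, next_state). With faulty=True the 'decide' step removes
    the obligation but forgets to move the compensating proofs (an assumed
    specification error that the invariant check is meant to expose)."""
    phase, decs, obls, claims, recs = state
    if phase == IDLE:
        # Manager delegates: each partner owes the other a signed decision,
        # and each creditor immediately holds a claim proving that duty.
        obls2 = frozenset((p, OTHER[p], "decision") for p in PARTNERS)
        claims2 = frozenset((OTHER[p], p, "decision") for p in PARTNERS)
        yield "start", (PENDING, (None, None), obls2, claims2, frozenset())
    elif phase == PENDING:
        for i, p in enumerate(PARTNERS):
            if decs[i] is None:
                for d in ("yes", "no"):
                    decs2 = list(decs)
                    decs2[i] = d
                    obls2 = obls - {(p, OTHER[p], "decision")}
                    if faulty:
                        claims2, recs2 = claims, recs       # proofs not compensated
                    else:
                        claims2 = claims - {(OTHER[p], p, "decision")}
                        recs2 = recs | {(p, "receipt:decision")}
                    yield f"decide:{p}:{d}", (PENDING, tuple(decs2), obls2, claims2, recs2)
        if None not in decs:
            done = ORDERED if decs == ("yes", "yes") else REJECTED
            yield "close", (done, decs, obls, claims, frozenset())
    else:
        yield "archive", INITIAL                  # round archived, ready for a new one


def balanced(state):
    """Balance invariant: obligation (d, c, i) <-> claim (c, d, i), one to one."""
    _, _, obls, claims, _ = state
    return obls == frozenset((d, c, i) for (c, d, i) in claims)


def four_eyes(state):
    """Separation of duty: an order exists only if both partners said yes."""
    phase, decs, *_ = state
    return phase != ORDERED or decs == ("yes", "yes")


def explore(faulty=False):
    """Breadth-first exploration of the full reachable state space."""
    seen, edges, queue = {INITIAL}, {}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        edges[s] = list(successors(s, faulty))
        for _, t in edges[s]:
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return edges


def verify(faulty=False):
    """Check balance, four-eyes and restartability over every reachable state."""
    edges = explore(faulty)

    def can_restart(s):  # liveness: a state where 'start' is enabled stays reachable
        seen, queue = {s}, deque([s])
        while queue:
            x = queue.popleft()
            if any(label == "start" for label, _ in edges[x]):
                return True
            for _, t in edges[x]:
                if t not in seen:
                    seen.add(t)
                    queue.append(t)
        return False

    return {
        "states": len(edges),
        "balance_violations": sum(1 for s in edges if not balanced(s)),
        "four_eyes": all(four_eyes(s) for s in edges),
        "restartable": all(can_restart(s) for s in edges),
    }


if __name__ == "__main__":
    print("correct spec:", verify())
    print("faulty spec: ", verify(faulty=True))
```

The correct specification reaches 14 states with no balance violation; the faulty one reaches the same number of states but leaves claims dangling in every state after the first decision, so the invariant fails in 12 of them while the four-eyes and restart properties still hold, which is why a balance check is needed in addition to the outcome checks.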

Last updated on 14/06/2016