Jakub Szefer,Tianwei Zhang,Ruby B. Lee

DOI: https://doi.org/10.48550/arXiv.1807.01854

2018-07-05

Abstract:We present a new and practical framework for security verification of secure architectures. Specifically, we break the verification task into external verification and internal verification. External verification considers the external protocols, i.e. interactions between users, compute servers, network entities, etc. Meanwhile, internal verification considers the interactions between hardware and software components within each server. This verification framework is general-purpose and can be applied to a stand-alone server, or a large-scale distributed system. We evaluate our verification method on the CloudMonatt and HyperWall architectures as examples.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Tieming Chen,Zhenbo Yu,Shijian Li,Bo Chen

DOI: https://doi.org/10.1155/2016/8797568

IF: 2.336

2016-01-01

Journal of Sensors

Abstract:Model checking has successfully been applied on verification of security protocols, but the modeling process is always tedious and proficient knowledge of formal method is also needed although the final verification could be automatic depending on specific tools. At the same time, due to the appearance of novel kind of networks, such as wireless sensor networks (WSN) and wireless body area networks (WBAN), formal modeling and verification for these domain-specific systems are quite challenging. In this paper, a specific and novel formal modeling and verification method is proposed and implemented using an expandable tool called PAT to do WSN-specific security verification. At first, an abstract modeling data structure for CSP#, which is built in PAT, is developed to support the nodemobility related specification for modeling location-based node activity. Then, the traditional Dolev Yao model is redefined to facilitate modeling of location-specific attack behaviors on security mechanism. A throughout formal verification application on a location-based security protocol in WSN is described in detail to show the usability and effectiveness of the proposed methodology. Furthermore, also a novel location-based authentication security protocol in WBAN can be successfully modeled and verified directly using our method, which is, to the best of our knowledge, the first effort on employing model checking for automatic analysis of authentication protocol for WBAN.

Hongbo Li,Xiaohong Li,Jianye Hao,Guangquan Xu,Zhiyong Feng,Xiaofei Xie

DOI: https://doi.org/10.1109/QRS.2017.45

2017-01-01

Abstract:It is critical and foremost to come up with the corresponding security requirements first which the following implementations are based on. However, previous security requirement elicitation work based on Common Criteria (CC) rarely addresses the detailed elicitation process of threats from specific functional requirements, which thus results in the widen gap between specific functional requirements and their corresponding threats. To this end, this paper proposes a framework for eliciting corresponding security requirements of specific functional requirements from the requirements specification. A formal model is built in the framework to assist requirement analysts in half-automatic collecting threats. To enhance the framework's automaticity and reusability, a security property base is constructed based on authoritative sources of security properties to support the framework. A practical information system is applied to verify the framework's practicability. Finally the framework's advantages and limitations are discussed thoroughly compared with previous approaches and useful insights are revealed.

Eduardo dos Santos,Andrew Simpson,Dominik Schoop

DOI: https://doi.org/10.4204/EPTCS.271.7

2018-05-15

Abstract:Ensuring a car's internal systems are free from security vulnerabilities is of utmost importance, especially due to the relationship between security and other properties, such as safety and reliability. We provide the starting point for a model-based framework designed to support the security testing of modern cars. We use Communicating Sequential Processes (CSP) to create architectural models of the vehicle bus systems, as well as an initial set of attacks against these systems. While this contribution represents initial steps, we are mindful of the ultimate objective of generating test code to exercise the security of vehicle bus systems. We present the way forward from the models created and consider their potential integration with commercial engineering tools

Cryptography and Security,Software Engineering

Martin Kardos,Yuhong Zhao

DOI: https://doi.org/10.1007/1-4020-8149-9_3

2004-01-01

Abstract:System level design incorporating system modeling and formal specification in combination with formal verification can substantially contribute to the correctness and quality of the embedded systems and consequently help reduce the development costs. Ensuring the correctness of the designed system is, of course, a crucial design criterion especially when complex distributed (realtime) embedded systems are considered. Therefore, this paper aims at presenting a verification framework designated for formal verification and validation of UML-based design of embedded systems. It first introduces an approach of using the AsmL language for acquiring formal models of the UML semantics and consequently presents an on-the-fly model checking technique designed to run the formal verification directly over those semantic models.

Mikhail Mandrykin,Jake O’Shannessy,Jacob Payne,Ilya Shchepetkov

DOI: https://doi.org/10.1007/978-3-030-54994-7_30

2020-01-01

Abstract:As smart contracts are growing in size and complexity, it becomes harder and harder to ensure their correctness and security. Due to the lack of isolation mechanisms a single mistake or vulnerability in the code can bring the whole system down, and due to this smart contract upgrades can be especially dangerous. Traditional ways to ensure the security of a smart contract, including DSLs, auditing and static analysis, are used before the code is deployed to the blockchain, and thus offer no protection after the deployment. After each upgrade the whole code need to be verified again, which is a difficult and time-consuming process that is prone to errors. To address these issues a security protocol and framework for smart contracts called Cap9 was developed. It provides developers the ability to perform upgrades in a secure and robust manner, and improves isolation and transparency through the use of a low level capability-based security model. We have used Isabelle/HOL to develop a formal specification of the Cap9 framework and prove its consistency. The paper presents a refinement-based approach that we used to create the specification, as well as discussion of some encountered difficulties during this process.

Mukund Bhole,Wolfgang Kastner,Thilo Sauter

DOI: https://doi.org/10.1109/ETFA52439.2022.9921549

2023-06-22

Abstract:Todays industrial control systems consist of tightly coupled components allowing adversaries to exploit security attack surfaces from the information technology side, and, thus, also get access to automation devices residing at the operational technology level to compromise their safety functions. To identify these concerns, we propose a model-based testing approach which we consider a promising way to analyze the safety and security behavior of a system under test providing means to protect its components and to increase the quality and efficiency of the overall system. The structure of the underlying framework is divided into four parts, according to the critical factors in testing of operational technology environments. As a first step, this paper describes the ingredients of the envisioned framework. A system model allows to overview possible attack surfaces, while the foundations of testing and the recommendation of mitigation strategies will be based on process-specific safety and security standard procedures with the combination of existing vulnerability databases.

Software Engineering,Systems and Control

Fan Zhang,Bolin Yang,Shize Guo,Xinjie Zhao,Tao Wang,Francois-Xavier Standaert,Dawu Gu

DOI: https://doi.org/10.1007/978-3-030-11333-9_5

2019-01-01

Abstract:Algebraic fault analysis (AFA), which combines algebraic cryptanalysis with fault attacks, has represented serious threats to the security of lightweight block ciphers. Inspired by an earlier framework for the analysis of side-channel attacks presented at EUROCRYPT 2009, a new generic framework is proposed to analyze and evaluate algebraic fault attacks on lightweight block ciphers. We interpret AFA at three levels: the target, the adversary, and the evaluator. We describe the capability of an adversary in four parts: the fault injector, the fault model describer, the cipher describer, and the machine solver. A formal fault model is provided to cover most of the current fault attacks. Different strategies of building optimal equation set are also provided to accelerate the solving process. At the evaluator level, we consider the approximate information metric and the actual security metric. These metrics can be used to …

Chung-Ling Lin,Wuwei Shen,Tao Yue,Guangyuan Li

DOI: https://doi.org/10.1007/978-3-319-99933-3_2

2018-01-01

Abstract:One of the challenges in developing safety critical systems is to ensure software assurance which encompasses quality attributes such as reliability and security as well as functionality and performance. An assurance case, which lays out an argumentation-structure with supporting evidence to claim that software assurance in a system is achieved, is increasingly considered as an important means to gain confidence that a system has achieved acceptable safety when checking with emerging standards and national guidelines. However, the complexity of modern safety critical applications hinders the automatic integration of heterogeneous artifacts into an assurance case during a development process such as a V-model, let alone the automatic support of system evolution. In this paper, we present a novel framework to automatically generate assurance cases via safety patterns and further support the maintenance of them during a system’s evolution. The application of safety patterns not only enables reusability of previously successful argument structures but also directs the support of assurance maintenance caused by common types of modifications in safety critical domains. The framework is implemented as a prototypical tool built using Model Driven Architecture (MDA). We evaluated the framework with two case studies featuring two criteria and the preliminary experimental results not only show that the framework is useful in evaluation of safety critical systems but also reveal how different types of modification can affect a structure of an assurance case.

Jingda Yang,Sudhanshu Arya,Ying Wang

2023-07-21

Abstract:Softwarization and virtualization in 5G and beyond necessitate thorough testing to ensure the security of critical infrastructure and networks, requiring the identification of vulnerabilities and unintended emergent behaviors from protocol designs to their software stack implementation. To provide an efficient and comprehensive solution, we propose a novel and first-of-its-kind approach that connects the strengths and coverage of formal and fuzzing methods to efficiently detect vulnerabilities across protocol logic and implementation stacks in a hierarchical manner. We design and implement formal verification to detect attack traces in critical protocols, which are used to guide subsequent fuzz testing and incorporate feedback from fuzz testing to broaden the scope of formal verification. This innovative approach significantly improves efficiency and enables the auto-discovery of vulnerabilities and unintended emergent behaviors from the 3GPP protocols to software stacks. Following this approach, we discover one identifier leakage model, one DoS attack model, and two eavesdrop attack models due to the absence of rudimentary MITM protection within the protocol, despite the existence of a Transport Layer Security (TLS) solution to this issue for over a decade. More remarkably, guided by the identified formal analysis and attack models, we exploit 61 vulnerabilities using fuzz testing demonstrated on srsRAN platforms. These identified vulnerabilities contribute to fortifying protocol-level assumptions and refining the search space. Compared to state-of-the-art fuzz testing, our united formal and fuzzing methodology enables auto-assurance by systematically discovering vulnerabilities. It significantly reduces computational complexity, transforming the non-practical exponential growth in computational cost into linear growth.

Cryptography and Security

Hezhen Liu,Jiacheng Yin,Chengqiang Huang,Hao Lan,Zhi Jin,Zheng,Xun Zhang

DOI: https://doi.org/10.1109/issrew60843.2023.00045

2023-01-01

Abstract:Previous studies suggest that the combination of model-based fault injection and model checking can effectively detect the dependability bottlenecks and verify the fault-tolerance capability of systems at very early phases of their lifecycles. However, a challenge of applying such techniques in the industry is that semi-formal modeling languages like UML cannot easily support automated analysis and formal verification. To address this challenge, we propose a fault injection and verification framework based on UML sequence diagrams. The idea is to create formal models from sequence diagrams as well as predefined fault models, and then run a model checker to check if specific properties are violated. With an exhaustive exploration of a system’s states and fault space by the model checker, the approach ensures complete, automated reasoning on failure modes and effects. The framework also allows the designs of additional recovery actions to tolerate faults and then the verification of the updated models. The framework separates manual and automated activities, providing a guide to the practices of developers and the development of the support tool. We conduct a study on an industrial case and demonstrate that by the proposed approach, critical design flaws are revealed.

LIU Bo-ling,YE Xiao-jun,XIE Feng,LI Bin

DOI: https://doi.org/10.3969/j.issn.1002-137x.2012.02.042

2012-01-01

Computer Science

Abstract:Security function independent testing for DBMS is an security function evaluation process during which an evaluator runs typical test cases against the DBMS under test and compares DBMS internal metadata and actual outputs with expected outputs to accomplish the evaluation on DBMS security function implementation.This paper presented a DBMS security test automation framework and its implementation which is based on an open-source framework called STAF/STAX.We practiced the audit component security test case implementation against Oracle and a domestic-produced DBMS which well proves the usability of this framework.

Li Li,Jun Sun,Yang Liu,Meng Sun,Jin Song Dong

DOI: https://doi.org/10.1109/TSE.2017.2712621

IF: 7.4

2018-01-01

IEEE Transactions on Software Engineering

Abstract:Nowadays, protocols often use time to provide better security. For instance, critical credentials are often associated with expiry dates in system designs. However, using time correctly in protocol design is challenging, due to the lack of time related formal specification and verification techniques. Thus, we propose a comprehensive analysis framework to formally specify as well as automatically ...

Katja Tuma,Sven Peldszus,Daniel Strüber,Riccardo Scandariato,Jan Jürjens

DOI: https://doi.org/10.1007/s10270-022-00991-5

2022-03-18

Abstract:Abstract It is challenging to verify that the planned security mechanisms are actually implemented in the software. In the context of model-based development, the implemented security mechanisms must capture all intended security properties that were considered in the design models. Assuring this compliance manually is labor intensive and can be error-prone. This work introduces the first semi-automatic technique for secure data flow compliance checks between design models and code. We develop heuristic-based automated mappings between a design-level model (SecDFD, provided by humans) and a code-level representation (Program Model, automatically extracted from the implementation) in order to guide users in discovering compliance violations, and hence, potential security flaws in the code. These mappings enable an automated , and project-specific static analysis of the implementation with respect to the desired security properties of the design model. We developed two types of security compliance checks and evaluated the entire approach on open source Java projects.

computer science, software engineering

Jeremy Morse,Dejanira Araiza-Illan,Jonathan Lawry,Arthur Richards,Kerstin Eder

DOI: https://doi.org/10.48550/arXiv.1603.01082

IF: 3.7

2016-03-03

Robotics

Abstract:The widespread adoption of autonomous systems depends on providing guarantees of safety and functional correctness, at both design time and runtime. Information about the extent to which functional requirements can be met in combination with non-functional requirements (NFRs) -- i.e. requirements that can be partially complied with -- , under dynamic and uncertain environments, provides opportunities to enhance the safety and functional correctness of systems at design time. We present a technique to formally define system attributes that can change or be changed to deal with dynamic and uncertain environments (denominated weakened specifications) as a partially ordered lattice, and to automatically explore the system under different specifications, using probabilistic model checking, to find the likelihood of satisfying a requirement. The resulting probabilities form boundaries of "optimal specifications", analogous to Pareto frontiers in multi-objective optimization, informing the designer about the system's capabilities, such as resilience or robustness, when changing its attributes to deal with dynamic and uncertain environments. We illustrate the proposed technique through a domestic robotic assistant example.

Ran Wei,Tim P. Kelly,Xiaotian Dai,Shuai Zhao,Richard Hawkins

DOI: https://doi.org/10.1016/j.jss.2019.05.013

2019-05-07

Abstract:Assurance cases are used to demonstrate confidence in system properties of interest (e.g. safety and/or security). A number of system assurance approaches are adopted by industries in the safety-critical domain. However, the task of constructing assurance cases remains a manual, trivial and informal process. The Structured Assurance Case Metamodel (SACM) is a standard specified by the Object Management Group (OMG). SACM provides a richer set of features than existing system assurance languages/approaches. SACM provides a foundation for model-based system assurance, which has great potentials in growing technology domains such as Open Adaptive Systems. However, the intended usage of SACM has not been sufficiently explained. In addition, there has been no support to interoperate between existing assurance case (models) and SACM models. In this article, we explain the intended usage of SACM based on our involvement in the OMG specification process of SACM. In addition, to promote a model-based approach, we provide SACM compliant metamodels for existing system assurance approaches (the Goal Structuring Notation and Claims-Arguments-Evidence), and the transformations from these models to SACM. We also briefly discuss the tool support for model-based system assurance which helps practitioners to make the transition from existing system assurance approaches to model-based system assurance using SACM.

Software Engineering

丁洪达,王伟光,曾庆凯

DOI: https://doi.org/10.3969/j.issn.1009-3443.2009.04.003

2008-01-01

Abstract:According to the requirements of validating higher secure systems,an approach to generate testing cases based on Z formal descriptions was proposed.With this approach,a testing case generator was implemented,which could produce testing cases with MC/DC(modified condition/decision coverage)criterion to balance the quantity and quality of the produced testing cases.Compared with related work,this approach can reduce the manual interferences and the requirements in designing the formal specification,and improve the accuracy and efficiency of testing-case generation.

Sihan Qing,Liping Li,Jianbo He,Qingni Shen

DOI: https://doi.org/10.1360/crad20071110

2007-01-01

Journal of Computer Research and Development

Abstract:High security level trusted information system need formal model of security policies to gain adequate assurance. Security domain separation based on DTE policy is one of the basic technologies to build trusted system. But the current DTE systems are difficult to assure their security, because they have no explicit security objective, their policy configuration is too complex, and there are no formal specification and formal verification of security properties on these systems or their policies. A security domain separation model based on DTE policy is formalized. It defines system state and adopted least privilege as domain separation principle. It extends original DTE policy, defines authorized information flow and pipeline information flow as two new invariants based on information flow analysis. Then system secure state is given and formal analysis by proven theorem is adopted to verify system security. The model is specified using the Z formal language and verified with the help of Z?EVES tool. The model has been implemented in the ANSHENG V4.0 security operation system and a Web server example is given. The work will also facilitate policy analysis and management of SELinux. This formal model resolves the formalization problem of DTE system and provids the foundation for security domain separation implementation and verification.

Muhammad Shaban,Gill Dobbie,Jing Sun

DOI: https://doi.org/10.1109/SEEFM.2009.11

2009-01-01

Abstract:Web Services (WS), which are based on standard XML protocols, such as, WSDL, SOAP and UDDI, are the building blocks of Service Oriented Architecture (SOA). The aim of SOA is to automate web service tasks, such as, web service discovery, selection, composition and execution. Since XML is a syntax-based language, the automation of these tasks is still a challenge. To overcome this, web services can be described semantically using an ontology description language, e.g., Web Ontology Language (OWL), giving rise to semantic web services (SWS). Because semantic web services are relatively new, there has been little research into testing and quality assurance aspects. In this paper, we propose a novel approach for generating test cases based on user requirements for testing semantic web services. In SWS frameworks, such as, Web Service Modelling Ontology (WSMO), the user requirements are presented as a goal specification in terms of a state model. We use a model checking approach to generate test cases from this state model. To achieve this, we represent a set of rules for translation from a goal specification to a formal B abstract state machine. The B representation of the goal specification is given as input to the model checker to generate concrete test cases using the assertion violation property of the model checker. Finally, the proposed framework is evaluated using a real world case study based on, the Amazon E-commerce Service.

Lian Yu,Jun Zhou,Yue Yi,Jianchu Fan,Qianxiang Wang

DOI: https://doi.org/10.1109/qsic.2009.10

2009-01-01

Abstract:Static analysis works well at checking defects that clearly map to source code constructs. Model checking can find defects of deadlocks and routing loops that are not easily detected by static analysis, but faces the problem of state explosion. This paper proposes a hybrid approach to detecting security defects in programs. Fuzzy Inference System is used to infer selection among the two detection approaches. A cluster algorithm is developed to divide a large system into several clusters in order to apply model checking. Ontology based static analysis employs logic reasoning to intelligently detect the defects. We also put forwards strategies to improve performance of the static analysis. At last, we perform experiments to evaluate the accuracy and performance of the hybrid approach.