nach oben

Tipp

An Automatically Verified Prototype of the Tokeneer ID Station Specification

verfasst von: Maximiliano Cristiá, Gianfranco Rossi

Erschienen in: Journal of Automated Reasoning | Ausgabe 8/2021

Einloggen, um Zugang zu erhalten

Abstract

The Tokeneer project was an initiative set forth by the National Security Agency (NSA, USA) to be used as a demonstration that developing highly secure systems can be made by applying rigorous methods in a cost-effective manner. Altran UK was selected by NSA to carry out the development of the Tokeneer ID Station. The company wrote a Z specification later implemented in the SPARK Ada programming language, which was verified using the SPARK Examiner toolset. In this paper, we show that the Z specification can be readily and naturally encoded in the \(\{log\}\) set constraint language, thereby generating a functional prototype. Furthermore, we show that \(\{log\}\) ’s automated proving capabilities can discharge all the proof obligations concerning state invariants as well as important security properties. As a consequence, the prototype can be regarded as correct with respect to the verified properties. This provides empirical evidence that Z users can use \(\{log\}\) to generate correct prototypes from their Z specifications. In turn, these prototypes enable or simplify some verification activities discussed in the paper.

Vorheriger Artikel Handling Transitive Relations in First-Order Automated Reasoning

Nächster Artikel Human-Centered Automated Proof Search

Nur mit Berechtigung zugänglich

We use ellipses to shorten the presentation.

These are the operation schemas whose names begin with TIS.

By explicit precondition we mean a precondition written down in the schema as opposed to the implicit preconditions ‘that arise from the interaction between the state invariant and the predicates that are explicit in the operation schema’ [31, page 54]. Implicit preconditions were made explicit and simplified as is customary when working with Z specifications. In general they are trivial; for example, asserting that an integer variable is nonnegative.

The prime symbol is not allowed as part of a variable name in Prolog+\(\{log\}\).

2011 Microsoft Research Verified Software Milestone Award: Janet Barnes and Rod Chapman for the Tokeneer project, https://sites.google.com/site/verifiedsoftwareinitiative/mrs-award/2011-award

Abdelhalim, I., Sharp, J., Schneider, S.A., Treharne, H.: Formal verification of Tokeneer behaviours modelled in fUML using CSP. In: Dong, J.S., Zhu, H. (eds.) Formal Methods and Software Engineering - 12th International Conference on Formal Engineering Methods, ICFEM 2010, Shanghai, China, November 17-19, 2010. Proceedings. Lecture Notes in Computer Science, vol. 6447, pp. 371–387. Springer (2010), https://doi.org/10.1007/978-3-642-16901-4_25

Altran UK: Tokeneer software and project documents (2008), http://www.adacore.com/uploads/downloads/tokeneer.zip

Andréka, H., Givant, S.R., Németi, I.: Decision problems for equational theories of relation algebras, vol. 604. American Mathematical Soc. (1997)

Barnes, J., Chapman, R., Johnson, R., Widmaier, J., Cooper, D., Everett, B.: Engineering the Tokeneer enclave protection software. In: Proceedings of the IEEE International Symposium on Secure Software Engineering. IEEE (2006)

Barnes, J.: Tokeneer ID Station: Formal specification. Tech. rep., Altran Praxis (2008), http://www.adacore.com/uploads/downloads/tokeneer.zip, find it as /tokeneer/docs/41\_2\_Formal\_Functional\_Specification/41\_2.pdf inside tokeneer.zip

Barnes, J.E.: Experiences in the industrial use of formal methods. Electron. Commun. Eur. Assoc. Softw. Sci. Technol. 46,(2011)

Betarte, G., Campo, J.D., Luna, C., Romano, A.: Formal analysis of Android’s permission-based security model. Sci. Ann. Comp. Sci. 26(1), 27–68 (2016). https://doi.org/10.7561/SACS.2016.1.27

Common Criteria Recognition Arrangement: Common criteria for information technology security evaluation, part 1: Introduction and general model, version 3.1. release 5. Tech. rep. (2017), https://www.commoncriteriaportal.org/files/ccfiles/CCPART1V3.1R5.pdf

10.

Cooper, D.: Tokeneer ID Station: Security properties. Tech. rep., Altran Praxis (2008), http://www.adacore.com/uploads/downloads/tokeneer.zip, find it as /tokeneer/docs/40\_4\_Security\_Properties/40\_4.pdf inside tokeneer.zip

11.

Cooper, D., Barnes, J.: Tokeneer ID Station EAL5 demonstrator: Summary report. Tech. rep., Altran Praxis (2008), https://www.adacore.com/uploads/downloads/Tokeneer_Report.pdf

12.

Cooper, D., Everett, B., Johnson, R., Widmaier, J.: Security by construction – Engineering software to exceed EAL5. In: Proceedings of the Fourth Annual High Confidence Software and Systems Conference (2004)

13.

Cristiá, M., Albertengo, P., Frydman, C.S., Plüss, B., Rodríguez Monetti, P.: Tool support for the test template framework. Softw. Test. Verif. Reliab. 24(1), 3–37 (2014) CrossRef

14.

Cristiá, M., Rossi, G.: A decision procedure for restricted intensional sets. In: de Moura, L. (ed.) Automated Deduction - CADE 26 - 26th International Conference on Automated Deduction, Gothenburg, Sweden, August 6-11, 2017, Proceedings. Lecture Notes in Computer Science, vol. 10395, pp. 185–201. Springer (2017), https://doi.org/10.1007/978-3-319-63046-5_12

15.

Cristiá, M., Rossi, G.: Programming in Java with restricted intensional sets. In: Cristiá, M., Delahaye, D., Dubois, C. (eds.) Proceedings of the 3rd International Workshop on Sets and Tools co-located with the 6th International ABZ Conference, SETS@ABZ 2018, Southamptom, UK, June 5, 2018. CEUR Workshop Proceedings, vol. 2199, pp. 17–31. CEUR-WS.org (2018), http://ceur-ws.org/Vol-2199/paper2.pdf

16.

Cristiá, M., Rossi, G.: A set solver for finite set relation algebra. In: Desharnais, J., Guttmann, W., Joosten, S. (eds.) Relational and Algebraic Methods in Computer Science - 17th International Conference, RAMiCS 2018, Groningen, The Netherlands, October 29 - November 1, 2018, Proceedings. Lecture Notes in Computer Science, vol. 11194, pp. 333–349. Springer (2018), https://doi.org/10.1007/978-3-030-02149-8_20

17.

Cristiá, M., Rossi, G.: Automated reasoning with restricted intensional sets. CoRR abs/1910.09118 (2019), http://arxiv.org/abs/1910.09118

18.

Cristiá, M., Rossi, G.: Solving quantifier-free first-order constraints over finite sets and binary relations. J. Autom. Reason. 64(2), 295–330 (2020). https://doi.org/10.1007/s10817-019-09520-4 MathSciNetCrossRefMATH

19.

Cristiá, M., Rossi, G.: Automated proof of Bell-LaPadula security properties. J. Autom. Reason. 65(4), 463–478 (2021). https://doi.org/10.1007/s10817-020-09577-6 MathSciNetCrossRefMATH

20.

Cristiá, M., Rossi, G.: Automated reasoning with restricted intensional sets. J. Autom. Reason. (2021). https://doi.org/10.1007/s10817-021-09589-w MathSciNetCrossRefMATH

21.

Cristiá, M., Rossi, G.: \(\{log\}\): Set formulas as programs. CoRR abs/2104.08130 (2021), https://arxiv.org/abs/2104.08130

22.

Cristiá, M., Rossi, G., Frydman, C.S.: log as a test case generator for the Test Template Framework. In: Hierons, R.M., Merayo, M.G., Bravetti, M. (eds.) SEFM. Lecture Notes in Computer Science, vol. 8137, pp. 229–243. Springer (2013)

23.

Dovier, A., Piazza, C., Pontelli, E., Rossi, G.: Sets and constraint logic programming. ACM Trans. Program. Lang. Syst. 22(5), 861–931 (2000) CrossRef

24.

Dovier, A., Pontelli, E., Rossi, G.: Set unification. Theory Pract. Log. Program. 6(6), 645–701 (2006) MathSciNetCrossRef

25.

Evans, A.: An improved recipe for specifying reactive systems in Z. In: Bowen, J.P., Hinchey, M.G., Till, D. (eds.) ZUM ’97: The Z Formal Specification Notation, 10th International Conference of Z Users, Reading, UK, April 3-4, 1997, Proceedings. Lecture Notes in Computer Science, vol. 1212, pp. 275–294. Springer (1997), https://doi.org/10.1007/BFb0027293

26.

Garavel, H., ter Beek, M.H., van de Pol, J.: The 2020 expert survey on formal methods. In: ter Beek, M.H., Nickovic, D. (eds.) Formal Methods for Industrial Critical Systems - 25th International Conference, FMICS 2020, Vienna, Austria, September 2-3, 2020, Proceedings. Lecture Notes in Computer Science, vol. 12327, pp. 3–69. Springer (2020), https://doi.org/10.1007/978-3-030-58298-2_1

27.

Hall, A., Chapman, R.: Correctness by construction: developing a commercial secure system. IEEE Software 19(1), 18–25 (2002). https://doi.org/10.1109/52.976937 CrossRef

28.

Holzbaur, C., Menezes, F., Barahona, P.: Defeasibility in CLP(Q) through generalized slack variables. In: Freuder, E.C. (ed.) Lecture notes in computer science, vol. 1118, pp. 209–223. Springer, Berlin (1996)

29.

International Electrotechnical Commission: Functional safety of electrical/electronic/programmable electronic safety-related systems – part 1: General requirements. Tech. rep., International Electrotechnical Commission, https://webstore.iec.ch/preview/info_iec61508-1ed2.0b.pdf

30.

Jackson, P.B., Passmore, G.O.: Proving SPARK verification conditions with SMT solvers. Tech. rep., University of Edinburgh (2009), http://homepages.inf.ed.ac.uk/pbj/papers/vct-dec09-draft.pdf

31.

Jacky, J.: The way of Z: practical programming with formal methods. Cambridge University Press, New York, NY, USA (1996) CrossRef

32.

King, S., Hammond, J., Chapman, R., Pryor, A.: Is proof more cost-effective than testing? IEEE Trans. Software Eng. 26(8), 675–686 (2000). https://doi.org/10.1109/32.879807 CrossRef

33.

Kuppe, M.A., Lamport, L., Ricketts, D.: The TLA+ toolbox. In: Monahan, R., Prevosto, V., Proença, J. (eds.) Proceedings Fifth Workshop on Formal Integrated Development Environment, F-IDE@FM 2019, Porto, Portugal, 7th October 2019. EPTCS, vol. 310, pp. 50–62 (2019), https://doi.org/10.4204/EPTCS.310.6

34.

Lamport, L.: TLZ. In: Bowen, J.P., Hall, J.A. (eds.) Z User Workshop, Cambridge, UK, 29-30 June 1994, Proceedings. pp. 267–268. Workshops in Computing, Springer/BCS (1994), https://doi.org/10.1007/978-1-4471-3452-7_15

35.

Lamport, L.: Specifying Systems, The TLA+ Language and Tools for Hardware and Software Engineers. Addison-Wesley (2002), http://research.microsoft.com/users/lamport/tla/book.html

36.

Leroy, X.: Formal verification of a realistic compiler. Commun. ACM 52(7), 107–115 (2009). https://doi.org/10.1145/1538788.1538814 CrossRef

37.

Luna, C., Betarte, G., Campo, J.D., Sanz, C., Cristiá, M., Gorostiaga, F.: A formal approach for the verification of the permission-based security model of Android. CLEI Electron. J. (2018). https://doi.org/10.19153/cleiej.21.2.3 CrossRef

38.

Moy, Y., Wallenburg, A.: Tokeneer: Beyond formal program verification. Embed. Real Time Software Syst. 24,(2010)

39.

Murray, T.C., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., Klein, G.: seL4: From general purpose to a proof of information flow enforcement. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19-22, 2013. pp. 415–429. IEEE Computer Society (2013), https://doi.org/10.1109/SP.2013.35

40.

Nemouchi, Y., Foster, S., Gleirscher, M., Kelly, T.: Isabelle/SACM: Computer-assisted assurance cases with integrated formal methods. In: Ahrendt, W., Tarifa, S.L.T. (eds.) Integrated Formal Methods - 15th International Conference, IFM 2019, Bergen, Norway, December 2-6, 2019, Proceedings. Lecture Notes in Computer Science, vol. 11918, pp. 379–398. Springer (2019), https://doi.org/10.1007/978-3-030-34968-4_21

41.

Plagge, D., Leuschel, M.: Validating Z specifications using the probanimator and model checker. In: Davies, J., Gibbons, J. (eds.) Integrated Formal Methods, 6th International Conference, IFM 2007, Oxford, UK, July 2-5, 2007, Proceedings. Lecture Notes in Computer Science, vol. 4591, pp. 480–500. Springer (2007), https://doi.org/10.1007/978-3-540-73210-5_25

42.

Potter, B., Sinclair, J., Till, D.: An introduction to formal specification and Z. Prentice Hall PTR Upper Saddle River, NJ, USA (1996) MATH

43.

Rivera, V., Bhattacharya, S., Cataño, N.: Undertaking the Tokeneer challenge in Event-B. In: Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering, FormaliSE@ICSE 2016, Austin, Texas, USA, May 15, 2016. pp. 8–14. ACM (2016), https://doi.org/10.1145/2897667.2897671

44.

Rossi, G.: \(\{log\}\). http://people.dmi.unipr.it/gianfranco.rossi/setlog.Home.html (2008), last access 2021

45.

Rossi, G., Bergenti, F.: Nondeterministic programming in Java with JSetL. Fundam. Inform. 140(3–4), 393–412 (2015). https://doi.org/10.3233/FI-2015-1260 MathSciNetCrossRef

46.

Schanda, F., Brain, M.: Using answer set programming in the development of verified software. In: Dovier, A., Costa, V.S. (eds.) Technical Communications of the 28th International Conference on Logic Programming, ICLP 2012, September 4-8, 2012, Budapest, Hungary. LIPIcs, vol. 17, pp. 72–85. Schloss Dagstuhl - Leibniz-Zentrum für Informatik (2012), https://doi.org/10.4230/LIPIcs.ICLP.2012.72

47.

Schwartz, J.T., Dewar, R.B.K., Dubinsky, E., Schonberg, E.: Programming with Sets - An Introduction to SETL. Texts and Monographs in Computer Science, Springer (1986), https://doi.org/10.1007/978-1-4613-9575-1

48.

Spivey, J.M.: The Z notation: a reference manual. Prentice Hall International (UK) Ltd., Hertfordshire, UK (1992) MATH

49.

Stocks, P., Carrington, D.: A Framework for specification-based testing. IEEE Trans. Software Eng. 22(11), 777–793 (1996) CrossRef

50.

Woodcock, J.: First steps in the verified software grand challenge. Computer 39(10), 57–64 (2006). https://doi.org/10.1109/MC.2006.340 CrossRef

51.

Woodcock, J., Aydal, J., Aydal, E.G., Chapman, R.: The Tokeneer experiments. In: Roscoe, A.W., Jones, C.B., Wood, K.R. (eds.) Reflections on the Work of C. A. R. Hoare, pp. 405–430. Springer (2010)

52.

Yin, X., Knight, J.C.: Formal verification of large software systems. In: Muñoz, C.A. (ed.) Second NASA Formal Methods Symposium - NFM 2010, Washington D.C., USA, April 13-15, 2010. Proceedings. NASA Conference Proceedings, vol. NASA/CP-2010-216215, pp. 192–201 (2010)

Titel: An Automatically Verified Prototype of the Tokeneer ID Station Specification
verfasst von: Maximiliano Cristiá
Gianfranco Rossi
Publikationsdatum: 07.09.2021
Verlag: Springer Netherlands
Erschienen in: Journal of Automated Reasoning / Ausgabe 8/2021
Print ISSN: 0168-7433
Elektronische ISSN: 1573-0670
DOI: https://doi.org/10.1007/s10817-021-09602-2

Springer Professional

Tipp

Weitere Artikel dieser Ausgabe durch Wischen aufrufen

An Automatically Verified Prototype of the Tokeneer ID Station Specification

Abstract

Premium Partner

Springer Professional

Tipp

Weitere Artikel dieser Ausgabe durch Wischen aufrufen

Abstract

Bitte loggen Sie sich ein, um Zugang zu diesem Inhalt zu erhalten

Weitere Artikel der Ausgabe 8/2021

Experiences from Exporting Major Proof Assistant Libraries

Handling Transitive Relations in First-Order Automated Reasoning

Derivational Complexity and Context-Sensitive Rewriting

Human-Centered Automated Proof Search

Formalization of Ring Theory in PVS

Premium Partner