a formal connection between security properties and jml
play

A Formal Connection between Security Properties and JML Annotations - PowerPoint PPT Presentation

Sep 03, 2022 •358 likes •787 views

A Formal Connection between Security Properties and JML Annotations Work in progress with Marieke Huisman Alejandro Tamalet Radboud University Nijmegen, The Netherlands Introduction: The Goal Trusted devices (smart phones, PDA, smart

  1. A Formal Connection between Security Properties and JML Annotations Work in progress with Marieke Huisman Alejandro Tamalet Radboud University Nijmegen, The Netherlands

  2. Introduction: The Goal  Trusted devices (smart phones, PDA, smart cards) need a way to ensure the security of applications.  We want to enforce (at runtime) a certain property. Ultimately, we would like to prove (statically) that it holds.  We will work with Java or Java-like sequential programs. Tamalet - Radboud University 2

  3. Introduction: The Means  One way to achieve this goal is to encode the property as JML annotations  JML connects runtime checking (jmlc) and proving (ESC/Java2).  This imposes restrictions on the kind of properties we can express: only safety properties (no liveness). Tamalet - Radboud University 3

  4. Example: An applet protocol as an automaton (Cheon and Perumendla) destroy init stop start start init; (start; stop)+; destroy Tamalet - Radboud University 4

  5. Example: The applet protocol specified in JML (Cheon and Perumendla) @ requi res st at e I NI T st at e STO P package j ava appl et / / == | | == ; . @ ensures st at e START / / == ; publ i c voi d st ar t publ i c cl ass Appl et ( ) { { @ set st at e START @ publ i c st at i c f i nal ghost i nt / / = ; / * @ PRI STI NE . . . = 1 , @ I NI T } = 2 , @ START = 3 , @ requi res st at e START @ STO P / / == ; = 4 , @ ensur es st at e STO P @ D ESTRO Y / / == ; = 5 ; publ i c voi d st op @ ( ) { * / @ set st at e STO P / / = ; @ publ i c ghost i nt st at e PRI STI NE . . . / / = ; } @ requi res st at e PRI STI N E / / == ; @ requi res st at e STO P @ ensures st at e I N I T / / == ; / / == ; @ ensures st at e D ESTRO Y publ i c voi d i ni t / / == ; ( ) { publ i c voi d dest r oy @ set st at e I NI T ( ) { / / = ; @ set st at e D ESTRO Y / / = ; . . . . . . } } . . . Tamalet - Radboud University 5

  6. Multi-Variable Automata (MVA)  We want to keep the high level view of these properties.  Regular automata are not enough to express many interesting properties. We use automata with variables.  An automaton specifies a property of a class called the monitored class. Tamalet - Radboud University 6

  7. Transitions  Transitions of an MVA have an event, a guard and actions.  The events can be entry to or exit of methods. We distinguish between a normal exit and an exceptional exit.  Guards and actions may involve fields of the monitored class or parameters of the method. Actions can only update variables of the automaton. Tamalet - Radboud University 7

  8. Example: Embedded transactions Property: At most N embedded transactions. bt = beginTransaction() bt, t<N → skip ct = commitTransaction() at = abortTransaction() bt, t:=t+1 entry Q2 exit normal bt, skip exit exceptional t:=0 Q1 → ct, t>0 Automaton: skip Monitored class: transactions.java ct, t:=t-1 Q = {Q1, Q2, Q3} → at, t >0 Σ = {bt, bt, bt, ct, ct, ct, at} t:=t-1 Q3 ct, skip vars A = {(t, int, 0)} vars P = {} Tamalet - Radboud University 8

  9. Other properties  Enforce and order in which methods are called: life cycle or protocol of an object.  Restrict the frequency of a particular method call. Example: m() can be called at most one time.  Method m1() can not or can only be called inside method m2(). Tamalet - Radboud University 9

  10. Characteristics of a MVA  The automaton must be deterministic.  We complete the transition function by adding an error state. We call it halted.  Since we work with safety properties, halted is a trap state.  We don't have accepted states. Tamalet - Radboud University 10

  11. Abstract correctness property P = program (may already have annotations) A = automaton describing a security property || = monitored by ≈ = equivalence relation Assumptions: P does not throw nor catch JML exceptions A is “ well formed ” and “ well behaved ” P || A ≈ ann_program(P, A) Tamalet - Radboud University 11

  12. Translation into JML... plus some code transformations  Some code transformations are needed to treat exceptions. We have to enclose the body in a t r y - cat ch f i nal l y block. -  If no code transformations are allowed we must restrict the expressiveness of the automata. We would only be able to talk about entry to methods. Tamalet - Radboud University 12

  13. ann_program: Two step translation  For the following algorithm, we focus more in its correctness than in its actual implementation.  For ease of verification, the translation is done in two steps. In the first step we do some abstractions and then we refine them in the second step. Tamalet - Radboud University 13

  14. Step 1 – 1: Add ghost variables  New ghost variables are added to encode the automaton.  Control points (including halted): integers initialized to a unique value.  Current control point (cp): integer initialized to the value of the initial control point.  Variables of the automaton: their type and initial value are provided by the automaton. Tamalet - Radboud University 14

  15. Step 1 – 1: Example @ publ i c st at i c f i nal ghost i nt / * @ HALTED = 0 , @ Q 1 = 1 , @ Q 2 = 2 , @ Q 3 = 3 ; @ * / @ publ i c ghost i nt cp Q / / = 1 ; @ publ i c ghost i nt t / / = 0 ; Tamalet - Radboud University 15

  16. Step 1 – 2: Strengthen invariant  The invariant is strengthened to assert that the current control point has not reached the error state . @ publ i c i nvari ant cp hal t ed / / ! = ; Tamalet - Radboud University 16

  17. Step 1 – 3: Annotate methods @ requi res pr e ; / / m() @ ensures pos ; / / m ( ) { assert pre & inv; pre_set { pre_set; @ annot at i ons r egar di ng / * m s ent r y @ ' * / } body { m s body body; ' } pos_set { @ annot at i ons r egar di ng / * m s nor m al exi t @ → ex ' * / → assert !ex } exc_set { assert inv; pos & inv; @ annot at i ons r egar di ng exc_set; / * pos_set; m s except i onal exi t @ ' * / } } Tamalet - Radboud University 17

  18. Step 1 – 4: Translate events  Each transition is translated independently of the type of its event (entry, exit normal or exit exceptional).  We assume the existence of an i f statement that works with ghost variables in the condition and in the branches. Tamalet - Radboud University 18

  19. Step 1 – 4: Example at @ i f ( cp Q @ i f ( cp Q && t / * == 1 ) { / * == 1 > 0 ) { @ i f ( t @ set t t > 0 ) { = – 1 ; @ set t t @ set cp Q = – 1 ; = 1 ; @ set cp Q @ el se { = 1 ; } @ el se { @ set cp HALTED } = ; @ set cp HALTED @ = ; } @ el se i f ( cp Q @ } == 2 ) { * / @ set cp HALTED = ; @ el se i f ( cp Q } == 3 ) { @ set cp HALTED = ; @ el se { / / cp HALTED } == @ set cp HALTED = @ } @ * / Tamalet - Radboud University 19

  20. Step 2 – 1: Refine if - 1  The i f for ghost variables are translated into a sequence of set statements using conditional statements. i f ( c ) { set x c a x : = ? : ; set x a : = ; set y c b y : = ? : ; set y b : = ; } Tamalet - Radboud University 20

  21. Step 2 – 1: Refine if - 2  Two auxiliary ghost variables are used to ensure the independence of the branches. i f ( cp Q set b cp Q 1 = == 1 ; == 1 ) { i f ( x set b b && x 2 = 1 >= 5 ; >= 5 ) { set x x set x b x x = 2 ? - 1 : ; = - 1 ; set cp Q set cp b Q cp = 2 ? 2 : ; = 2 ; } i f ( x set b b && b && x 2 = 1 ! 2 < 0 ; < 0 ) { set x x set x b x x = 2 ? +1 : ; = +1 ; set cp Q set cp b Q y = 2 ? 1 : ; = 1 ; } el se { set b b && b 2 = 1 ! 2 ; set cp HALTED set cp b HALTED cp = 2 ? : ; = ; } } Tamalet - Radboud University 21

  22. Step 2 – 2: Refine pre_set et al. m cat ch ( Except i on e { ( ) { ) @ ghost bool ean ex @ exc_set / / ; / / ; @ set ex t rue ; t ry { / / = t hrow e @ pr e_set ; / / ; } f i nal l y { @ assert cp hal t ed / / ! = ; @ i f ( ! ex pos_exc / / ) { ; } body } } } Tamalet - Radboud University 22

  23. Example: translation of the embedded transactions publ i c voi d begi nTr ansact i on ( ) { @ ghost bool ean ex / / ; t ry { @ set cp cp Q && t N Q HALTED / / = ( == 1 < ) ? 2 : ; @ assert cp HALTED / / ! = ; body } cat ch ( Except i on e ) { @ set cp cp Q Q HALTED / / = ( == 2 ) ? 1 : ; @ set ex t rue ; / / = } f i nal l y { @ set t ex && cp Q t t / / = ( ! == 2 ) ? +1 : ; @ set cp ex && cp Q Q HALTED / / = ( ! == 2 ) ? 1 : ; } } Tamalet - Radboud University 23

  24. Formalization  Everything must be defined:  Automatons and their operational semantics.  (A subset of) Java programs with annotations and their operational semantics (big step, based on Von Oheimb's formalization).  A semantics for monitored programs.  A bisimulation relation. Tamalet - Radboud University 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Grammar formalisms Tree Adjoining Grammar: Formal Properties, Part I Parsing Formal Properties

Grammar formalisms Tree Adjoining Grammar: Formal Properties, Part I Parsing Formal Properties

Some sample languages Pumping Lemma for TAL Closure Properties Grammar formalisms Tree Adjoining Grammar: Formal Properties, Part I Parsing Formal Properties of TAG Laura Kallmeyer, Timm Lichte, Wolfgang Maier Universit at T ubingen

260 views • 14 slides
Rethinking Connection Security Indicators Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie,

Rethinking Connection Security Indicators Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie,

Rethinking Connection Security Indicators Adrienne Porter Felt, Robert W. Reeder, Alex Ainslie, Helen Harris, Max Walker, Christopher Thompson, Mustafa Emre Acer, Elisabeth Morant, Sunny Consolvo Connection Security Indicators Connection

238 views • 23 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal

Introduction to Formal Analysis Mark Greenstreet CpSc 513 Term 1, 2015/16 Formal verification uses algorithms to rigorously prove properties of hardware or software design. 20 years ago, we had the FDIV bug: 42.0 / 7.0 = 8.0 Formal

576 views • 6 slides
A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Project Goals Give precise statement and formal analysis of a real world protocol Find a real world

474 views • 25 slides
Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT

Some Puzzles Security Connection Cryptography Need For Formal Methods Cryptographic Protocols and Network Security G. Sivakumar Computer Science and Engineering IIT Bombay siva@iitb.ac.in Oct 14, 2004 G. Sivakumar Computer Science and

671 views • 43 slides
Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard

Introduction to Computer Security Formal Security Models Pavel Laskov Wilhelm Schickard Institute for Computer Science Security instruments learned so far Symmetric and asymmetric cryptography confidentiality, integrity, non-repudiation

319 views • 29 slides
TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented , reliable stream delivery service (handles loss, duplication, transmission errors, reordering) Provides port abstraction (like UDP) Establishes

559 views • 30 slides
1 3.1.1 Formal Properties and a little Remarks (III) Theory This definition of a MAS is

1 3.1.1 Formal Properties and a little Remarks (III) Theory This definition of a MAS is

3. Multi-agent systems (MAS) 3.1 Formal Definitions and Properties Multi-agent systems (MAS) are used to describe We can now refine our agent definition: several agents that interact with each other Definition : Agent in a MAS (positively,

85 views • 4 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile

Formal analysis of security models for critical systems: Virtualization platforms and mobile devices Carlos Luna Grupo de Seguridad Inform atica, InCo Facultad de Ingenier a, Universidad de la Rep ublica, Uruguay Formal analysis

751 views • 56 slides
1 Properties of agents: Properties of agents: rationality reflectivity and reactivity (I) $ $

1 Properties of agents: Properties of agents: rationality reflectivity and reactivity (I) $ $

2. Single-agent systems 2.1 Formal Definitions and Properties n Term agent used with many different meanings: Our goal: rather broad definition l Agent of an agency (see James Bond) l Agent as a person acting on behalf of another Definition

360 views • 3 slides
1 Properties of agents: Properties of agents: rationality reflectivity and reactivity (I)

1 Properties of agents: Properties of agents: rationality reflectivity and reactivity (I)

2. Single-agent systems 2.1 Formal Definitions and Properties n Term agent used with many different meanings: Our goal: rather broad definition Agent of an agency (see James Bond) Definition : Agent Agent as a person acting on

150 views • 3 slides
Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code

Formal Security Analysis of Cryptographic Protocol Code Karthikeyan Bhargavan INRIA IIT Delhi, Fall 2010 Lecture 1: WriCng Secure Web ApplicaCons

472 views • 25 slides
Institute for Cyber Security A Formal Model for Isolation Management in Cloud

Institute for Cyber Security A Formal Model for Isolation Management in Cloud

Institute for Cyber Security A Formal Model for Isolation Management in Cloud Infrastructure-as-a-Service Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October 15-17, 2014 NSS

146 views • 13 slides
Threshold Strategies for Risk Processes and their Relation to Queueing Theory Onno Boxma, David

Threshold Strategies for Risk Processes and their Relation to Queueing Theory Onno Boxma, David

1/37 Threshold Strategies for Risk Processes and their Relation to Queueing Theory Onno Boxma, David Perry, Andreas Lpker CONFERENCE IN HONOUR OF SREN ASMUSSEN - NEW FRONTIERS IN APPLIED PROBABILITY This talk 2/37 I. Setting / Literature

414 views • 37 slides
Rational bubbles and portfolio constraints Julien Hugonnier Swiss Finance Institute @ EPFL

Rational bubbles and portfolio constraints Julien Hugonnier Swiss Finance Institute @ EPFL

Rational bubbles and portfolio constraints Julien Hugonnier Swiss Finance Institute @ EPFL sfi.epfl.ch May 11, 2012 Arbitrage The absence of arbitrage , defined as the possibility of simultaneously buying and selling the same security at

457 views • 28 slides
NBIS The na+onal bioinforma+cs infrastructure Sweden

NBIS The na+onal bioinforma+cs infrastructure Sweden

NBIS The na+onal bioinforma+cs infrastructure Sweden www.scilifelab.se/pla&lt;orms/bioinforma+cs/ Bjrn Nystedt, bjorn.nystedt@scilifelab.se SciLifeLab SciLifeLab Na7onal

352 views • 21 slides
Asset pricing under optimal contracts Jak sa Cvitani c (Caltech) joint work with Hao Xing

Asset pricing under optimal contracts Jak sa Cvitani c (Caltech) joint work with Hao Xing

Asset pricing under optimal contracts Jak sa Cvitani c (Caltech) joint work with Hao Xing (LSE) Thera Stochastics - A Mathematics Conference in Honor of Ioannis Karatzas 1 / 32 Motivation and overview Existing literature: either -

571 views • 36 slides
MICROALGAE CULTURE (2) BIO301 Dr Navid Moheimani n.moheimani@murdoch.edu.au Types of limitation

MICROALGAE CULTURE (2) BIO301 Dr Navid Moheimani n.moheimani@murdoch.edu.au Types of limitation

MICROALGAE CULTURE (2) BIO301 Dr Navid Moheimani n.moheimani@murdoch.edu.au Types of limitation Type I Type II Limits to Growth Abiotic factors: - Light (quality, quantity) -Temperature - Nutrient - O 2 - CO 2 , and pH - Salinity - Toxic

708 views • 32 slides
Local food systems and public policy : the case of Qubec The two studies

Local food systems and public policy : the case of Qubec The two studies

Local food systems and public policy : the case of Qubec The two studies http://www.equiterre.org/publication/local-food- systems-and-public-policy-a-review-of-the-literature- 2009 (Forthcoming) Scaling up local food systems in Quebec

365 views • 12 slides
via Hardware Performance Counter s Joy Arulraj, Po-Chun Chang, Guoliang Jin and Shan Lu

via Hardware Performance Counter s Joy Arulraj, Po-Chun Chang, Guoliang Jin and Shan Lu

Production-Run Software Failure Diagnosis via Hardware Performance Counter s Joy Arulraj, Po-Chun Chang, Guoliang Jin and Shan Lu Motivation Software inevitably fails on production machines These failures are widespread and expensive

1.18k views • 33 slides
NY-Sun MW Block Program Redesign June 13, 2018 New York State Energy Research and Development

NY-Sun MW Block Program Redesign June 13, 2018 New York State Energy Research and Development

NY-Sun MW Block Program Redesign June 13, 2018 New York State Energy Research and Development Authority 2 Introductions 3 Rollout Timeline Sunday June 17th at 6PM: Portal shuts down o All unsubmitted project applications and draft invoices

536 views • 24 slides

More recommend