formal methods
play

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd - PowerPoint PPT Presentation

Jun 23, 2023 •279 likes •911 views

Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-1 Outline Formal verification techniques Design verification languages Bell-LaPadula and SPECIAL Current verification systems

  1. Formal Methods Chapter 21 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-1

  2. Outline • Formal verification techniques • Design verification languages • Bell-LaPadula and SPECIAL • Current verification systems • Functional programming languages • Formally verified products Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-2

  3. Formal Verification Techniques • Formal specification languages for specifying requirements and systems • Well-defined semantics, syntax • Based on mathematical logic systems • Mathematically-based automated formal methods for proving properties of specifications and programs • Inductive verification techniques • Model checking techniques Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-3

  4. Inductive Verification vs. Model Checking Classification criteria: • Proof-based vs. model-based techniques : • premises embody system description • conclusion represents properties to be proved • Proof-based: derive intermediate formulae that go from premises to conclusion • Model-based: establish that premises, conclusion have same truth table values • Degree of automation : fully manual to fully automatic, with everything in between Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-4

  5. Inductive Verification vs. Model Checking Classification criteria: • Full vs. property verification : • System specification may describe entire system or part of system • Property specification may be single property or many properties • Predevelopment vs. postdevelopment : may be design aid or for verification after system design is complete • Intended domain of application : hardware or software, sequential or concurrent, non-terminating (like an operating system) or terminating, and so forth Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-5

  6. Example: HDM • Developed at SRI • Began as proof-based formal verification methodology • Covers design through implementation • Automated, general-purpose methodology • Used specification languages, implementation languages • Provided model checking with its multilevel security tool • Input is formal specification in language SPECIAL • Theorem prover uses proof-based technique; fully automated property- oriented verification system Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-6

  7. Example: HDM • Tool uses SRI model (interpretation of Bell-LaPadula model) • Given a SPECIAL specification • Verification condition generator creates formulae that assert specification correctly implements SRI model • Boyer-Moore theorem prover processes these formulae • Output is list of the formulae that were satisfied and those that were not Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-7

  8. Formal Specification • A specification written in a formal language with restricted syntax, well-defined semantics, based on well-established mathematical concepts • Precise semantics avoids ambiguity • Languages support exact descriptions of system function behavior • Generally eliminate implementation details • Automated tools support verification of syntax, semantics Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-8

  9. Example Language: SPECIAL • First-order logic-based language • Nonprocedural, strongly typed • Specification in SPECIAL represents module • Specifier defines module scope • Systems described in terms of modules • Function representation in modules • VFUN: describe variable data • OFUN: describe state transitions • OVFUN: describe state transitions and changes in VFUN values Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-9

  10. Bell-LaPadula Model and SPECIAL MODULE Bell_LaPadula_Model give-access TYPES Subject_ID: DESIGNATOR ; Object_ID: DESIGNATOR ; Access_Mode: {OBSERVE_ONLY, ALTER_ONLY, OBSERVE_AND_ALTER}; Access: STRUCT_OF ( Subject_ID subject; Object_ID object; Access_Mode mode); Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-10

  11. Comments • Subject_ID, Object_ID types described at lower level of abstraction • The DESIGNATOR indicates this • Access_Mode types have 3 possible values • Access type is structure with 3 fields of types shown Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-11

  12. Bell-LaPadula Model and SPECIAL FUNCTIONS VFUN active (Object_ID object) -> BOOLEAN active: HIDDEN ; INITIALLY TRUE ; VFUN access_matrix () -> Access accesses: HIDDEN ; INITIALLY FORALL Access a: a INSET accesses => active(a.object); Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-12

  13. Comments • VFUN active ( object ) defines the state variable active for the object and sets it to TRUE initially • So state variable for that object is true if the object exists • VFUN access_matrix() defines the state variable access_matrix to be set of triples ( subject , object , right ) • This is simply the current set of access rights in the system Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-13

  14. Bell-LaPadula Model and SPECIAL OFUN give-access(Subject_ID giver; Access access); ASSERTIONS active(access.object) = TRUE ; EFFECTS access_matrix() = access_matrix() UNION (access); END_MODULE Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-14

  15. Comments • OFUN access_matrix () defines state transition when new object added to matrix • State variable active for object must be true • See in the ASSERTIONS sections • Value of state variable access_matrix after transition is value before transition and additional access rights for the new object Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-15

  16. Hierarchical Development Methodology (HDM) • General-purpose methodology Requirements Analyze, accept requirements for design, implementation • Goal was to automate and Model proven internally consistent, Model formalize development process used as basis for verifying lower AMs • System design specification is External Interfaces First AM is usually external interface, AM 1 called Formal Top Level Specification hierarchy of a series of abstract machines at increasing level of Abstract Machine Each AM mapped to next lower detail AM 1 AM, which represents lower levels of system specification Primitive Machine Some combination of hardware and AM n software that runs verified system Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-16

  17. Specifications • Hierarchical specification identifies abstract machines (AMs) making up hierarchy • Each AM a set of modules written in SPECIAL • Modules could be reused in more than one AM • Mapping specifications define functions of one AM in terms of next higher AM • Hierarchy consistency checker: ensured consistency among hierarchy specs, associated module specs for AMs, mapping specs between AMs Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-17

  18. Design Hierarchy • Look at each pair of consecutive AMs, mappings between them • For each function in higher AM, write programs to show how it was implemented in terms of lower-level AM • Written in high-order language • Translator mapped program into common internal form that HDM tools used • Specs mapped into intermediate language; this and common internal form generated verification conditions • Sent to Boyer-Moore theorem prover • If lower-level AM correct, then higher-level AM verified to work correctly Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-18

  19. Verification in HDM • Approach: prove the FTLS correctly implemented predefined properties within a model • Used to verify design of a multi-level security (MLS) tool implementing a version of Bell-LaPadula model (called SRI model ) Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-19

  20. SRI Model • Some SRI model entities had no corresponding Bell-LaPadula features • Visible function references and results (VFUN, OVFUN) • Defined subjects implicitly (function callers) • *-property addresses downward flow of information • Bell-LaPadula model had features SRI model did not • Discretionary access control, current access triples • Defined subjects explicitly • *-property addressed allowable downward access Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-20

  21. Properties of SRI Model in MLS Tool • Information returned by specific function invocation to subject can depend only on information with security levels no greater than subject • Information flowing into state variable (ie, VFUN) can depend only on other state variables with security levels no greater than that of first state variable • If value of state variable modified, only function invocation with security level no greater than level of state variable can do the modification Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-21

  22. MLS Tool • Processed SPECIAL specification describing external interfaces to SPECIAL model • One AM represented, so no mappings • Could be multiple modules in specification; each module had to be verified, and then the set verified using hierarchy consistency tool Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 21-22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical

Formal Methods and Cryptography Lecture 24 1 Formal Methods 2 Formal Methods Logical foundations of computer science 2 Formal Methods Logical foundations of computer science A language that machines can understand 2 Formal Methods

1.22k views • 121 slides
Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why

Formal Methods Michael Collins. 18-849, Section B Spring 1999 Formal Methods Why Formalisms? Relationships Flaws Some systems Conclusions Why Formal Methods? We already can build systems. Roman Engineers built

671 views • 12 slides
Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3.

Lecture Outline 1. The lecturer 2. Introduction to Formal Methods DD2452 Formal Methods 3. Course syllabus 4. Course objectives Introductory Lecture 5. Course organization 1. Lecturer 2. Formal Methods Name: Dilian Gurov Formal

56 views • 3 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Testing/Simulation Formal Analysis Real System Formal Model Partial coverage Complete coverage

Formal Methods Assurance for TTP John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Formal Methods Assurance for TTP: 1 Formal Methods for Analysis and Assurance: The Idea Testing/Simulation Formal

200 views • 6 slides
Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in

Specifying circuit properties in PSL Formal methods Mathematical and logical methods used in system development Aim to increase confidence in riktighet of system Apply to both hardware and software 1 Formal methods Complement other

524 views • 25 slides
A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4)

A Review of Formal Methods : 200514170 : (T4) (T4) Contents INTRODUCTION INTRODUCTION DEFINITION AND OVERVIEW OF FORMAL METHODS SPECIFICATION METHODS LIFE CYCLES AND

317 views • 19 slides
Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process

Requirements and Formal Methods Softw are Engineering Overview Overview on the RE process What are Formal Methods? Advantages and Disadvantages of Formal Methods Formal Methods in the Requirement Process Mathematical Formulas

561 views • 20 slides
THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING

THEY DIDNT KNOW THEY WERE DOING MATHEMATICS INTRODUCING FORMAL METHODS USING REWRITING LOGIC Peter Olveczky University of Oslo FMfun19, December 3, 2019 OUTLINE How to introduce formal methods to undergraduates? Fun!

1.95k views • 171 slides
Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal

Formal Methods at Intel An Overview John Harrison Intel Corporation Second NASA Formal Methods Symposium NASA HQ, Washington DC 14th April 2010 (09:0010:00) 0 Table of contents Intels diverse verification problems Verifying

834 views • 45 slides
A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004

A Formal (proved) Approach to Discrete System Development Modeling J-R. Abrial September 2004 Purpose of the Course - Giving some insights about Formal Methods - Showing that Formal Methods can be made practical - Illustrating Formal Methods

1.25k views • 112 slides
Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T

F F F Formal Methods && Tools Group Stefania Gnesi F F F M&&T M&&T M&&T June 27, 03 Formal Methods && Tools Group - ISTI CNR CAF - 1 F F F Outline Overview of the Formal Methods

276 views • 23 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

1.75k views • 151 slides
Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember

3BA31 Formal Methods 1 3BA31: Formal Methods Andrew Butterfield Foundations & Methods Group, Software Systems Laboratory Andrew.Butterfield@cs.tcd.ie Room F.13, OReilly Institute 3BA31 Formal Methods 2 Remember This? A Stock

631 views • 33 slides
1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January

Preliminaries Hallmarks of a Formal Approach Formal Systems in Information Technology 1Initial Ideas on Formal Methods UIT2206: The Importance of Being Formal Martin Henz January 15, 2014 Generated on Wednesday 15 th January, 2014, 09:54

517 views • 49 slides
Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in

Formal Methods and the Chromatic Number of the Plane Marijn J.H. Heule Formal Methods in Mathematics January 8, 2020 1 / 35 marijn@cmu.edu Computer-Aided Mathematics Chromatic Number of the Plane Clausal Proof Optimization

634 views • 52 slides
Overview Deduction can be carried out by rigorous formal rules of inference. With mechanization,

Overview Deduction can be carried out by rigorous formal rules of inference. With mechanization,

The Kernel of Truth 1 N. Shankar Computer Science Laboratory SRI International Menlo Park, CA Mar 3, 2010 1 This research was supported NSF Grants CSR-EHCS(CPS)-0834810 and CNS-0917375. Overview Deduction can be carried out by rigorous

510 views • 36 slides
A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu Rochester Institute of Technology Rochester, NY, USA FMCAD-18 Student Forum David E. Narv aez (RIT) Formally Verified Symmetry Breaking Tool FMCAD-18

215 views • 6 slides
Overview of the Type System of PVS Lecture Interactive Proof Tools Summer Term 2003 Hans de

Overview of the Type System of PVS Lecture Interactive Proof Tools Summer Term 2003 Hans de

Overview of the Type System of PVS Lecture Interactive Proof Tools Summer Term 2003 Hans de Nivelle, Patrick Maier 1 Types in Programming Languages provide structure provide specification which can be checked (type checking),

319 views • 21 slides
Interactive Theorem Provers from the perspective of Isabelle/Isar Makarius Wenzel Univ.

Interactive Theorem Provers from the perspective of Isabelle/Isar Makarius Wenzel Univ.

Interactive Theorem Provers from the perspective of Isabelle/Isar Makarius Wenzel Univ. Paris-Sud, LRI July 2014 e Isar l l e b a s I = 1 Introduction Notable ITP systems LISP based: ACL2

629 views • 30 slides
as an RD Blogger or Influencer Watermelon Promotion Board Monterey Mushrooms New

as an RD Blogger or Influencer Watermelon Promotion Board Monterey Mushrooms New

3/10/2019 Disclosures I am currently working with the following companies on sponsored blog content and/or sponsored social media content: How to Actually Make Money Northeast Beef Promotion Initiative as an RD Blogger or Influencer

92 views • 7 slides
Lecture 3 January 16, 2020 The Visualization Toolkit Open source library for Visualization:

Lecture 3 January 16, 2020 The Visualization Toolkit Open source library for Visualization:

CS530 - Spring 2020 Introduction to Scientific Visualization Lecture 3 January 16, 2020 The Visualization Toolkit Open source library for Visualization: Mostly sciviz, some infoviz Computer Graphics Imaging Written in C++ Supports Python

670 views • 65 slides
Outline Outline Characterization of Harmonics in a Utility Characterization of Harmonics in a

Outline Outline Characterization of Harmonics in a Utility Characterization of Harmonics in a

10/31/2012 Outline Outline Characterization of Harmonics in a Utility Characterization of Harmonics in a Utility Feeder with PV Distributed Generation Feeder with PV Distributed Generation Background Motivation Significance of

304 views • 5 slides
Truly Modular (Co)datatypes for Jasmin Blanchette Johannes Hlzl Andreas Lochbihler Lorenz

Truly Modular (Co)datatypes for Jasmin Blanchette Johannes Hlzl Andreas Lochbihler Lorenz

Truly Modular (Co)datatypes for Jasmin Blanchette Johannes Hlzl Andreas Lochbihler Lorenz Panny Andrei Popescu Dmitriy Traytel D ATATYPES l e z n e g W . n a l i , r r h e t o f e o M l h e - g t n n y r i

919 views • 70 slides

More recommend