Results 1 - 10 of 10
Preserving secrecy under refinement
Proc. of the 33rd Internat. Colloq. on Automata, Languages and Programming (ICALP '06), volume 4052 of Lecture Notes in Computer Science, 2006
Cited by 22 (4 self)
We propose a general framework of secrecy and preservation of secrecy for labeled transition systems. Our definition of secrecy is parameterized by the distinguishing power of the observer, the properties to be kept secret, and the executions of interest, and captures a multitude of definitions in the literature. We define a notion of secrecy preserving refinement between systems by strengthening the classical trace-based refinement so that the implementation leaks a secret only when the specification also leaks it. We show that secrecy is in general not definable in μ-calculus, and thus not expressible in specification logics supported by standard model-checkers. However, we develop a simulation-based proof technique for establishing secrecy preserving refinement. This result shows how existing refinement checkers can be used to show correctness of an implementation with respect to a specification.
A verification approach for applied system security
International Journal on Software Tools for Technology Transfer (STTT), 2005
Cited by 5 (5 self)
We present a method for the security analysis of realistic models over off-the-shelf systems and their configuration by formal, machine-checked proofs. The presentation follows a large case study based on a formal security analysis of a CVS-Server architecture. The analysis is based on an abstract architecture (enforcing a role-based access control), which is refined to an implementation architecture (based on the usual discretionary access control provided by the POSIX environment). Both architectures serve as a skeleton to formulate access control and confidentiality properties. Both the abstract and the implementation architecture are specified in the language Z. Based on a logical embedding of Z into Isabelle/HOL, we provide formal, machine-checked proofs for consistency properties of the specification, for the correctness of the refinement, and for security properties.
Confidentiality-Preserving Refinement Is Compositional -- Sometimes
In ESORICS, volume 2502 of LNCS, 2002
Cited by 5 (0 self)
Confidentiality-preserving refinement describes a relation between a specification and an implementation that ensures that all confidentiality properties required in the specification are preserved by the implementation. Stating positively what an observer may learn about the executing system, the specification implicitly requires that all other information about the system be kept confidential. Confidentiality-preserving refinement preserves that property even in a probabilistic setting. The present paper investigates the condition under which that notion of refinement is compositional, i.e. the condition under which refining a sub-system of a larger system yields a confidentiality-preserving refinement. It turns out that the refinement relation is not compositional in general, but the condition for compositionality can be stated in a way that builds on the analysis of sub-systems and aids systems designers in analyzing a composition.
Abstracting from Failure Probabilities
2000
Cited by 1 (1 self)
In fault-tolerant computing, dependability of systems is usually demonstrated by abstracting from failure probabilities (under simplifying assumptions on failure occurrences). In the specification framework Focus, we show under which conditions and to which extent this is sound: We use a specification language that is interpreted in the usual abstract model and in a probabilistic model. We give probability bounds showing the degree of faithfulness of the abstract model wrt. the probabilistic one. These include cases where the usual assumptions are not fulfilled.
Identification of Vulnerabilities in Web Services using Model-based Security
In a service-oriented architecture, business processes are executed as composition of services, which can suffer from vulnerabilities. These vulnerabilities in services and the underlying software applications put at risk computer systems in general and business processes in particular. Current vulnerability analysis approaches involve several manual tasks and, hence, are error-prone and costly. Service-oriented architectures impose additional analysis complexity as they provide much flexibility and frequent changes within orchestrated processes and services. Therefore, it is inevitable to provide tools and mechanisms that enable efficient and effective management of vulnerabilities within these complex systems. Model-based security engineering is a promising approach that can help to fill the gap between vulnerabilities on the one hand, and concrete protection mechanisms on the other. We present an approach that integrates model-based engineering and vulnerability analysis in order to cope with the security challenges of a service-oriented architecture.
Formal Methods for Privacy
2009
Privacy means something different to everyone. Against a vast and rich canvas of diverse types of privacy rights and violations, we argue technology's dual role in privacy: new technologies raise new threats to privacy rights and new technologies can help preserve privacy. Formal methods, as just one class of technology, can be applied to privacy, but privacy raises new challenges, and thus

What is privacy? Today, the answer seems to be "It all depends on whom you ask." There are philosophical, legal, societal, and technical notions of privacy. Cultures differ in their expectations regarding privacy. In some cultures, it is impolite to ask someone's age or someone's salary. Governments differ in their citizens' rights to privacy; just witness the difference in privacy among
Formally Testing Fail-Safety of Electronic Purse Protocols (Extended Abstract)
2001
Designing and implementing security-critical systems correctly is very difficult. In practice, most vulnerabilities arise from bugs in implementations. We present work towards systematic specification-based testing of security-critical systems using the CASE tool AutoFocus. Cryptographic systems are formally specified with state transition diagrams, a notation for state machines in the AutoFocus system. We show how to systematically generate test sequences for security properties based on the model that can be used to test the implementation for vulnerabilities. In particular, we focus on the principle of fail-safety.
Preserving Security Properties under Refinement (author manuscript, published in ICSE 2011)
2012
Communication is one of the cornerstones of our everyday life. Guaranteeing the security of a communication is a very important challenge. In this paper, we propose a formal top-down approach for assuring that security properties are preserved during the development of a complex and concurrent system, i.e., within the passage from specification to implementation of the components of the system. Indeed, we investigate the set of requirements a refinement function has to satisfy for preserving a class of properties that can be formalized as specific instances of a general scheme, called Generalized Non Deducibility on Composition (GNDC). Hence, we show that it is possible to guarantee that the refinement of a considered system that is verified to be GNDC at a high level of abstraction is GNDC also at a lower one, without checking it again.