Results 1-10 of 18
Noninterference, transitivity and channel-control security policies
, 1992
Abstract
Cited by 110 (0 self)
We consider noninterference formulations of security policies [7] in which the “interferes” relation is intransitive. Such policies provide a formal basis for several real security concerns, such as channel control [17, 18] and assured pipelines [4]. We show that the appropriate formulation of noninterference for the intransitive case is that developed by Haigh and Young for “multidomain security” (MDS) [9, 10]. We construct an “unwinding theorem” [8] for intransitive policies and show that it differs significantly from that of Haigh and Young. We argue that their theorem is incorrect. A companion report [22] presents a mechanically-checked formal specification and verification of our unwinding theorem. We consider the relationship between transitive and intransitive formulations of security. We show that the standard formulations of noninterference and unwinding [7, 8] correspond exactly to our intransitive formulations, specialized to the transitive case. We show that transitive
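As an added worked example (not code from the report above or from its companion report), the following Python models the assured-pipeline shape the abstract refers to: three domains R, C and B with an intransitive "interferes" relation R ⇝ C ⇝ B and no R ⇝ B edge. It implements the transitive purge of the standard noninterference formulation alongside the intransitive purge (ipurge built from a sources function, the Haigh and Young style formulation the abstract argues for), and brute-forces the noninterference condition over short action sequences. The toy system, its register names (r, c, b) and its action names (write, forward, release, leak, read) are constructed for illustration and are not from the paper.

```python
from itertools import product

# Constructed policy: red (R) may influence crypto (C), crypto may influence
# black (B), but red may not influence black directly. Intransitive on purpose.
DOMAINS = ("R", "C", "B")
INTERFERES = {("R", "R"), ("C", "C"), ("B", "B"), ("R", "C"), ("C", "B")}


def interferes(u, v):
    """u ~> v: domain u is allowed to influence what domain v observes."""
    return (u, v) in INTERFERES


def dom(action):
    """Every action is a tuple whose first element is its domain."""
    return action[0]


def sources(alpha, u):
    """Domains whose actions in alpha may legitimately reach u.
    Built from the back of the sequence: dom(a) joins the set iff it may
    interfere with some domain already in the set for the actions after a."""
    srcs = {u}
    for a in reversed(alpha):
        if any(interferes(dom(a), v) for v in srcs):
            srcs.add(dom(a))
    return srcs


def ipurge(alpha, u):
    """Intransitive purge: keep a iff dom(a) is in sources(a followed by rest, u)."""
    return [a for i, a in enumerate(alpha) if dom(a) in sources(alpha[i:], u)]


def purge(alpha, u):
    """Transitive purge of the standard formulation: drop every action whose
    domain may not interfere with u directly."""
    return [a for a in alpha if interferes(dom(a), u)]


# Constructed toy system: r, c, b are the registers owned by R, C and B.
INITIAL = {"r": 0, "c": 0, "b": 0}


def step(state, action):
    s = dict(state)
    d, op = action[0], action[1]
    if (d, op) == ("R", "write"):
        s["r"] = action[2]      # red produces a value
    elif (d, op) == ("C", "forward"):
        s["c"] = s["r"]         # crypto pulls from red (R ~> C)
    elif (d, op) == ("C", "release"):
        s["b"] = s["c"]         # crypto pushes to black (C ~> B)
    elif (d, op) == ("R", "leak"):
        s["b"] = action[2]      # red writes black's register, bypassing C
    # ("B", "read") changes nothing
    return s


def run(state, alpha):
    for a in alpha:
        state = step(state, a)
    return state


def output(state, action):
    """What the acting domain observes: its own register."""
    return state[{"R": "r", "C": "c", "B": "b"}[dom(action)]]


def check(actions, purge_fn, max_len=4):
    """Brute-force the condition
       output(run(s0, alpha), a) == output(run(s0, purge_fn(alpha, dom(a))), a)
    over all sequences up to max_len; return the first counterexample or None."""
    for n in range(1, max_len + 1):
        for alpha in product(actions, repeat=n):
            alpha = list(alpha)
            for a in actions:
                full = output(run(INITIAL, alpha), a)
                pruned = output(run(INITIAL, purge_fn(alpha, dom(a))), a)
                if full != pruned:
                    return alpha, a
    return None


PIPELINE = [("R", "write", 5), ("C", "forward"), ("C", "release"), ("B", "read")]
LEAKY = PIPELINE + [("R", "leak", 7)]

if __name__ == "__main__":
    print("pipeline, intransitive purge:", check(PIPELINE, ipurge))  # None: secure
    print("pipeline, transitive purge:  ", check(PIPELINE, purge))   # rejected
    print("leaky, intransitive purge:   ", check(LEAKY, ipurge))     # caught
```

Run as a script, the transitive purge rejects the legitimate pipeline (it deletes red's write from black's view even though the value reached black only through crypto), while ipurge accepts it, because red's action is kept whenever a crypto action follows it. ipurge still rejects the leaky variant in which red writes black's register directly, since no chain of permitted edges justifies keeping that action.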
A benchmark for comparing different approaches for specifying and verifying real-time systems
In Proc. 10th IEEE Workshop on Real-Time Operating Systems and Software
, 1993
Formal specification and verification of data separation in a separation kernel for an embedded system
 In CCS
, 2006
Abstract
Cited by 28 (4 self)
Although many algorithms, hardware designs, and security protocols have been formally verified, formal verification of the security of software is still rare. This is due in large part to the large size of software, which results in huge costs for verification. This paper describes a novel and practical approach to formally establishing the security of code. The approach begins with a well-defined set of security properties and, based on the properties, constructs a compact security model containing only information needed to reason about the properties. Our approach was formulated to provide evidence for a Common Criteria evaluation of an embedded software system which uses a separation kernel to enforce data separation. The paper describes 1) our approach to verifying the kernel code and 2) the artifacts used in the evaluation: a Top Level Specification (TLS) of the kernel behavior, a formal definition of data separation, a mechanized proof that the TLS enforces data separation, code annotated with pre- and postconditions and partitioned into three categories, and a formal demonstration
Mechanical Verification of a Generalized Protocol for Byzantine Fault Tolerant Clock Synchronization
, 1992
Abstract
Cited by 24 (1 self)
Schneider [Sch87] generalizes a number of protocols for Byzantine fault-tolerant clock synchronization and presents a uniform proof for their correctness. We present a mechanical verification of Schneider's protocol leading to several significant clarifications and revisions. The verification was carried out with the Ehdm system [RvHO91] developed at the SRI Computer Science Laboratory. The mechanically checked proofs include the verification that the egocentric mean function used in Lamport and Melliar-Smith's Interactive Convergence Algorithm [LMS85] satisfies the requirements of Schneider's protocol. Our mechanical verification raises a number of issues regarding the verification of fault-tolerant, distributed, real-time protocols that are germane to the design of a special-purpose logic for such problems.
An Overview of Formal Verification for the Time-Triggered Architecture
, 2002
Abstract
Cited by 22 (3 self)
We describe formal verification of some of the key algorithms in the Time-Triggered Architecture (TTA) for real-time safety-critical control applications.
A formally verified algorithm for clock synchronization under a hybrid fault model
In Thirteenth ACM Symposium on Principles of Distributed Computing
, 1994
Abstract
Cited by 20 (7 self)
A small modification to the interactive convergence clock synchronization algorithm allows it to tolerate a larger number of simple faults than the standard algorithm, without reducing its ability to tolerate arbitrary or “Byzantine” faults. Because the extended case analysis required by the new fault model complicates the already intricate argument for correctness of the algorithm, it has been subjected to mechanically-checked formal verification. The fault model examined is similar to the “hybrid” one previously used for the problem of distributed consensus: in addition to arbitrary faults, we also admit symmetric (i.e., consistent) and manifest (i.e., detectable) faults. With n processors, the modified algorithm can withstand a arbitrary, s symmetric, and m manifest faults simultaneously, provided n > 3a + 2s + m. A further extension to the fault model includes link faults with bound n > 3a + 2s + m + l, where l is the maximum, over all pairs of processors, of the number of processors that have faulty links to one or other of the pair. The
Deduction in the Verification Support Environment (VSE)
 High Integrity Systems
, 1996
Abstract
Cited by 20 (8 self)
The reliability of complex software systems is becoming increasingly important for the technical systems they are embedded in. In order to assure the highest levels of trustworthiness of software, formal methods for the development of software are required. The VSE tool was developed by a consortium of German universities and industry to make a tool available which supports this formal development process. VSE is based on a particular method for programming in the large. This method is embodied in an administration system to edit and maintain formal developments. A deduction component is integrated into this administration system in order to provide proof support for the formal concepts. In parallel to the development of the system itself, two large case studies were conducted in close collaboration with an industrial partner. In both cases components of systems previously developed by the industry were redeveloped from scratch, starting with a formal specification derived...
A Tutorial on Using PVS for Hardware Verification
 Proc. 2nd International Conference on Theorem Provers in Circuit Design (TPCD94), volume 901 of Lecture Notes in Computer Science
, 1995
Abstract
Cited by 15 (0 self)
PVS stands for "Prototype Verification System." It consists of a specification language integrated with support tools and a theorem prover. PVS tries to provide the mechanization needed to apply formal methods both rigorously and productively. This tutorial serves to introduce PVS and its use in the context of hardware verification. In the first section, we briefly sketch the purposes for which PVS is intended and the rationale behind its design, and mention some of the uses that we and others are making of it. We give an overview of the PVS specification language and proof checker. The PVS language, system, and theorem prover each have their own reference manuals, which you will need to study in order to make productive use of the system. A pocket reference card, summarizing all the features of the PVS language, system, and prover, is also available. The purpose of this tutorial is not to describe in detail the features of PVS and how to use the system. Rather, its purpose is to...
Comparing Verification Systems: Interactive Consistency in ACL2
Proceedings of 11th Annual Conference on Computer Assurance
, 1996
Abstract
Cited by 13 (0 self)
Achieving interactive consistency among processors in the presence of faults is an important problem in fault tolerant computing, first cleanly formulated by Lamport, Pease and Shostak and solved in selected cases with their Oral Messages (OM) Algorithm. Several machine-supported verifications of this algorithm have been presented, including a particularly elegant formulation and proof by John Rushby using EHDM and PVS. Rushby proposes interactive consistency as a benchmark problem for specification and verification systems. We present a formalization of the OM algorithm in the ACL2 logic and compare our formalization and proof to his. We draw some conclusions concerning the range of desirable features for verification systems. In particular, while higher-order functions, strong typing, lambda abstraction and full quantification have some value, they come with a cost; moreover, many uses of such features can be easily translated into simpler logical constructs which facilitate more autom...
Formal Verification of the Interactive Convergence Clock Synchronization Algorithm
, 1991
Abstract
Cited by 13 (2 self)
We describe a formal specification and mechanically checked verification of the Interactive Convergence Clock Synchronization Algorithm of Lamport and Melliar-Smith [16]. In the course of this work, we discovered several technical flaws in the analysis given by Lamport and Melliar-Smith, even though their presentation is unusually precise and detailed. As far as we know, these flaws (affecting the main theorem and four of its five lemmas) were not detected by the "social process" of informal peer scrutiny to which the paper has been subjected since its publication. We discuss the flaws in the published proof and give a revised presentation of the analysis that not only corrects the flaws in the original, but is also more precise and, we believe, easier to follow. This informal presentation was derived directly from our formal specification and verification. Some of our corrections to the flaws in the original require slight modifications to the assumptions underlying the algorithm and ...