Results 1  10
of
17
Software Engineering for Security: a Roadmap
 THE FUTURE OF SOFTWARE ENGINEERING
, 2000
"... Is there such a thing anymore as a software system that doesn't need to be secure? Almost every softwarecontrolled system faces threats from potential adversaries, from Internetaware client applications running on PCs, to complex telecommunications and power systems accessible over the Interne ..."
Abstract

Cited by 150 (0 self)
 Add to MetaCart
Is there such a thing anymore as a software system that doesn't need to be secure? Almost every softwarecontrolled system faces threats from potential adversaries, from Internetaware client applications running on PCs, to complex telecommunications and power systems accessible over the Internet, to commodity software with copy protection mechanisms. Software engineers must be cognizant of these threats and engineer systems with credible defenses, while still delivering value to customers. In this paper, we present our perspectives on the research issues that arise in the interactions between software engineering and security.
Using Predicate Abstraction to Reduce ObjectOriented Programs for Model Checking
 In Proceedings of the 3rd ACM SIGSOFT Workshop on Formal Methods in Software Practice
"... While it is becoming more common to see model checking applied to software requirements specifications, it is seldom applied to software implementations. The Automated Software Engineering group at NASA Ames is currently investigating the use of model checking for actual source code, with the eventu ..."
Abstract

Cited by 24 (4 self)
 Add to MetaCart
(Show Context)
While it is becoming more common to see model checking applied to software requirements specifications, it is seldom applied to software implementations. The Automated Software Engineering group at NASA Ames is currently investigating the use of model checking for actual source code, with the eventual goal of allowing software developers to augment traditional testing with model checking. Because model checking suffers from the stateexplosion problem, one of the main hurdles for program model checking is reducing the size of the program. In this paper we investigate the use of abstraction techniques to reduce the statespace of a realtime operating system kernel written in C++. We show how informal abstraction arguments could be formalized and improved upon within the framework of predicate abstraction, a technique based on abstract interpretation. We introduce some extensions to predicate abstraction that all allow it to be used within the classinstance framework of objectoriented...
Liveness verification of reversalbounded multicounter machines with a free counter
 In FSTTCS’01, volume 2245 of LNCS
, 2001
"... Abstract. We investigate the Presburger liveness problems for nondeterministicreversalbounded multicounter machines with a free counter (NCMFs). We show the following:The 9Presburgeri.o. problem and the 9Presburgereventual problem areboth decidable. So are their duals, the 8Presburgeralmost ..."
Abstract

Cited by 17 (8 self)
 Add to MetaCart
(Show Context)
Abstract. We investigate the Presburger liveness problems for nondeterministicreversalbounded multicounter machines with a free counter (NCMFs). We show the following:The 9Presburgeri.o. problem and the 9Presburgereventual problem areboth decidable. So are their duals, the 8Presburgeralmostalways problemand the 8Presburgeralways problem. The 8Presburgeri.o. problem and the 8Presburgereventual problem areboth undecidable. So are their duals, the 9Presburgeralmostalways problem and the 9Presburgeralways problem. These results can be used to formulate a weak form of Presburger linear temporal logic and develop its modelchecking theories for NCMFs. They can also be combined with [12] to study the same set of liveness problems on an extendedform of discrete timed automata containing, besides clocks, a number of reversalbounded counters and a free counter. 1 Introduction An infinitestate system can be obtained by augmenting a finite automaton with oneor more unbounded storage devices. The devices can be, for instance, counters (unary stacks), pushdown stacks, queues, and/or Turing tapes. However, an infinitestate system can easily achieve Turingcompleteness, e.g., when two counters are attached to a finite automaton (resulting in a &quot;Minsky machine&quot;). For these systems, even simpleproblems such as membership are undecidable.
Verifying Time Partitioning in the DEOS Scheduling Kernel
 IN 22ND INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING (ICSE00
, 2004
"... This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS realtime scheduling kernel. The goal of the experiment was to investigate whether model checking with minimal abstraction could be used to nd a subtl ..."
Abstract

Cited by 6 (0 self)
 Add to MetaCart
(Show Context)
This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS realtime scheduling kernel. The goal of the experiment was to investigate whether model checking with minimal abstraction could be used to nd a subtle implementation error that was originally discovered and fixed during the standard formal review process. The experiment involved translating a core slice of the DEOS scheduling kernel from C++ into Promela, constructing an abstract "testdriver" environment and carefully introducing several abstractions into the system to support verification. Attempted verification of several properties related to timepartitioning led to the rediscovery of the known error in the implementation. The case study
A Symbolic Model Checker for Testing ASTRAL Realtime Specifications
 PROC. OF RTCSA'99
, 1999
"... ASTRAL is a highlevel formal specification language for realtime (infinite state) systems. It is provided with structuring mechanisms that allow one to build modularized specifications of complex realtime systems with layering. In this paper, the methods and techniques used in the prototype imple ..."
Abstract

Cited by 6 (6 self)
 Add to MetaCart
ASTRAL is a highlevel formal specification language for realtime (infinite state) systems. It is provided with structuring mechanisms that allow one to build modularized specifications of complex realtime systems with layering. In this paper, the methods and techniques used in the prototype implementation of the ASTRAL symbolic model checker, which is a component of the ASTRAL Software Development Environment(SDE), are presented. The model checking procedure uses the Omega library to represent a subset of states, and model checking is carried out on the execution tree of an ASTRAL process. The tree is further trimmed by the execution graph of the process. The model checker combines both explicit state exploration and symbolic state calculation in order to reduce the number of variables needed by dynamically resolving their values as well as their histories along a path of execution. Based upon the ASTRAL proof theory, the model checker is modularized, in the sense that each time it ...
Generalized discrete timed automata: decidable approximations for safety verification
 Theoretical Computer Science
"... Abstract. We consider generalized discrete timed automata with general linearrelations over clocks and parameterized constants as clock constraints and with parameterized durations. We look at three approximation techniques (i.e., the rresetbounded approximation, the Bbounded approximation, and t ..."
Abstract

Cited by 4 (4 self)
 Add to MetaCart
Abstract. We consider generalized discrete timed automata with general linearrelations over clocks and parameterized constants as clock constraints and with parameterized durations. We look at three approximation techniques (i.e., the rresetbounded approximation, the Bbounded approximation, and the hB; ricrossingbounded approximation), and derive automatatheoretic characterizations of the binary reachability under these approximations. The characterizations allow us to show that the safety analysis problem is decidable for generalized discrete timed automata with unit durations and for deterministic generalizeddiscrete timed automata with parameterized durations. An example specification written in ASTRAL is used to run a number of experiments using one of theapproximation techniques. 1 Introduction As a standard model for analyzing realtime systems, timed automata [3] have receivedenormous attention during the past decade. A timed automaton can be considered as a finite automaton augmented with a finite number of clocks. The clocks can be reset orprogress at the same rate, and can be tested against clock constraints in the form of clock regions (i.e., comparisons of a clock or the difference of two clocks against an integerconstant, e.g.,
Three Approximation Techniques for ASTRAL Symbolic Model Checking of Infinite State Realtime Systems
 IN PROCEEDINGS OF THE 22ND INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING
, 2000
"... ASTRAL is a highlevel formal specification language for realtime systems. It has structuring mechanisms that allow one to build modularized specifications of complex realtime systems with layering. Based upon the ASTRAL symbolic model checker reported in [13], three approximation techniques to sp ..."
Abstract

Cited by 4 (3 self)
 Add to MetaCart
(Show Context)
ASTRAL is a highlevel formal specification language for realtime systems. It has structuring mechanisms that allow one to build modularized specifications of complex realtime systems with layering. Based upon the ASTRAL symbolic model checker reported in [13], three approximation techniques to speedup the model checking process for use in debugging a specification are presented. The techniques are random walk, partial image and dynamic environment generation. Ten mutation tests on a railroad crossing benchmark are used to compare the performance of the techniques applied separately and in combination. The test results are presented and analyzed.
Formal Specification and Analysis of an eVoting System. In:
 The 5th International Conference on Availability Reliability and Security, IEEE
, 2010
"... AbstractElectronic voting systems are a perfect example of securitycritical computing. One of the critical and complex parts of such systems is the voting process, which is responsible for correctly and securely storing intentions and actions of the voters. Unfortunately, recent studies revealed ..."
Abstract

Cited by 3 (2 self)
 Add to MetaCart
(Show Context)
AbstractElectronic voting systems are a perfect example of securitycritical computing. One of the critical and complex parts of such systems is the voting process, which is responsible for correctly and securely storing intentions and actions of the voters. Unfortunately, recent studies revealed that various evoting systems show serious specification, design, and implementation flaws. The application of formal specification and verification can greatly help to better understand the system requirements of evoting systems by thoroughly specifying and analyzing the underlying assumptions and the security specific properties. This paper presents the specification and verification of the electronic voting process for the Election Systems & Software (ES&S) system. We used the ASTRAL language to specify the voting process of ES&S machines and the critical security requirements for the system. Proof obligations that verify that the specified system meets the critical requirements were automatically generated by the ASTRAL Software Development Environment (SDE). The PVS interactive theorem prover was then used to apply the appropriate proof strategies and discharge the proof obligations.
Decidable Approximations on Generalized and Parameterized Discrete Timed Automata
 COCOON'01, LNCS 2108
"... . We consider generalized discrete timed automata with general linear relations over clocks and parameterized constants as clock constraints and with parameterized durations. We look at three approximation techniques (i.e., the rresetbounded approximation, the Bbounded approximation, and the hB ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
. We consider generalized discrete timed automata with general linear relations over clocks and parameterized constants as clock constraints and with parameterized durations. We look at three approximation techniques (i.e., the rresetbounded approximation, the Bbounded approximation, and the hB; ricrossingbounded approximation), and derive automatatheoretic characterizations of the binary reachability under these approximations. The characterizations allow us to show that the safety analysis problem is decidable for generalized discrete timed automata with unit durations and for deterministic generalized discrete timed automata with parameterized durations. An example specification written in ASTRAL is used to run a number of experiments using one of the approximation techniques. 1
Formal analysis of attacks for evoting system
 In CRiSIS ’09: Fourth international
, 2009
"... AbstractRecently, the use of formal methods to specify and verify properties of electronic voting (evoting) systems, with particular interest in security, verifiability, and anonymity, is getting much attention. Formal specification and verification of such systems can greatly help to better unde ..."
Abstract

Cited by 2 (2 self)
 Add to MetaCart
(Show Context)
AbstractRecently, the use of formal methods to specify and verify properties of electronic voting (evoting) systems, with particular interest in security, verifiability, and anonymity, is getting much attention. Formal specification and verification of such systems can greatly help to better understand the system requirements by thoroughly specifying and analyzing the underlying assumptions and security specific properties. Unfortunately, even though these systems have been formally verified to satisfy the desired system security requirements, they are still vulnerable to attack. In this paper we extend a formal specification of the ES&S voting system by specifying attacks that have been shown to successfully compromise the system. We believe that performing such analysis is important for two reasons: first, it allows us to discover some missing critical requirements for the specification and/or assumptions that were not met. Second, it allows us to derive mitigation or countermeasure strategies when the system behaves differently than it should. We used the ASTRAL language for the specification, and the verification is performed using the PVS tool.