Adel Bouhoula

Specification and proof in membership equational logic

This paper is part of a long-term effort to increase expressiveness of algebraic specification languages while at the same time having a simple semantic basis on which efficient execution by rewriting and powerful theorem-proving tools can be based. In particular, our rewriting techniques provide semantic foundations for Maudes functional sublanguage, where they have been efficiently implemented.

Implicit induction in conditional theories

We propose a new procedure for proof by induction in conditional theories where case analysis is simulated by term rewriting. This technique reduces considerably the number of variables of a conjecture to be considered for applying induction schemes. Our procedure is presented as a set of inference rules whose correctness has been formally proved. Moreover, when the axioms are ground convergent and the functions are completely defined, it is possible to apply the system for refuting conjectures. The procedure is even refutationally complete for conditional equations with Boolean preconditions over free constructors. The method is entirely implemented in the proverSPIKE. This system has solved interesting problems in a completely automatic way, that is, without interaction with the user and without ad hoc heuristics. It has also proved the challenging Gilbreath card trick, with only two easy lemmas.

Protocol analysis in intrusion detection using decision tree

Network based intrusion detection are the most deployed IDS. They frequently rely on signature matching detection method and focus on the security of low level network protocols. Because of the large number of false positives from one side, and the incapacity to detect some attack types from another side, IDS must allow more interest to the monitoring of application level protocols. We propose in this paper a combination of pattern matching and protocol analysis approaches. While the first method of detection relies on a multipattern matching strategy, the second one benefits from an efficient decision tree adaptive to the network traffic characteristics.

Managing Delegation in Access Control Models

In the field of access control, delegation is an important aspect that is considered as a part of the administration mechanism. Thus, a complete access control must provide a flexible administration model to manage delegation. Unfortunately, to our best knowledge, there is no complete model for describing all delegation requirements for role-based access control. Therefore, proposed models are often extended to consider new delegation characteristics, which is a complex task to manage and necessitate the redefinition of these models. In this paper we describe a new delegation approach for extended role-based access control models. We show that our approach is flexible and is sufficient to manage all delegation requirements.

Automated Mathematical Induction

Proofs by induction are important in many computer science and artifical intelligence applications, in particular, in program verification and specification systems. We present a new method to prove (and disprove) automatically inductives properties. Given a set of axioms, a well-suited induction scheme is constructed automatically. We call such and induction scheme a test set. Then, for proving a property, we just instantiate it with terms from the test set and apply pure algebraic simplifications to the result. This method needs no completion and explicit induction. However it retains their positive features, namely, the completeness of the former and the robustness of the latter. It has been implemented in the theorem-prover SPIKE.

Automated Theorem Proving by Test Set Induction

Test set induction is a goal-directed proof technique which combines the full power of explicit induction and proof by consistency. It works by computing an appropriate explicit induction scheme calleda test set, to trigger the induction proof, and then applies a refutation principle using proof by consistency techniques. We present a general scheme for test set induction together with a simple soundness proof. Our method is based on new notions of test sets,induction variables, andprovable inconsistency, which allow us to refute false conjectures even in the case where the functions are not completely defined. We show how test sets can be computed when the constructors are not free, and give an algorithm for computing induction variables. Finally, we present a procedure for proof by test set induction which is refutationally complete for a larger class of specifications than has been shown in previous work. The method has been implemented in the proverSPIKE. Based on computer experiments dealing with mutual induction,SPIKEappears to be more practical and efficient than explicit induction based systems.

Using induction and rewriting to verify and complete parameterized specifications

Abstract In software engineering there is a growing demand for formal methods for the specification and validation of software systems. The formal development of a system might give rise to many proof obligations. We must prove the completeness of the specification and the validity of some inductive properties. In this framework, many provers have been developed. However they require much user interaction even for simple proof tasks. In this paper, we present new procedures to test sufficient completeness and to prove or disprove inductive properties automatically in para-meterized conditional specifications. The method has been implemented in the prover SPIKE. Computer experiments illustrate the improvements in length and structure of proofs, due to parameterization. Moreover, SPIKE offers facilities to check and complete specifications.

An inference system for detecting firewall filtering rules anomalies

Firewalls are crucial equipments for protecting private networks. However by only deploying firewalls, administrators are far from securing their enterprises networks. Bad configurations may cause serious security breaches and network vulnerabilities. In particular, conflicting filtering rules lead to block legitimate traffic or to accept unwanted packets. We present in this paper a new classification method to detect overlaps between packet filters within one firewall. Our method processes a set of filtering rules that have a variable number of fields. A field has a range of values, represented by an interval or a variable length bit string, that may intersect with the corresponding field ranges of other rules. In order to detect overlaps we organize the conditions of each filtering rule in such a way that we can quickly separate non overlapping rules. This strategy allows us to avoid considering the entire rule header in many cases.

Automatic verification of conformance of firewall configurations to security policies

The configuration of firewalls is highly error prone and automated solution are needed in order to analyze its correctness. We propose a formal and automatic method for checking whether a firewall reacts correctly with respect to a security policy given in an high level declarative language. When errors are detected, some feedback is returned to the user in order to correct the firewall configuration. Furthermore, the procedure verifies that no conflicts exist within the security policy. We show that our method is both correct and complete. Finally, it has been implemented in a prototype of verifier based on a satisfiability solver modulo theories (SMT). Experiment conducted on relevant case studies demonstrate the efficiency and scalability of the approach.

Observational proofs with critical contexts

Observability concepts contribute to a better understanding of software correctness. In order to prove observational properties, the concept of Context Induction has been developed by Hennicker [10]. We propose in this paper to embed Context Induction in the implicit induction framework of [8]. The proof system we obtain applies to conditional specifications. It allows for many rewriting techniques and for the refutation of false observational conjectures. Under reasonable assumptions our method is refutationally complete, i.e. it can refute any conjecture which is not observationally valid. Moreover this proof system is operational: it has been implemented within the Spike prover and interesting computer experiments are reported.