
Publication


Featured research published by Alessandro Aldini.


Archive | 2007

Foundations of security analysis and design IV

Alessandro Aldini; Roberto Gorrieri

With testing, a system is executed with a set of selected stimuli and observed to determine whether its behavior conforms to the specification. Therefore, testing is a strategic activity at the heart of software quality assurance, and is today the principal validation activity in industrial contexts to increase confidence in the quality of systems. This paper, summarizing the six-hour lesson taught during the Summer School FOSAD’12, gives an overview of test data selection techniques and provides a state of the art on model-based approaches for security testing.

1 Testing and Software Engineering

One major issue, regarding engineering in general and the software domain in particular, concerns the conformity of the realization with respect to the stakeholder specification. To tackle this issue, software engineering relies on two kinds of approaches: validation and verification, usually called V&V.

1.1 Software Engineering

The approaches proposed by software engineering to ensure software conformity are validation and verification. There are many definitions of these two words, but we propose to explain them with respect to their usage. Validation addresses the question “Are we building the right product?”, which aims to validate that the software does what the end users really require, i.e. that the developed software conforms to the requirements of its specification. Verification addresses the question “Are we building the product right?”, which aims to verify that all the artifacts defined during the development stages to produce the software conform to the requirements of its specification, i.e. that the requirements and design specifications have been correctly integrated in the development artifacts (model, code, etc.). It should be noted that other variants or interpretations of these definitions can be found in the literature, mainly depending on the engineering domain to which they are applied.

A. Aldini et al. (Eds.): FOSAD VII, LNCS 8604, pp. 1–33, 2014.


Archive | 2009

A Process Algebraic Approach to Software Architecture Design

Alessandro Aldini; Marco Bernardo; Flavio Corradini

In the field of formal methods in computer science, concurrency theory is receiving a constantly increasing interest. This is especially true for process algebra. Although it had been originally conceived as a means for reasoning about the semantics of concurrent programs, process algebraic formalisms like CCS, CSP, ACP, π-calculus, and their extensions (see, e.g., [154,119,112,22,155,181,30]) were soon used also for comprehending functional and nonfunctional aspects of the behavior of communicating concurrent systems. The scientific impact of process calculi and behavioral equivalences at the base of process algebra is witnessed not only by a very rich literature. It is in fact worth mentioning the standardization procedure that led to the development of the process algebraic language LOTOS [49], as well as the implementation of several modeling and analysis tools based on process algebra, like CWB [70] and CADP [93], some of which have been used in industrial case studies. Furthermore, process calculi and behavioral equivalences are by now adopted in university-level courses to teach the foundations of concurrent programming as well as the model-driven design of concurrent, distributed, and mobile systems. Nevertheless, after 30 years since its introduction, process algebra is rarely adopted in the practice of software development. On the one hand, its technicalities often obfuscate the way in which systems are modeled. As an example, if a process term comprises numerous occurrences of the parallel composition operator, it is hard to understand the communication scheme among the various subterms. On the other hand, process algebra is perceived as being difficult to learn and use by practitioners, as it is not close enough to the way they think of software systems.


Journal of Computer Security | 2004

A process-algebraic approach for the analysis of probabilistic noninterference

Alessandro Aldini; Mario Bravetti; Roberto Gorrieri

We define several security properties for the analysis of probabilistic noninterference as a conservative extension of a classical, nondeterministic, process-algebraic approach to information flow theory. We show that probabilistic covert channels (that are not observable in the nondeterministic setting) may be revealed through our approach and that probabilistic information can be exploited to give an estimate of the amount of confidential information flowing to unauthorized users. Finally, we present a case study showing that the expressiveness of the calculus we adopt makes it possible to model and analyze real concurrent systems.


Theoretical Computer Science | 2005

On the usability of process algebra: an architectural view

Alessandro Aldini; Marco Bernardo

Despite its strengths like compositionality and equivalence checking, process algebra is rarely adopted outside the academia. In this paper we address the usability issue for process algebra along two different directions. On the modeling side, we provide a set of guidelines inspired by the software architecture field, which should enforce a clear component-oriented approach to the process algebraic design of system families. On the verification side, we propose a component-oriented technique based on equivalence checking for the detection of architecture-level mismatches and the provision of related diagnostic information. Such a technique extends previous results in terms of generality of the considered mismatches, generality of the considered system topologies, and scalability to system families.


Theoretical Computer Science | 2003

Discrete time generative-reactive probabilistic processes with different advancing speeds

Mario Bravetti; Alessandro Aldini

We present a process algebra expressing probabilistic external/internal choices, multi-way synchronizations, and processes with different advancing speeds in the context of discrete time, i.e. where time is not continuous but is represented by a sequence of discrete steps as in discrete time Markov chains (DTMCs). To this end, we introduce a variant of CSP that employs a probabilistic asynchronous parallel operator whose synchronization mechanism is based on a mixture of the classical generative and reactive models of probability. In particular, differently from existing discrete time process algebras, where parallel processes are executed in synchronous locksteps, the parallel operator that we adopt allows processes with different probabilistic advancing speeds (mean number of actions executed per time unit) to be modeled. Moreover, our generative-reactive synchronization mechanism makes it possible to always derive DTMCs in the case of fully specified systems. We then present a sound and complete axiomatization of probabilistic bisimulation over finite processes of our calculus, that is a smooth extension of the axiom system for a standard process algebra, thus solving the open problem of cleanly axiomatizing action restriction in the generative model. As a further result, we show that, when evaluating steady state based performance measures which are expressible by attaching rewards to actions, our approach provides an exact solution even if the advancing speeds are considered not to be probabilistic, without incurring the state space explosion problem that arises with standard synchronous approaches. We finally present a case study on multi-path routing showing the expressiveness of our calculus and that it makes it particularly easy to produce scalable specifications.


international conference on wireless communications and mobile computing | 2012

Virtual currency and reputation-based cooperation incentives in user-centric networks

Alessandro Bogliolo; P. Polidori; Alessandro Aldini; Waldir Moreira; Paulo Mendes; M. Yildiz; C. Ballester; Jean-Marc Seigneur

Cooperation incentives are essential in user-centric networks to motivate users to share services and resources (including bandwidth, computational power, and storage space) and to prevent selfish nodes from hindering the functioning of the entire system. Virtual currency and reputation mechanisms are commonly adopted in online communities to boost participation, but their joint application has not been deeply explored, especially in the context of wireless communities, where not only the services, but even the enabling infrastructure is opportunistically built by community members. This paper investigates the combined use of virtual currency and reputation-based incentives in the specific context of a community of users with Wi-Fi enabled devices capable of establishing ad-hoc connections.


ACM Transactions on Modeling and Computer Simulation | 2001

Comparing the QoS of Internet audio mechanisms via formal methods

Alessandro Aldini; Marco Bernardo; Roberto Gorrieri; Marco Roccetti

We compute and compare the quality of service (QoS) of three soft real-time applications for audio transmissions over the Internet. The main metric we want to capture is the average packet audio playout delay vs. the packet loss rate as perceived by users. Other metrics we take into account are the packet loss rate vs. the receiving buffer capacity, the lateness of discarded packets vs. the average packet audio playout delay, and the waiting time in the receiver buffer for the played packets vs. the average packet audio playout delay. The study is conducted in the algebraic language EMPA, by way of formal descriptions of the three audio mechanisms. The mechanisms are analyzed via simulation using the software tool TwoTowers under various (experimentally obtained or randomly generated) traffic conditions. The stochastic process algebra EMPA is used because it compositionally supports system modeling, it allows functional properties of systems to be formally verified (unlike conventional simulators), and it represents generally distributed durations (which come into play in the three audio mechanisms). The comparison reveals that in general none of the three mechanisms outperforms the other two, as their performance depends on the traffic conditions.


Lecture Notes in Computer Science | 2002

Security Analysis of a Probabilistic Non-repudiation Protocol

Alessandro Aldini; Roberto Gorrieri

Non-interference is a definition of security introduced for the analysis of confidential information flow in computer systems. In this paper, a probabilistic notion of non-interference is used to reveal information leakage which derives from the probabilistic behavior of systems. In particular, as a case study, we model and analyze a nonrepudiation protocol which employs a probabilistic algorithm to achieve a fairness property. The analysis, conducted by resorting to a definition of probabilistic non-interference in the context of process algebras, confirms that a solely nondeterministic approach to the information flow theory is not enough to study the security guarantees of cryptographic protocols.


international conference on concurrency theory | 2001

Probabilistic Information Flow in a Process Algebra

Alessandro Aldini

We present a process algebraic approach for extending to the probabilistic setting the classical logical information flow analysis of computer systems. In particular, we employ a calculus for the analysis of probabilistic systems and a notion of probabilistic bisimulation in order to define classical security properties, such as nondeterministic noninterference (NNI) and nondeducibility on compositions (NDC), in the probabilistic setting. We show how to (i) extend the results known for the nondeterministic case, (ii) analyse insecure nondeterministic behaviors, and (iii) reveal probabilistic covert channels which may not be observable in the nondeterministic case. Finally, we show that the expressiveness of the calculus we adopt makes it possible to model concurrent systems in order to derive also performance measures.


International Journal of Information Security | 2008

Estimating the maximum information leakage

Alessandro Aldini; Alessandra Di Pierro

Preventing improper information leaks is one of the greatest challenges of modern society. In this paper, we present a technique for measuring the ability of several families of adversaries to set up a covert channel. Our approach relies on a noninterference-based formulation of security which can be naturally expressed by semantic models of the program execution. In our analysis the most powerful adversary is measured via a notion of approximate process equivalence. Even if finding the most powerful adversary is in general impractical, we show that this requires only a finite number of checks for a particular family of adversaries which are related to a probabilistic information flow property.
