Publication


Featured research published by Amel Mammar.


Information & Software Technology | 2012

An advanced approach for modeling and detecting software vulnerabilities

Nahid Shahmehri; Amel Mammar; Edgardo Montes de Oca; David Byers; Ana R. Cavalli; Shanai Ardi; Willy Jimenez

Context: Passive testing is a technique in which traces collected from the execution of a system under test are examined for evidence of flaws in the system. Objective: In this paper we present a method for detecting the presence of security vulnerabilities by detecting evidence of their causes in execution traces. This is a new approach to security vulnerability detection. Method: Our method uses formal models of vulnerability causes, known as security goal models and vulnerability detection conditions (VDCs). The former are used to identify the causes of vulnerabilities and model their dependencies, and the latter to give a formal interpretation that is suitable for vulnerability detection using passive testing techniques. We have implemented modeling tools for security goal models and vulnerability detection conditions, as well as TestInv-Code, a tool that checks execution traces of compiled programs for evidence of VDCs. Results: We present the full definitions of security goal models and vulnerability detection conditions, as well as structured methods for creating both. We describe the design and implementation of TestInv-Code. Finally we show results obtained from running TestInv-Code to detect typical vulnerabilities in several open source projects. By testing versions with known vulnerabilities, we can quantify the effectiveness of the approach. Conclusion: Although the current implementation has some limitations, passive testing for vulnerability detection works well, and using models as the basis for testing ensures that users of the testing tool can easily extend it to handle new vulnerabilities.


Leveraging Applications of Formal Methods | 2016

On the use of domain and system knowledge modeling in goal-based Event-B specifications

Amel Mammar; Régine Laleau

When using formal methods, one of the main difficulties is to elaborate the initial formal specification from the informal descriptions obtained during the requirements analysis phase. For that purpose, we propose a goal-based approach in which the building of an initial formal model (in Event-B) is driven by a goal-oriented requirements engineering model (SysML/KAOS). In a previous work, we defined a set of rules to derive a partial Event-B specification from a goal model. In this paper, we propose to enhance the goal model in order to obtain a more complete formal specification. First, we advocate the specification of a domain ontology in order to share a common understanding of the structure of the different applications of the underlying domain. This is particularly useful for complex systems, where it makes the domain knowledge explicit and clearer. For a specific system, class and object diagrams are then specified to detail its components and their relationships. Finally, we describe how the ontology and the structural model are translated into Event-B. The proposed approach is illustrated through a landing gear system.


IEEE Transactions on Services Computing | 2017

Towards correct cloud resource allocation in business processes

Mohamed Graiet; Amel Mammar; Souha Boubaker; Walid Gaaloul

Cloud environments are being increasingly used for deploying and executing business processes to provide a high level of performance with low operating cost. Nevertheless, due to the lack of an explicit and formal description of the resource perspective in existing business processes, the correctness of Cloud resource management cannot be verified. The aim of the present work is to offer a formal definition of the resource perspective in business processes as a step towards ensuring a correct and consistent Cloud resource allocation in business process modeling. Concretely, we propose a formalism based on the Event-B language for specifying Cloud resource allocation policies in business process models. This formal specification is used to formally validate the consistency of Cloud resource allocation for process modeling at design time, and to analyze and check its correctness according to user requirements and resource capabilities. In order to show its feasibility, our approach has been tested on a real use case study from an industrial partner.


International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z | 2014

Modeling a Landing Gear System in Event-B

Amel Mammar; Régine Laleau

This paper describes the Event-B modeling of the landing gear system of an aircraft, whose complete description can be found in [3]. This real-life case study was proposed by the ABZ'2014 track, which takes place in Toulouse, the European capital of the aeronautic industry. Our modeling is based on Parnas and Madey's 4-Variable Model, which makes it possible to consider the different parts of a system. These parts are incrementally introduced using the Event-B refinement technique. The entire development has been carried out under the Rodin toolset. To validate and prove the different components, we use the Atelier B, SMT and ML provers, which are plugged into Rodin.


ACM Symposium on Applied Computing | 2011

A proof-based approach to verifying reachability properties

Amel Mammar; Marc Frappier; Fama Diagne

This paper presents a formal approach to proving temporal reachability properties, expressed in CTL, on B systems. We are particularly interested in demonstrating that a system can reach a given state by executing a sequence of actions (or operation calls) called a path. Starting with a path, the proposed approach consists in calculating the proof obligations to discharge in order to prove that the path allows the system to evolve so as to verify the desired property. Since these proof obligations are expressed as first-order logic formulas without any temporal operator, they can be discharged using the prover of Atelier B. Our proposal is illustrated through a case study.


DPM'11 Proceedings of the 6th international conference, and 4th international conference on Data Privacy Management and Autonomous Spontaneus Security | 2011

Using requirements engineering in an automatic security policy derivation process

Mariem Graa; Nora Cuppens-Boulahia; Fabien Autrel; Hanieh Azkia; Frédéric Cuppens; Gouenou Coatrieux; Ana R. Cavalli; Amel Mammar

Traditionally, a security policy is defined from an informal set of requirements, generally written in natural language. It is then difficult to assess the degree of compatibility between the manually generated security policy and the informal requirements definition. The idea of this paper is to automate the process of deriving the formal security policy, using a more structured specification of the security objectives issued by the administrator of the information system to be secured. We chose the goal-oriented methodology KAOS to express the functional objectives; then, based on the results of a risk analysis, we integrate the security objectives into the obtained KAOS framework. Finally, through a transformation process applied to this structured security objectives specification, we automatically generate the corresponding security policy. This policy is consistent with the access control model OrBAC (Organization Based Access Control).


Asia-Pacific Software Engineering Conference | 2009

A Formal Framework to Integrate Timed Security Rules within a TEFSM-Based System Specification

Wissam Mallouli; Amel Mammar; Ana R. Cavalli

Formal methods are very useful in the software industry and are becoming of paramount importance in practical engineering techniques. They involve the design and the modeling of various system aspects, usually expressed through different paradigms. In this paper, we propose to combine two modeling formalisms in order to express both the functional and the timed security requirements of a system. First, the system behavior is specified based on its functional requirements using the TEFSM (Timed Extended Finite State Machine) formalism. Second, this model is augmented by applying a set of dedicated algorithms to integrate timed security requirements specified in the Nomad language. This language is well adapted to expressing security properties such as permissions, prohibitions and obligations with time considerations. The resulting secure model can be used for several purposes such as code generation, specification correctness proof, model checking or automatic test generation. In this paper, we applied our approach to a France Telecom Travel service (France Telecom is the main telecommunication company in France) in order to demonstrate its feasibility.


Formal Aspects of Computing | 2015

Proof-based verification approaches for dynamic properties: application to the information system domain

Amel Mammar; Marc Frappier

This paper proposes a formal approach for generating necessary and sufficient proof obligations to demonstrate a set of dynamic properties using the B method. In particular, we consider reachability, non-interference and absence properties. Also, we show that these properties permit a wide range of property patterns introduced by Dwyer to be expressed. An overview of a tool supporting these approaches is also provided.


International Symposium on Software Reliability Engineering | 2012

An Assertions-Based Approach to Verifying the Absence Property Pattern

Marc Frappier; Amel Mammar

Temporal properties are very common in various classes of systems, including information systems and security policies. This paper investigates two verification methods, proof and model checking, for one of the most frequent patterns of temporal property, the absence pattern. We explore two model-based specification techniques, B and Alloy, because of their adequacy for easily specifying systems with complex data structures, like information systems. We propose a first-order, assertion-based, sound and complete strategy to verify the absence pattern. This enables the proof of the absence pattern using conventional first-order provers. We show that the use of assertions significantly increases the size of the models that can be checked, when compared to traditional LTL model checking techniques. The approach is illustrated through a case study.


Electronic Notes in Theoretical Computer Science | 2011

Proving Reachability in B using Substitution Refinement

Marc Frappier; Fama Diagne; Amel Mammar

This paper proposes an approach to prove reachability properties of the form AG(φ ⇒ EF ψ) using substitution refinement in classical B. Such properties denote that there exists an execution path from each state satisfying φ to a state satisfying ψ. These properties frequently occur in security policies and information systems. We show how to use Morgan's specification statement to represent a property and refinement laws to prove it. The idea is to construct by stepwise refinement a program whose elementary statements are operation calls. Thus, the execution of such a program provides an execution satisfying AG(φ ⇒ EF ψ). Proof obligations are represented using assertions (ASSERTIONS clause of B) and can be discharged using Atelier B.

Collaboration

Top co-authors of Amel Mammar.

Marc Frappier

Université de Sherbrooke

Fama Diagne

Université de Sherbrooke