Andrew P. Moore
United States Naval Research Laboratory
Publication
Featured research published by Andrew P. Moore.
IEEE Computer | 1998
Myong H. Kang; Andrew P. Moore; Ira S. Moskowitz
The NRL Pump forwards messages from a low level system to a high level system and monitors the timing of acknowledgments from the high level system to minimize leaks. It is the keystone to a proposed architecture that uses specialized high assurance devices to separate data at different security levels. We describe the software design and assurance argument strategy for this device, the Network NRL Pump, which can be used in any multilevel secure distributed architecture. We have completed the system requirements and logical design of a prototype pump and are working on its physical design.
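The abstract above (and the 1997 HASE abstract that follows) describes the Pump's core mechanism only in outline: messages flow Low to High, and the Pump watches the timing of High's acknowledgements so that those timings cannot be turned into a covert channel back to Low. The following simulation is an added example, not code from the NRL Pump papers. It assumes a simplified model of the device (the Pump acknowledges Low after an exponentially distributed random delay whose mean is a moving average of High's recent ACK delays); the exact algorithm and the `TrojanHigh`, `PassThrough`, `Pump` and `compare` names are constructed for this illustration. A colluding Low decodes one bit per ACK from its delay; with a pass-through device the bits are recovered perfectly, while the Pump keeps Low's throughput matched to High but leaves the decoder near chance.

```python
"""Toy simulation of NRL Pump acknowledgement timing (added example).

Assumed, simplified model; not the published Pump algorithm:
  - Low sends messages to the Pump, which buffers them and delivers to High.
  - High ACKs each message after a delay it controls; a Trojan on High
    modulates that delay to leak bits back to Low (a covert timing channel).
  - PassThrough: Low is ACKed exactly when High ACKs, so the channel is open.
  - Pump: Low is ACKed after a random delay whose mean tracks a moving
    average of High's recent ACK delays.
"""
import random
from collections import deque


class TrojanHigh:
    """Constructed adversary on High: encodes one bit per message in its ACK
    delay, a long delay for 1 and a short delay for 0."""

    def __init__(self, bits, fast=1.0, slow=4.0):
        self.bits = list(bits)
        self.fast = fast
        self.slow = slow

    def ack_delay(self, i):
        return self.slow if self.bits[i] else self.fast

    def threshold(self):
        # Decision threshold a colluding Low uses on the ACK delay it observes.
        return (self.fast + self.slow) / 2.0


class PassThrough:
    """No Pump: ACK timing seen by Low is exactly High's ACK timing."""

    def low_ack_delay(self, high_delay):
        return high_delay


class Pump:
    """Simplified Pump (assumption): the ACK to Low is delayed by an
    exponentially distributed random time whose mean is a moving average of
    High's recent ACK delays.  Average rate follows High, so Low is not
    starved, but any single ACK time is decoupled from High's current choice."""

    def __init__(self, rng, window=8):
        self.rng = rng
        self.history = deque(maxlen=window)

    def low_ack_delay(self, high_delay):
        self.history.append(high_delay)
        mean = sum(self.history) / len(self.history)
        return self.rng.expovariate(1.0 / mean)


def run_channel(device, high, n):
    """Send n messages Low->High through `device`.  Low decodes one bit per
    ACK by comparing the ACK delay with the Trojan's threshold.  Returns
    (fraction of leaked bits Low recovered, mean ACK delay Low observed)."""
    thr = high.threshold()
    correct = 0
    total_delay = 0.0
    for i in range(n):
        hd = high.ack_delay(i)
        ld = device.low_ack_delay(hd)
        total_delay += ld
        if (1 if ld > thr else 0) == high.bits[i]:
            correct += 1
    return correct / n, total_delay / n


def compare(n=2000, seed=1):
    """Constructed experiment: the same leaked bit string through both devices."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(n)]
    high = TrojanHigh(bits)
    direct_acc, direct_mean = run_channel(PassThrough(), high, n)
    pump_acc, pump_mean = run_channel(Pump(rng), high, n)
    return {
        "passthrough_accuracy": direct_acc,
        "pump_accuracy": pump_acc,
        "high_mean_delay": direct_mean,  # pass-through mirrors High exactly
        "pump_mean_delay": pump_mean,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value:.3f}")
```

The residual leak in the Pump case comes from the moving average itself: the current High delay contributes one eighth of the mean, so a patient attacker can still extract a little information per message. That is why the real design reasons about channel capacity rather than claiming the channel is closed, and why the abstract speaks of minimising, not eliminating, leaks.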
High-Assurance Systems Engineering | 1997
Myong H. Kang; Andrew P. Moore; Ira S. Moskowitz
Developing a trustworthy system is difficult because the developer must construct a persuasive argument that the system conforms to its critical requirements. This assurance argument, as well as the software and hardware, must be evaluated by an independent certification team. We present the external requirements and logical design of a specific trusted device, the NRL Pump, and describe our plan, called the assurance strategy, to create the eventual assurance argument. Our assurance strategy exploits currently available graphical specification, simulation, formal proof, and testing coverage analysis tools. Portions of the design are represented by figures generated by the Statemate toolset, and we discuss how those tools, together with covert channel analysis, will be used to show that the logical design conforms to its external requirements. We conclude with some remarks on a possible physical architecture.
Proceedings of 11th Annual Conference on Computer Assurance. COMPASS '96 | 1996
Andrew P. Moore; Charles N. Payne
The assurance argument that a trusted system satisfies its information security requirements must be convincing, because the argument supports the accreditation decision to allow the computer to process classified information in an operational environment. Assurance is achieved through understanding, but some evidence that supports the assurance argument can be difficult to understand. The paper describes a novel application of a technique, called literate programming (D.E. Knuth, 1984), that significantly improves the readability of the assurance argument while maintaining its consistency with formal specifications that are input to specification and verification systems. We describe an application of this technique to a simple example and discuss the lessons learned from this effort.
IEEE Transactions on Software Engineering | 1990
Andrew P. Moore
A formal method for decomposing the critical requirements of a system into requirements of its component processes and a minimal, possibly empty, set of synchronization requirements is described. The trace model of Hoare's communicating sequential processes (CSP) is the basis for the formal method. The method is applied to an abstract voice transmitter, and the role that the EHDM verification system plays in the transmitter's decomposition is described. In combination with other verification techniques, it is expected that this method will promote the development of more trustworthy systems.
Archive | 1999
Andrew P. Moore; J. Eric Klinker; David M. Mihelcic
Developers of a critical system must argue that the system satisfies its critical requirements — those that, if not satisfied, could result in human injury or death, substantial loss of capital, or the compromise of national security. Documenting an explicit, persuasive assurance argument is especially important when the system produced must be evaluated and approved by an independent certifier, as is often the case for safety- and security-critical systems. Past experience developing independently evaluated systems using formal methods (Moore and Payne, 1996a; Payne et al, 1994) demonstrates that the presentation of the assurance argument is as important as the rigor of the assurance evidence on which that argument is based. Formal specifications and analyses must be presented coherently in the context of the overall system decomposition or much of their power to persuade may be lost. This chapter describes and illustrates a general framework that supports gathering, integrating, presenting and reviewing the evidence that we can trust a system to conform to its critical requirements.
Proceedings of COMPASS'94 - 1994 IEEE 9th Annual Conference on Computer Assurance | 1994
Charles N. Payne; Andrew P. Moore; David M. Mihelcic
Previous work at NRL demonstrated the benefits of a security modeling approach for building high assurance systems for particular application domains. This paper introduces an application domain called selective bypass that is prominent in certain network security solutions. We present a parameterized modeling framework for the domain and then instantiate a confidentiality model for a particular application, called the External COMSEC Adaptor (ECA), within the framework. We conclude with lessons we learned from modeling, implementing and verifying the ECA. Our experience supports the use of the application-based security modeling approach for high assurance systems.
Annual Computer Security Applications Conference | 1995
Judith N. Froscher; David M. Goldschlag; Myong H. Kang; Carl E. Landwehr; Andrew P. Moore; Ira S. Moskowitz; Charles N. Payne
Archive | 1996
Andrew P. Moore; Charles N. Payne
Archive | 1998
Myong H. Kang; Andrew P. Moore
Archive | 1992
Charles N. Payne; David M. Mihelcic; Andrew P. Moore; Kenneth J. Hayman