David von Oheimb
Siemens
Publication
european symposium on research in computer security | 2004
David von Oheimb
We revisit the classical notion of noninterference for state-based systems, as presented by Rushby in 1992. We strengthen his results in several ways, in particular clarifying the impact of transitive vs. intransitive policies on unwinding. Inspired partially by Mantel’s observations on unwinding for event systems, we remove the restriction on the unwinding relation to be an equivalence and obtain new insights in the connection between unwinding relations and observational preorders.
tools and algorithms for construction and analysis of systems | 2012
Alessandro Armando; Wihem Arsac; Tigran Avanesov; Michele Barletta; Alberto Calvi; Alessandro Cappai; Roberto Carbone; Yannick Chevalier; Luca Compagna; Jorge Cuellar; Gabriel Erzse; Simone Frau; Marius Minea; Sebastian Mödersheim; David von Oheimb; Giancarlo Pellegrino; Serena Elisa Ponta; Marco Rocchetto; Michaël Rusinowitch; Mohammad Torabi Dashti; Mathieu Turuani; Luca Viganò
The AVANTSSAR Platform is an integrated toolset for the formal specification and automated validation of trust and security of service-oriented architectures and other applications in the Internet of Services. The platform supports application-level specification languages (such as BPMN and our custom languages) and features three validation backends (CL-AtSe, OFMC, and SATMC), which provide a range of complementary automated reasoning techniques (including service orchestration, compositional reasoning, model checking, and abstract interpretation). We have applied the platform to a large number of industrial case studies, collected into the AVANTSSAR Library of validated problem cases. In doing so, we unveiled a number of problems and vulnerabilities in deployed services. These include, most notably, a serious flaw in the SAML-based Single Sign-On for Google Apps (now corrected by Google as a result of our findings). We also report on the migration of the platform to industry.
7th AIAA ATIO Conf, 2nd CEIAT Int'l Conf on Innov and Integr in Aero Sciences, 17th LTA Systems Tech Conf; followed by 2nd TEOS Forum | 2007
Richard Z. Robinson; Mingyan Li; Scott Lintelman; Krishna Sampigethaya; Radha Poovendran; David von Oheimb; Jens-Uwe Bußer
Making airplanes network-enabled can significantly increase the efficiency of aircraft manufacturing, operation and maintenance processes. Yet these benefits cannot be realized without addressing the potential for network-induced security threats. This paper addresses challenges that emerge for network-enabled airplanes that use public key cryptography-based applications. In particular, we focus on the electronic distribution of airplane software and data. We present both an ad hoc approach, without trust chains between certificates, and a structured approach employing a PKI. Both approaches facilitate public key-enabled applications, and both levy operational requirements on airlines. We describe the integration of these requirements into existing airline ground infrastructure and processes, to minimize operating overhead. The presented work is based on ongoing collaborative efforts among Boeing, FAA and EASA, to identify needs of the airlines for operating and maintaining network-enabled airplanes.
international conference on computer safety reliability and security | 2007
Richard Robinson; Mingyan Li; Scott Lintelman; Krishna Sampigethaya; Radha Poovendran; David von Oheimb; Jens-Uwe Bußer; Jorge Cuellar
The general trend towards ubiquitous networking has reached the realm of airplanes. E-enabled airplanes with wired and wireless network interfaces offer a wide spectrum of network applications, in particular electronic distribution of software (EDS), and onboard collection and off-board retrieval of airplane health reports. On the other hand, airplane safety may be heavily dependent on the security of data transported in these applications. The FAA mandates safety regulations and policies for the design and development of airplane software to ensure continued airworthiness. However, data networks have well known security vulnerabilities that can be exploited by attackers to corrupt and/or inhibit the transmission of airplane assets, i.e. software and airplane generated data. The aviation community has recognized the need to address these security threats. This paper explores the role of information security in emerging information technology (IT) infrastructure for distribution of safety-critical and business-critical airplane software and data. We present our threat analysis with related security objectives and state functional and assurance requirements necessary to achieve the objectives, in the spirit of the well-established Common Criteria (CC) for IT security evaluation. The investigation leverages our involvement with FAA standardization efforts. We present security properties of a generic system for electronic distribution of airplane software, and show how the presence of those security properties enhances airplane safety.
formal methods | 2010
David von Oheimb; Sebastian Mödersheim
This paper introduces ASLan++, the AVANTSSAR Specification Language. ASLan++ has been designed for formally specifying dynamically composed security-sensitive web services and service-oriented architectures, their associated security policies, as well as their security properties, at both communication and application level. We introduce the main concepts of ASLan++ at a small but very instructive running example, abstracted from a company intranet scenario, that features non-linear and inter-dependent workflows, communication security at different abstraction levels including an explicit credentials-based authentication mechanism, dynamic access control policies, and the related security goals. This demonstrates the flexibility and expressiveness of the language, and that the resulting models are logically adequate, while on the other hand they are clear to read and feasible to construct for system designers who are not experts in formal methods.
european symposium on research in computer security | 2002
David von Oheimb; Volkmar Lotz
We introduce the ISM approach, a framework for modeling and verifying reactive systems in a formal, even machine-checked, way. The framework has been developed for applications in security analysis. It is based on the notion of Interacting State Machines (ISMs), sort of high-level Input/Output Automata. System models can be defined and presented graphically using the AutoFocus tool. They may be type-checked and translated to a representation within the theorem prover Isabelle or defined directly as Isabelle theories. The theorem prover may be used to perform any kind of syntactic and semantic checks, in particular semi-automatic verification. We demonstrate that the framework can be fruitfully applied for formal system analysis by two classical application examples: the LKW model of the Infineon SLE66 SmartCard chip and Lowe's fix of the Needham-Schroeder Public-Key Protocol.
AIAA Infotech@Aerospace 2007 Conference and Exhibit | 2007
Richard Robinson; Krishna Sampigethaya; Mingyan Li; Scott Lintelman; Radha Poovendran; David von Oheimb
The numerous benefits of enabling commercial airplanes to communicate over networks are only obtained at the price of introducing security threats to onboard systems. A primary threat arises from the opportunity for corruption of safety-critical and business-critical airplane loadable software distributed via networks from off-board systems. The FAA recognizes that the unprecedented use of such applications in network-enabled airplanes impacts well-established safety regulations and guidance. In this paper, we present a framework for securing airplane software distribution and overview the main challenges. For facilitating integration into existing certification guidelines for airplanes, we employ the Common Criteria standard based approach to security evaluation of IT infrastructure for airplane network applications. Additionally, we present some open problems in network-enabled airplane security.
Formal Aspects of Security | 2002
David von Oheimb
We introduce Interacting State Machines (ISMs), a general formalism for abstract modeling and verification of reactive systems. We motivate and explain the concept of ISMs and describe their graphical representation with the CASE tool AutoFocus. The semantics of ISMs is defined using Higher-Order Logic within the theorem prover Isabelle. ISMs can be seen as high-level variants of Input/Output Automata, therefore we give also a semantic translation from ISMs to IOAs.
International Workshop on Smart Grid Security | 2012
David von Oheimb
The power grid is currently undergoing changes towards highly volatile and localized energy production and storage, supported by IT and communication components. Smart Metering is going to provide fine-grained measurement and automatic remote reading of consumption and production amounts. It enables flexible tariffing and dynamic load optimization, ultimately aiming at cost and consumption reduction. The related security requirements are mainly authenticity, integrity, and privacy of metering data. Even more challenging is grid automation, which is critical for the safety and availability of the grid. The overall situation calls for an integrated security architecture that not only addresses all relevant security threats but also satisfies functional, safety, performance, process integration, and economic side conditions.
International Journal of Information Security | 2005
David von Oheimb; Volkmar Lotz; Georg Walter
The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model. We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach enables an adequate level of abstraction, which results in an efficient analysis, and points out potential pitfalls like noninjective address translation.