
Publication


Featured research published by Kurt Stenzel.


fundamental approaches to software engineering | 2000

Formal System Development with KIV

Michael Balser; Wolfgang Reif; Gerhard Schellhorn; Kurt Stenzel; Andreas Thums

KIV is a tool for formal systems development. It can be employed, e.g.,
— for the development of safety critical systems from formal requirements specifications to executable code, including the verification of safety requirements and the correctness of implementations,
— for semantical foundations of programming languages from a specification of the semantics to a verified compiler,
— for building security models and architectural models as they are needed for high level ITSEC [7] or CC [1] evaluations.


algebraic methodology and software technology | 2004

A Formally Verified Calculus for Full Java Card

Kurt Stenzel

We present a calculus for the verification of sequential Java programs. It supports all Java language constructs and has additional support for Java Card. The calculus is formally proved correct with respect to a natural semantics. It is implemented in the KIV system and used for smart card applications.


availability, reliability and security | 2009

SecureMDD: A Model-Driven Development Method for Secure Smart Card Applications

Nina Moebius; Kurt Stenzel; Holger Grandy; Wolfgang Reif

In this paper we introduce our model-driven software engineering method, called SecureMDD, which facilitates the development of security-critical applications that are based on cryptographic protocols. The approach seamlessly integrates the generation of code and formal methods. Starting with a platform-independent UML model of a system under development, we generate executable Java (Card) code as well as a formal model from the UML model. Subsequent to this, the formal model is used to verify the security of the modeled system. Our goal is to prove that the generated code is correct w.r.t. the generated formal model in terms of formal refinement. The approach is tailored to the domain of security-critical systems, e.g. smart card applications.


formal methods | 1998

VSE: Controlling the Complexity in Formal Software Developments

Dieter Hutter; Heiko Mantel; Georg Rock; Werner Stephan; Andreas Wolpers; Michael Balser; Wolfgang Reif; Gerhard Schellhorn; Kurt Stenzel

We give an overview of the enhanced VSE system which is a tool to formally specify and verify systems. It provides means for structuring specifications and it supports the development process from the specification of a system to the code generation. Formal developments following this method are stored and maintained in an administration system that guides the user and maintains a consistent state. An integrated deduction system provides proof support for the deduction problems arising during the development process.


formal methods | 1998

KIV 3.0 for Provably Correct Systems

Michael Balser; Wolfgang Reif; Gerhard Schellhorn; Kurt Stenzel

KIV 3.0 is an advanced tool for engineering high assurance systems. It provides an economically applicable verification technology, and supports the entire design process from formal specifications to executable verified code. In KIV the design process for high assurance systems proceeds as follows.
1. KIV supports both functional and state based software/system design using algebraic specifications or Abstract State Machines (ASMs), respectively. As a first step, predefined theories from a library can be imported. New specifications are added to the hierarchically structured specification graph which is graphically visualized.
2. In addition to the specification, a formal safety/security model is defined. The formulation of extra validation properties helps to detect gross specification errors before it is attempted to prove the main safety/security properties.
3. It has to be shown that the validation and safety/security properties are satisfied by the specification. The necessary formal proofs are done in an interactive graphical proof environment. Proof search is automated to a large extent. Proof engineering facilities help to reveal specification errors. After correcting the specification, invalid proofs can be reused automatically.
4. The components of the hierarchical system specification can be implemented independently (modular) using an imperative programming language. Proof obligations for the correctness of the implementation are generated automatically and have to be verified by the proof component. Again, corrected errors lead to invalidated proofs which can be reused automatically.
5. The whole specification and verification process is guarded by an elaborate correctness management. If, finally, every specification and implementation is in “proved state”, it guarantees that there are no inconsistencies and all proof obligations and used lemmas are proved.
6. For use in future projects, specifications and implementations can be added to a library.


Proceedings of the 2009 ICSE Workshop on Software Engineering for Secure Systems | 2009

Generating formal specifications for security-critical applications - A model-driven approach

Nina Moebius; Kurt Stenzel; Wolfgang Reif

The SecureMDD approach aims to generate both a formal specification for verification and executable code from UML diagrams. The UML models define the static as well as dynamic components of the system under development. This model-driven approach is focused on security-critical applications that are based on cryptographic protocols, esp. Java Card applications. In this paper we describe the generation of the formal specification from the UML model which is then used as input for our interactive verification system KIV. The formal specification is based on abstract state machines and algebraic specifications. It allows application-specific security properties to be formulated and proved.


formal methods | 2008

Verification of Mondex Electronic Purses with KIV: From a Security Protocol to Verified Code

Holger Grandy; Markus Bischof; Kurt Stenzel; Gerhard Schellhorn; Wolfgang Reif

We present a verified JavaCard implementation for the Mondex Verification Challenge. This completes a series of verification efforts that we made to verify the Mondex case study starting at abstract transaction specifications, continuing with an introduction of a security protocol and now finally the refinement of this protocol to running source code. We show that current verification techniques and tool support are not only suitable to verify the original case study as stated in the Grand Challenge but also can cope with extensions of it resulting in verified and running code. The Mondex verification presented in this paper is the first one that carries security properties proven on an abstract level to an implementation level using refinement.


annual software engineering workshop | 2012

Model-Driven Development of Secure Service Applications

Marian Borek; Nina Moebius; Kurt Stenzel; Wolfgang Reif

The development of a secure service application is a difficult task and designed protocols are very error-prone. To develop a secure SOA application, application-independent protocols (e.g. TLS or Web service security protocols) are used. These protocols guarantee standard security properties like integrity or confidentiality but the critical properties are application-specific (e.g. “a ticket cannot be used twice”). For that, security has to be integrated in the whole development process and application-specific security properties have to be guaranteed. This paper illustrates the modeling of a security-critical service application with UML. The modeling is part of an integrated software engineering approach that encompasses model-driven development. Using the approach, an application based on service-oriented architectures (SOA) is modeled with UML. From this model executable code as well as a formal specification to prove the security of the application is generated automatically. Our approach, called SecureMDD, supports the development of security-critical applications and integrates formal methods to guarantee the security of the system. The modeling guidelines are demonstrated with an online banking example.


australian software engineering conference | 2009

Model-Driven Code Generation for Secure Smart Card Applications

Nina Moebius; Kurt Stenzel; Holger Grandy; Wolfgang Reif

SecureMDD is a model-driven approach to develop secure systems with a special focus on smart card applications. Based on a platform-independent UML model of the system under development we generate a platform-specific model, and finally executable code. The SecureMDD approach also allows generating a formal specification in which security properties can be proven formally. In this paper we describe the automatic generation of Java Card code from UML class and activity diagrams in detail. The full code running on the smart card is generated, which is not trivial because of the limitations of smart cards and the specialties of Java Card.


formal methods for open object-based distributed systems | 2007

A refinement method for Java programs

Holger Grandy; Kurt Stenzel; Wolfgang Reif

We present a refinement method for Java programs which is motivated by the challenge of verifying security protocol implementations. The method can be used for stepwise refinement of abstract specifications down to the level of code running in the real application. The approach is based on a calculus for the verification of Java programs for the concrete level and Abstract State Machines for the abstract level. In this paper we illustrate our method by the verification of an M-Commerce application for buying movie tickets using a mobile phone written in J2ME. For verification we use KIV, our interactive theorem prover [1].

Collaboration


Kurt Stenzel's top co-authors.

Top Co-Authors


Frank Ortmeier

Otto-von-Guericke University Magdeburg


Heiko Mantel

Technische Universität Darmstadt
