
Publication


Featured research published by Robert A. Riemenschneider.


IEEE Transactions on Software Engineering | 1995

Correct architecture refinement

Mark Moriconi; Xiaolei Qian; Robert A. Riemenschneider

A method is presented for the stepwise refinement of an abstract architecture into a relatively correct lower-level architecture that is intended to implement it. A refinement step involves the application of a predefined refinement pattern that provides a routine solution to a standard architectural design problem. A pattern contains an abstract architecture schema and a more detailed schema intended to implement it. The two schemas usually contain very different architectural concepts (from different architectural styles). Once a refinement pattern is proven correct, instances of it can be used without proof in developing specific architectures. Individual refinements are compositional, permitting incremental development and local reasoning. A special correctness criterion is defined for the domain of software architecture, as well as an accompanying proof technique. A useful syntactic form of correct composition is defined. The main points are illustrated by means of familiar architectures for a compiler. A prototype implementation of the method has been used successfully in a real application.


IEEE Symposium on Security and Privacy | 1997

Secure software architectures

Mark Moriconi; Xiaolei Qian; Robert A. Riemenschneider; Li Gong

The computer industry is increasingly dependent on open architectural standards for its competitive success. This paper describes a new approach to secure system design in which the various representations of the architecture of a software system are described formally and the desired security properties of the system are proven to hold at the architectural level. The main ideas are illustrated by means of the X/Open distributed transaction processing reference architecture, which is formalized and extended for secure access control as defined by the Bell-LaPadula model. The extension allows vendors to develop individual components independently and with minimal concern about security. Two important observations were gleaned on the implications of incorporating security into software architectures.


DARPA Information Survivability Conference and Exposition | 2001

Intrusion tolerant software architectures

Victoria Stavridou; Bruno Dutertre; Robert A. Riemenschneider; Hassen Saïdi

The complexity of the software systems built today virtually guarantees the existence of security vulnerabilities. When the existence of specific vulnerabilities becomes known - typically as a result of detecting a successful attack - intrusion prevention techniques such as firewalls and anti-virus software seek to prevent future attackers from exploiting these vulnerabilities. However, vulnerabilities cannot be totally eliminated, their existence is not always known, and preventive mechanisms cannot always be built. Intrusion tolerance is a new concept, a new design paradigm, and potentially a new capability for dealing with residual security vulnerabilities. In this article, we describe our initial exploration of the hypothesis that intrusion tolerance is best designed and enforced at the software architecture level.


Proceedings of the third international workshop on Software architecture | 1998

Provably dependable software architectures

Victoria Stavridou; Robert A. Riemenschneider

Dependable architectures demonstrably possess properties such as safety, security, and fault tolerance. We are interested in developing methods allowing formal demonstrations through proof that an architecture does indeed possess the desired dependability properties. We focus on architecture hierarchies as a means of enabling such demonstrations. We pose a challenge problem for dependable software architectures and we propose a research agenda for solving it.

1 What are dependable software architectures?

Software architectures describing software products that are used to implement critical functions must be trustworthy. Dependability is the property of a computing system which allows reliance to be justifiably placed on the service it delivers. The service delivered by a system is its behavior as it is perceived by its users. Dependability is a qualitative judgment about a system. The software architecture community has made great strides toward characterizing and capturing system descriptions appropriately and toward providing linguistic support for defining families of software products, but current ADLs and their associated methodologies do not adequately address dependability. When software products are deployed in a high-integrity system, their dependability profile is key to the survivability of the system. It is desirable to have developers of critical systems also benefit from software architecture technology. For example, an autopilot software producer would like to be able to derive, from a single abstract specification of a dependable software architecture, implementations for a number of aircraft variants. The derivation process would be supported by tools for applying dependability-preserving transformations that make abstract specifications more concrete. So, these implementations would be known to share dependability attributes as well as functionality.

Such dependability-preserving transformations are key not only for effective and timely resource development, but also for assurance and certification. Enriching software architecture descriptions by including dependability attributes will enable and facilitate the reuse of not only software components but certification data as well. In critical systems, the cost of assurance and certification is comparable with the development cost. Dependable architectures demonstrably possess properties such as safety, security, and fault tolerance. It is our objective to produce methods allowing formal demonstrations through proof that an architecture does indeed possess the specified dependability properties. One important limitation on the utility of applying typical formal methods to reasoning about architectures is the purely informal connection between the mathematical models that are analyzed and the system being modeled. If formal analysis of a model reveals the presence of a flaw, it is generally easy to determine whether that flaw is present in the implemented system. But it is highly desirable to use formal methods to establish that the software is free of certain types of flaws, such as failing to meet safety, security, or fault tolerance objectives. Security properties typically state that certain sorts of error cannot occur. For example, a security property might state that certain sorts of communication within the system, such as flow of restricted information to a component without adequate clearances, cannot occur. Tools supporting various formal methods can be used to prove that any correct implementation of the abstract mathematical model has these properties. However, there is no guarantee that the actual software correctly implements the model.

The problem of gaining confidence in the correctness of the implementation is especially acute in the case of dynamic, dependable architectures, where exhaustive testing of architectural configurations is frequently prohibitively expensive, when not theoretically infeasible.

2 IMA: a challenge problem for dependable software ar-


Working IEEE/IFIP Conference on Software Architecture | 1999

Checking the Correctness of Architectural Transformation Steps via Proof-Carrying Architectures

Robert A. Riemenschneider

The end product of architecting is an architectural hierarchy, a collection of architectural descriptions linked by mappings that interpret the more abstract descriptions in the more concrete descriptions. Formalized transformational approaches to architecture refinement and abstraction have been proposed. One argument in favor of formalization is that it can result in architectural implementations that are guaranteed to be correct, relative to the abstract descriptions. If these are correct with respect to one another, conclusions obtained by reasoning from an abstract architectural description will also apply to the implemented architecture. But this correctness guarantee is achieved by requiring that the implementer use only verified transformations, i.e., ones that have been proven to produce correct results when applied. This paper explores an approach that allows the implementer to use transformations that have not been proven to be generally correct, without voiding the correctness guarantee. Checking means determining that application of the transformation produces the desired result. It allows the use of transformations that have not been generally verified, even ones that are known to sometimes produce incorrect results, by showing that they work in the particular case.


Formal Methods | 1999

Secure Interoperation of Secure Distributed Databases

Fred Gilham; Robert A. Riemenschneider; Victoria Stavridou

This paper describes the process of implementing an architecture for secure distributed transaction processing, the process of verifying that it has the desired security properties, and the implementation that resulted. The implementation and verification processes provided us with valuable experience relevant to answering several questions posed by our research on transformational development of architectures. To what extent can implementation-level architectural descriptions be derived from abstract descriptions via application of transformations that preserve a broad class of properties, which includes satisfaction of various access control policies? To what extent can a formal derivation of a non-secure implementation-level distributed transaction processing architecture be reused in the derivation of a secure architecture? Are the transformation verification techniques that we have developed sufficient for verifying a collection of transformations adequate for implementing a complex secure architecture? Do our architecture hierarchies effectively fill the gap between abstract, intellectually manageable models of a complex architecture and the actual implementation? Exploring the answers to these questions resulted in a reference implementation of an architecture for secure distributed transaction processing, and an independently interesting demonstration instance of the reference implementation.


Formal Methods | 1999

A Formalization of Software Architecture

John Herbert; Bruno Dutertre; Robert A. Riemenschneider; Victoria Stavridou

Software architecture addresses the high level specification, design and analysis of software systems. Formal models can provide essential underpinning for architectural description languages (ADLs), and formal techniques can play an important role in analysis. While formal models and formal analysis may always enhance conventional notations and methods, they are of greatest benefit when they employ tractable models and efficient, mechanisable techniques. The novelty in our work has been in the effort to find and mechanise a general semantic framework for software architectures that can provide tractable models and support architectural formal analysis. The resultant semantic framework is a layered one: the core is a simple model of the elements and topology, which provides the basis for general architectural theorems and proof techniques; the structural core is augmented by semantic layers representing the semantics of relevant properties of the design. The model has been implemented in the higher-order logic proof tool PVS, and has been used in correctness proofs during a case study of a distributed transaction protocol.


DARPA Information Survivability Conference and Exposition | 2000

SDTP: a verified architecture for secure distributed transaction processing

Victoria Stavridou; Robert A. Riemenschneider; Fred Gilham

SDTP is an architecture for secure distributed transaction processing. It is based upon X/Open's standard architecture for distributed transaction processing. In addition to the ACID (atomicity, consistency, isolation, and durability) properties provided by X/Open's architecture, SDTP guarantees that the Simple Security Property and the *-Property of the Bell-LaPadula model are satisfied. We have built a reference implementation of SDTP, formally proven the security properties of the implementation using novel verification techniques, and constructed two prototype applications of the architecture. The first application is a law enforcement tracking system, inspired by the FBI's Field Office Information Management System. The second application is an intrusion detection correlation system.


IEEE Intelligent Systems | 2004

Using model checking to assess the dependability of agent-based systems

Robert A. Riemenschneider; Hassen Saïdi; Bruno Dutertre


Formal Methods | 1999

Secure interoperation of secure distributed databases: An architecture verification case study

Fred Gilham; Robert A. Riemenschneider; Victoria Stavridou

Collaboration

Top Co-Authors

John Herbert

University College Cork
