Steve Schneider

ZB 2002:Formal Specification and Development in Z and B

Alloy: A Logical Modelling Language.- An Outline Pattern Language for Z: Five Illustrations and Two Tables.- Patterns to Guide Practical Refactoring: Examples Targetting Promotion in Z.- Reuse of Specification Patterns with the B Method.- Composing Specifications Using Communication.- When Concurrent Control Meets Functional Requirements, or Z + Petri-Nets.- How to Diagnose a Modern Car with a Formal B Model?.- Parallel Hardware Design in B.- Operation Refinement and Monotonicity in the Schema Calculus.- Using Coupled Simulations in Non-atomic Refinement.- An Analysis of Forward Simulation Data Refinement.- B#: Toward a Synthesis between Z and B.- Introducing Backward Refinement into B.- Expression Transformers in B-GSL.- Probabilistic Termination in B.- Probabilistic Invariants for Probabilistic Machines.- Proving Temporal Properties of Z Specifications Using Abstraction.- Compositional Verification for Object-Z.- Timed CSP and Object-Z.- Object Orientation without Extending Z.- Comparison of Formalisation Approaches of UML Class Constructs in Z and Object-Z.- Towards Practical Proofs of Class Correctness.- Automatically Generating Information from a Z Specification to Support the Classification Tree Method.- Refinement Preserves PLTL Properties.- Proving Event Ordering Properties for Information Systems.- ZML: XML Support for Standard Z.- Formal Derivation of Spanning Trees Algorithms.- Using B Refinement to Analyse Compensating Business Processes.- A Formal Specification in B of a Medical Decision Support System.- Extending B with Control Flow Breaks.- Towards Dynamic Population Management of Abstract Machines in the B Method.

A practical voter-verifiable election scheme

We present an election scheme designed to allow voters to verify that their vote is accurately included in the count. The scheme provides a high degree of transparency whilst ensuring the secrecy of votes. Assurance is derived from close auditing of all the steps of the vote recording and counting process with minimal dependence on the system components. Thus, assurance arises from verification of the election rather than having to place trust in the correct behaviour of components of the voting system. The scheme also seeks to make the voter interface as familiar as possible.

Security properties and CSP

Security properties such as confidentiality and authenticity may be considered in terms of the flow of messages within a network. To the extent that this characterisation is justified, the use of a process algebra such as Communicating Sequential Processes (CSP) seems appropriate to describe and analyse them. This paper explores ways in which security properties may be described as CSP specifications, how security mechanisms may be captured, and how particular protocols designed to provide these properties may be analysed within the CSP framework. The paper is concerned with the theoretical basis for such analysis. A sketch verification of a simple example is carried out as an illustration.

CSP and Anonymity

Security protocols are designed to meet particular security properties. In order to analyse such protocols formally, it is necessary to provide a formal definition of the property that they are intended to provide. This paper is concerned with the property of anonymity. It proposes a definition of anonymity within the CSP notation, discusses the approach taken by CSP to anonymity with respect to different viewpoints, and illustrates this approach on some toy examples, and then applies it to a machine-assisted analysis of the dining cryptographers example and some variants.

Verifying authentication protocols in CSP

This paper presents a general approach for analysis and verification of authentication properties using the theory of Communicating Sequential Processes (CSP). The paper aims to develop a specific theory appropriate to the analysis of authentication protocols, built on top of the general CSP semantic framework. This approach aims to combine the ability to express such protocols in a natural and precise way with the ability to reason formally about the properties they exhibit. The theory is illustrated by an examination of the Needham-Schroeder (1978) public key protocol. The protocol is first examined with respect to a single run and then more generally with respect to multiple concurrent runs.

A brief history of Timed CSP

Abstract This paper is a comprehensive introduction to the language of Timed CSP, proposed by Reed and Roscoe (1986). A brief description of the notation is followed by a detailed survey of timed and untimed models for the language. A compositional proof system is included, together with an account of timed refinement. The paper ends with a list of the changes made to the theory in recent years, and a brief discussion of other timed process algebras.

Formal Aspects in Security and Trust

Strategic Games on Defense Trees.- Timed Calculus of Cryptographic Communication.- A Semantic Paradigm for Component-Based Specification Integrating a Notion of Security Risk.- Game-Based Criterion Partition Applied to Computational Soundness of Adaptive Security.- Measuring Anonymity with Relative Entropy.- Formalizing and Analyzing Sender Invariance.- From Simulations to Theorems: A Position Paper on Research in the Field of Computational Trust.- A Tool for the Synthesis of Controller Programs.- Where Can an Insider Attack?.- Maintaining Information Flow Security Under Refinement and Transformation.- A Classification of Delegation Schemes for Attribute Authority.- Program Partitioning Using Dynamic Trust Models.- Locality-Based Security Policies.- A Theorem-Proving Approach to Verification of Fair Non-repudiation Protocols.- A Formal Specification of the MIDP 2.0 Security Model.- A Comparison of Semantic Models for Noninterference.- Hiding Information in Multi Level Security Systems.- A New Trust Model Based on Advanced D-S Evidence Theory for P2P Networks.

Verifying authentication protocols with CSP

The paper presents a general approach for analysis and verification of authentication properties in the language of communicating sequential processes (CSP). It is illustrated by an examination of the Needham-Schroeder public key protocol (R. Needham and M. Schroeder, 1978). The contribution of the article is to develop a specific theory appropriate to the analysis of authentication protocols, built on top of the general CSP semantic framework. This approach aims to combine the ability to express such protocols in a natural and precise way with the facility to reason formally about the properties they exhibit.

An attack on a recursive authentication protocol. A cautionary tale

We describe an attack on a recursive authentication protocol proposed by John Bull of APM. The protocol is an implementation of a more abstract design that was analysed by Paulson and shown to establish session keys in a secure manner. The fact that Bulls implementation nevertheless fails to be secure in this sense provides an object lesson on how careful one has to be in interpreting the results of a formal analysis.

PrÊt À Voter: a Voter-Verifiable Voting System

¿¿¿¿¿¿Pre¿t a¿ Voter provides a practical approach to end-to-end verifiable elections with a simple, familiar voter-experience. It assures a high degree of transparency while preserving secrecy of the ballot. Assurance arises from the auditability of the election itself, rather than the need to place trust in the system components. The original idea has undergone several revisions and enhancements since its inception in 2004, driven by the identification of threats, the availability of improved cryptographic primitives, and the desire to make the scheme as flexible as possible. This paper presents the key elements of the approach and describes the evolution of the design and their suitability in various contexts. We also describe the voter experience, and the security properties that the schemes provide.