Publication


Featured research published by Volkmar Lotz.


european symposium on research in computer security | 2002

Formal Security Analysis with Interacting State Machines

David von Oheimb; Volkmar Lotz

We introduce the ISM approach, a framework for modeling and verifying reactive systems in a formal, even machine-checked, way. The framework has been developed for applications in security analysis. It is based on the notion of Interacting State Machines (ISMs), a sort of high-level Input/Output Automata. System models can be defined and presented graphically using the AutoFocus tool. They may be type-checked and translated to a representation within the theorem prover Isabelle or defined directly as Isabelle theories. The theorem prover may be used to perform any kind of syntactic and semantic checks, in particular semi-automatic verification. We demonstrate that the framework can be fruitfully applied for formal system analysis by two classical application examples: the LKW model of the Infineon SLE66 SmartCard chip and Lowe's fix of the Needham-Schroeder Public-Key Protocol.


european symposium on research in computer security | 1996

Threat scenarios as a means to formally develop secure systems

Volkmar Lotz

We introduce a new method for the formal development of secure systems that closely corresponds to the way secure systems are developed in practice. It is based on Focus, a general-purpose approach to the design and verification of distributed, interactive systems. Our method utilizes threat scenarios, which are the result of threat identification and risk analysis and model those attacks that are of importance to the system's security. We describe the adversary's behaviour and influence on interaction. Given a suitable system specification, threat scenarios can be derived systematically from that specification. Security is defined as a particular relation on threat scenarios and systems. We show the usefulness of our approach by developing an authentic server component, thereby analysing two simple authentication protocols.


IEEE Transactions on Software Engineering | 2000

A formal security model for microprocessor hardware

Volkmar Lotz; Volker Kessler; Georg Walter

The paper introduces a formal security model for a microprocessor hardware system. The model has been developed as part of the evaluation process of the processor product according to ITSEC assurance level E4. Novel aspects of the model are the need for defining integrity and confidentiality objectives on the hardware level without the operating system or application specification and security policy being given, and the utilization of an abstract function and data space. The security model consists of a system model given as a state transition automaton on infinite structures and the formalization of security objectives by means of properties of automaton behaviors. Validity of the security properties is proved. The paper compares the model with published ones and summarizes the lessons learned throughout the modeling process.


International Journal of Information Security | 2005

Analyzing SLE 88 memory management security using Interacting State Machines

David von Oheimb; Volkmar Lotz; Georg Walter

The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model. We formally model the memory management system as an Interacting State Machine and prove, using Isabelle/HOL, that the associated security requirements are met. We demonstrate that our approach enables an adequate level of abstraction, which results in an efficient analysis, and points out potential pitfalls like noninjective address translation.


european symposium on research in computer security | 2003

A Formal Security Model of the Infineon SLE 88 Smart Card Memory Management

David von Oheimb; Georg Walter; Volkmar Lotz

The Infineon SLE 88 is a smart card processor that offers strong protection mechanisms. One of them is a memory management system, typically used for sandboxing application programs dynamically loaded on the chip. High-level (EAL5+) evaluation of the chip requires a formal security model.


international conference on formal engineering methods | 2003

Generic Interacting State Machines and Their Instantiation with Dynamic Features

David von Oheimb; Volkmar Lotz

Interacting State Machines (ISMs) are used to model reactive systems and to express and verify their properties. They can be seen both as automata exchanging messages simultaneously on multiple buffered ports and as communicating processes with explicit local state.


Archive | 2000

A methodological framework for the formal development of secure systems

Volkmar Lotz

The paper presents a methodological framework for the formal development of secure systems that takes up two requirements important in industrial practice: orientation towards established procedures and close coupling to system development. At its centre is a process model that builds on system specifications from functional development and defines security-specific development steps. Security is understood as a relation between system specification and threat scenario: the threat scenario specifies the system in an attack situation, and the relation describes global security aspects that are oriented towards basic threats. By formalizing the individual steps of the process, a formal method can be defined that differs from existing approaches in that it covers the complete development process and in particular takes integration and implementation aspects into account.


Electronic Notes in Theoretical Computer Science | 2000

Formally Defining Security Properties with Relations on Streams

Volkmar Lotz

In this paper we show how to formally define security properties in the framework of Focus, a general approach for the specification and verification of reactive systems. In Focus, systems are composed of components that communicate asynchronously via unidirectional channels, with their semantics being defined by relating complete input and output histories modeled by streams. By taking into account practically established methods from security engineering, we define security as being a relation between the system and a modification of the system describing relevant attack situations. The modification is called a threat scenario. The relation specifies the kind of deviation in system behaviour that is tolerable with respect to the given protection needs. We introduce generic relations covering authenticity, integrity, availability and confidentiality. By comparing our characterization with security notions occurring in the literature and by sketching properties of our definitions, we argue that our formalization of security is reasonable and adequate.


formal methods | 1999

A Formal Security Model for Microprocessor Hardware

Volkmar Lotz; Volker Kessler; Georg Walter

The paper introduces a formal security model for a microprocessor hardware system. The model has been developed as part of the evaluation process of the processor product according to ITSEC assurance level E4. Novel aspects of the model are the need for defining integrity and confidentiality objectives on the hardware level without the operating system or application specification and security policy being given, and the utilisation of an abstract function and data space. The security model consists of a system model given as a state transition automaton on infinite structures, and the formalisation of security objectives by means of properties of automaton behaviours. Validity of the security properties is proved. The paper compares the model with published ones and summarises the lessons learned throughout the modelling process.


Lecture Notes in Computer Science | 2006

Consolidating the access control of composite applications and workflows

Martin Wimmer; Alfons Kemper; Maarten Rits; Volkmar Lotz
