Jan Jürjens and Guido Wimmel. Specification-based testing of firewalls. In Andrei Ershov 4th International Conference "Perspectives of System Informatics" (PSI'01), LNCS. Springer-Verlag, 2001. To be published.
.... of the model checker FDR2 to check security properties [BD00, Cri01]. As a case study we plan to apply our approach to the design of PKIs [FH99]. Furthermore one may go beyond verification and make use of techniques more feasible in practice, such as specification-based testing (cf. e.g. [JW01b]). Acknowledgements. The idea for this line of work arose when doing security consulting for a project during a research visit with M. Abadi at Bell Labs (Lucent Tech.), Palo Alto, whose hospitality is gratefully acknowledged. It has also benefitted from discussions with D. Gollmann, A. P ....
Jan Jürjens and Guido Wimmel. Specification-based testing of firewalls. In Andrei Ershov 4th International Conference "Perspectives of System Informatics" (PSI'01), LNCS. Springer-Verlag, 2001. To be published.
....simplified formal fragment of UML, we may reason formally, showing e.g. that a given system is as secure as certain components of it. Furthermore one may go beyond formal verification and make use of techniques more feasible in practice, such as specification-based testing (e.g. following ideas in [JW01b]). In this position paper, we explain our approach by showing how it relates to the principles of security engineering set out in [SS75], using examples from earlier work (for which the details have to be omitted and can be found in the respective references given). We also mention briefly how one ....
....privileges of the entities in the system leads to a system that does not satisfy the requirements. This can be formalised within our specification framework and the condition can be checked. An example application of this rule is the access control rules enforced by firewalls, e.g. as considered in [JW01b]. Least common mechanism: Since we follow an object-oriented approach, this principle is automatically enforced in so far as data is encapsulated in objects and the sharing of data between different parts of a system is thus well defined and can be kept at the minimum of what is necessary. Note ....
Jan Jürjens and Guido Wimmel. Specification-based testing of firewalls. In Andrei Ershov 4th International Conference "Perspectives of System Informatics" (PSI'01), LNCS. Springer, 2001. To be published.
.... may be a promising way of introducing formal methods into the industrial development context, as has been argued before (for security-critical systems, e.g. in [FBGL94]). The work presented here builds on experience, for example from using specification-based test sequences in firewall testing [JW01b]. This paper is organized as follows. In Section 2 we introduce the tool AutoFocus and show how to specify security-critical systems using an extension of AutoFocus models. In Section 3 we describe our approach of generating security-related test sequences from such specifications and their ....
.... to the domain of security-critical systems with its specific characteristics as explained in Section 1 (most prominently, the use of cryptography). To the best of our knowledge, this is the first published work using formally generated test sequences for security-critical systems, apart from [JW01b], which concerns testing of firewalls. Dushina et al. explain concretization in their Genevieve framework [DBG01] but do not address the specific issues we explained in Section 3.2. In intrusion detection (see e.g. [US01] for a model-based approach) a running system is monitored for attacks. ....
Jan Jürjens and Guido Wimmel. Specification-based testing of firewalls. In Andrei Ershov 4th International Conference "Perspectives of System Informatics" (PSI'01), LNCS. Springer, 2001.
....Great Britain; wimmel@informatik.tu-muenchen.de, tel. +49 89 289 28362, fax +49 89 289 25310, TU München, 80290 München, Germany ... to find security weaknesses in an implementation in a systematic way. In the current work (which is part of a wider effort reported previously in [Jür01b, WW01, JW01b, JW01a]) we concentrate on one classical principle of computer security engineering, namely that of fail-safety of security-critical systems [SS75]. This principle postulates that, if a security-critical system fails, it should do so in a secure state. What this means exactly in the system ....
.... mostly with respect to secure information flow [GM82, O'H90] or security protocols (e.g. [BAN89, Low96]; an overview is in [RSG+01]). Work on specification-based testing has been presented e.g. in [FS99, RR99, GH99, WLPS00, LMW01]. An application to security (firewall testing) is given e.g. in [JW01b]. Formal methods have already been applied to smart card security, e.g. in [And99, BCG+00, BCM+00]. [Jür01a] uses the Unified Modeling Language to reason about part of CEPS, but without considering fail-safety or testing. AutoFocus has been used for security in [WW01, JW01a] in the ....
Jan Jürjens and Guido Wimmel. Specification-based testing of firewalls. In Andrei Ershov 4th International Conference "Perspectives of System Informatics" (PSI'01), LNCS. Springer, 2001. To be published.
....to be non-composable, and provides a slight modification of Gray's model where PNI is composable. In [Lot97] threat scenarios are used to formally develop secure systems using Focus. Composability (and refinement) is left for further work. Further applications of Focus to system security are in [JW01]. (Footnote 1: TLS is the successor of the Internet security protocol SSL.) 2 Specification language. We give a short overview of the specification language used here; for a more detailed account cf. [Jür01b]. In this work, we view specifications as nondeterministic programs in the specification framework ....
Jan Jürjens and Guido Wimmel. Specification-based testing of firewalls. Submitted, 2001.