Results 1 - 6 of 6
Monitoring Software Requirements Using Instrumented Code
- In HICSS '02: Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02) - Volume 9. IEEE Computer Society, 2002
Abstract - Cited by 28 (1 self)
Ideally, software is derived from requirements whose properties have been established as good. However, it is difficult to define and analyze requirements. Moreover, derivation of software from requirements is error prone. Finally, the installation and use of compiled software can introduce errors. Thus, it can be difficult to provide assurances about the state of a software's execution.
Using SPIN to Verify Security Properties of Cryptographic Protocols
- In LNCS, 2002
Abstract - Cited by 15 (0 self)
This paper explores the use of Spin for the verification of cryptographic protocol security properties. A general method is proposed to build a Promela model of the protocol and of the intruder capabilities.
A Conservative Algorithm for Computing the Flow of Permissions in Java Programs
Abstract
Open distributed systems are becoming increasingly popular. Such systems include components that may be obtained from a number of different sources. For example, Java allows run-time loading of software components residing on remote machines. One unfortunate side-effect of this openness is the possibility that “hostile” software components may compromise the security of both the program and the system on which it runs. Java offers a built-in security mechanism with which programmers can give permissions to distributed components and check these permissions at run-time. This security model is flexible, but using it is not straightforward, which may lead to insufficiently tight permission checking and therefore breaches of security. In this paper, we propose a data flow algorithm for automated analysis of the flow of permissions in Java programs. Our algorithm produces, for a given instruction in the program, a set of permissions that are checked on all possible executions up to this instruction. This information can be used in program understanding tools or directly for checking properties that assert what permissions must always be checked before access to certain functionality is allowed. The worst-case complexity of our algorithm is low-order polynomial in the number of program statements and permission types, while comparable previous approaches have exponential costs.
Verification of the WAP Transaction Layer Using the Model Checker SPIN
Abstract
This report presents a formal methodology for formalizing and verifying the Transaction Layer Protocol (WTP) design in the Wireless Application Protocol (WAP) architecture. Corresponding to the Class 2 Transaction Service (TR-Service) definition and the Protocol (TR-Protocol) design, two models at different abstraction levels are built with a finite state automaton (FSA) formalism. By using the model checker SPIN, we uncover defects in the latest approved version of the TR-Protocol design, which can lead to deadlock, channel buffer overflow and unfaithful refinement of the TR-Service definition. As an extended result, a set of safety, liveness and temporal properties is verified for the WTP operating in a more general environment which allows for loss and re-ordering of messages.
Monitoring Software Security Requirements using Instrumented Code
Abstract
Ideally, software is derived from requirements whose properties have been established as good. However, it is difficult to define and analyze requirements. Moreover, derivation of software from requirements is error prone. Finally, the installation and use of compiled software can introduce errors. Thus, it can be difficult to provide assurances about the state of a software's execution. We present a framework to monitor requirements of software as it executes. The framework is general, and allows for automated support. In this paper, we introduce the framework, and show how Java code can be instrumented and monitored by a model checker. We illustrate our current automated support using the widely known problem of the Dining Philosophers. From this exemplar, we suggest how the approach may be applied to address security concerns such as those that arise during e-commerce transactions.
Abstract
We are currently working under the assumption that ... any, that it cannot also receive updates during orbital insertion. Unfortunately, this interaction between the orbiting requirements and the insertion requirements was not made apparent until a fault occurred during a mission. Yet, these are significant problems. As Lutz reports, NASA software had to be “patched” post-launch due to changes in requirements [27]. Many of the software requirements changes arose due to: (1) unexpected or rare events, and (2) recovery from hardware faults or limitations. Thus, the orig- ... external monitoring software can provide appropriate assurances.
• Working hypothesis H1: Assurances can be provided by monitoring the running software.
We suggest the following formulation of software development for requirements critical software systems: E, I, M ⇒ R ∨ (¬R ∧ N). It states that the software implementation, I, within the scope of environment E and monitor M, exhibits the required behaviors, R, or a notification N is provided. Thus, either the software does what it is intended to ...