170 likes | 182 Views
Learn how to develop a commercial secure system following the Correctness by Construction approach from Computer Security: Art and Science book. Explore topics such as formal methods, programming languages, and static analysis to ensure rigorous requirements, precise system behavior specification, and solid design. Understand the process steps, detailed design, code implementation, verification, and validation techniques used in the system development. Discover the effective use of Spark and Ada95 programming languages for enhanced security enforcement and system reliability.
E N D
Correctness by Construction:Developing a Commercial Secure System by Anthony Hall Roderick Chapman Computer Security: Art and Science
Topics • Introduction • Background • Development Approach • Formal Methods • Programming Languages and Static Analysis • The Use of SPARK in the CA • Results • Summary Computer Security: Art and Science
Introduction • Correctness by construction is building correctness in every step of the development process. • Correctness by construction demands • Rigorous requirements definitions • Precise system behavior specification • Solid and verifiable design • Code whose behavior is precisely understood Computer Security: Art and Science
Background • Development of CA for the Multos smart card scheme on be half of Mondex International by Praxis Critical Systems • The CA produces the necessary information to enable cards and signs certificates that permit application loading and deletion from Multos cards. • Made use of COTS hardware and infrastructure software • Development had to be in keeping with the UK Information technology Criteria • Forced the customer and supplier to explicitly and unambiguously understand system requirements. Computer Security: Art and Science
The Development Approach • Requirements • Used requirements engineering methods, Reveal, to define CA’s environment and business objectives • UR document consisted of context diagrams, class diagrams, structured operation definitions • UR document included an informal security policy that identified assests, threats and countermeasures. Computer Security: Art and Science
The Development Approach Development deliverables grouped into the main process steps Computer Security: Art and Science
The Development Approach • Specification and architecture • Detailed system behavior specification • System’s look and feel • FTLS-functionality behind the interface • High-level design • Description of the System’s internal structure and intercomponent communication • Aimed at ensuring satisfaction of security and throughput requirements Computer Security: Art and Science
The Development Approach • Detailed Design • Defined the set of software modules and processes and allocated the functionality across them. • Used Z to specify the module that manages cryptographic keys and their verification on system startup. • Code • Used technologies fashionable at the time • Avoided use of COTS as far as was practical • Used Spark Ada to implement system’s security enforcing kernel Computer Security: Art and Science
The Development Approach • Code • Used Ada95 to implement the system’s infrastructure for instance, remote procedure call mechanisms and concurrency. • Avoided security related functionality in GUI, implemented in C++ using MFC • Used C to implement device drivers for cryptographic hardware. • Enforced rigorous coding standards and reviewed all the code against these standards and relevant source documents such as FTLS and UIS. Used automatic static analysis tools where possible Computer Security: Art and Science
The Development Approach • Verification and Validation • Testing • Incremental to-down build up of the system. • Tests derived directly from the system specification. • Ran the tests using Rational’s Visual Test • Instrumented the code using IPL’s AdaTest to measure the statement and branch coverage achieved by the system tests. • Devised extra design-based test scenarios where the system tests failed to cover parts of the code Computer Security: Art and Science
Formal Methods • Formal top-level specification • Used numerous schemas to capture each operation’s different security-relevant aspects. • Used separate schemas to define each operation’s inputs, displayed information, and outputs • Used separate schemas to define when an operation was valid or available. Computer Security: Art and Science
Formal Methods • Process Design • Modeled the process structure in the CSP language. • Mapped sets of Z operations in the FTLS to CSP actions • Introduced actions to represent interprocess communications • The CSP model let check if the overall system was deadlock free and if there was no concurrent processing of security-critical functions Computer Security: Art and Science
Programming Languages and Static Analysis • Conventional programming language • Inherently ambiguous • Favor dynamic behavior and performance over safety • Inappropriate for static analysis • Formal specification language • Counter sloppy implementation • Unambiguous • Enables static analysis Computer Security: Art and Science
The Use of Spark in the CA • Information flow-centered software architecture • Maximizes cohesion and minimizes coupling • Used both Spark and Ada95 for each compilation unit, on the basis of the required separation between security-related functions in the system. • All Spark code had to pass through Spark Examiner with no unjustified warnings or errors before any other review or inspection activity • Let reviewers focus on important topics such as Does this code implement the FTLS ? • Used basic form of annotation and analysis offered by the Examiner. Computer Security: Art and Science
Results • Successful development • The delivered system satisfied its users, performed well, and was highly reliable • 100,000 lines of code. 0.04 defects per KLOC • Productivity-28 lines of code per day Computer Security: Art and Science
Results Computer Security: Art and Science
Summary • A secure system can be built using insecure components, including COTS. • Use formal methods when required. Formal methods reduce the number of late discovered errors and the over all system cost. • Spark supports strong static analysis and proof of program properties which enables it to meet the CC requirements for formal development process. Questions/Comments ??? Computer Security: Art and Science