SOFTWARE SYSTEM RELIABILITY AND SECURITY

Transcription

1 SOFTWARE SYSTEM RELIABILITY AND SECURITY

2 NATO Security through Science Series This Series presents the results of scientific meetings supported under the NATO Programme for Security through Science (STS). Meetings supported by the NATO STS Programme are in security-related priority areas of Defence Against Terrorism or Countering Other Threats to Security. The types of meeting supported are generally Advanced Study Institutes and Advanced Research Workshops. The NATO STS Series collects together the results of these meetings. The meetings are co-organized by scientists from NATO countries and scientists from NATO s Partner or Mediterranean Dialogue countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy. Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience. Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action. Following a transformation of the programme in 2004 the Series has been re-named and reorganised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series. The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Public Diplomacy Division. Sub-Series A. Chemistry and Biology Springer Science and Business Media B. Physics and Biophysics Springer Science and Business Media C. Environmental Security Springer Science and Business Media D. Information and Communication Security IOS Press E. Human and Societal Dynamics IOS Press Sub-Series D: Information and Communication Security Vol. 9 ISSN:

3 Software System Reliability and Security Edited by Manfred Broy Technische Universität München, Germany Johannes Grünbauer Technische Universität München, Germany and Tony Hoare Microsoft Research, UK Amsterdam Berlin Oxford Tokyo Washington, DC Published in cooperation with NATO Public Diplomacy Division

4 Proceedings of the NATO Advanced Research Institute on Software System Reliability and Security Marktoberdorf, Germany 1 13 August IOS Press. All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher. ISBN Library of Congress Control Number: Publisher IOS Press Nieuwe Hemweg 6B 1013 BG Amsterdam Netherlands fax: order@iospress.nl Distributor in the UK and Ireland Distributor in the USA and Canada Gazelle Books Services Ltd. IOS Press, Inc. White Cross Mills 4502 Rachael Manor Drive Hightown Fairfax, VA Lancaster LA1 4XS USA United Kingdom fax: fax: iosbooks@iospress.com sales@gazellebooks.co.uk LEGAL NOTICE The publisher is not responsible for the use which might be made of the following information. PRINTED IN THE NETHERLANDS

5 Software System Reliability and Security M. Broy et al. (Eds.) IOS Press, IOS Press. All rights reserved. v Preface Today almost every complex technical system used in industry, science, commerce and communication is more or less interfaced with software and software systems. This dictates that most information exchange is closely related to software and computer systems. The consequence of this wide distribution of software is a high dependency on its functioning and quality. Because of this dependency and distribution, making information systems safe, reliable, as well as secure and protecting information against all kinds of attack is an essential research topic, particularly in computer science. Scientific foundations have been developed for programming and building computer systems. These foundations cover a broad spectrum of issues and work with formal models and description techniques in order to support a deep and precise understanding and managing of a system s properties and interplay. In addition, software engineering has many additional applications, ranging from telecommunications to embedded systems. For example software engineering has now become essential in automotive and aircraft industry, and has been intergral in furthering computer networks distributed over widearea networks. A vast proportion of information exchange is influenced by computer systems and information security is important for reliable and secure software and computer systems. Information security covers the protection of information against unauthorized disclosure, transfer, modification, and destruction, whether accidentally or intentionally. Attacks against computer systems can cause considerable economic and physical damage. Quality of life in general and of individual citizens, and the effectiveness of the economy critically depends on our ability to build software in a transparent and efficient way. Furthermore, we must be able to enhance the software development process systematically in order to ensure safety, security and reliability. This, in turn, requires very high software reliability, i. e., an extremely high confidence in the ability of the software to perform flawlessly. The foundations of software technology provide models that enable us to capture application domains and their requirements, but also to understand the structure and working of software systems, software architectures and programs. New developments must pay due diligence to the importance of security-related aspects, and align current methods and techniques to information security, integrity, and system reliability. However, based on the specific needs in applications of software technology, models and formal methods must serve the needs and the quality of advanced software engineering methods, especially taking into account security aspects in Information Technology. As a consequence of the wide distribution of software and software infrastructure, information security depends on the quality and excellent understanding of its functioning. Only when this functionality is guaranteed as safe, customers, and information are protected against adversarial attacks. Thus, to make communication and computation secure against catastrophic failure and malicious interference, it is essential to build secure software systems and methods for their development. Such development is difficult, mainly because of the conflict between development costs and verifiable correctness.

6 vi In the summer of 2006, a group of internationally renowned researchers in computer science met and lectured on the topics described above. The articles in this book describe the state-of-the-art ideas on how to meet these challenges in software engineering. Rajeev Alur describes the foundations of model checking of programs with finite data and stack-based control flow. Manfred Broy introduces an abstract theory for systems, components, composition, architectures, interfaces, and compatibility. In his article he applies this theory to object orientation and elaborates on the application of that theory covering notions for a formal model of objects, classes, components, and architectures as well as those of interfaces of classes and components and their specification. Ernie Cohen explains how to use ordinary program invariants to prove properties of cryptographic protocols. Networked computer systems face a range of threats from hostile parties on the network leading to violations of design goals such as confidentiality, privacy, authentication, access control, and availability. The purpose of Andrew Gordon s article is to introduce an approach to this problem based on process calculi. Transactions are the essential components of electronic business systems, and their safety and security are of increasing concern. Tony Hoare presents a theoretical model of compensable transactions, showing how long running transactions may be correctly composed out of shorter ones. Orna Kupferman presents on Applications of Automata-Theory in Formal Verification. In this automata-theoretic approach to verification, she reduces questions about programs and their specifications to questions about automata. In a distributed system with no central management such as the Internet, security requires a knowledge about who can be trusted for each step in establishing it, and why. Butler W. Lampson explains the speaks for relation between principals describing how authority is delegated. Axel van Lamsweerde contributes model-based requirements engineering. Models for agents, operations, obstacles to goals, and security threats are introduced and a model building with the KAOS method is presented. Wolfgang Paul outlines a correctness proof for a distributed real time system for the first time in a single place from the gate level to the computational model of a CASE tool. Amir Pnueli describes an approach for the synthesis of (hardware and software) designs from LTL specifications. This approach is based on modelling the synthesis problem which is similar to the problem of finding a winning strategy in a two-person game. K. Venkatesh Prasad introduces the notion of a mobile networked embedded system, in which a mobile entity is composed of internally and externally networked software components. He discusses the challenges related to designing a mobile networked embedded system with regards to security, privacy, usability, and reliability. Finally, Wolfram Schulte explains the Spec# Approach, which provides method contracts in the form of pre- and post-conditions as well as object invariants. He describes the design of Spec# s state-of-the-art program verifier for object-oriented programs. The contributions in this volume have emerged from lectures of the 27th International Summer School on Software System Reliability and Security, held at Marktoberdorf from August 1 to August 13, More than 100 participants from 28 countries attended, including students, lecturers and staff. The Summer School provided two weeks of learning, discussion and development of new ideas, and was a fruitful event, at both the professional and social level.

7 We would like to thank all lecturers, staff, and hosts in Marktoberdorf. In particular special thanks goes to our secretaries Dr. Katharina Spies, Silke Müller, and Sonja Werner for their great and gentle support. The Marktoberdorf Summer School was arranged as an Advanced Study Institute of the NATO Security Through Science Programme with support from the town and county of Marktoberdorf and the Deutscher Akademischer Austausch Dienst (DAAD). We thank all authorities involved. THE EDITORS vii

8 viii

9 ix Contents Preface v Logics and Automata for Software Model-Checking 1 Rajeev Alur and Swarat Chaudhuri Specifying, Relating and Composing Object Oriented Interfaces, Components and Architectures 22 Manfred Broy Using Invariants to Reason About Cryptographic Protocols 73 Ernie Cohen Verified Interoperable Implementations of Security Protocols 87 Karthikeyan Bhargavan, Cédric Fournet, Andrew D. Gordon and Stephen Tse Compensable Transactions 116 Tony Hoare Automata on Infinite Words and Their Applications in Formal Verification 135 Orna Kupferman Practical Principles for Computer Security 151 Butler Lampson Engineering Requirements for System Reliability and Security 196 Axel van Lamsweerde Pervasive Verification of Distributed Real-Time Systems 239 Steffen Knapp and Wolfgang Paul Verification and Synthesis of Reactive Programs 298 Amir Pnueli Security, Privacy, Usability and Reliability (SPUR) in Mobile Networked Embedded Systems: The Case of Modern Automobiles 341 K. Venkatesh Prasad and T.J. Giuli A Verifying Compiler for a Multi-Threaded Object-Oriented Language 351 K. Rustan, M. Leino and Wolfram Schulte Author Index 417