A CVS-Server Security Architecture — Concepts and Formal Analysis

We present a secure architecture for a CVS server, its implementation (i.e. mainly its configuration) and its formal analysis. Our CVS server uses cvsauth, which protects passwords and some of the internal data of the CVS repository. In contrast to other (security-oriented) CVS architectures, our approach allows the CVS server to run on an open filesystem, i.e. a filesystem where users can have direct access both via CVS commands and via standard UNIX/POSIX commands such as mv. For our secure CVS-server architecture, we provide a formal specification and a security analysis. The latter is based on a refinement that maps high-level security requirements on the architecture onto low-level security mechanisms at the UNIX/POSIX filesystem level. The purpose of the formal analysis of the secure CVS-server architecture is twofold: first, it is the basis for specifying mutual security properties such as non-repudiation, authentication and access control for this architecture; second, it describes the mapping of the architecture onto standard security implementation technology. Thus, our approach can be seen as a method for giving a formal underpinning to the usually tricky business of system administrators.
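The refinement idea in the abstract (a high-level access-control policy on repository modules, implemented by nothing more than POSIX owner/group/mode bits on an open filesystem) can be exercised with a small executable model. The following is an added illustration, not the paper's Z/Isabelle specification and not cvsauth's code; the users, groups, modules and modes are constructed sample data. It checks, for every user, directory and operation, whether the kernel's discretionary check agrees with the policy, and reports both directions of disagreement: "excess" (POSIX grants what the policy forbids, a security violation) and "missing" (the policy grants what POSIX denies, so a legitimate CVS operation would fail). Because the filesystem is open, the POSIX check is exactly the check that applies whether the access comes through a CVS command or through mv.

```python
"""Toy refinement check: does a POSIX permission layout implement a
high-level CVS access-control policy?  Illustrative model only; the
user names, groups, modules and modes below are constructed sample data."""
from dataclasses import dataclass
import stat

# --- High level: roles, and the operations each role may perform per module.
ROLES = {"alice": {"admin"}, "bob": {"dev"}, "carol": {"guest"}}
POLICY = {
    "CVSROOT": {"admin": {"read", "write"}, "dev": {"read"}, "guest": set()},
    "proj":    {"admin": {"read", "write"}, "dev": {"read", "write"}, "guest": {"read"}},
}

# --- Low level: POSIX groups and per-directory metadata (constructed).
GROUPS = {"cvsadm": {"alice"}, "cvsdev": {"alice", "bob"}}


@dataclass(frozen=True)
class Inode:
    path: str
    owner: str
    group: str
    mode: int  # permission part of st_mode, including the setgid bit


# A misconfigured layout: CVSROOT is invisible to 'dev', proj is world-writable.
BAD_FS = [
    Inode("/cvs/CVSROOT", "alice", "cvsadm", 0o2750),
    Inode("/cvs/proj", "alice", "cvsdev", 0o2777),
]
# The corrected layout: one group for all developers, world read only where policy says so.
GOOD_FS = [
    Inode("/cvs/CVSROOT", "alice", "cvsdev", 0o2750),
    Inode("/cvs/proj", "alice", "cvsdev", 0o2775),
]

OPS = ("read", "write")
NEED = {"read": 4, "write": 2}


def posix_allows(user, inode, op, groups):
    """Discretionary check as the kernel does it: owner class, else group
    class, else other.  On an open filesystem this single check governs
    CVS commands and plain mv/cp alike."""
    if user == inode.owner:
        bits = (inode.mode >> 6) & 0o7
    elif user in groups.get(inode.group, set()):
        bits = (inode.mode >> 3) & 0o7
    else:
        bits = inode.mode & 0o7
    return bool(bits & NEED[op])


def policy_allows(user, module, op):
    """High-level policy: allowed iff some role of the user grants op on module."""
    return any(op in POLICY[module].get(r, set()) for r in ROLES.get(user, set()))


def refinement_violations(fs, groups):
    """Compare both levels for every (user, directory, op).
    'excess'  : POSIX grants what the policy forbids (security violation).
    'missing' : policy grants what POSIX denies (legitimate CVS operation fails)."""
    found = []
    for inode in fs:
        module = inode.path.rsplit("/", 1)[-1]
        for user in ROLES:
            for op in OPS:
                low = posix_allows(user, inode, op, groups)
                high = policy_allows(user, module, op)
                if low and not high:
                    found.append((user, inode.path, op, "excess"))
                elif high and not low:
                    found.append((user, inode.path, op, "missing"))
    return found


def setgid_warnings(fs):
    """Group-writable repository directories should carry the setgid bit: on
    Linux a file created by one developer's commit otherwise gets that
    developer's primary group, so later group-class checks fail for the others."""
    return [i.path for i in fs if (i.mode & stat.S_IWGRP) and not (i.mode & stat.S_ISGID)]


if __name__ == "__main__":
    for name, fs in (("bad", BAD_FS), ("good", GOOD_FS)):
        print(name, refinement_violations(fs, GROUPS), setgid_warnings(fs))
```

The model deliberately ignores the superuser and ACLs; the point is that a repository layout can be checked mechanically against the policy it is supposed to implement, which is the kind of mapping the paper formalises.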
