A Uniform Approach to Security and Fault-Tolerance Specification and Analysis

The availability of techniques for dependability specification and analysis is essential for the design and implementation of trustworthy software architectures. Today's software architectures are usually designed following the principles of component-based software engineering; they are open and networked, and a dependable software architecture is required to be both secure and fault-tolerant. Traditional methods for the dependability analysis of software architectures must evolve as well if they are to keep supporting software engineering practice. This step is not straightforward: methods and tools for the specification and analysis of fault-tolerance are usually independent of those available for security, whereas a unified approach would strengthen the argument for the overall system's trustworthiness. This paper demonstrates that, in certain cases, a uniform approach to fault-tolerance and security is possible. We propose to check dependability properties against an unspecified environment that plays the same role as a malicious intruder does in security. We then show how two security analysis techniques, one based on partial model checking and one on generalized non-interference, can be applied to verify a family of fault-tolerance properties. A running example illustrates the applicability of the proposed approaches.
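The following is an added illustration, not code from the paper or its authors, of the central idea in the abstract: a fault-tolerance property is checked against every environment a fault assumption permits, exactly as a security property is checked against every intruder a threat model permits. The system modelled here (a constructed assumption) is a set of replicas feeding a voter; the environment class is "corrupt at most `max_faults` replicas, each reporting an arbitrary value". The finite, brute-force quantification over that class is a stand-in for the partial model checking and generalized non-interference machinery the paper actually uses; a returned counterexample plays the role an attack trace plays in security analysis.

```python
"""Added example: universal check of a fault-tolerance property against every
environment allowed by a fault assumption (constructed toy model, not the
paper's formalism)."""
from itertools import combinations, product


def majority_voter(outputs):
    """Majority of replica outputs; a tie resolves to False (constructed choice)."""
    ones = sum(1 for o in outputs if o)
    return ones > len(outputs) / 2


def single_replica(outputs):
    """No redundancy at all: trust the first replica only."""
    return outputs[0]


def environments(n_replicas, max_faults):
    """Enumerate every environment the fault assumption permits.

    Each environment picks at most max_faults replicas to corrupt and, for each
    corrupted replica, the value it will report regardless of the correct one.
    Yields functions mapping the correct value to the list of replica outputs,
    i.e. the observable behaviour of System || Environment.
    """
    for k in range(max_faults + 1):
        for faulty in combinations(range(n_replicas), k):
            for forced in product([False, True], repeat=k):
                forced_by = dict(zip(faulty, forced))

                def env(correct, forced_by=forced_by):
                    return [forced_by.get(i, correct) for i in range(n_replicas)]

                yield env


def satisfies_property(voter, n_replicas, max_faults):
    """Check: for every permitted environment E and every correct value,
    voter(System || E) equals the correct value.

    Returns (True, None) when the property holds for all environments, or
    (False, counterexample) describing the first environment that breaks it.
    """
    for env in environments(n_replicas, max_faults):
        for correct in (False, True):
            outputs = env(correct)
            if voter(outputs) != correct:
                return False, {"correct": correct, "replica_outputs": outputs}
    return True, None


if __name__ == "__main__":
    # Triple modular redundancy tolerates one corrupted replica ...
    print(satisfies_property(majority_voter, 3, 1))
    # ... but not two; the counterexample is the "attack trace".
    print(satisfies_property(majority_voter, 3, 2))
    # Without redundancy a single corrupted replica already breaks the property.
    print(satisfies_property(single_replica, 3, 1))
```

Strengthening the fault assumption (larger `max_faults`) is the fault-tolerance analogue of giving the intruder more capabilities: the same check, run against the larger environment class, either still passes or yields the concrete environment that defeats the design.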
