Stepwise Development of Secure Systems

System development by stepwise refinement is a well-established method in classical software engineering. We discuss how this method can be adapted to systematically incorporate security issues, in particular confidentiality, into the software construction process. Starting with an abstract system model that precisely captures the relevant confidentiality requirements, subsequent refinements produce models that introduce more detail or relax assumptions on the environment. For each refinement, changed adversary capabilities must be captured and their compatibility with the given confidentiality requirements must be established. In this context, security, and dependability in general, are existential properties: the existence of a secure implementation must be kept invariant during the development process. This considerably adds to the complexity of a development.
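The following is an added illustration, not part of the paper and not its formalism: a constructed toy model in which a system maps a secret and an environment input to the set of observations an adversary may see, confidentiality is possibilistic indistinguishability of that set across secrets, and refinement is set inclusion (the implementation resolves the specification's nondeterminism). It shows the two points the abstract makes: a confidential abstract model has both confidential and leaking refinements, so what must be tracked is the existence of a secure refinement rather than the property itself; and a step that adds detail (here a reply size that depends on the secret) is still confidential against the adversary capability assumed so far but not against a stronger adversary, so each step must re-establish compatibility. Names such as `abstract_spec`, `detailed_spec`, `timing_only` and the observation values are constructed for this example.

```python
from itertools import product

# Constructed toy model (added example, not the paper's formalism).
# A system maps (secret, environment input) to the set of observations the
# adversary may see; more than one observation per cell means nondeterminism.
SECRETS = ("s0", "s1")
INPUTS = ("req_a", "req_b")


def abstract_spec(secret, env):
    """Abstract model: reply timing is left open and does not depend on the secret."""
    return frozenset({"fast", "slow"})


def is_refinement(spec, impl, secrets=SECRETS, inputs=INPUTS):
    """impl refines spec: every behaviour of impl is permitted by spec, and impl never blocks."""
    return all(impl(s, e) and impl(s, e) <= spec(s, e)
               for s, e in product(secrets, inputs))


def is_confidential(system, view=lambda obs: obs, secrets=SECRETS, inputs=INPUTS):
    """Possibilistic indistinguishability relative to an adversary capability `view`:
    for every input, the set of distinguishable observations must be the same
    for every secret."""
    return all(len({frozenset(view(o) for o in system(s, e)) for s in secrets}) == 1
               for e in inputs)


def deterministic_refinements(spec, secrets=SECRETS, inputs=INPUTS):
    """Every deterministic implementation obtainable by resolving spec's choices."""
    cells = list(product(secrets, inputs))
    for choice in product(*(sorted(spec(s, e)) for s, e in cells)):
        table = dict(zip(cells, choice))
        yield lambda s, e, _t=table: frozenset({_t[(s, e)]})


def count_refinements(spec):
    """Return (total, confidential) over all deterministic refinements of spec."""
    total = secure = 0
    for impl in deterministic_refinements(spec):
        total += 1
        secure += is_refinement(spec, impl) and is_confidential(impl)
    return total, secure


def leaky_refinement(secret, env):
    """A legal refinement that resolves the timing choice using the secret: it leaks."""
    return frozenset({"fast"}) if secret == "s0" else frozenset({"slow"})


# Next development step: the model adds detail (reply size) that depends on the secret.
def detailed_spec(secret, env):
    size = 128 if secret == "s0" else 256
    return frozenset({("fast", size), ("slow", size)})


def timing_only(obs):
    """Adversary capability assumed so far: sees timing, not size."""
    return obs[0]


def sees_everything(obs):
    """Strengthened adversary: also sees the reply size."""
    return obs


if __name__ == "__main__":
    print("abstract spec confidential:", is_confidential(abstract_spec))
    print("leaky refinement legal / confidential:",
          is_refinement(abstract_spec, leaky_refinement), is_confidential(leaky_refinement))
    print("deterministic refinements (total, confidential):", count_refinements(abstract_spec))
    print("detailed spec vs timing-only adversary:", is_confidential(detailed_spec, view=timing_only))
    print("detailed spec vs stronger adversary:", is_confidential(detailed_spec, view=sees_everything))
```

Of the 16 deterministic refinements of `abstract_spec`, only the four that resolve the choice identically for both secrets stay confidential, which is why the property is not preserved by refinement in general and only its existential form can be carried through a development; `detailed_spec` passes against `timing_only` but fails against `sees_everything`, the check that has to be redone whenever an adversary assumption is relaxed.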
