The formal development of secure systems

The Formal Development of Secure Systems
John Graham-Cumming, Lady Margaret Hall
D.Phil. Thesis, Trinity Term 1992

In secure systems the availability, integrity and confidentiality of information are important concerns. Such systems are special because conventional formal techniques for specification and development prove inadequate when security is taken into account: a conventionally specified secure system can exhibit security flaws even after a formal development. This thesis addresses that problem by propounding a theory (with applications) for the formal specification and development of secure systems.

Here a system and its users are CSP processes. The users are defined by specifying their interfaces to the system, and interactions at the interface are the only way in which a user is able to determine the state of the system. We say that information flows from one interface to another if changes at the first alter the interactions possible at the second. A security specification defines when (and how) one interface may affect another.

Most of our results concern the common security property called non-interference. It guarantees that no information flows from one user to another, i.e. that interactions at one interface do not affect interactions at another. We determine when one system can be replaced by another while preserving its non-interference properties; we call that secure replacement. The properties of secure replacement are discussed and we investigate the relationship between maintaining functionality and maintaining security. A collection of laws is presented which shows how non-interfering systems can be constructed from the operators of CSP. A case study demonstrates that the theory is strong enough to encompass the standard techniques for implementing secure systems (e.g. access control).

We show how to extend the work to systems exhibiting timed behaviours: a suitable definition of timed non-interference is given and laws concerning it are proved. A summary of related work is given. An appendix relates state-based refinement to secure replacement, and a further appendix shows how the laws of non-interference can be extended to more general security policies. A glossary of the terminology of secure systems forms the final appendix.
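The definition of information flow above (changes at one interface altering the interactions possible at another) can be checked mechanically on small finite models. The following Python is an added illustration, not code from the thesis: it represents a process as a deterministic labelled transition system, takes the High and Low users' interfaces as event sets, and checks a simplified, Goguen-Meseguer style trace condition up to a bounded trace length, namely that purging High's events from any trace leaves the set of Low events the system will accept unchanged. The event names, the two toy systems (a flag that Low can read, and an access-control mediator that always denies Low's request) and the trace bound are assumptions made for the example; the thesis's own CSP definition and its laws give proofs rather than bounded checks.

```python
"""Bounded check of a trace-based non-interference condition.

Added illustration, not code from the thesis.  A process is a finite,
deterministic labelled transition system; a user's interface is a set of
events.  The condition checked is Goguen-Meseguer style: deleting the
High user's events from any trace must not change which Low events the
system is willing to engage in next.  Event names and systems are toy
assumptions made for this example.
"""
from collections import deque
from typing import Dict, FrozenSet, Hashable, Optional, Tuple

Event = str
Trace = Tuple[Event, ...]
State = Hashable
Delta = Dict[Tuple[State, Event], State]   # (state, event) -> next state


def traces(init: State, delta: Delta, max_len: int) -> Dict[Trace, State]:
    """All traces of length <= max_len, each mapped to the state it reaches."""
    reached: Dict[Trace, State] = {(): init}
    queue = deque([((), init)])
    while queue:
        trace, state = queue.popleft()
        if len(trace) == max_len:
            continue
        for (src, event), dst in delta.items():
            if src == state:
                nxt = trace + (event,)
                if nxt not in reached:
                    reached[nxt] = dst
                    queue.append((nxt, dst))
    return reached


def enabled(state: State, delta: Delta, iface: FrozenSet[Event]) -> FrozenSet[Event]:
    """Events of one interface that the system accepts in `state`."""
    return frozenset(ev for (src, ev) in delta if src == state and ev in iface)


def purge(trace: Trace, iface: FrozenSet[Event]) -> Trace:
    """Delete every event belonging to `iface` from the trace."""
    return tuple(ev for ev in trace if ev not in iface)


def non_interference(init: State, delta: Delta, high: FrozenSet[Event],
                     low: FrozenSet[Event], max_len: int = 6) -> Optional[Trace]:
    """Return None if, on every trace up to max_len, Low's possible next
    interactions are the same with and without High's events; otherwise
    return a witness trace showing High interfering with Low.  The check
    is directional: Low interfering with High is not examined."""
    reached = traces(init, delta, max_len)
    for trace, state in reached.items():
        purged = purge(trace, high)
        if purged not in reached:          # Low-only history not even possible
            return trace
        if enabled(state, delta, low) != enabled(reached[purged], delta, low):
            return trace
    return None


# Constructed interfaces for the two toy systems below.
HIGH: FrozenSet[Event] = frozenset({"h.set", "h.clear"})
LOW: FrozenSet[Event] = frozenset({"l.read0", "l.read1", "l.req", "l.deny"})


def flag_channel() -> Tuple[State, Delta]:
    """Leaky: the value Low reads mirrors a flag only High can change."""
    delta: Delta = {
        ("off", "h.set"): "on", ("on", "h.clear"): "off",
        ("off", "l.read0"): "off", ("on", "l.read1"): "on",
    }
    return "off", delta


def mediated() -> Tuple[State, Delta]:
    """Access-controlled: Low may request the flag but is always denied, so
    Low's interactions depend only on its own request/response cycle."""
    delta: Delta = {}
    for flag in ("off", "on"):
        for phase in ("idle", "pending"):
            delta[((flag, phase), "h.set")] = ("on", phase)
            delta[((flag, phase), "h.clear")] = ("off", phase)
        delta[((flag, "idle"), "l.req")] = (flag, "pending")
        delta[((flag, "pending"), "l.deny")] = (flag, "idle")
    return ("off", "idle"), delta


if __name__ == "__main__":
    print("flag_channel witness:", non_interference(*flag_channel(), HIGH, LOW))
    print("mediated witness:    ", non_interference(*mediated(), HIGH, LOW))
```

On `flag_channel` the witness is the one-event trace `("h.set",)`: after it Low can only engage in `l.read1`, whereas after the purged (empty) trace Low can only engage in `l.read0`, so High's action has altered the interactions possible at Low's interface. The `mediated` system, in which an access-control check gives Low the same response whatever High has done, passes; this is the kind of implementation technique the thesis's case study shows its theory can express.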
