A Formal Framework to Integrate Timed Security Rules within a TEFSM-Based System Specification

Formal methods are widely used in the software industry and are becoming of paramount importance in practical engineering techniques. They involve the design and modeling of various system aspects, usually expressed through different paradigms. In this paper, we propose to combine two modeling formalisms in order to express both the functional and the timed security requirements of a system. First, the system behavior is specified from its functional requirements using the TEFSM (Timed Extended Finite State Machine) formalism. Second, this model is augmented by a set of dedicated algorithms that integrate timed security requirements specified in the Nomad language. Nomad is well suited to expressing security properties such as permissions, prohibitions and obligations with time constraints. The resulting secure model can be used for several purposes, such as code generation, proof of specification correctness, model checking or automatic test generation. We applied our approach to a Travel service of France Telecom (the main telecommunication company in France) in order to demonstrate its feasibility.
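The abstract describes augmenting a TEFSM with Nomad-style timed rules. As an added illustration, not the paper's own algorithms nor the France Telecom model, the following Python code builds a toy TEFSM (states, variables, clocks, guarded transitions) and applies two assumed transformations: one weaves in an obligation of the form "after event A, event B must occur within d time units" by adding a clock, a bookkeeping variable and timeout transitions to a Violation state; the other weaves in a prohibition "B is prohibited within d time units after A" by resetting a clock on A and strengthening every guard on B. The travel workflow (request, approve, book), the rule parameters (48 and 2 time units) and all identifiers are assumptions chosen for the example.

```python
"""Toy TEFSM plus two model transformations that integrate Nomad-style
timed rules (obligation with deadline, prohibition with delay).
Illustrative only: the travel workflow and rule parameters are assumed."""
from dataclasses import dataclass, field, replace
from typing import Callable, Dict, List, Tuple

Guard = Callable[[dict, dict], bool]          # (variables, clocks) -> enabled?
Action = Callable[[dict], None]               # mutates variables


@dataclass
class Transition:
    src: str
    event: str
    dst: str
    guard: Guard = lambda v, c: True
    action: Action = lambda v: None
    resets: List[str] = field(default_factory=list)   # clocks reset to 0


@dataclass
class TEFSM:
    initial: str
    transitions: List[Transition]
    variables: Dict[str, object] = field(default_factory=dict)
    clocks: Dict[str, float] = field(default_factory=dict)

    def __post_init__(self):
        self.state = self.initial
        self.log: List[str] = []

    def _enabled(self, event: str):
        for t in self.transitions:
            if t.src == self.state and t.event == event and t.guard(self.variables, self.clocks):
                return t
        return None

    def fire(self, event: str) -> bool:
        """Fire the first enabled transition on `event`; False means refused."""
        t = self._enabled(event)
        if t is None:
            self.log.append("refused:" + event)
            return False
        t.action(self.variables)
        for c in t.resets:
            self.clocks[c] = 0.0
        self.state = t.dst
        self.log.append(event)
        return True

    def elapse(self, dt: float) -> None:
        """Let time pass, then fire any timeout transition that became enabled."""
        for c in self.clocks:
            self.clocks[c] += dt
        if self._enabled("timeout") is not None:
            self.fire("timeout")


def _chain(action: Action, key: str, value) -> Action:
    """Return an action that runs `action` and then sets variables[key] = value."""
    def run(v):
        action(v)
        v[key] = value
    return run


def integrate_obligation(m: TEFSM, ctx: str, target: str, deadline: float, violation="Violation"):
    """Assumed transformation: after `ctx`, `target` is obliged within `deadline`."""
    clk, owed = f"c_{ctx}", f"{target}_owed"
    m.clocks[clk], m.variables[owed] = 0.0, False
    new = []
    for t in m.transitions:
        if t.event == ctx:      # context event starts the clock and raises the debt
            t = replace(t, resets=t.resets + [clk], action=_chain(t.action, owed, True))
        if t.event == target:   # target event discharges the obligation
            t = replace(t, action=_chain(t.action, owed, False))
        new.append(t)
    states = {t.src for t in new} | {t.dst for t in new}
    for s in states:            # missing the deadline leads to the violation state
        new.append(Transition(s, "timeout", violation,
                              guard=lambda v, c: v[owed] and c[clk] >= deadline))
    m.transitions = new


def integrate_prohibition(m: TEFSM, ctx: str, target: str, delay: float):
    """Assumed transformation: `target` is prohibited within `delay` after `ctx`."""
    clk, seen = f"c_{ctx}", f"{ctx}_seen"
    m.clocks[clk], m.variables[seen] = 0.0, False
    new = []
    for t in m.transitions:
        if t.event == ctx:
            t = replace(t, resets=t.resets + [clk], action=_chain(t.action, seen, True))
        if t.event == target:   # strengthen the guard; a prohibited event is simply refused
            g = t.guard
            t = replace(t, guard=lambda v, c, g=g: g(v, c) and not (v[seen] and c[clk] <= delay))
        new.append(t)
    m.transitions = new


def build_travel_model() -> TEFSM:
    """Constructed functional model of a travel request (assumed, not the paper's)."""
    m = TEFSM("Idle", [
        Transition("Idle", "request", "Pending"),
        Transition("Pending", "approve", "Approved"),
        Transition("Approved", "book", "Booked"),
    ])
    integrate_obligation(m, "request", "approve", deadline=48)   # approve within 48 units
    integrate_prohibition(m, "approve", "book", delay=2)         # no booking within 2 units
    return m


def scenario(steps) -> Tuple[str, List[str]]:
    """Run a list of events (str) and delays (number); return final state and log."""
    m = build_travel_model()
    for s in steps:
        m.elapse(float(s)) if isinstance(s, (int, float)) else m.fire(s)
    return m.state, m.log
```

Running `scenario(["request", 10, "approve", "book", 3, "book"])` shows the booking refused by the prohibition guard and then accepted once the delay has elapsed, while `scenario(["request", 49])` ends in the Violation state because the obligation's deadline passed without an approval. Because the rules are woven into the transition system itself rather than checked by an external monitor, the augmented model is the artifact that model checking or test generation would consume.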
