A model checking-based approach for security policy verification of mobile systems

This article describes an approach for the automated verification of mobile systems. Mobile systems are characterized by an explicit notion of location (e.g., the sites where they run) and by the ability to execute at different locations, which raises a number of security issues. To capture this, we formalize mobile systems as Labeled Kripke Structures that encapsulate the notion of a location net, describing the hierarchical nesting of the threads constituting the system. We then formalize a generic security-policy specification language that includes rules for expressing and manipulating the code location. In contrast to many other approaches, our technique supports both access control and information flow specification. We developed a prototype framework for model checking of mobile systems. It works directly on the program code (in contrast to most traditional process-algebraic approaches, which can model only limited details of mobile systems) and uses abstraction-refinement techniques, including location abstractions, to manage the program state space. We experimented with a number of mobile code benchmarks by verifying various security policies. The experimental results demonstrate the validity of the proposed mobile system modeling and policy specification formalisms and highlight the advantages of the model checking-based approach, which combines the validation of security properties with other checks, such as the validation of buffer overflows.
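As an added illustration of the ideas in the abstract (this is not the paper's framework or its policy language): a constructed location net, a tiny nondeterministic mobile program, and an explicit-state search over the resulting Labeled Kripke Structure that checks one access-control rule and one information-flow rule, returning a counterexample trace when a rule is violated. The site names, the program, and the `kind:arg` action syntax are all assumptions made for this example.

```python
from collections import deque
# Constructed location net: site -> parent site (the hierarchical nesting of sites).
LOCATION_NET = {"host": None, "dmz": "host", "sandbox": "dmz"}

def nested_in(loc, site):
    """True if loc is site or lies inside site in the location net."""
    while loc is not None:
        if loc == site:
            return True
        loc = LOCATION_NET[loc]
    return False

# Mobile program as a CFG: pc -> [(action, next_pc)]; two successors = nondeterministic choice.
PROGRAM = {
    0: [("read:config", 1)],
    1: [("migrate:sandbox", 2), ("migrate:dmz", 2)],
    2: [("read:secret", 3), ("skip", 3)],
    3: [("send:secret", 4), ("send:config", 4)],
}

def effect(loc, taint, action):
    """One action's effect: migration moves the thread; reading 'secret' taints it."""
    kind, _, arg = action.partition(":")
    if kind == "migrate":
        return arg, taint
    if kind == "read" and arg == "secret":
        return loc, taint | {"secret"}
    return loc, taint

def violates(loc, taint, action):
    """Constructed policy: (AC) no read of 'secret' inside the sandbox; (IF) never send tainted data."""
    if action == "read:secret" and nested_in(loc, "sandbox"):
        return "AC: read of secret inside sandbox"
    if action.startswith("send:") and action.partition(":")[2] in taint:
        return "IF: tainted data sent"
    return None

def check(program=PROGRAM, start=(0, "host", frozenset())):
    """BFS over LKS states (pc, site, tainted vars): (None, []) if the policy holds, else (rule, trace)."""
    seen, queue = {start}, deque([(start, [])])
    while queue:
        (pc, loc, taint), trace = queue.popleft()
        for action, nxt in program.get(pc, []):
            if rule := violates(loc, taint, action):
                return rule, trace + [action]
            state = (nxt,) + effect(loc, taint, action)
            if state not in seen:
                seen.add(state)
                queue.append((state, trace + [action]))
    return None, []
```

The search explores every interleaving of the nondeterministic branches, so a single reachable path that migrates into the sandbox before reading the secret is enough to produce a violation trace; removing that branch and the tainted send makes the same program pass.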
