An experience modeling critical requirements

Previous work at NRL demonstrated the benefits of a security modeling approach for building high assurance systems for particular application domains. This paper introduces an application domain called selective bypass that is prominent in certain network security solutions. We present a parameterized modeling framework for the domain and then instantiate a confidentiality model for a particular application, called the External COMSEC Adaptor (ECA), within the framework. We conclude with lessons we learned from modeling, implementing and verifying the ECA. Our experience supports the use of the application-based security modeling approach for high assurance systems.
