Verisoft: Verification as Engineering
Gerd Beuster, gb@uni-koblenz.de, Universität Koblenz-Landau
Overview
• Part 1: Verisoft
• Part 2: Formalizing Input and Output
Verisoft – p. 2/15
Part 1: Verisoft
Verisoft — Project Goals
Completely verified systems (the slide's stack diagram, rendered as a list):
• Industrial System: Biometric System-on-a-Chip
• Academic System: Email System, Access Control
• Verified layers: CPU, OS, Compiler (C Compiler, C Library), Comm. Protocols, Crypto System & Protocols, Email Client & Signature Software, Access Control Protocol
• Verification subprojects: Software Verification, Verification Tools, Verification of dist. Systems, stoch. Systems
Email Client
Our part: a simple email client
• Send & receive email via SMTP
• Sign email & check signatures
• Text based (ASCII)
• No folders (not even an Inbox)
Email Client — Screenshot
Keyboard locked by PID 57256 (bb) | Screen locked by PID 57256 (bb)
----------------------------------------------------------------------
From: "Gerd Beuster" <gb@uni-koblenz.de>
To: "Bernhard Beckert" <beckert@uni-koblenz.de>
Message-ID: <8d6701c3db02$76191724$cb29c023@uni-koblenz.de>
Subject: Verisoft-Spezifikation
X-Signature: SDLJK489342HJFVSFKJWQUI89237CFSDKJOIQ398LKSDFJSKLDJ
Date: Tue, 27 Jan 2004 16:53:48 +0100

Hallo Bernhard,

wir sollten uns mal ueber die Spezifikation des Email-Clients
unterhalten. Wann hast Du Zeit?

Gruesse, Gerd
----------------------------------------------------------------------
Public Key: DLFJDLSDCMVCDZ53DFDFJL9087/LDIEHJSDLFDJIOEJKLDST/GHSB2SLJ
Private Key: FDSLJF4O3489VNV XCKLJN3457896T87HSFDJVNS943ZFHFDIUSFHLA8V
----------------------------------------------------------------------
(s)end (p)oll | edit (m)ail p(u)b p(r)iv key | (a)dd (c)heck signature
----------------------------------------------------------------------
Last Cmd: Check Signature | Result: Signature valid | Processing...
Email Client — Methods & Tools
Specification:
• Semi-formal specification in UML
• Formal specification in HOL-OCL
• Proofs in Isabelle
Part 2: Formalizing Input and Output
Security Aspects
Securing I/O against man-in-the-middle attacks
Software Attacks
• Locking screen & keyboard
• Providing information on who locks the resource
Screenshot excerpt:
Keyboard locked by PID 57256 (bb) | Screen locked by PID 57256 (bb)
----------------------------------------------------------------------
From: "Gerd Beuster" <gb@uni-koblenz.de>
To: "Bernhard Beckert" <beckert@uni-koblenz.de>
Message-ID: <8d6701c3db02$76191724$cb29c023@uni-koblenz.de>
Subject: Verisoft-Spezifikation
X-Signature: SDLJK489342HJFVSFKJWQUI89237CFSDKJOIQ398LKSDFJSKLDJ
Date: Tue, 27 Jan 2004 16:53:48 +0100

Hallo Bernhard,
The Boundary between Hard- and Software
In a text based application, input is a list of keystrokes, and output is a (multi-dimensional) list of characters.
• keyboard = list of all keystrokes
• keyboard(t) = list of all keystrokes received up to time t.
• screenAt(t)[x, y] = the character shown at time t at screen position (x, y).
screenAt(t) = f(keyboard(t))
Screen Up-To-Date
screenAt(t) describes what is actually shown on the screen.
screenOutput(conf) describes what should be shown in a given system configuration. ("observer")
⇒ The screen is up-to-date if what we want to show (screenOutput) is identical to what is actually shown (screenAt).
For security reasons, we also want to show who locks I/O resources.
Constraints for Secure Systems
The display is correct (or up-to-date) at time t, if
∀ x, y : screenAt(t)[x, y] = screenOutput(conf(t))[x, y]
If resources are locked, this should be shown on the screen.
displayLocked(conf) provides information on who locks the resources.
displayLocked(conf)[x] = screenOutput(conf)[x, 0]
It is essential that only the operating system may change the area where this information is shown!
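The keyboard/screenAt model from "The Boundary between Hard- and Software" and the two constraints above (the up-to-date condition and displayLocked living in row 0) can be run as a small executable model. The Python below is an added example written for this page; it is not Verisoft code and not the HOL-OCL specification. It assumes a constructed 24x4 text screen, one keystroke per time step (so keyboard(t) is the first t keystrokes), a constructed keystroke encoding for taking and releasing the I/O lock, and indexes the screen as screen[y][x] where the slides write [x, y]. Its check rejects a frame buffer that is stale (rendered for an older configuration) or that an application has written over, and it refuses application writes to the OS-owned lock line.

```python
"""Executable toy model of the slides' I/O specification.
Added example, not Verisoft code.  Slides write screen[x, y]; here it is screen[y][x]."""
from dataclasses import dataclass
from typing import List, Optional

WIDTH, HEIGHT = 24, 4          # constructed: a tiny text screen
LOCK_PREFIX = "<lock:"         # constructed keystroke encoding of "take the I/O lock"
UNLOCK = "<unlock>"            # constructed keystroke encoding of "release the lock"

Screen = List[List[str]]


@dataclass(frozen=True)
class Conf:
    """System configuration (assumed model): who holds the keyboard/screen
    lock, and the text the application wants to show."""
    lock_owner: Optional[str]
    text: str


def keyboard(history: List[str], t: int) -> List[str]:
    """keyboard(t): all keystrokes received up to time t (one key per tick)."""
    return history[:t]


def conf_of(keys: List[str]) -> Conf:
    """conf(t) as a fold over keyboard(t): printable keys are appended to the
    text, the two control keys take or release the lock (assumed semantics)."""
    owner, text = None, ""
    for k in keys:
        if k.startswith(LOCK_PREFIX) and k.endswith(">"):
            owner = k[len(LOCK_PREFIX):-1]
        elif k == UNLOCK:
            owner = None
        else:
            text += k
    return Conf(owner, text)


def fit(line: str) -> List[str]:
    """Pad or truncate a line to exactly WIDTH characters."""
    return list(line[:WIDTH].ljust(WIDTH))


def screen_output(conf: Conf) -> Screen:
    """screenOutput(conf): what *should* be shown.  Row 0 is the lock-status
    line that only the OS may write; the remaining rows hold the application text."""
    status = f"Locked by PID {conf.lock_owner}" if conf.lock_owner else "Unlocked"
    rows = [fit(status)]
    for y in range(1, HEIGHT):
        rows.append(fit(conf.text[(y - 1) * WIDTH:y * WIDTH]))
    return rows


def display_locked(conf: Conf) -> str:
    """displayLocked(conf)[x] = screenOutput(conf)[x, 0]: row 0 as a string."""
    return "".join(screen_output(conf)[0])


def display_correct(screen_at: Screen, conf: Conf) -> bool:
    """Up-to-date iff for all x, y: screenAt(t)[x, y] = screenOutput(conf(t))[x, y]."""
    want = screen_output(conf)
    return all(screen_at[y][x] == want[y][x]
               for y in range(HEIGHT) for x in range(WIDTH))


def application_draw(screen_at: Screen, x: int, y: int, ch: str) -> None:
    """Write one character to the real screen on behalf of an application.
    Row 0 belongs to the operating system, so the model refuses to touch it."""
    if y == 0:
        raise PermissionError("row 0 is owned by the operating system")
    screen_at[y][x] = ch


HISTORY = ["<lock:57256 (bb)>", "H", "i"]   # constructed sample keystrokes


def check_at(history: List[str], t_rendered: int, t_now: int) -> bool:
    """The OS last redrew the frame buffer at t_rendered; is it still correct at t_now?"""
    screen_at = screen_output(conf_of(keyboard(history, t_rendered)))
    return display_correct(screen_at, conf_of(keyboard(history, t_now)))


if __name__ == "__main__":
    conf = conf_of(keyboard(HISTORY, len(HISTORY)))
    screen_at = screen_output(conf)              # OS redraws the frame buffer
    print("\n".join("".join(r) for r in screen_at))
    print("up-to-date:", display_correct(screen_at, conf))
    application_draw(screen_at, 0, 1, "X")       # application overwrites row 1
    print("after application write:", display_correct(screen_at, conf))
    try:
        application_draw(screen_at, 0, 0, "X")   # row 0 is refused
    except PermissionError as err:
        print("refused:", err)
```

check_at(HISTORY, 2, 3) is the interesting case: the frame buffer was drawn before the last keystroke, so screenAt differs from screenOutput(conf(t)) in one cell and the display is reported as not up-to-date, exactly what the ∀ x, y condition demands. Row 0 is the same 24 characters whichever application text is shown, which is what makes it usable as the trusted lock indicator.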
Conclusions
The method we introduced...
• ...does not help against hardware based attacks.
• ...does not help against content based attacks.
• ...does not guarantee that the output is perceived as intended.
• ...does prevent software based attacks on I/O resources.