
FORMAL LOGICAL METHODS FOR SYSTEM SECURITY AND CORRECTNESS

NATO Science for Peace and Security Series

This Series presents the results of scientific meetings supported under the NATO Programme: Science for Peace and Security (SPS). The NATO SPS Programme supports meetings in the following Key Priority areas: (1) Defence Against Terrorism; (2) Countering other Threats to Security and (3) NATO, Partner and Mediterranean Dialogue Country Priorities. The types of meeting supported are generally “Advanced Study Institutes” and “Advanced Research Workshops”. The NATO SPS Series collects together the results of these meetings.

The meetings are co-organized by scientists from NATO countries and scientists from NATO’s “Partner” or “Mediterranean Dialogue” countries. The observations and recommendations made at the meetings, as well as the contents of the volumes in the Series, reflect those of participants and contributors only; they should not necessarily be regarded as reflecting NATO views or policy.

Advanced Study Institutes (ASI) are high-level tutorial courses to convey the latest developments in a subject to an advanced-level audience.

Advanced Research Workshops (ARW) are expert meetings where an intense but informal exchange of views at the frontiers of a subject aims at identifying directions for future action.

Following a transformation of the programme in 2006 the Series has been re-named and re-organised. Recent volumes on topics not related to security, which result from meetings supported under the programme earlier, may be found in the NATO Science Series.

The Series is published by IOS Press, Amsterdam, and Springer Science and Business Media, Dordrecht, in conjunction with the NATO Public Diplomacy Division.

Sub-Series
A. Chemistry and Biology: Springer Science and Business Media
B. Physics and Biophysics: Springer Science and Business Media
C. Environmental Security: Springer Science and Business Media
D. Information and Communication Security: IOS Press
E. Human and Societal Dynamics: IOS Press

http://www.nato.int/science
http://www.springer.com
http://www.iospress.nl

Sub-Series D: Information and Communication Security – Vol. 14
ISSN 1874-6268

Formal Logical Methods for System Security and Correctness

Edited by
Orna Grumberg, Technion, Israel
Tobias Nipkow, Technische Universität München, Germany
and Christian Pfaller, Technische Universität München, Germany

Amsterdam • Berlin • Oxford • Tokyo • Washington, DC
Published in cooperation with NATO Public Diplomacy Division

Proceedings of the NATO Advanced Study Institute on Formal Logical Methods for System Security and Correctness, Marktoberdorf, Germany, 31 July–12 August 2007

© 2008 IOS Press. All rights reserved.

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without prior written permission from the publisher.

ISBN 978-1-58603-843-4
Library of Congress Control Number: 2008922610

Publisher
IOS Press, Nieuwe Hemweg 6B, 1013 BG Amsterdam, Netherlands
fax: +31 20 687 0019
e-mail: [email protected]

Distributor in the UK and Ireland
Gazelle Books Services Ltd., White Cross Mills, Hightown, Lancaster LA1 4XS, United Kingdom
fax: +44 1524 63232
e-mail: [email protected]

Distributor in the USA and Canada
IOS Press, Inc., 4502 Rachael Manor Drive, Fairfax, VA 22032, USA
fax: +1 703 323 3668
e-mail: [email protected]

LEGAL NOTICE
The publisher is not responsible for the use which might be made of the following information.

PRINTED IN THE NETHERLANDS

Formal Logical Methods for System Security and Correctness, O. Grumberg et al. (Eds.), IOS Press, 2008. © 2008 IOS Press. All rights reserved.

Preface

The objective of our Summer School 2007 on Formal Logical Methods for System Security and Correctness was to present the state-of-the-art in the field of proof technology in connection with secure and correct software.
The lecturers have shown that methods of correct-by-construction program and process synthesis allow a high level programming method more amenable to security and reliability analysis and guarantees. By providing the necessary theoretical background and presenting corresponding application oriented concepts, the objective was an in-depth presentation of such methods covering both theoretical foundations and industrial practice. In detail the following courses were given:

GILLES BARTHE lectured on Verification Methods for Software Security and Correctness. The objective of the lectures was to present static enforcement mechanisms to ensure reliability and security of mobile code. First, he introduced a type based verifier for ensuring information flow policies and a verification condition generator for Java bytecode programs. He also described how these mechanisms have been certified using the proof assistant Coq. Second, he related these two enforcement mechanisms to their counterparts for Java programs.

ROBERT CONSTABLE’s lectures Logical Foundations of Computer Security were concerned with developing correct-by-construction security protocols for distributed systems on communication networks. He used computational type theory to express logically sound cryptographic services and established them by machine generated formal proofs.

In his course Building a Software Model-Checker JAVIER ESPARZA introduced jMoped, a tool for the analysis of Java programs. He then explained the theory and algorithms behind the tool. In jMoped it is assumed that variables have a finite range. He started by considering the computational complexity of verifying different classes of programs satisfying this constraint. After choosing a reasonable class of programs, he introduced a model-checking algorithm based on pushdown automata and then addressed the problem of data. He presented an approach to this problem based on BDDs and counterexample-based abstraction refinement with interpolants.

With Automatic Refinement and Vacuity Detection for Symbolic Trajectory Evaluation ORNA GRUMBERG presented a powerful model checking technique called Symbolic Trajectory Evaluation (STE), which is particularly suitable for hardware. STE is applied to a circuit M, described as a graph over nodes (gates and latches). The specification consists of assertions in a restricted temporal language. The assertions are of the form A ⇒ C, where the antecedent A expresses constraints on nodes n at different times t, and the consequent C expresses requirements that should hold on such nodes (n, t). Abstraction in STE is derived from the specification by initializing all inputs not appearing in A to the X (“unknown”) value. A refinement amounts to changing the assertion in order to present node values more accurately. A symbolic simulation and the specific type of abstraction used in STE was described. We proposed a technique for automatic refinement of assertions in STE, in case the model checking results in X. In this course the notion of hidden vacuity for STE was defined and several methods for detecting it were suggested.

JOHN HARRISON lectured on Automated and Interactive Theorem Proving. He covered a range of topics from Boolean satisfiability checking (SAT), several approaches to first-order automated theorem proving, special methods for equations, decision procedures for important special theories, and interactive proofs. He gave some suitable references.

MARTIN HOFMANN gave a series of lectures on Correctness of Effect-based Program Transformations in which a type system was considered capable of tracking reading, writing and allocation in a higher-order language with dynamically allocated references. He gave a denotational semantics to this type system which allowed us to validate a number of effect-dependent program equivalences in the sense of observational equivalence. On the way we learned popular techniques such as parametrised logical relations, regions, admissible relations, etc., which belong to the toolbox of researchers in principles of programming languages.

Abstract and Concrete Models of Recursion was the course of MARTIN HYLAND. Systems of information flow are fundamental in computing systems generally and security protocols in particular. One key issue is feedback (or recursion) and we developed an approach based on the notion of trace. He covered applications to fixed point theory, automata theory and topics in the theory of processes.

In his course Security Analysis of Network Protocols JOHN MITCHELL provided an introduction to network protocols that have security requirements. He covered a variety of contemporary security protocols and gave students information needed to carry out case studies using automated tools and formal techniques. The first lectures surveyed protocols and their properties, including secrecy, authentication, key establishment, and fairness. The second part covered standard formal models and tools used in security protocol analysis, and described their advantages and limitations.

With his lectures on The Engineering Challenges of Trustworthy Computing GREG MORRISETT talked about a range of language, compiler, and verification techniques that can be used to address safety and security issues in systems software today. Some of the techniques, such as software fault isolation, are aimed at legacy software and provide relatively weak but important guarantees, and come with significant overhead. Other techniques, such as proof-carrying code, offer the potential of fine-grained protection with low overhead, but introduce significant verification challenges. The focus of
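The STE summary in the preface above (antecedent A fixing node values at given times, unconstrained inputs abstracted to X, a consequent C checked on the simulated values, and refinement by strengthening A when the result is X) can be made concrete on a toy circuit. The following Python is an added illustration written for this page; it is not code from the book or from the lecturer, and it simplifies real STE in three labelled ways: the circuit, gate semantics and assertion are constructed examples, an antecedent value simply overrides the circuit instead of being joined in the information lattice, and the refinement step is a plain cone-of-influence search for open inputs rather than the automatic refinement technique taught in the course.

```python
"""Toy three-valued (0/1/X) simulation in the style of Symbolic Trajectory
Evaluation (STE).  Added illustration, not code from the book.

A circuit is a dict node -> (gate kind, input nodes); a name that is read
but never defined is a primary input.  An assertion A => C is two dicts
keyed by (node, time): A fixes values, C states what must hold.  Inputs
that A leaves open take the value X ("unknown"): the STE abstraction.
"""

ZERO, ONE, X = "0", "1", "X"


def ternary_and(vals):
    # A single 0 decides the result even when the other inputs are X.
    if ZERO in vals:
        return ZERO
    return ONE if all(v == ONE for v in vals) else X


def ternary_or(vals):
    # A single 1 decides the result even when the other inputs are X.
    if ONE in vals:
        return ONE
    return ZERO if all(v == ZERO for v in vals) else X


def ternary_not(vals):
    return {ZERO: ONE, ONE: ZERO}.get(vals[0], X)


GATES = {"AND": ternary_and, "OR": ternary_or, "NOT": ternary_not}


def primary_inputs(circuit):
    return {n for _, ins in circuit.values() for n in ins} - set(circuit)


def simulate(circuit, antecedent, depth):
    """Return {(node, t): value} for every node and 0 <= t < depth.
    Simplification: an antecedent value overrides the circuit (real STE
    joins both in the information lattice and reports conflicts)."""
    inputs = primary_inputs(circuit)
    values = {}

    def val(node, t):
        key = (node, t)
        if key not in values:
            if key in antecedent:
                values[key] = antecedent[key]
            elif node in inputs:
                values[key] = X            # unconstrained input: unknown
            else:
                kind, ins = circuit[node]
                if kind == "LATCH":        # latch shows last cycle's input
                    values[key] = X if t == 0 else val(ins[0], t - 1)
                else:
                    values[key] = GATES[kind]([val(i, t) for i in ins])
        return values[key]

    for t in range(depth):
        for node in inputs | set(circuit):
            val(node, t)
    return values


def check_assertion(circuit, antecedent, consequent, depth):
    """Evaluate A => C: ("pass" | "fail" | "unknown", offending (node, t)).
    A definite mismatch is reported as "fail" even if other nodes are X."""
    values = simulate(circuit, antecedent, depth)
    failed = [k for k, want in consequent.items() if values[k] not in (want, X)]
    unknown = [k for k in consequent if values[k] == X]
    if failed:
        return "fail", failed
    return ("unknown", unknown) if unknown else ("pass", [])


def refinement_candidates(circuit, antecedent, node, t):
    """Inputs in the cone of influence of (node, t) that A leaves open.
    Constraining one of them is the refinement step: the assertion is
    changed so that the simulated node values become more precise."""
    inputs = primary_inputs(circuit)
    seen, cands = set(), set()

    def cone(n, tt):
        if tt < 0 or (n, tt) in seen:
            return
        seen.add((n, tt))
        if n in inputs:
            if (n, tt) not in antecedent:
                cands.add((n, tt))
            return
        kind, ins = circuit[n]
        for i in ins:
            cone(i, tt - 1 if kind == "LATCH" else tt)

    cone(node, t)
    return cands


# Constructed example circuit: register "out" loads AND(in1, in2) each cycle.
CIRCUIT = {"and1": ("AND", ["in1", "in2"]), "out": ("LATCH", ["and1"])}

# Assertion: "if in1 is 1 at time 0 then out is 1 at time 1".  in2 is left
# open by A, so it is X, the AND is X, and the check comes back "unknown";
# refinement_candidates then points at ("in2", 0) as the constraint to add.
A = {("in1", 0): ONE}
C = {("out", 1): ONE}
```

Running `check_assertion(CIRCUIT, A, C, 2)` gives `("unknown", [("out", 1)])`, and `refinement_candidates(CIRCUIT, A, "out", 1)` returns `{("in2", 0)}`; adding `("in2", 0): "1"` to A makes the same assertion pass, while adding `("in2", 0): "0"` makes it fail with a definite counterexample. The point the toy makes is the one the preface states: the X abstraction is cheap because unconstrained inputs are never enumerated, and an X result is neither a proof nor a counterexample but a signal that the assertion, not the circuit, needs to be refined.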