Show simple item record

dc.contributorNational Science Foundation
dc.contributorOffice of Naval Research
dc.contributor.authorPhelps, David
dc.contributor.authorLevin, Timothy E.
dc.contributor.authorAuguston, Mikhail
dc.date.accessioned2012-07-11T15:49:36Z
dc.date.available2012-07-11T15:49:36Z
dc.date.issued2008-06-01
dc.identifier.citationProceedings of the International Conference on i-Warfare and Security, April 2008.
dc.identifier.urihttp://hdl.handle.net/10945/7158
dc.description.abstractWe describe the specification of the formal security policy model and formal top-level specification for the Least Privilege Separation Kernel (LPSK) in Alloy, a relatively new modelling language and analysis tool. The state of the art for the formal verification of secure software requires representation of an abstract model, and one or more refinements (to the model), in a formal specification language. These specifications are then examined for self-consistency with their properties, as well as for consistency between levels of abstraction, all of which can be time consuming, and costly. Alloy provides a simple, intuitive logic framework, in contrast to many other formal languages that are intended to support general-purpose mathematics. In order to determine whether Alloy can improve the efficiency and effectiveness of the verification of secure computer systems, we used it to specify portions of the LPSK formal security policy model and formal top-level specification, and utilized the Alloy Analyzer to examine the consistency of the specifications. The security-critical system elements and predicates for security properties were defined in terms of a state model, and system operations were represented as state transitions. While Alloy does not support induction or proofs, it can be used to find counter examples in a small scope of state transitions. We conclude that Alloy has few limitations and is suitable, as measured by utility and ease of use, to include in the toolbox for rapid high-assurance system development. The primary concern with using Alloy for industrial, versus academic, security verification is the scalability of the Alloy Analyzer with respect to the state-space of the security model and formal top-level specification. For real system verification, Alloy must support a much larger scope. We found that the translation of an existing informal LPSK security policy model to Alloy provided insight for making the model clearer. It is also apparent that Alloy allows for the beginner to formal system verification to quickly climb its learning curve.en_US
dc.publisherInternational Conference on i-Warfare and Securityen_US
dc.rightsThis publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, may not be copyrighted.en_US
dc.rightsApproved for public release.en_US
dc.titleFormal models of a least privilege separation kernel in alloyen_US
dc.typeArticleen_US
dc.subject.authorSoftware Verificationen_US
dc.subject.authorPrinciplesen_US
dc.subject.authorLeast Privilegeen_US
dc.subject.authorInformation Flow Controlsen_US
dc.subject.authorSeparation Kernelsen_US
dc.subject.authorFormal Languagesen_US


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record