Showing papers in "ACM Transactions on Software Engineering and Methodology in 2000"

Protecting privacy using the decentralized label model

Abstract: Stronger protection is needed for the confidentiality and integrity of data, because programs containing untrusted code are the rule rather than the exception. Information flow control allows the enforcement of end-to-end security policies, but has been difficult to put into practice. This article describes the decentralized label model, a new label model for control of information flow in systems with mutual distrust and decentralized authority. The model improves on existing multilevel security models by allowing users to declassify information in a decentralized way, and by improving support for fine-grained data sharing. It supports static program analysis of information flow, so that programs can be certified to permit only acceptable information flows, while largely avoiding the overhead of run-time checking. The article introduces the language Jif, an extension to Java that provides static checking of information flow using the decentralized label model.

Law-governed interaction: a coordination and control mechanism for heterogeneous distributed systems

Abstract: Software technology is undergoing a transition form monolithic systems, constructed according to a single overall design, into conglomerates of semiautonomous, heterogeneous, and independently designed subsystems, constructed and managed by different organizations, with little, if any, knowledge of each other. Among the problems inherent in such conglomerates, none is more serious than the difficulty to control the activities of the disparate agents operating in it, and the difficulty for such agents to coordinate their activities with each other. We argue that the nature of coordination and control required for such systems calls for the following principles to be satisfied: (1) coordination policies need to be enforced: (2) the enforcement needs to be decentralized; and (3) coordination policies need to be formulated explicitly—rather than being implicit in the code of the agents involved—and they should be enforced by means of a generic, broad spectrum mechanism; and (4) it should be possible to deploy and enforce a policy incrementally, without exacting any cost from agents and activities not subject to it. We describe a mechansim called law-governed interaction (LGI), currently implemented by the Moses toolkit, which has been designed to satisfy these principles. We show that LGI is at least as general as a conventional centralized coordination mechanism (CCM), and that it is more scalable, and generally more efficient, then CCM.

Verifying security protocols with Brutus

Abstract: Due to the rapid growth of the “Internet” and the “World Wide Web” security has become a very important concern in the design and implementation of software systems. Since security has become an important issue, the number of protocols in this domain has become very large. These protocols are very diverse in nature. If a software architect wants to deploy some of these protocols in a system, they have to be sure that the protocol has the right properties as dictated by the requirements of the system. In this article we present BRUTUS, a tool for verifying properties of security protocols. This tool can be viewed as a special-purpose model checker for security protocols. We also present reduction techniques that make the tool efficient. Experimental results are provided to demonstrate the efficiency of BRUTUS.

SAFKASI: a security mechanism for language-based systems

Abstract: In order to run untrusted code in the same process as trusted code, there must be a mechanism to allow dangerous calls to determine if their caller is authorized to exercise the privilege of using the dangerous routine. Java systems have adopted a technique called stack inspection to address this concern. But its original definition, in terms of searching stack frames, had an unclear relationship to the actual achievement of security, overconstrained the implementation of a Java system, limited many desirable optimizations such as method inlining and tail recursion, and generally interfered with interprocedural optimization. We present a new semantics for stack inspection based on a belief logic and its implementation using the calculus of security-passing style which addresses the concerns of traditional stack inspection. With security-passing style, we can efficiently represent the security context for any method activation, and we can build a new implementation strictly by rewriting the Java bytecodes before they are loaded by the system. No changes to the JVM or bytecode semantics are necessary. With a combination of static analysis and runtime optimizations, our prototype implementation showes reasonable performance (although traditional stack inspection is still faster), and is easier to consider for languages beyond Java. We call our system SAFKASI (the Security Architecture Formerly Known as Stack Inspection).

SMC: a symmetry-based model checker for verification of safety and liveness properties

Abstract: The article presents the SMC system. SMC can be used for checking safety and liveness properties of concurrent programs under different fairness assumptions. It is based on explicit state enumeration. It combats the state explosion by exploiting symmetries of the input concurrent program, usually present in the form of identical processes, in two different ways. Firstly, it reduces the number of explored states by identifying those states that are equivalent under the symmetries of the system; this is called process symmetry. Secondly, it reduces the number of edges explored from each state, in0 the reduced state graph, by exploiting the symmetry of a single state; this is called state symmetry. SMC works in an on-the-fly manner; it constructs the reduced state graph as and when it is needed. This method facilitates early termination, speeds up model checking, and reduces memory requirements. We employed SMC to check the correctness of, among other standard examples, the Link Layer part of the IEEE Standard 1394 “Firewire” high-speed serial bus protocol. SMC found deadlocks in the protocol. SMC was also to check certain liveness properties. A report on the case study is included in the article.

Static checking of system behaviors using derived component assumptions

Abstract: A critical challenge faced by the developer of a software system is to understand whether the system's components correctly integrate. While type theory has provided substantial help in detecting and preventing errors in mismatched static properties, much work remains in the area of dynamics. In particular, components make assumptions about their behavioral interaction with other components, but currently we have only limited ways in which to state those assumptions and to analyze those assumptions for correctness. We have formulated a method that begins to address this problem. The method operates at the architectural level so that behavioral integration errors, such as deadlock, can be revealed early and at a high level. For each component, a specification is given of its interaction behavior. Form this specification, assumptions that the component makes about the corresponding interaction behavior of the external context are automatically derived. We have defined an algorithm that performs compatibility checks between finite representations of a component's context assumptions and the actual interaction behaviors of the components with which it is intended to interact. A configuration of a system is possible if and only if a successful way of matching actual behaviors with assumptions can be found. The state-space complexity of this algorithm is significantly less than that of comparable approaches, and in the worst case, the time complexity is comparable to the worst case of standard rachability analysis.

A generic model for reflective design

Abstract: Rapid technological change has had an impact on the nature of software. This has led to new exigencies and to demands for software engineering paradigms that pay particular atttention to meeting them. We advocate that such demands can be met, at least in large parts, through the adoption of software engineering processes that are founded on a reflective stance. To this end, we turn our attention to the field of Design Rationale. We analyze and characterize Design Rationale approaches and show that despite surface differences between different approaches, they all tend to be variants of a relatively small set of static and dynamic affinities. We use the synthesis of static and dynamic affinities to develop a generic model for reflective design. The model is nonprescriptive and affects minimally the design process. It is context-independent and is intended to be used as a facilitator in participative design, supporting group communication and deliberation. The potential utility of the model is demonstrated through two examples, one from the world of business design and the other from programming language design

Using shape analysis to reduce finite-state models of concurrent Java programs

Abstract: Finite-state verification (e.g., model checking) provides a powerful means to detect concurrency errors, which are often subtle and difficult to reproduce. Nevertheless, widespread use of this technology by developers is unlikely until tools provide automated support for extracting the required finite-state models directly from program source. Unfortunately, the dynamic features of modern languages such as Java complicate the construction of compact finite-state models for verification. In this article, we show how shape analysis, which has traditionally been used for computing alias information in optimizers, can be used to greatly reduce the size of finite-state models of concurrent Java programs by determining which heap-allocated variables are accessible only by a single thread, and which shared variables are protected by locks. We also provide several other state-space reductions based on the semantics of Java monitors. A prototype of the reductions demonstrates their effectiveness.

Composite model-checking: verification with type-specific symbolic representations

Abstract: There has been a surge of progress in automated verification methods based on state exploration. In areas like hardware design, these technologies are rapidly augmenting key phases of testing and validation. To date, one of the most successful of these methods has been symbolic model-checking, in which large finite-state machines are encoded into compact data structures such as Binary Decision Diagrams (BDDs), and are then checked for safety and liveness properties. However, these techniques have not realized the same success on software systems. One limitation is their inability to deal with infinite-state programs, even those with a single unbounded integer. A second problem is that of finding efficient representations for various variable types. We recently proposed a model-checker for integer-based systems that uses arithmetic constraints as the underlying state representation. While this approach easily verified some subtle, infinite-state concurrency problems, it proved inefficient in its treatment of boolean and (unordered) enumerated types—which are not efficiently representable using arithmetic constraints. In this article we present a new technique that combines the strengths of both BDD and arithmetic constraint representations. Our composite model merges multiple type-specific symbolic representations in a single model-checker. A system's transitions and fixpoint computations are encoded using both BDD (for boolean and enumerated types) and arithmetic constraints (for integers) representations, where the choice depends on the variable types. Our composite model-checking strategy can be extended to other symbolic representations provided that they support operations such as intersection, union, complement, equivalence checking, and relational image computation. We also present conservative approximation techniques for composite representations to address the undecidability of model-checking on infinite-state systems. We demonstrate the effectiveness of our approach by analyzing two example software specifications which include a mixture of booleans, integers, and enumerated types. One of them is a requirements specification for the control software of a nuclear reactor's cooling system, and the other one is a protocol specification.

A compiler for analyzing cryptographic protocols using noninterference

Abstract: The Security Process Algebra (SPA) is a CCS-like specification languag e where actions belong to two different levels of confidentiality. It has been used to define several noninterference-like security properties whose verification has been automated by the tool CoSeC. In recent years, a method for analyzing security protocols using SPA and CoSeC has been developed. Even if it has been useful in analyzing small security protocols, this method has shown to be error-prone, as it requires the protocol description and its environment to be written by hand. This problem has been solved by defining a protocol specification language more abstract than SPA, called VSP, and a compiler CVS that automatically generates the SPA specification for a given protocol described in VSP. The VSP/CVS technology is very powerful, and its usefulness is shown with some case studies: the Woo-Lam one-way authentication protocol, for which a new attack to authentication is found, and the Wide Mouthed Frog protocol, where different kinds of attack are detected and analyzed.

A knowledge-based method for inferring semantic concepts from visual models of system behavior

Abstract: Software designers use visual models, such as data flow/control flow diagrams or object collaboration diagrams, to express system behavior in a form that can be understood easily by users and by pogrammers, and from which designers can generate a software architecture. The research described in this paper is motivated by a desire to provide an automated designer's assistant that can generate software architectures for concurrent systems directly from behavioral models expressed visually as flow diagrams. To achieve this goal, an automated designer's assistant must be capable of interpreting flow diagrams in semantic, rather than syntactic, terms. While semantic concepts can be attached manually to diagrams using labels, such as stereotypes in the Unified Model Language (UML), this paper considers the possibility of providing autmated assistance to infer appropriate tags for symbols on a flow diagram. The approach relies upon constructing an underlying metamodel that defines semantic concepts based upon (1) syntactic relationships among visual symbols and (2) inheritance relationships among semantic concepts. Given such a metamodel, a rule-based inference engine can, in many situations, infer the presence of semantic concepts on flow diagram, and can tag symbols accordingly. Futher, an object-oriented query system can compare semantic tags on digram instances for conformance with their definition in the metamodel. To illustrate the approach, the paper describes a metamodel for data flow/control flow diagrams used in the context of a specific software modeling method, Concurrent Object-Based Real-time Analysis (COBRA). The metamodel is implemented using an expert-system shell, CLIPS V6.0, which integrates an object-oriented language with a rule-based inference engine. The paper applies the implemented metamodel to design software for an automobile cruise-control system and provides an evaluation of the approach based upon results from four case studies. For the case studies, the implemented metamodel recognized, automatically and correctly, the existence of 86% of all COBRA semantic concepts within the flow diagrams. Varying degrees of human assistance were used to correctly identify the remaining semantic concepts within the diagrams: in two percent of the cases the implemented metamodel reached tentative classifications that a designer was asked to confirm or override; in four percent of the cases a designer was asked to provide additional information before a concept was classified; in the remaining eight percent of the cases the designer was asked to identify the concept.

Abstracting dependencies between software configuration items

Abstract: This article studies an abstract model of dependencies between software configuration items based on a theory of concurrent computation over a class of Petri nets called production nets. A general theory of build optimizations and their correctness is developed based on a form of abstract interpretation called a build abstraction; these are created during a build and are used to optimize subsequent builds. Various examples of such optimizations are discussed. The theory is used to show how properties can be characterized and proved, and how optimizations can be composed and compared.

Using a coordination language to specify and analyze systems containing mobile components

Abstract: New computing paradigms for network-aware applications need specification languages able to deal with the features of mobile code-based systems. A coordination language provides a formal framework in which the interaction of active entities can be expressed. A coordination language deals with the creation and destruction of code or complex agents, their communication activites, as well as their distribution and mobility in space. We show how the coordination language PoliS offers a flexible basis for the description and the automatic analysis of architectures of systems including mobile entities. Polis is based on multiple tuple spaces and offers a basis for defining, studying, and controlling mobility as it allows decoupling mobile entities from their environments both in space and in time. The pattern-matching mechanism adopted for communication helps in abstracting from addressing issues. We have developed a model-checking technique for the automatic analysis of PoliS specifications. In the article we show how this technique can be applied to mobile code-based systems

Proof linking: modular verification of mobile programs in the presence of lazy, dynamic linking

Abstract: Although mobile code systems typically employ link-time code verifiers to protect host computers from potentially malicious code, implementation flaws in the verifiers may still leave the host system vulnerable to attack. Compounding the inherent complexity of the verification algorithms themselves, the need to support lazy, dynamic linking in mobile code systems typically leads to architectures that exhibit strong interdependencies between the loader, the verifier, and the linker. To simplify verifier construction and provide improved assurances of verifier integrity, we propose a modular architecture based on the concept of proof linking. This architecture encapsulates the verification process and removes dependencies between the loader, the verifier, and the linker. We also formally model the process of proof linking and establish properties to which correct implementations must conform. As an example, we instantiate our architecture for the problem of Java bytecode verification and assess the correctness of this instantiation. Finally, we briefly discuss alternative mobile code verification architectures enabled by the proof-linking concept.