TY - GEN
T1 - Formal specification of security guidelines for program certification
AU - Zhioua, Zeineb
AU - Roudier, Yves
AU - Ameur-Boulifa, Rabea
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/7/2
Y1 - 2017/7/2
N2 - Secure software can be obtained out of two distinct processes: security by design, and security by certification. The former approach has been quite extensively formalized as it builds upon models, which are verified to ensure security properties are attained and from which software is then derived manually or automatically. In contrast, the latter approach has always been quite informal in both specifying security best practices and verifying that the code produced conforms to them. In this paper, we focus on the latter approach and describe how security guidelines might be captured by security experts and verified formally by developers. Our technique relies on abstracting actions in a program based on modularity, and on combining model checking together with information flow analysis. Our goal is to formalize the existing body of knowledge in security best practices using formulas in the MCL language and to conduct formal verifications of the conformance of programs with such security guidelines. We also discuss our first results in creating a methodology for the formalization of security guidelines.
AB - Secure software can be obtained out of two distinct processes: security by design, and security by certification. The former approach has been quite extensively formalized as it builds upon models, which are verified to ensure security properties are attained and from which software is then derived manually or automatically. In contrast, the latter approach has always been quite informal in both specifying security best practices and verifying that the code produced conforms to them. In this paper, we focus on the latter approach and describe how security guidelines might be captured by security experts and verified formally by developers. Our technique relies on abstracting actions in a program based on modularity, and on combining model checking together with information flow analysis. Our goal is to formalize the existing body of knowledge in security best practices using formulas in the MCL language and to conduct formal verifications of the conformance of programs with such security guidelines. We also discuss our first results in creating a methodology for the formalization of security guidelines.
KW - Information Flow Analysis
KW - Labelled Transition Systems
KW - Model Checking
KW - Program Certification
KW - Security Best Practices
KW - Security Guidelines
U2 - 10.1109/TASE.2017.8285634
DO - 10.1109/TASE.2017.8285634
M3 - Conference contribution
AN - SCOPUS:85050684242
T3 - Proceedings - 11th International Symposium on Theoretical Aspects of Software Engineering, TASE 2017
SP - 1
EP - 8
BT - Proceedings - 11th International Symposium on Theoretical Aspects of Software Engineering, TASE 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 11th International Symposium on Theoretical Aspects of Software Engineering, TASE 2017
Y2 - 13 September 2017 through 15 September 2017
ER -