1 / 27

Applying MoWGLI’s prototype to the Security Certification of IT products

Applying MoWGLI’s prototype to the Security Certification of IT products. Eduardo Giménez Trusted Logic SA 5, rue du Bailliage 78000 Versailles France. Use case. Common Criteria certification of IT products. Mowgli: semantic contents (typechecking). Mowgli: neutral exchange format

vonda
Télécharger la présentation

Applying MoWGLI’s prototype to the Security Certification of IT products

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Applying MoWGLI’s prototype to the Security Certification of IT products Eduardo Giménez Trusted Logic SA 5, rue du Bailliage 78000 Versailles France MoWGLI’s Meeting

  2. Use case Common Criteria certification of IT products MoWGLI’s Meeting

  3. Mowgli: semantic contents (typechecking) Mowgli: neutral exchange format (semi-formal evaluations, developing teams) Mowgli: model explanation (Exploration & Rendering) IT Security Certification Scheme Assets, Threats Security Target Security objectives Security Functions and Security requirements SPModel Functional SPecification High-Level Design Low-Level Design IMPlementation Representation MoWGLI’s Meeting

  4. Trusted Logic Contributions • Extracting meta-data from Coq source files • Security Policy Model • Transformation into UML MoWGLI’s Meeting

  5. Mowgli’s prototype as a tool for explaining models First Contribution: extraction of meta-data from Coq source files MoWGLI’s Meeting

  6. Test case • Mowgli’s prototype tested on a formal model of a Java Card Platform • 3750 definitions • 2000 theorems • 300 Coq modules • 125000 lines of source code (4Mb) • Compressed XML output: 145Mb • Intended user: IT security evaluator MoWGLI’s Meeting

  7. Formal Models in Coq Several abstract state machines Security Policy Models Complete & declarative state machine Functional specification Simulation proof Realizability proof High Level Design Algorithms (functions) Implementation choices (many languages) Low level design Source code (C or Java) Implementation MoWGLI’s Meeting

  8. Three remarks raised by testing in the large • Rendering closer to Mathematics than to Programming • Records as inductive types, functions as lambda terms • Indentation not always as expected • Lack of an intermediate language for simplifying rendering modification • All comments in the Coq sources are lost • Common Criteria standard requires “textual” explanations • Literate programming in a javadoc style • Coherence between models and documents • Avoiding duplication • Other information that could improve readability is also missed: • Coercions • Implicit arguments MoWGLI’s Meeting

  9. Retrieving source information as meta-data • Information present in the sources that is not part of the logical terms can be thought of as meta-data: • Comments • Coq directives like: • Coercions • Implicit arguments • Hints • Derived vs. defined constants • Structured comments: tags + text • Purpose of the definition • @parameter • @requirement MoWGLI’s Meeting

  10. Generation of meta-data from Coq sources *.v Coq sources • Coercions • Derived constants • Opacity Lexical analysis (comments) Coq compiler: UWOBO Data Base RDF file SQL commands XML parser MySql MoWGLI’s Meeting

  11. Testing in the large • Installing Mowgli’s prototype : not a simple task! • Heterogeneous implementation: Ocaml, Perl, MySql, XSLT, PXP, … • No user manual • Depends on several (unstable) Linux packages (not listed) • Architecture not conceived for a protected environment (firewall) • Contribution to the packaging Mowgli’s prototype: • Installation instructions • Collecting all the Linux packages required for installation MoWGLI’s Meeting

  12. (Place demo of meta-data extraction here) A Coq module implementing association tables MoWGLI’s Meeting

  13. Second Contribution Security Policy Model document based on Mowgli’s prototype MoWGLI’s Meeting

  14. GlobalPlatform Applet Off - card Bytecode Verifier LOAD Applet Applet Applet INSTALL Card Manager DELETE MANAGE CHANNEL SELECT STORE DATA SET STATUS … MoWGLI’s Meeting

  15. GlobalPlatform Security Policies • Three security policies of GlobalPlatform were modeled: • Controlling the actions enabled for each life cycle state of the applications and the card • Enforcing life cycle transitions • Card contents management: integrity of the Executable Files, consistency of application privileges • Security policy = abstract state machine • Subject S can perform operation F on object o provided that …. • State = attributes of each subject and object that the SP controls • Transitions = premises of access control rules + effect on the security attributes MoWGLI’s Meeting

  16. A document describing GlobalPlatform models in Coq • Written using Trusted Logic’s editing tool (FDD) • Output in XHTML + minor modifications by hand • XSLT post-processing of three directives: • Inlinning of Coq definitions <ht:DEFINITION uri="component_update.con" as="Definition"/> • Hyperlinks to other definitions <a helm:helm_link="href" href=“…” > … </a> • Silent directives for opening Coq sections <ht:SECTIONuri="cic:/…./Records/Components/Component_Update/"> MoWGLI’s Meeting

  17. Some conclusions from the exercise • A high level tool for explaining formal definitions in English • Automatic processing of logical connectives and main Coq constructions • Spelling of the each atomic predicate specified by the user • XSLT transformations are too complicated and poor: what language for describing rendering? • An editing tool for writing formal Coq documents? MoWGLI’s Meeting

  18. (Place demo of the SPM document here) SPM document of VISA GlobalPlatfom MoWGLI’s Meeting

  19. Mowgli’s XML output as an exchange format for formal models Third contribution: a translator fromm Coq to UML MoWGLI’s Meeting

  20. Exchanging models between environments • Motivations: • XML format of Coq terms as a “neutral” exchange format • UML is a widely accepted standard in industry • UML provides a language to communicate with developers • UML is accepted as “semi-formal” specifications (required for some assurance levels in CC evaluations) • Linking formal models to input models provided by the clients • Goal: automatic integration of formal models in Coq into an UML environment (Rational Rose). • Data structures, predicates and comments in UML, theorems as links to Mowgli’s prototype. MoWGLI’s Meeting

  21. Unified Modeling Language(UML) Package P • Class A • public short x • private void f(int x) generalizes Class C • Class B • public static C z Class D associated to depends on MoWGLI’s Meeting

  22. Coq Module Coq T:Set Coq T(A:Set) : Set Parameter c: T Coq R{x1:T1;…xn:Tn} Coq function f(x1:T1,… xn:Tn) Coercion f : A  B UML Package UML Class T UML parameterized class T[A] UML static field c of class T UML instance fields x1, … xn UML method f attached to class C if C is « close » to f, static method of default class otherwise. Class B generalizes class A Translation Principles for informative objects MoWGLI’s Meeting

  23. P (x1:T1,… xn:Tn) : Prop Interpreted as a sub-set of the product T1× … Tn. A proof is a tuple (t1, … tn) A constructors of an inductive predicate is a function defining a tuple in T1× … Tn. A theorem is a function built from constructors. UML Class P (no parameters) with instance fields x1:T1,… xn:Tn. A proof is an object of class P with values x1:=t1 … xn:=tn A constructor is a class constructor. A theorem is a method defined in some class. Only predicates are translated, to visualize the relations between data-structures. Translation Principles for predicates MoWGLI’s Meeting

  24. Example The inductive definition: Inductive P : nat -> bool -> Prop := C : x:nat . x>0  P (S x, true). is translated into the class: class P { public nat n; public bool b; C(nat x; less p) { n:=x+1; b:=true} } MoWGLI’s Meeting

  25. Coq2UML’s Architecture *.con *.theory UWOBO Formal definitions XML Mowgli’s parser + Topological sort Coercions, derived constants, textual descriptions Rose add-in CIC environment ocaml internal structures XMI Translator XML dump Interface inference MoWGLI’s Meeting

  26. Making diagrams more readable • Derived constants are omitted • Elimination principles • Record projections • « Local » class diagrams by Coq module • Computing a minimal interface for each Coq module (experimental): • Only « public » constants used in other modules are considered • A defined constant is made abstract when it is not necessary to unfold its definition for typing other modules (requires modified typing) • An inductive type is made abstract when its constructors are never used in the other modules MoWGLI’s Meeting

  27. (Place demo of UML translator here) UML description of GlobalPlatform and association lists MoWGLI’s Meeting

More Related