A security specification verification technique based on the international standard ISO/IEC 15408

Shoichi Morimoto, Shinjiro Shigematsu, Yuichi Goto, and Jingde Cheng
Department of Information and Computer Sciences, Saitama University, Saitama, 338-8570, Japan
{ morimo, shigematsu, gotoh, cheng }

ABSTRACT

This paper proposes a security specification verification technique based on the international standard ISO/IEC 15408. We formalized the security criteria of ISO/IEC 15408 and developed the verification technique of security specifications based on the formalized criteria with formal methods. With the technique, one can formally verify whether or not specifications satisfy the security criteria of ISO/IEC 15408. Ambiguity and/or oversight about security in specifications written in natural language can also be detected.

Categories and Subject Descriptors
D.2.4 [Software Engineering]: Software/Program Verification - Formal methods

General Terms
Security, Verification

Keywords
Common Criteria, Z notation, Theorem-proving

1. INTRODUCTION

Security specifications and their verification have become an important issue in information security engineering. However, it is not clear what security criteria are, and it is difficult to define security criteria. In order to solve these problems, we propose adopting the international standard ISO/IEC 15408 as the criteria of the security which should be applied to validate an information system. ISO/IEC 15408 was established as a set of criteria for evaluating the security level of IT products [5]. However, because ISO/IEC 15408 is written in natural language, it is difficult to use ISO/IEC 15408 in formal verification of security specifications.

In this paper, we propose a security specification verification technique based on ISO/IEC 15408 with formal methods. We formalized beforehand all 251 criteria of ISO/IEC 15408 as formal criterion templates, which are necessary to any verification of security specifications based on ISO/IEC 15408. For the formalization, we used Z notation [4, 10], one of the formal methods, which have produced actual results in the verification of software reliability with theorem-proving [2].

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
SAC'06, April 23-27, 2006, Dijon, France
Copyright 2006 ACM 1-59593-108-2/06/0004 ... $5.00.

2. THE VERIFICATION TECHNIQUE

Here we describe the verification technique and the formalized criteria of ISO/IEC 15408.

2.1 Outline of the Verification Technique

The following is the procedure of the verification technique.

1) Select required formalized criteria (templates).
2) Formalize the specification of a target system in Z.
3) Materialize the selected criterion templates.
4) Verify the formalized specifications against the materialized criteria.

To verify a security specification of a target system, users first select criterion templates which are required in the system. Secondly, the users formalize the specification of the system in Z, somewhat taking the selected criterion templates into consideration. In the third step the users must materialize the selected criterion templates in order to fit them into the formalized specification. Then the users verify whether or not the materialized criteria are deducible from given axioms and the formalized specification as premises with theorem-proving, e.g., the verification tool Z/EVES [6].

2.2 The Formal Description of the Criteria

In order to explain how the criteria were formalized, we show a formalization example of a criterion in ISO/IEC 15408. The original text of the criterion FDP_RIP.1.1 is as follows.

FDP_RIP.1 Subset residual information protection
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: allocation of the resource to, deallocation of the resource from] the following objects: [assignment: list of objects].

In the original text, TSF means a security function of systems, the selection is the specification of one or more items from a list in the systems, and the assignment is the specification of an identified parameter in the systems. Thus, the criteria of ISO/IEC 15408 are very abstract. It is probably impossible to understand at a glance what is meant. The detailed usage of them is not described in the criteria themselves. Therefore, we formalized the criteria as templates after we had extracted the substantive meaning of them in the context of many actual public specifications [3] in which they are used.

FDP_RIP.1.1 specifies that systems must make any previous information content of a resource unavailable when allocation of the resource to the following objects or deallocation of the resource from the following objects occurs. In other words, after allocation or deallocation occurs, it is impossible to refer to any previous information content of a resource. The following is the formula in Z converted from this interpretation.

Template FDP_RIP.1.1
  ∀ System′ | Allocation or deallocation operation •
    ∀ previous information content ∈ Resource′ • unavailability conditions

This template formula means that after performing Allocation or deallocation operation, it is safe to say that all previous information contents included in Resource satisfy unavailability conditions in System. Thus, all 251 criteria of ISO/IEC 15408 were formalized as templates.

2.3 Materialization of the Criteria

The formalized criteria are merely templates so that any specification can use them. Therefore, when using them, users have to materialize them to fit each target system. Here we describe the way of the materialization.

In the templates, an italic bold word denotes a state schema, a bold word denotes an operation schema, an italic word denotes a set, a sans-serif font word denotes a logic expression or a type schema, and a normal font word denotes any other component in Z specifications. For example, consider the following template and Z specification, provided that they do not have any meaning.

  ∀ State′; variable | An operation • elements ∈ Set ∧ conditions

  Object
    entity1 : TYPE
    entity2 : P TYPE

  Operation
    ΔObject

  Type
    a : TYPE
    b : TYPE
    a = b

When this template is materialized so that it can fit into this specification, State can be replaced by the state schema Object, An operation can be replaced by the operation schema Operation, Set can be replaced by the set entity2, conditions can be replaced by the type schema Type or a logical expression which consists of components in the Z specification, variable can be replaced by the entities entity1 or entity2 in Object, and elements can be replaced by the element entity1, which can be included in the set entity2. Users verify whether or not the formula that is materialized in this way is deducible in the Z specification by theorem-proving.
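The following Python model is an added example and is not code from the paper. It materializes the FDP_RIP.1.1 template of Section 2.2 for a toy memory pool by following the replacement rules of Section 2.3: the state schema System becomes a pool dictionary, the operation schema becomes allocate/deallocate functions, Resource becomes the block an operation touches, and the unavailability condition becomes "the byte position now holds the clearing pattern". All names (Pool, allocate_unsafe, allocate_secure, deallocate_unsafe, deallocate_secure, fdp_rip_1_1, verify) and the sample pool contents are constructed for this example. Unlike the theorem-proving step in the paper, which establishes deducibility for all states, this check exercises transitions from one constructed state and so acts as a test oracle for the materialized criterion rather than a proof.

```python
"""
Materialization of the FDP_RIP.1.1 template for a toy memory pool.

Added example, not code from the paper; every name here is hypothetical.
The Z template

    ∀ System′ | Allocation or deallocation operation •
        ∀ previous information content ∈ Resource′ • unavailability conditions

is materialized as:
    System            -> pool dict {"content": {block: bytes}, "owner": {block: subject}}
    operation         -> allocate(pool, block, subject) / deallocate(pool, block)
    Resource          -> the block the operation touches
    previous content  -> every byte the block held before the operation
    unavailability    -> that byte position holds the clearing pattern afterwards
"""
import copy
from typing import Callable, Dict, Iterable, List

Pool = Dict[str, dict]
CLEAR = 0x00  # pattern the TSF writes to make old content unavailable


def _cleared_copy(pool: Pool, block: str) -> Pool:
    """Copy of the pool in which `block` is overwritten with the clearing pattern."""
    new = copy.deepcopy(pool)
    new["content"][block] = bytes([CLEAR]) * len(pool["content"][block])
    return new


# Operation schemas. The *_unsafe variants violate FDP_RIP.1.1; the *_secure ones satisfy it.
def allocate_unsafe(pool: Pool, block: str, subject: str) -> Pool:
    new = copy.deepcopy(pool)            # hands over whatever bytes the block still holds
    new["owner"][block] = subject
    return new


def allocate_secure(pool: Pool, block: str, subject: str) -> Pool:
    new = _cleared_copy(pool, block)     # clear on allocation, then hand over
    new["owner"][block] = subject
    return new


def deallocate_unsafe(pool: Pool, block: str) -> Pool:
    new = copy.deepcopy(pool)            # frees the block but leaves its content in place
    new["owner"][block] = None
    return new


def deallocate_secure(pool: Pool, block: str) -> Pool:
    new = _cleared_copy(pool, block)     # clear on deallocation, then free
    new["owner"][block] = None
    return new


def cleared(prev_byte: int, post_byte: int) -> bool:
    """Materialized 'unavailability conditions': the byte position now holds CLEAR.
    prev_byte is passed so that conditions depending on the old value can be plugged in."""
    return post_byte == CLEAR


def fdp_rip_1_1(before: Pool, after: Pool, touched: Iterable[str],
                unavailable: Callable[[int, int], bool] = cleared) -> List[str]:
    """Materialized template. `before`/`after` are the pre- and post-state of one
    allocation or deallocation operation (System and System′); `touched` is Resource.
    Returns the previous-content elements violating the condition ([] = criterion holds)."""
    violations: List[str] = []
    for block in touched:
        prev, post = before["content"][block], after["content"][block]
        for i, prev_byte in enumerate(prev):          # ∀ previous information content
            if not unavailable(prev_byte, post[i]):
                violations.append(f"{block}[{i}]=0x{prev_byte:02x}")
    return violations


# Constructed sample state: b1 is allocated to alice and holds a secret; b2 is free but
# still holds stale bytes left behind by a previous owner.
INITIAL: Pool = {
    "content": {"b1": b"secret", "b2": b"AAA"},
    "owner": {"b1": "alice", "b2": None},
}


def verify(allocate, deallocate, initial: Pool = INITIAL) -> Dict[str, List[str]]:
    """Apply every enabled operation to `initial` and check the materialized criterion
    on each transition; returns the violations found per transition."""
    results: Dict[str, List[str]] = {}
    for block, owner in initial["owner"].items():
        if owner is None:
            after = allocate(initial, block, "bob")
            results[f"allocate({block})"] = fdp_rip_1_1(initial, after, [block])
        else:
            after = deallocate(initial, block)
            results[f"deallocate({block})"] = fdp_rip_1_1(initial, after, [block])
    return results


if __name__ == "__main__":
    variants = {"unsafe": (allocate_unsafe, deallocate_unsafe),
                "secure": (allocate_secure, deallocate_secure)}
    for name, (alloc, dealloc) in variants.items():
        for op, bad in verify(alloc, dealloc).items():
            print(f"{name:6} {op:15} {'holds' if not bad else 'VIOLATED at ' + ', '.join(bad)}")
```

Running the module reports, for each variant, every byte of previous content that is still readable after the operation. The unsafe pool fails on both transitions (the freed secret stays in b1, and bob receives b2 with its stale bytes); the secure pool passes, which is the property the paper's template expresses once unavailability is pinned down for a concrete system.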
3. CONCLUDING REMARKS

In this paper, we have proposed a security specification verification technique based on the international standard ISO/IEC 15408. With this verification technique, one can verify whether or not specifications satisfy the criteria of ISO/IEC 15408. Verifiers do not need to make verification criteria from scratch. At least, specifications verified by the verification technique can be considered to be security specifications certified by ISO/IEC 15408. Moreover, since the criterion templates of ISO/IEC 15408 in Z are represented by first-order predicate logic, the verification technique may also be applied to other formal descriptions. We are considering how the templates can be used not only with Z but with all formal methods.

Since the technique is not suitable for verification of dynamic behavior in systems, we have tried to introduce model-checking to the technique [9]. When users use the technique, they must first select the required criteria and formalize target specifications. However, this is not so easy. Therefore, we have developed a database that stores dependencies between the required criteria and system categories and supports the selection of the required criteria [1]. Additionally, we have proposed a method which simplifies creation and formalization of security specifications [7] and have verified the specifications created using the method with the technique [8].

4. REFERENCES

[1] Advanced Information Systems Engineering Laboratory. Security Functional Requirement Management Database. Saitama University.
[2] Y. Bertot and P. Casteran. Interactive Theorem Proving and Program Development. Springer-Verlag, 2004.
[3] Common Criteria Org. Evaluated Product Files.
[4] ISO/IEC 13568 Standard. Information Technology - Z Formal Specification Notation - Syntax, Type System and Semantics. 2002.
[5] ISO/IEC 15408 Standard. Common Criteria for Information Technology Security Evaluation Version 2.2 Revision 256. 2004.
[6] ORA Canada. Z/EVES.
[7] S. Morimoto and J. Cheng. Patterning Protection Profiles by UML for Security Specifications. In Proc. of the IEEE 2005 International Conference on Intelligent Agents, Web Technology and Internet Commerce (IAWTIC'05), November 2005.
[8] S. Morimoto and J. Cheng. Modeling Protection Profiles by UML and their Formal Verification. IEICE Trans., Vol. J89-D, No. 4, April 2006 (in Japanese).
[9] S. Morimoto, S. Shigematsu, Y. Goto, and J. Cheng. A Security Specification Verification Technique Using Theorem Proving and Model Checking Based on the International Standard ISO/IEC 15408. In Proc. of the Second Symposium on Science and Technology for System Verification, pages 12-23, National Institute of Advanced Industrial Science and Technology, October 2005 (in Japanese).
[10] B. Potter, J. Sinclair, and D. Till. An Introduction to Formal Specification and Z, 2nd Edition. International Series in Computer Science, Prentice-Hall, 1996.