Formal methods in security engineering: where we've been, where we are, where we need to go
Proceedings of the 2007 ACM workshop on Formal methods in security engineering
Formal Verification by Reverse Synthesis
SAFECOMP '08 Proceedings of the 27th international conference on Computer Safety, Reliability, and Security
A formal security policy for Xenon
Proceedings of the 6th ACM workshop on Formal methods in security engineering
On the Role of Formal Methods in Software Certification: An Experience Report
Electronic Notes in Theoretical Computer Science (ENTCS)
Formal Methods in System Design
Trustable formal specification for software certification
ISoLA'10 Proceedings of the 4th international conference on Leveraging applications of formal methods, verification, and validation - Volume Part II
Supporting requirements engineers in recognising security issues
REFSQ'11 Proceedings of the 17th international working conference on Requirements engineering: foundation for software quality
Formal analysis of an electronic voting system: An experience report
Journal of Systems and Software
Critical systems development methodology using formal techniques
Proceedings of the Third Symposium on Information and Communication Technology
Idea: writing secure C programs with SecProve
ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Formal verification of information flow security for a simple ARM-based separation kernel
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
A major problem in verifying the security of code is that the code's large size makes it much too costly to verify in its entirety. This article describes a novel and practical approach to verifying the security of code which substantially reduces the cost of verification. In this approach, the security property of interest is represented formally and a compact security model, containing only the information needed to reason about the policy, is constructed. To reduce the cost of verification, the code to be verified is partitioned into three categories. Only the first category, less than 10% of the code, requires substantial effort to verify; the proof of the other two categories is relatively trivial. Our approach was developed to support a Common Criteria evaluation of the separation kernel of an embedded software system. This article describes 1) our techniques and theory for verifying the kernel code and 2) the artifacts produced: a Top Level Specification (TLS), a formal statement of the security property, a mechanized proof that the TLS satisfies the property, the partitioning of the code, and a demonstration that the code conforms to the TLS. The article also presents the formal argument that the kernel code conforms to the TLS and consequently satisfies the security property.