Classification, formalization and verification of security functional requirements

  • Authors: Shoichi Morimoto; Shinjiro Shigematsu; Yuichi Goto; Jingde Cheng
  • Affiliations: School of Industrial Technology, Advanced Institute of Industrial Technology, Shinagawa-ku, Tokyo, Japan (Morimoto); Department of Information and Computer Sciences, Saitama University, Saitama, Japan (Shigematsu, Goto, Cheng)
  • Venue: SOFSEM'08 Proceedings of the 34th conference on Current trends in theory and practice of computer science
  • Year: 2008

Abstract

This paper proposes a new hybrid method to formally verify whether the security specification of a target information system satisfies the security functional requirements defined in the ISO/IEC 15408 evaluation criteria for security (the Common Criteria). We first classify the security functional requirements of ISO/IEC 15408 into two classes: static requirements, concerning static properties of target systems, and dynamic requirements, concerning their dynamic behavior. We then formalize the static requirements in Z notation and the dynamic requirements in temporal logic, so that static properties can be verified by theorem proving and dynamic behavior by model checking. As a result, developers can use the method to verify whether the security specification of a target information system satisfies both the static and the dynamic security functional requirements of ISO/IEC 15408. The new method is an evolution and improvement of our earlier verification method, in which only Z notation was adopted and verifying the dynamic behavior of target systems was therefore difficult.
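The static/dynamic split described in the abstract can be illustrated without a Z toolkit or a model checker. The following is an added example written for this page, not the authors' formalization and not code from the paper: a constructed access-control specification (users with clearances, objects with labels) whose structural invariant is checked as a predicate over the specification data (standing in for a Z schema invariant discharged by theorem proving), and a constructed login/access state machine whose temporal safety property "an object is never read in a state where the subject is not authenticated" is checked by exhaustive explicit-state search (standing in for model checking of a temporal-logic formula). All names, levels, transitions and the `require_auth` switch are assumptions made for the example; the switch lets the same model be checked once with a flawed transition relation that returns a counterexample trace, and once with the corrected relation that returns none.

```python
from collections import deque

# Constructed specification data for the example (not from the paper).
LEVELS = {1, 2}
SPEC = {
    "users": {"alice": 2, "bob": 1},        # subject -> clearance
    "objects": {"payroll": 2, "memo": 1},   # object  -> sensitivity label
}


def static_violations(spec, levels=LEVELS):
    """Static half: an invariant over the specification's data, checked
    independently of any execution. Returns a list of violations; an empty
    list means the invariant holds for every user and object declared."""
    out = []
    for user, clearance in spec["users"].items():
        if clearance not in levels:
            out.append(f"user {user} has undeclared clearance {clearance}")
    for obj, label in spec["objects"].items():
        if label not in levels:
            out.append(f"object {obj} has undeclared label {label}")
    return out


# Dynamic half: a small transition system.
# State = (user, session_open, authenticated, object_read_in_last_step)
def successors(state, spec, require_auth):
    """Transition relation. With require_auth=False the read transition is
    enabled as soon as a session is open (the flaw the search should find);
    with require_auth=True a read additionally requires authentication."""
    user, session, authed, _ = state
    nxt = []
    if not session:
        nxt.append(("open_session", (user, True, False, None)))
        return nxt
    nxt.append(("close_session", (user, False, False, None)))
    if not authed:
        nxt.append(("authenticate", (user, True, True, None)))
    for obj, label in spec["objects"].items():
        cleared = spec["users"][user] >= label
        if cleared and (authed or not require_auth):
            nxt.append((f"read {obj}", (user, session, authed, obj)))
    return nxt


def find_violation(initial, succ, bad):
    """Breadth-first explicit-state search for a reachable state satisfying
    `bad`, i.e. a check of the safety property G(not bad). Returns the
    shortest action trace reaching such a state, or None if none exists."""
    parent = {initial: None}
    queue = deque([initial])
    while queue:
        s = queue.popleft()
        if bad(s):
            trace = []
            while parent[s] is not None:
                action, prev = parent[s]
                trace.append(action)
                s = prev
            return list(reversed(trace))
        for action, t in succ(s):
            if t not in parent:
                parent[t] = (action, s)
                queue.append(t)
    return None


def check_model(spec, require_auth, user="bob"):
    """Check 'read implies authenticated' on every reachable state from the
    initial state (no session, not authenticated, nothing read)."""
    initial = (user, False, False, None)
    bad = lambda s: s[3] is not None and not s[2]
    return find_violation(initial, lambda s: successors(s, spec, require_auth), bad)


if __name__ == "__main__":
    print("static invariant violations:", static_violations(SPEC))
    print("flawed model  :", check_model(SPEC, require_auth=False))
    print("corrected model:", check_model(SPEC, require_auth=True))
```

The two halves are deliberately independent: `static_violations` never looks at a transition, and `find_violation` never looks at the clearance table except through the transition relation, which is the same separation of concerns the abstract draws between requirements formalized in Z and requirements formalized in temporal logic. The search is exhaustive only because the constructed state space is finite and tiny; a real model checker handles the state explosion this naive breadth-first search would not.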