brucker:verifikation:2000
Report
Albert-Ludwigs-Universität Freiburg
Freiburg
2000
April
https://www.brucker.ch/bibliography/abstract/brucker-verifikation-2000
BruckerAchimD
Verifikation von Dividierern mit Word-Level-Decision-Diagrams
Late detection of design errors typically results in higher costs, therefore the importance of design verification and validation increases. This was especially shown in 1994 by the “Pentium bug”. Since then the effort put into the verification of arithmetic circuits, particularly division, has increased.\ In the area of the hardware verification decision diagrams are the most important data structures for the representation of boolean functions. However, in 1998 was shown that the representational power of any known decision diagram ist too weak to efficiently represent division.\ In this work a new approach for the verification of divider circuits is introduced, which by a transformation avoids the representation of the division operation as decision diagram. With this approach it was the first time possible to verify the nonrestoring division automatically only by the application of decision diagrams.
brucker.ea:case:2003
ArticleInAPeriodical
Amsterdam
Elsevier Science Publishers
2003
Electronic Notes in Theoretical Computer Science
80
https://www.brucker.ch/bibliography/abstract/brucker.ea-case-2003
https://doi.org/10.1016/S1571-0661(04)80807-7
24-40
BruckerAchimD
WolffBurkhart
A Case Study of a Formalized Security Architecture
CVS is a widely known version management system, which can be used for the distributed development of software as well as its distribution from a central database. In this paper, we provide an outline of a formal security analysis of a CVS-Server architecture performed in \citebrucker.ea:cvs-server:2002. The analysis is based on an abstract architecture (enforcing a role-based access control on the repository), which is refined to an implementation architecture (based on the usual discretionary access control provided by the POSIX environment). Both architectures serve as framework to formulate access control and confidentiality properties. Both the abstract as well as the concrete architecture are specified in the language Z. Based on a logical embedding of Z into Isabelle/HOL, we provide formal, machine-checked proofs for consistency properties of the specification, for the correctness of the refinement, and for some security properties. Thus, we present a case study for the security analysis of realistic models over an off-the-shelf system by formal machine-checked proofs.Proceedings of the Eighth International Workshop on Formal Methods for Industrial Critical Systems (FMICS’03)
brucker.ea:checking:2001
Report
Albert-Ludwigs-Universität Freiburg
2001
July
157
https://www.brucker.ch/bibliography/abstract/brucker.ea-checking-2001
BruckerAchimD
WolffBurkhart
Checking OCL Constraints in Distributed Systems Using J2EE/EJB
We present a pragmatic approach using formal methods to increase the quality of distributed component based systems: Based on UML class diagrams annotated with OCL constraints, code for runtime checking of components in J2EE/EJB is automatically generated. Thus, a UML–model for a component can be used in a black–box test for the component. Further we introduce different design patterns for EJBs, which are motivated by different levels of abstraction, and show that these patterns work smoothly together with our OCL constraint checking. A prototypic implementation of the code generator, supporting our design patterns with OCL support, has been integrated into a commercial software development tool.
brucker.ea:cvs-server:2002
BookSection
Augsburg
2002
July
FM-TOOLS 2002
https://www.brucker.ch/bibliography/abstract/brucker.ea-cvs-server-2002
47-52
BruckerAchimD
RittingerFrank
WolffBurkhart
HanebergDominik
SchellhornGerhard
ReifWolfgang
The CVS-Server Case Study: A Formalized Security Architecture
CVS is a widely known version management system. Configured in server mode, it can be used for the distributed development of software as well as its distribution from a central database called the repository. In this setting, a number of security mechanisms have to be integrated into the CVS-server architecture. We present an abstract formal model of the access control aspects of a CVS-server architecture enforcing a role-based access control on the data in the repository. This abstract architecture is refined to an implementation architecture, which represents (an abstraction of) a concrete CVS-server configuration running in a POSIX/UNIX environment. Both the abstract as well as the concrete architecture are specified in the language Z. The specification is compiled to HOL-Z, such that refinement proofs for this case study can be done in Isabelle/HOL.Available as Technical Report, University Augsburg, number 2002–11.
brucker.ea:cvs-server:2002-b
Report
Albert-Ludwigs-Universität Freiburg
2002
182
https://www.brucker.ch/bibliography/abstract/brucker.ea-cvs-server-2002-b
BruckerAchimD
RittingerFrank
WolffBurkhart
A CVS-Server Security Architecture — Concepts and Formal Analysis
We present a secure architecture of a CVS-server, its implementation (i.e. mainly its configuration) and its formal analysis. Our CVS-server is uses cvsauth, that provides protection of passwords and protection of some internal data of the CVS repository. In contrast to other (security oriented) CVS-architectures, our approach allows the CVS-server run on an open filesystem, i.e. a filesystem where users can have direct access both by CVS-commands and by standard UNIX/POSIX commands such as mv. For our secure architecture of the CVS-server, we provide a formal specification and security analysys. The latter is based on a refinement mapping high-level security requirements on the architecture on low-level security mechanisms on the UNIX/POSIX filesystem level. The purpose of the formal analysis of the secure CVS-server architecture is twofold: First, it is the bases for the specification of mutual security properties such as non-repudiation, authentication and access control for this architecture. Second, the mapping of the architecture on standard security implementation technology is described. Thus, our approach can be seen as a method to give a formal underpinning for the usually tricky business of system administrators.
brucker.ea:embedding:2003
BookSection
Heidelberg
Springer-Verlag
2003
Types for Proof and Programs
2646
https://www.brucker.ch/bibliography/abstract/brucker.ea-embedding-2003
https://doi.org/10.1007/3-540-39185-1_4
59-77
BruckerAchimD
WolffBurkhart
GeuversHerman
WiedijkFreek
Using Theory Morphisms for Implementing Formal Methods Tools
Tools for a specification language can be implemented directly (by building a special purpose theorem prover) or by a conservative embedding into a typed meta-logic, which allows their safe and logically consistent implementation and the reuse of existing theorem prover engines. For being useful, the conservative extension approach must provide derivations for several thousand “folklore” theorems. In this paper, we present an approach for deriving the mass of these theorems mechanically from an existing library of the meta-logic. The approach presupposes a structured theory morphism mapping library datatypes and library functions to new functions of the specification language while uniformly modifying some semantic properties; for example, new functions may have a different treatment of undefinedness compared to old ones.
brucker.ea:hol-ocl:2002
BookSection
Heidelberg
Springer-Verlag
2002
UML 2002: Model Engineering, Concepts and Tools
2460
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-ocl-2002
https://doi.org/10.1007/3-540-45800-X_17
196-211
BruckerAchimD
WolffBurkhart
JézéquelJean-Marc
HussmannHeinrich
CookStephen
HOL-OCL: Experiences, Consequences and Design Choices
Based on experiences gained from an embedding of the Object Constraint Language (OCL) in higher-order logic \citebrucker.ea:proposal:2002, we explore several key issues of the design of a formal semantics of the OCL. These issues comprise the question of the interpretation of invariants, pre- and postconditions, their transformation, an executable sub-language and the possibilities of refinement notions. A particular emphasize is put on the issue of mechanized deduction in UML/OCL specification.
brucker.ea:hol-z:2002
BookSection
Augsburg
2002
July
FM-TOOLS 2002
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-z-2002
33-38
BruckerAchimD
FriedrichStefan
RittingerFrank
WolffBurkhart
HanebergDominik
SchellhornGerhard
ReifWolfgang
HOL-Z 2.0: A Proof Environment for Z-Specifications
We present a proof environment for the specification language Z on top of Isabelle/HOL. It comprises a LaTeX-based front end (including the integrated type-checker ZETA), generic facilities to generate proof obligations and improved proof support for the logical embedding HOL-Z, namely for the schema-calculus and structural Z proofs.Available as Technical Report, University Augsburg, number 2002–11.
brucker.ea:hol-z:2003
ArticleInAPeriodical
2003
February
Journal of Universal Computer Science
9
2
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-z-2003
https://doi.org/10.3217/jucs-009-02-0152
152-172
BruckerAchimD
RittingerFrank
WolffBurkhart
HOL-Z 2.0: A Proof Environment for Z-Specifications
We present a new proof environment for the specification language Z. The basis is a semantic representation of Z in a structure-preserving, shallow embedding in Isabelle/HOL. On top of the embedding, new proof support for the Z schema calculus and for proof structuring are developed. Thus, we integrate Z into a well-known and trusted theorem prover with advanced deduction technology such as higher-order rewriting, tableaux-based provers and arithmetic decision procedures. A further achievement of this work is the integration of our embedding into a new tool-chain providing a Z-oriented type checker, documentation facilities and macro support for refinement proofs; as a result, the gap has been closed between a logical embedding proven correct and a tool suited for applications of non-trivial size.
brucker.ea:proposal:2002
BookSection
Heidelberg
Springer-Verlag
2002
Theorem Proving in Higher Order Logics (TPHOLs)
2410
https://www.brucker.ch/bibliography/abstract/brucker.ea-proposal-2002
https://doi.org/10.1007/3-540-45685-6_8
99-114
BruckerAchimD
WolffBurkhart
CarreñoVíctorA
MuñozCésarA
TaharSophiène
A Proposal for a Formal OCL Semantics in Isabelle/HOL
We present a formal semantics as a conservative shallow embedding of the Object Constraint Language (OCL). OCL is currently under development within an open standardization process within the OMG; our work is an attempt to accompany this process by a proposal solving open questions in a consistent way and exploring alternatives of the language design. Moreover, our encoding gives the foundation for tool supported reasoning over OCL specifications, for example as basis for test case generation.
brucker.ea:testing:2001
Proceedings
Wien
Österreichische Computer Gesellschaft
2001
November
Informatik 2001
1
157
https://www.brucker.ch/bibliography/abstract/brucker.ea-testing-2001
608-614
BruckerAchimD
WolffBurkhart
BauknechtK
BrauerW
MückTh.
Testing Distributed Component Based Systems Using UML/OCL
We present a pragmatic approach using formal methods to increase the quality of distributed component based systems: Based on UML class diagrams annotated with OCL constraints, code for runtime checking of components in J2EE/EJB is automatically generated. Thus, a UML–model for a component can be used in a black–box test for the component. Further we introduce different design patterns for EJBs, which are motivated by different levels of abstraction, and show that these patterns work smoothly together with our OCL constraint checking. A prototypic implementation of the code generator, supporting our patterns with OCL support, has been integrated into a commercial software development tool.
brucker.ea:note:2002
Report
Albert-Ludwigs-Universität Freiburg
2002
January
168
https://www.brucker.ch/bibliography/abstract/brucker.ea-note-2002
BruckerAchimD
WolffBurkhart
A Note on Design Decisions of a Formalization of the OCL
We compare several formal and informal approaches to define the semantics of the Object Constraint Language (OCL). This comparison reveals a number of minor and major design problems to be settled in upcoming versions of the OCL standard. We review these problems in the context of our work of providing a formal semantics of OCL through an conservative embedding in HOL using the Isabelle theorem prover.
brucker.ea:symbolic:2004
Report
ETH Zurich
2004
June
449
https://www.brucker.ch/bibliography/abstract/brucker.ea-symbolic-2004
BruckerAchimD
WolffBurkhart
Symbolic Test Case Generation for Primitive Recursive Functions
We present a method for the automatic generation of test cases for HOL formulae containing primitive recursive predicates. These test cases may be used for the animation of specifications as well as for black-box-testing of external programs. Our method is two-staged: first, the original formula is partitioned into test cases by transformation into a Horn-clause normal form (CNF). Second, the test cases are analyzed for ground instances satisfying the premises of the clauses. Particular emphasis is put on the control of test hypothesis’ and test hierarchies to avoid intractability. We applied our method to several examples, including AVL-trees and the red-black implementation in the standard library from SML/NJ.
brucker.ea:symbolic:2005
BookSection
Heidelberg
Springer-Verlag
2004
Formal Approaches to Testing of Software
3395
https://www.brucker.ch/bibliography/abstract/brucker.ea-symbolic-2005
https://doi.org/10.1007/b106767
16-32
BruckerAchimD
WolffBurkhart
GrabowskiJens
NielsenBrian
Symbolic Test Case Generation for Primitive Recursive Functions
We present a method for the automatic generation of test cases for HOL formulae containing primitive recursive predicates. These test cases can be used for the animation of specifications as well as for black-box testing of external programs. Our method is two-staged: first, the original formula is partitioned into test cases by transformation into a Horn-clause normal form (HCNF). Second, the test cases are analyzed for instances with constant terms satisfying the premises of the clauses. Particular emphasis is put on the control of test hypotheses and test hierarchies to avoid intractability. We applied our method to several examples, including AVL-trees and the red-black tree implementation in the standard library from SML/NJ.
brucker.ea:verification:2005
ArticleInAPeriodical
Heidelberg
Springer-Verlag
2005
International Journal on Software Tools for Technology (STTT)
7
3
https://www.brucker.ch/bibliography/abstract/brucker.ea-verification-2005
https://doi.org/10.1007/s10009-004-0176-3
233-247
BruckerAchimD
WolffBurkhart
A Verification Approach for Applied System Security
We present a method for the security analysis of realistic models over off-the-shelf systems and their configuration by formal, machine-checked proofs. The presentation follows a large case study based on a formal security analysis of a CVS-Server architecture. The analysis is based on an abstract architecture (enforcing a role-based access control), which is refined to an implementation architecture (based on the usual discretionary access control provided by the \posix environment). Both architectures serve as a skeleton to formulate access control and confidentiality properties. Both the abstract and the implementation architecture are specified in the language Z. Based on a logical embedding of Z into Isabelle/HOL, we provide formal, machine-checked proofs for consistency properties of the specification, for the correctness of the refinement, and for security properties.
brucker.ea:hol-testgen:2005
Report
ETH Zurich
2005
April
482
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2005
BruckerAchimD
WolffBurkhart
HOL-TestGen 1.0.0 User Guide
brucker.ea:hol-testgen:2010
Report
ETH Zurich
2010
April
670
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2010
BruckerAchimD
BrüggerLukas
KriegerMatthiasP
WolffBurkhart
HOL-TestGen 1.5.0 User Guide
brucker.ea:hol-testgen:2012
Report
Laboratoire en Recherche en Informatique (LRI), Université Paris-Sud 11, France
2012
April
1551
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2012
BruckerAchimD
BrüggerLukas
KriegerMatthiasP
WolffBurkhart
HOL-TestGen 1.7.0 User Guide
brucker.ea:interactive:2005
BookSection
Heidelberg
Springer-Verlag
2005
Formal Approaches to Testing of Software
3997
https://www.brucker.ch/bibliography/abstract/brucker.ea-interactive-2005
https://doi.org/10.1007/11759744_7
BruckerAchimD
WolffBurkhart
GrieskampWolfgang
WeiseCarsten
Interactive Testing using HOL-TestGen
HOL-TestGen is a test environment for specification-based unit testing build upon the proof assistant Isabelle/HOL\@. While there is considerable skepticism with regard to interactive theorem provers in testing communities, we argue that they are a natural choice for (automated) symbolic computations underlying systematic tests. This holds in particular for the development on non-trivial formal test plans of complex software, where some parts of the overall activity require inherently guidance by a test engineer. In this paper, we present the underlying methods for both black box and white box testing in interactive unit test scenarios. HOL-TestGen can also be understood as a unifying technical and conceptual framework for presenting and investigating the variety of unit test techniques in a logically consistent way.
brucker.ea:transformation:2006
BookSection
Heidelberg
Springer-Verlag
2006
MoDELS 2006: Model Driven Engineering Languages and Systems
4199
https://www.brucker.ch/bibliography/abstract/brucker.ea-transformation-2006
https://doi.org/10.1007/11880240_22
306-320
BruckerAchimD
DoserJürgen
WolffBurkhart
NierstraszOscar
WhittleJon
HarelDavid
ReggioGianna
A Model Transformation Semantics and Analysis Methodology for SecureUML
SecureUML is a security modeling language for formalizing access control requirements in a declarative way. It is equipped with a \UML notation in terms of a \UML profile, and can be combined with arbitrary design modeling languages. We present a semantics for SecureUML in terms of a model transformation to standard UML/OCL. The transformation scheme is used as part of an implementation of a tool chain ranging from front-end visual modeling tools over code-generators to the interactive theorem proving environment \holocl. The methodological consequences for an analysis of the generated ØCL formulae are discussed.An extended version of this paper is available as ETH Technical Report, no. 524.
brucker.ea:transformation:2006-b
Report
ETH Zurich
2006
524
https://www.brucker.ch/bibliography/abstract/brucker.ea-transformation-2006-b
BruckerAchimD
DoserJürgen
WolffBurkhart
A Model Transformation Semantics and Analysis Methodology for SecureUML
SecureUML is a security modeling language for formalizing access control requirements in a declarative way. It is equipped with a \UML notation in terms of a \UML profile, and can be combined with arbitrary design modeling languages. We present a semantics for SecureUML in terms of a model transformation to standard UML/OCL. The transformation scheme is used as part of an implementation of a tool chain ranging from front-end visual modeling tools over code-generators to the interactive theorem proving environment \holocl. The methodological consequences for an analysis of the generated ØCL formulae are discussed.
brucker.ea:package:2006
BookSection
Seattle, USA
2006
August
International Workshop on Software Verification and Validation (SVV 2006)
https://www.brucker.ch/bibliography/abstract/brucker.ea-package-2006
BruckerAchimD
WolffBurkhart
RoychoudhuryAbhik
YangZijiang
A Package for Extensible Object-Oriented Data Models with an Application to IMP++
We present a datatype package that enables the use of shallow embedding technique to object-oriented specification and programming languages. The package incrementally compiles an object-oriented data model to a theory containing object-universes, constructors, and accessor functions, coercions between dynamic and static types, characteristic sets, their relations reflecting inheritance, and the necessary class invariants. The package is conservative, i.e., all properties are derived entirely from axiomatic definitions. As an application, we use the package for an object-oriented core-language called \IMPOO, for which correctness of a Hoare logic with respect to an operational semantics is proven.
brucker.ea:hol-ocl-book:2006
Report
ETH Zurich
2006
525
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-ocl-book-2006
BruckerAchimD
WolffBurkhart
The HOL-OCL Book
HOL-OCL is an interactive proof environment for the Object Constraint Language (OCL). It is implemented as a shallow embedding of OCL into the Higher-order Logic (HOL) instance of the interactive theorem prover Isabelle. HOL-OCL defines a machine-checked formalization of the semantics as described in the standard for OCL 2.0. This conservative, shallow embedding of UML/OCL into Isabelle/HOL includes support for typed, extensible UML data models supporting inheritance and subtyping inside the typed lambda-calculus with parametric polymorphism. As a consequence of conservativity with respect to higher-order logic (HOL), we can guarantee the consistency of the semantic model. Moreover, HOL-OCL provides several derived calculi for UML/OCL that allow for formal derivations establishing the validity of UML/OCL formulae. Elementary automated support for such proofs is also provided top
brucker.ea:test-sequence:2007
BookSection
Heidelberg
Springer-Verlag
2007
TAP 2007: Tests And Proofs
4454
https://www.brucker.ch/bibliography/abstract/brucker.ea-test-sequence-2007
https://doi.org/10.1007/978-3-540-73770-4_9
149-168
BruckerAchimD
WolffBurkhart
MeyerBertrand
GurevichYuri
Test-Sequence Generation with HOL-TestGen – With an Application to Firewall Testing
HOL-TestGen is a specification and test-case generation environment extending the interactive theorem prover Isabelle/HOL. Its method is two-staged: first, the original formula is partitioned into test cases by transformation into a normal form. Second, the test cases are analyzed for ground instances (the test data) satisfying the constraints of the test cases. Particular emphasis is put on the control of explicit test hypotheses which can be proven over concrete programs. Although originally designed for black-box unit-tests, HOL-TestGen’s underlying logic and deduction engine is powerful enough to be used in test-sequence generation, too. We develop the theory for test-sequence generation with HOL-TestGen and describe its use in a substantial case-study in the field of computer security, namely the black-box test of configured firewalls.
krieger.ea:objective-functions:2011
ArticleInAPeriodical
2011
Electronic Communications of the EASST
44
https://www.brucker.ch/bibliography/abstract/krieger.ea-objective-functions-2011
https://doi.org/10.14279/tuj.eceasst.44.662
KriegerMatthiasP
BruckerAchimD
Extending OCL Operation Contracts with Objective Functions
We explore the potential of adding objective functions to OCL operation contracts. If an operation contract includes an objective function, the operation has the obligation to yield results that make the objective function assume an optimal value. Thus, an objective function expresses a preference among the possible operation results that conform to the postconditions of the operation contract and any class invariants. Objective functions strictly increase the expressiveness of OCL operation contracts. While objective functions arise naturally in application domains like operations research, we argue that objective functions are a useful general-purpose specification instrument and discuss several application examples. As tool support for operation contracts with objective functions, we present an animator for OCL operation contracts with optimization capabilities. We ensure tool interoperability by specifying objective functions in a UML profile.
wahler.ea:model-driven:2006-b
ArticleInAPeriodical
2006
Electronic Communications of the EASST
5
https://www.brucker.ch/bibliography/abstract/wahler.ea-model-driven-2006-b
https://doi.org/10.14279/tuj.eceasst.5.44
WahlerMichael
KoehlerJana
BruckerAchimD
Model-Driven Constraint Engineering
A high level of detail and well-formedness of models have become crucial ingredients in model-driven development. Constraints play a central role in model precision and validity. However, the task of constraint development is time-consuming and error-prone because constraints can be arbitrarily complex in real-world models.To overcome this problem, we propose a solution that we call model-driven constraint engineering. In our solution, we define constraint patterns, add structure and develop a taxonomy for them. The constraint patterns integrate into the UML meta-model. These computation-independent, parameterized patterns are transformed into platform-independent constraints by a model transformation. In addition, we show how our approach can be supported by a tool.
brucker.ea:mda:2006-b
ArticleInAPeriodical
2006
Electronic Communications of the EASST
5
https://www.brucker.ch/bibliography/abstract/brucker.ea-mda-2006-b
https://doi.org/10.14279/tuj.eceasst.5.45
BruckerAchimD
DoserJürgen
WolffBurkhart
An MDA Framework Supporting OCL
We present an MDA framework, developed in the functional programming language SML, that tries to bridge the gap between formal software development and the needs of industrial software development, e.g., code generation. Overall, our tool-chain provides support for software modeling using UML/OCL and guides the user from type-checking and model transformations to code generation and formal analysis of the UML/OCL model. We conclude with a report on our experiences in using a functional language for implementing MDA tools.
brucker.ea:semantic:2006-b
ArticleInAPeriodical
2006
Electronic Communications of the EASST
5
https://www.brucker.ch/bibliography/abstract/brucker.ea-semantic-2006-b
https://doi.org/http://dx.doi.org/10.14279/tuj.eceasst.5.46
BruckerAchimD
DoserJürgen
WolffBurkhart
Semantic Issues of OCL: Past, Present, and Future
We report on the results of a long-term project to formalize the semantics of OCL 2.0 in Higher-order Logic (HOL). The ultimate goal of the project is to provide a formalized, machine-checked semantic basis for a theorem proving environment for OCL (as an example for an object-oriented specification formalism) which is as faithful as possible to the original informal semantics. We report on various (minor) inconsistencies of the OCL semantics, discuss the more recent attempt to align the OCL semantics with UML 2.0 and suggest several extensions which make, in our view, OCL semantics more fit for future extensions towards programming-like verifications and specification refinement, which are, in our view, necessary to make OCL more fit for future extensions.
brucker:interactive:2007
Report
ETH Zurich
2007
March
https://www.brucker.ch/bibliography/abstract/brucker-interactive-2007
BruckerAchimD
An Interactive Proof Environment for Object-oriented Specifications
We present a semantic framework for object-oriented specification languages. We develop this framework as a conservative shallow embedding in Isabelle/HOL. Using only conservative extensions guarantees by construction the consistency of our formalization. Moreover, we show how our framework can be used to build an interactive proof environment, called HOL-OCL, for object-oriented specifications in general and for UML/OCL in particular. Our main contributions are an extensible encoding of object-oriented data structures in HOL, a datatype package for object-oriented specifications, and the development of several equational and tableaux calculi for object-oriented specifications. Further, we show that our formal framework can be the basis of a formal machine-checked semantics for OCL that is compliant to the OCL 2.0 standard.ETH Dissertation No. 17097.
brucker.ea:metamodel:2007
BookSection
Nashville, USA
2007
October
4th International Workshop on Software Language Engineering (ATEM 2007)
https://www.brucker.ch/bibliography/abstract/brucker.ea-metamodel-2007
BruckerAchimD
DoserJürgen
FavreJeanMarie
GasevicDragan
LämmelRalf
WinterAndreas
Metamodel-based UML Notations for Domain-specific Languages
We present a metamodel-based approach for specifying UML notations for domain-specific modeling languages. Traditionally, domain specific languages are either defined by UML profiles or using metamodels. We provide a generic integration of these two methods supporting arbitrary UML profiles and metamodels. Our approach provides a bi-directional mapping between the UML notation and the metamodel of the domain specific language. We use OCL constraints that are embedded into the metamodel, for describing the mapping between the UML notation and the metamodel. Moreover, we describe an implementation, as ArgoUML-plugin, for arbitrary SecureUML dialects.
brucker.ea:hol-ocl:2008
BookSection
Heidelberg
Springer-Verlag
2008
Fundamental Approaches to Software Engineering (FASE08)
4961
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-ocl-2008
https://doi.org/10.1007/978-3-540-78743-3_8
97-100
BruckerAchimD
WolffBurkhart
FiadeiroJosé
InverardiPaola
HOL-OCL – A Formal Proof Environment for UML/OCL
We present the theorem proving environment HOL-OCL that is integrated in a MDE framework. HOL-OCL allows to reason over UMLclass models annotated with OCL specifications. Thus, HOL-OCL strengthens a crucial part of the UML to an object-oriented formal method. HOL-OCL provides several derived proof calculi that allow for formal derivations establishing the validity of UML/OCL formulae. These formulae arise naturally when checking the consistency of class models, when formally refining abstract models to more concrete ones or when discharging side-conditions from model-transformations.
brucker.ea:verifying:2008
ArticleInAPeriodical
Amsterdam
Elsevier Science Publishers
2008
Electronic Notes in Theoretical Computer Science
220
1
https://www.brucker.ch/bibliography/abstract/brucker.ea-verifying-2008
https://doi.org/10.1016/j.entcs.2008.11.003
15-27
BruckerAchimD
BrüggerLukas
WolffBurkhart
Verifying Test-Hypotheses: An Experiment in Test and Proof
HOL-TestGen is a specification and test case generation environment extending the interactive theorem prover Isabelle/HOL. The HOL-TestGen method is two-staged: first, the original formula, called test specification, is partitioned into test cases by transformation into a normal form called test theorem. Second, the test cases are analyzed for ground instances (the test data) satisfying the constraints of the test cases. Particular emphasis is put on the control of explicit test hypotheses which can be proven over concrete programs. As such, explicit test hypotheses establish a logical link between validation by test and by proof. Since HOL-TestGen generates explicit test hypotheses and makes them amenable to formal proof, the system is in a unique position to explore the relations between them at an example.Proceedings of the Fourth Workshop on Model Based Testing (MBT 2008)
brucker.ea:extensible:2008
BookSection
Heidelberg
Springer-Verlag
2008
ECOOP 2008 – Object-Oriented Programming
5142
https://www.brucker.ch/bibliography/abstract/brucker.ea-extensible-2008
https://doi.org/10.1007/978-3-540-70592-5_19
438-462
BruckerAchimD
WolffBurkhart
VitekJan
Extensible Universes for Object-oriented Data Models
We present a datatype package that enables the shallow embedding technique to object-oriented specification and programming languages. The package incrementally compiles an object-oriented data model to a theory containing object-universes, constructors, and accessors functions, coercions between dynamic and static types, characteristic sets, their relations reflecting inheritance, and the necessary class invariants. The package is conservative, i.e., all properties are derived entirely from axiomatic definitions. As an application, we use the package for an object-oriented core-language called IMP++, for which correctness of a Hoare-Logic with respect to an operational semantics is proven.
brucker.ea:model-based:2008
BookSection
Heidelberg
Springer-Verlag
2008
Testcom/FATES 2008
5047
https://www.brucker.ch/bibliography/abstract/brucker.ea-model-based-2008
https://doi.org/10.1007/978-3-540-68524-1_9
103-118
BruckerAchimD
BrüggerLukas
WolffBurkhart
SuzukiKenji
HigashinoTeruo
Model-based Firewall Conformance Testing
Firewalls are a cornerstone of todays security infrastructure for networks. Their configuration, implementing a firewall policy, is inherently complex, hard to understand, and difficult to validate. We present a substantial case study performed with the model-based testing tool HOL-TestGen. Based on a formal model of firewalls and their policies in HOL, we first present a derived theory for simplifying policies. We discuss different test plans for test specifications. Finally, we show how to integrate these issues to a domain-specific firewall testing tool HOL-TestGen/FW.
brucker.ea:extensible:2008-b
ArticleInAPeriodical
Heidelberg
Springer-Verlag
2008
Journal of Automated Reasoning
41
3
https://www.brucker.ch/bibliography/abstract/brucker.ea-extensible-2008-b
https://doi.org/10.1007/s10817-008-9108-3
219-249
BruckerAchimD
WolffBurkhart
An Extensible Encoding of Object-oriented Data Models in HOL
We present an extensible encoding of object-oriented data models into HOL. Our encoding is supported by a datatype package that leverages the use of the shallow embedding technique to object-oriented specification and programming languages. The package incrementally compiles an object-oriented data model, i.e., a class model, to a theory containing object-universes, constructors, accessor functions, coercions (casts) between dynamic and static types, characteristic sets, and co-inductive class invariants. The package is conservative, i.e., all properties are derived entirely from constant definitions, including the constraints over object structures. As an application, we use the package for an object-oriented core-language called IMP++, for which we formally prove the correctness of a Hoare-Logic with respect to a denotational semantics.
wahler.ea:efficient:2010
ArticleInAPeriodical
Heidelberg
Springer-Verlag
2010
April
Software and Systems Modeling
9
2
https://www.brucker.ch/bibliography/abstract/wahler.ea-efficient-2010
https://doi.org/10.1007/s10270-009-0123-6
225-255
WahlerMichael
BasinDavid
BruckerAchimD
KoehlerJana
Efficient Analysis of Pattern-Based Constraint Specifications
Precision and consistency are important prerequisites for class models to conform to their intended domain semantics. Precision can be achieved by augmenting models with design constraints and consistency can be achieved by avoiding contradictory constraints. However, there are different views of what constitutes a contradiction for design constraints. Moreover, state-of-the-art analysis approaches for proving constrained models consistent either scale poorly or require the use of interactive theorem proving. In this paper, we present a heuristic approach for efficiently analyzing constraint specifications built from constraint patterns. This analysis is based on precise notions of consistency for constrained class models and exploits the semantic properties of constraint patterns, thereby enabling syntax-based consistency checking in polynomial-time. We introduce a consistency checker implementing these ideas and we report on case studies in applying our approach to analyze industrial-scale models. These studies show that pattern-based constraint development supports the creation of concise specifications and provides immediate feedback on model consistency.
brucker.ea:semantics:2009
ArticleInAPeriodical
Heidelberg
Springer-Verlag
2009
July
Acta Informatica
46
4
https://www.brucker.ch/bibliography/abstract/brucker.ea-semantics-2009
https://doi.org/10.1007/s00236-009-0093-8
255-284
BruckerAchimD
WolffBurkhart
Semantics, Calculi, and Analysis for Object-oriented Specifications
We present a formal semantics for an object-oriented specification language. The formal semantics is presented as a conservative shallow embedding in Isabelle/HOL and the language is oriented towards OCL formulae in the context of UML class diagrams. On this basis, we formally derive several equational and tableaux calculi, which form the basis of an integrated proof environment including automatic proof support and support for the analysis of this type of specifications. We show applications of our proof environment to data refinement based on an adapted standard refinement notion. Thus, we provide an integrated formal method for refinement-based object-oriented development.
brucker.ea:hol-testgen:2009
BookSection
Heidelberg
Springer-Verlag
2009
Fundamental Approaches to Software Engineering (FASE09)
5503
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2009
https://doi.org/10.1007/978-3-642-00593-0_28
417-420
BruckerAchimD
WolffBurkhart
ChechikMarsha
WirsingMartin
HOL-TestGen: An Interactive Test-case Generation Framework
We present HOL-TestGen, an extensible test environment for specification-based testing build upon the proof assistant Isabelle. HOL-TestGen leverages the semi-automated generation of test theorems (a form of a partition), and their refinement to concrete test data, as well as the automatic generation of a test driver for the execution and test result verification. HOL-TestGen can also be understood as a unifying technical and conceptual framework for presenting and investigating the variety of unit and sequence test techniques in a logically consistent way.
brucker.ea:extending:2009
BookSection
New York, NY, USA
ACM Press
2009
ACM symposium on access control models and technologies (SACMAT)
https://www.brucker.ch/bibliography/abstract/brucker.ea-extending-2009
https://doi.org/10.1145/1542207.1542239
197-206
BruckerAchimD
PetritschHelmut
CarminatiBarbara
JoshiJames
Extending Access Control Models with Break-glass
Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed. Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems’ access control enforcement architecture. We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
brucker.ea:delegation:2009
Proceedings
Los Alamitos, CA, USA
IEEE Computer Society
2009
July
IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY)
https://www.brucker.ch/bibliography/abstract/brucker.ea-delegation-2009
https://doi.org/10.1109/POLICY.2009.35
84-91
BruckerAchimD
PetritschHelmut
SchaadAndreas
Delegation Assistance
Today’s IT systems typically comprise a fine-grained access control mechanism based on complex policies. The strict enforcement of these policies, at runtime, always contains the risk of hindering people in their regular work. An efficient support for assisted delegation can help in resolving the conflict between too tight access control and the required flexibility as well as support the resolution of conflicts. Here, assisted delegation means that, additional to denying the access, a user is informed about a list of users that could either grant him access to the requested resource or which could execute this task in behalf of the user. In this paper, we present an approach for determining a set of users which are able to resolve an access control conflict. This set is based on various information sources and are ordered with respect to different distance functions. We show that one distance function can be used to serve different types of contextual input, e. g., role hierarchies, geospatial information as well as shared business object structure data or social network graphs.
brucker.ea:modellierung:2009
ArticleInAPeriodical
Hannover, Germany
Heise Zeitschriften Verlag
2009
March
iX
3
https://www.brucker.ch/bibliography/abstract/brucker.ea-modellierung-2009
118-121
BruckerAchimD
SchaadAndreas
WolterChristian
Prozessmodellierung: Einbinden von Sicherheitsregeln in Geschäftsprozesse
An updated version of this article was published in the \glqq iX special – Sicher im Netz\grqq (October 2010).
brucker.ea:modellierung:2010
ArticleInAPeriodical
Hannover, Germany
Heise Zeitschriften Verlag
2010
October
iX special – Sicher im Netz
3
https://www.brucker.ch/bibliography/abstract/brucker.ea-modellierung-2010
152-155
BruckerAchimD
SchaadAndreas
WolterChristian
Prozessmodellierung: Einbinden von Sicherheitsregeln in Geschäftsprozesse
kohler.ea:proactive:2009
BookSection
Los Alamitos, CA, USA
IEEE Computer Society
2009
August
International Conference on Computational Science and Engineering (CSE)
3
https://www.brucker.ch/bibliography/abstract/kohler.ea-proactive-2009
https://doi.org/10.1109/CSE.2009.177
207-304
KohlerMathias
BruckerAchimD
SchaadAndreas
ProActive Caching: Generating Caching Heuristics for Business Process Environments
Today’s complex and multi-layered enterprise systems demand fine-grained access control mechanisms supporting dynamic security policies for large and distributed repositories. Thus, the efficient evaluation of security policies becomes an important factor for the overall system performance, specifically with respect to systems with a high degree of user interaction like workflow systems. Caching approaches may help to address this situation. We propose ProActive Caching, a two-phased caching approach: in an offline phase, we automatically determine a workflow-specific heuristic for pre-computing cache entries. In an online phase, we use the previously determined heuristic for the cache management. The latter includes also the pre-computation of cache entries which already provides a performance improvement while evaluating a policy object for the first time. In this paper, we present a method for the automatic generation of a workflow specific caching heuristic, i.e., the offline phase.
brucker.ea:integrating:2009
BookSection
Heidelberg
Springer-Verlag
2009
Workshop on Formal Aspects in Security and Trust (FAST 2009)
5983
https://www.brucker.ch/bibliography/abstract/brucker.ea-integrating-2009
https://doi.org/10.1007/978-3-642-12459-4_18
248-262
BruckerAchimD
MödersheimSebastianA
DeganoPierpaolo
GuttmanJoshua
Integrating Automated and Interactive Protocol Verification
A number of current automated protocol verification tools are based on abstract interpretation techniques and other over-approximations of the set of reachable states or traces. The protocol models that these tools employ are shaped by the needs of automated verification and require subtle assumptions. Also, a complex verification tool may suffer from implementation bugs so that in the worst case the tool could accept some incorrect protocols as being correct. These risks of errors are also present, but considerably smaller, when using an LCF-style theorem prover like Isabelle. The interactive security proof, however, requires a lot of expertise and time. We combine the advantages of both worlds by using the representation of the over-approx\-imated search space computed by the automated tools as a “proof idea” in Isabelle. Thus, we devise proof tactics for Isabelle that generate the correctness proof of the protocol from the output of the automated tools. In the worst case, these tactics fail to construct a proof, namely when the representation of the search space is for some reason incorrect. However, when they succeed, the correctness only relies on the basic model and the Isabelle core.An extended version of this paper is available as IBM Research Technical Report, RZ3750.
brucker.ea:integrating:2009-b
Report
IBM Research Zurich
2009
RZ3750
https://www.brucker.ch/bibliography/abstract/brucker.ea-integrating-2009-b
BruckerAchimD
MödersheimSebastianA
Integrating Automated and Interactive Protocol Verification (Extended Version)
A number of current automated protocol verification tools are based on abstract interpretation techniques and other over-approximations of the set of reachable states or traces. The protocol models that these tools employ are shaped by the needs of automated verification and require subtle assumptions. Also, a complex verification tool may suffer from implementation bugs so that in the worst case the tool could accept some incorrect protocols as being correct. These risks of errors are also present, but considerably smaller, when using an LCF-style theorem prover like Isabelle. The interactive security proof, however, requires a lot of expertise and time. We combine the advantages of both worlds by using the representation of the over-approx\-imated search space computed by the automated tools as a “proof idea” in Isabelle. Thus, we devise proof tactics for Isabelle that generate the correctness proof of the protocol from the output of the automated tools. In the worst case, these tactics fail to construct a proof, namely when the representation of the search space is for some reason incorrect. However, when they succeed, the correctness only relies on the basic model and the Isabelle core.
brucker.ea:ocl-null:2009
BookSection
Heidelberg
Springer-Verlag
2009
Models in Software Engineering
6002
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-null-2009
https://doi.org/10.1007/978-3-642-12261-3_25
261-275
BruckerAchimD
KriegerMatthiasP
WolffBurkhart
GoshSudipto
Extending OCL with Null-References
From its beginnings, OCL is based on a strict semantics for undefinedness, with the exception of the logical connectives of type Boolean that constitute a three-valued propositional logic. Recent versions of the OCL standard added a second exception element, which, similar to the null references in object-oriented programming languages, is given a non-strict semantics. Unfortunately, this extension has been done in an ad hoc manner, which results in several inconsistencies and contradictions. In this paper, we present a consistent formal semantics (based on our HOL-OCL approach) that includes such a non-strict exception element. We discuss the possible consequences concerning class diagram semantics as well as deduction rules. The benefits of our approach for the specification-pragmatics of design level operation contracts are demonstrated with a small case-study.Selected best papers from all satellite events of the MoDELS 2009 conference.
brucker.ea:efficient:2010
BookSection
Heidelberg
Springer-Verlag
2010
International Symposium on Engineering Secure Software and Systems (ESSoS)
5965
https://www.brucker.ch/bibliography/abstract/brucker.ea-efficient-2010
https://doi.org/10.1007/978-3-642-11747-3_12
157-165
BruckerAchimD
PetritschHelmut
MassacciF
WallachD
ZannoneN
Idea: Efficient Evaluation of Access Control Constraints
Business requirements for modern enterprise systems usually comprise a variety of dynamic constraints, i.e., constraints that require a complex set of context information only available at runtime. Thus, the efficient evaluation of dynamic constraints, e.g., expressing separation of duties requirements, becomes an important factor for the overall performance of the access control enforcement. Especially in highly distributed systems, e.g., systems based on the service-oriented architecture (SOA) paradigm, the time for evaluating access control constraints depends significantly on the protocol between the central policy decision point (PDP) and the distributed policy enforcement points (PEP). In this paper, we present an policy-driven approach for generating customized protocol for the communication between the PDP and the pep. Moreover, we provide a detailed comparison of several approaches for querying context information during the evaluation of access control constraints.
brucker.ea:information:2010
BookSection
Los Alamitos, CA, USA
IEEE Computer Society
2010
International Conference on Availability, Reliability and Security (ARES)
https://www.brucker.ch/bibliography/abstract/brucker.ea-information-2010
https://doi.org/10.1109/ARES.2010.107
156-163
BruckerAchimD
HutterDieter
Information Flow in Disaster Management Systems
Collaborations between organizations in the public sector, e.g., fire brigades, polices, military units, is often done via liaison officers. A liaison officer liaises between two organizations by providing a single point of contact and ensuring the efficient communication and coordination of their activities. Usually an organization embeds a liaison officer in another organization to provide face-to-face coordination. Liaison officers demand special requirements to the security mechanism of the IT infrastructure of the organization that act as host for a liaison officer. This holds, in particular, for Disaster Management Information Systems (DMIS). Such systems need, on the one hand, to support various ways of communication in a flexible and ad hoc manner. On the other hand, these systems need to protect, by law, the leakage of sensitive data. In this paper, we present a novel mechanism, based on role-based access control (RBAC), for supporting the flexible and secure information exchange between organizations using liaison officers. Our mechanism enables liaison officers to decide on their own authority which information they wants share with their home organizations while allowing the host organization to limit the access of liaisons officers to their system in a fine-grained manner.
brucker.ea:firewall:2010
BookSection
Los Alamitos, CA, USA
IEEE Computer Society
2010
Third International Conference on Software Testing, Verification, and Validation (ICST)
https://www.brucker.ch/bibliography/abstract/brucker.ea-firewall-2010
https://doi.org/10.1109/ICST.2010.50
345-354
BruckerAchimD
BrüggerLukas
KearneyPaul
WolffBurkhart
Verified Firewall Policy Transformations for Test-Case Generation
We present an optimization technique for model-based generation of test cases for firewalls. Based on a formal model for firewall policies in higher-order logic, we derive a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage. The correctness of the rules and the algorithm is established by formal proofs in Isabelle/HOL. Finally, we use the normalized policies to generate test cases with the domain-specific firewall testing tool HOL-TestGen/FW. The resulting procedure is characterized by a gain in efficiency of two orders of magnitude and can handle configurations with hundreds of rules as occur in practice. Our approach can be seen as an instance of a methodology to tame inherent state-space explosions in test case generation for security policies.
brucker.ea:attribute-based:2010
BookSection
Heidelberg
Springer-Verlag
2010
Workshop In Information Security Theory And Practice (WISTP)
6033
https://www.brucker.ch/bibliography/abstract/brucker.ea-attribute-based-2010
https://doi.org/10.1007/978-3-642-12368-9_18
237-244
BruckerAchimD
PetritschHelmut
WeberStefanG
SamaratiPierangela
TunstallMichael
PoseggaJoachim
Attribute-based Encryption with Break-glass
Attribute-based Encryption (ABE) allows for implementing fine-grained decentralized access control based on properties or attributes a user has. Thus, there is no need for writing detailed, user-based policies in advance. This makes ABE in particular interesting for implementing se- curity mechanisms in dynamic environments such as ubiquitous comput- ing, disaster management, or health-care. For supporting the latter two application areas, common ABE approaches lack one important feature: break-glass, i. e., the controlled overruling of access control restrictions. In this paper we present an integration of break-glass into an approach for end-to-end secure information sharing using ABE techniques.
altenhofen.ea:issues:2010
BookSection
Heidelberg
Springer-Verlag
2010
International Workshop on Formal Methods for Industrial Critical Systems (FMICS)
6371
https://www.brucker.ch/bibliography/abstract/altenhofen.ea-issues-2010
https://doi.org/10.1007/978-3-642-15898-8_2
17-32
AltenhofenMichael
BruckerAchimD
KowalewskiStefan
RoveriMarco
Practical Issues with Formal Specifications: Lessons Learned from an Industrial Case Study
Many software companies still seem to be reluctant to use formal specifications in their development processes. Nevertheless, the trend towards implementing critical business applications in distributed environments makes such applications an attractive target for formal methods. Additionally, the rising complexity also increases the willingness of the development teams to apply formal techniques. In this paper, we report on our experiences in formally specifying several core components of one of our commercially available products. While writing the formal specification, we experienced several issues that had a noticeable consequences on our work. While most of these issues can be attributed to the specific method and tools we have used, we do consider some of the problems as more general, impeding the practical application of formal methods, especially by non-experts, in large scale industrial development.
kohler.ea:caching:2010
BookSection
New York, NY, USA
ACM Press
2010
International Workshop on Security Measurements and Metrics (MetriSec)
https://www.brucker.ch/bibliography/abstract/kohler.ea-caching-2010
https://doi.org/10.1145/1853919.1853930
1-8
KohlerMathias
BruckerAchimD
Caching Strategies: An Empirical Evaluation
Modern enterprise systems comprise a fine-grained enforcement of complex access control policies. Consequently, the efficient evaluation of security policies is a significant factor for the overall system performance. Moreover, modern enterprise systems are inherently based on process and workflow models. These models enable new approaches for improving the performance of security evaluations. Caching is widely used for improving the performance and the reliability of systems. The dynamic nature of today’s workflow systems, both in terms of changing workflows and in terms of dynamic security policies impose particular challenges on the caching of access control decisions. We present a caching strategy that exploits business process models for avoiding cache misses. Moreover, we provide a detailed performance analysis of different caching strategies for static and dynamic aspects of access control policies, providing the required metrics for informed design decisions.
brucker.ea:ocl-testing:2010
BookSection
Heidelberg
Springer-Verlag
2010
MoDELS Workshops
6627
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-testing-2010
https://doi.org/10.1007/978-3-642-21210-9_33
334-348
BruckerAchimD
KriegerMatthiasP
LonguetDelphine
WolffBurkhart
DingelJürgen
SolbergArnor
A Specification-based Test Case Generation Method for UML/OCL
Automated test data generation is an important method for the verification and validation of UML/OCL specifications. In this paper, we present an extension of DNF-based test case generation methods to cyclic class-diagrams and recursive query operations on them. A key feature of our approach is a implicit representation of object graphs avoiding a representation based on object-id’s; thus, our approach avoids the generation of isomorphic object graphs by using a concise and still human-readable symbolic representation.Selected best papers from all satellite events of the MoDELS 2010 conference. Workshop on OCL and Textual Modelling.
brucker.ea:framework:2011
Proceedings
Los Alamitos, CA, USA
IEEE Computer Society
2011
June
IEEE International Symposium on Policies for Distributed Systems and Networks (POLICY)
https://www.brucker.ch/bibliography/abstract/brucker.ea-framework-2011
https://doi.org/10.1109/POLICY.2011.47
105-112
BruckerAchimD
PetritschHelmut
A Framework for Managing and Analyzing Changes of Security Policies
Modern enterprise systems need to comply to complex security policies. Due to legal regulations such as Basel II or HIPAA, the enforcement of these security policies needs to be carefully monitored and analyzed. The monitoring of complex and often dynamic access control requirements results in a vast amount of information that needs to be analyzed both in case of incidents and during regular audits. We present an extensible framework for managing and analyzing security policies during their whole life cycle. Our framework integrates versioning of policies and logfiles with policy animation, static analysis, and debugging techniques. For example, this combination allows for comparing different versions of security policies or the replaying and animation of system traces based on logfiles.
braune.ea:service-oriented:2011
Proceedings
GI
GI
2011
February
Software Engineering 2011 – Workshopband
P-184
https://www.brucker.ch/bibliography/abstract/braune.ea-service-oriented-2011
225-232
BrauneStephan
BruckerAchimD
KleserGerald
LiKeqin
MeijlerTheoDirk
PaulheimHeiko
ProbstFlorian
ReussnerRalf
PretschnerAlexander
JähnichenStefan
A Service-Oriented Architecture for Emergency Management Systems
The complexity and openness of today’s modern societies result in the threat of serious cascading effects when natural disasters or terrorist attacks strike. Thus, there is a high demand for state of the art IT support in the field of emergency management systems. In this paper, we identify the core requirements of future emergency management systems and present a new generation of modular, service-oriented and semantic-web-based architecture for emergency management systems. Our emergency management system offers innovative functionality in the context of distributed information sources, collaborative work environments, and consistent situation pictures.Innovative Systeme zur Unterstützung der zivilen Sicherheit: Architekturen und Gestaltungskonzepte.
probst.ea:soknos:2010
Proceedings
2010
November
VDE-Kongress 2010 – E-Mobility
https://www.brucker.ch/bibliography/abstract/probst.ea-soknos-2010
ProbstFlorian
PaulheimHeiko
BruckerAchimD
SchulteStefan
SoKNOS – Informationsdienste für das Katastrophenmanagement
Dieser Beitrag gibt einen Überblick über das vom BMBF geförderte Forschungsprojekt SoKNOS (Service-orientierte ArchiteKturen zur Unterstützung von Netzwerken im Rahmen Öffentlicher Sicherheit). Im SoKNOS Projekt wurden Konzepte entwickelt, die beteiligten Organisationen im Umfeld öffentlicher Sicherheit im Katastrophenfall darin unterstützen, schnell und sicher agieren zu können. Dies beinhaltet unter anderem neue Methoden zur flexiblen Integration heterogener Informationen und Systeme, zur situations- und benutzergerechten Darstellung und Auswertung dieser Informationen, zum teilautomatisierten Austausch relevanter Nachrichten, zur Kooperation zwischen Organisationen und zum Domänen-spezifischen Design von IT-Sicherheitsmechanismen. In SoKNOS wurden die Forschungsbereiche IT-Sicherheit, Service-orientierte Architekturen (SOA), Arbeitsplatz der Zukunft und moderne Benutzerschnittstellen, Integration Geographischer Informationssysteme (GIS), sowie semantische Technologien adressiert. Im Folgenden werden exemplarisch Ergebnisse vorgestellt, welche durch die Kapselung einzelner Systemfunktionen in Dienste dazu beitragen, das Katastrophenmanagement flexibler und modularer zu gestalten.
brucker.ea:model-based:2011
Proceedings
New York, NY, USA
ACM Press
2011
ACM symposium on access control models and technologies (SACMAT)
https://www.brucker.ch/bibliography/abstract/brucker.ea-model-based-2011
https://doi.org/10.1145/1998441.1998461
133-142
BruckerAchimD
BrüggerLukas
KearneyPaul
WolffBurkhart
An Approach to Modular and Testable Security Models of Real-world Health-care Applications
We present a generic modular policy modelling framework and instantiate it with a substantial case study for model-based testing of some key security mechanisms of applications and services of the NPfIT. NPfIT, the National Programme for IT, is a very large-scale development project aiming to modernise the IT infrastructure of the NHS in England. Consisting of heterogeneous and distributed applications, it is an ideal target for model-based testing techniques of a large system exhibiting critical security features. We model the four information governance principles, comprising a role-based access control model, as well as policy rules governing the concepts of patient consent, sealed envelopes and legitimate relationship. The model is given in HOL and processed together with suitable test specifications in the HOL-TestGen system, that generates test sequences according to them. Particular emphasis is put on the modular description of security policies and their generic combination and its consequences for model-based testing.
brucker.ea:theorem-prover:2012
ArticleInAPeriodical
Heidelberg
Springer-Verlag
2013
Formal Aspects of Computing (FAC)
25
5
https://www.brucker.ch/bibliography/abstract/brucker.ea-theorem-prover-2012
https://doi.org/10.1007/s00165-012-0222-y
683-721
BruckerAchimD
WolffBurkhart
On Theorem Prover-based Testing
HOL-TestGen is a specification and test case generation environment extending the interactive theorem prover Isabelle/HOL. As such, HOL-TestGen allows for an integrated workflow supporting interactive theorem proving, test case generation, and test data generation. The HOL-TestGen method is two-staged: first, the original formula is partitioned into test cases by transformation into a normal form called test theorem. Second, the test cases are analyzed for ground instances (the test data) satisfying the constraints of the test cases. Particular emphasis is put on the control of explicit test-hypotheses which can be proven over concrete programs. Due to the generality of the underlying framework, our system can be used for black-box unit, sequence, reactive sequence and white-box test scenarios. Although based on particularly clean theoretical foundations, the system can be applied for substantial case-studies.
brucker.ea:formal-fw-testing:2014
ArticleInAPeriodical
John Wiley & Sons
2015
Software Testing, Verification & Reliability (STVR)
25
1
https://www.brucker.ch/bibliography/abstract/brucker.ea-formal-fw-testing-2014
https://doi.org/10.1002/stvr.1544
34-71
BruckerAchimD
BrüggerLukas
WolffBurkhart
Formal Firewall Conformance Testing: An Application of Test and Proof Techniques
Firewalls are an important means to secure critical ICT infrastructures. As configurable off-the-shelf prod\-ucts, the effectiveness of a firewall crucially depends on both the correctness of the implementation itself as well as the correct configuration. While testing the implementation can be done once by the manufacturer, the configuration needs to be tested for each application individually. This is particularly challenging as the configuration, implementing a firewall policy, is inherently complex, hard to understand, administrated by different stakeholders and thus difficult to validate. This paper presents a formal model of both stateless and stateful firewalls (packet filters), including NAT, to which a specification-based conformance test case gen\-eration approach is applied. Furthermore, a verified optimisation technique for this approach is presented: starting from a formal model for stateless firewalls, a collection of semantics-preserving policy transformation rules and an algorithm that optimizes the specification with respect of the number of test cases required for path coverage of the model are derived. We extend an existing approach that integrates verification and testing, that is, tests and proofs to support conformance testing of network policies. The presented approach is supported by a test framework that allows to test actual firewalls using the test cases generated on the basis of the formal model. Finally, a report on several larger case studies is presented.
marienfeld.ea:usdl-security:2012
BookSection
New York, NY, USA
Springer-Verlag
2012
Handbook of Service Description: USDL and its Methods
https://www.brucker.ch/bibliography/abstract/marienfeld.ea-usdl-security-2012
https://doi.org/10.1007/978-1-4614-1864-1_12
295-326
MarienfeldFlorian
HöfigEdzard
BezziMichele
FlüggeMatthias
PattbergJonas
SermeGabriel
BruckerAchimD
RobinsonPhilip
DawsonStephen
TheilmannWolfgang
BarrosAlistair
OberleDaniel
Service levels, Security, and Trust
This chapter covers the scientific background for the Service Level Module of the Unified Service Description Language (USDL). In addition to general service level concepts, we expand on two specific service level fields: security and trust. For that end we first review the state of the art in service level modeling, then we explain the design of the Service Level Module and position it among the rest of USDL. For security, two possible perspectives, a high level business view and a low level engineering approach, are introduced. With regards to trust, USDL is suitable to specify how a service can be rated by its consumers and to ensure that ratings of competing services are comparable, and hence to determine trustworthiness. Additionally, we present a description of non-security-related elements that can be exploited for trust estimation.
monakova.ea:securing:2012
Proceedings
New York, NY, USA
ACM Press
2012
ACM Symposium on Applied Computing (SAC)
https://www.brucker.ch/bibliography/abstract/monakova.ea-securing-2012
https://doi.org/10.1145/2245276.2232045
1667-1673
MonakovaGanna
BruckerAchimD
SchaadAndreas
Security and Safety of Assets in Business Processes
Business processes and service compositions are defined independent of the realizing systems. The visualization of security and safety constraints on the business process model level appears to be a promising approach to system independent specification of the security and safety requirements. Such requirements can be realized through business process annotation and used for communication or documentation, but they also can have an execution semantics that allows for automating the security and safety controls. In this paper, we present a tool-supported framework that extends modeling and execution of business processes with specification, execution and monitoring of the security and safety constraints that are used to protect business assets. We illustrate our approach on basis of a case study modeling a supply chain for perishable goods.
brucker.ea:securebpmn:2012
Proceedings
New York, NY, USA
ACM Press
2012
ACM symposium on access control models and technologies (SACMAT)
https://www.brucker.ch/bibliography/abstract/brucker.ea-securebpmn-2012
https://doi.org/10.1145/2295136.2295160
123-126
BruckerAchimD
HangIsabelle
LückemeyerGero
RuparelRaj
SecureBPMN: Modeling and Enforcing Access Control Requirements in Business Processes
Modern enterprise systems have to comply to regulations such as Basel III resulting in complex security requirements. These requirements need to be modeled at design-time and enforced at runtime. Moreover, modern enterprise systems are often business-process driven, i. e., the system behavior is described as high-level business processes that are executed by a business process execution engine. Consequently, there is a need for an integrated and tool-supported methodology that allows for specifying and enforcing compliance and security requirements for business process-driven enterprise systems. In this paper, we present a tool chain supporting both the design-time modeling as well as the run-time enforcement of security requirements for business process-driven systems.
brucker.ea:tap:2012
Conference
Heidelberg
Springer-Verlag
2012
7305
https://www.brucker.ch/bibliography/abstract/brucker.ea-tap-2012
https://doi.org/10.1007/978-3-642-30473-6
BruckerAchimD
JulliandJacques
Tests and Proofs - 6th International Conference, TAP 2012, Praque, Czech Republic, Mai 31 – June 1, 2012. Proceedings
monakova.ea:monitoring:2012
Proceedings
Heidelberg
Springer-Verlag
2012
Future Security
318
https://www.brucker.ch/bibliography/abstract/monakova.ea-monitoring-2012
https://doi.org/10.1007/978-3-642-33161-9_3
9-20
MonakovaGanna
SeverinCristina
BruckerAchimD
FlegelUlrich
SchaadAndreas
AschenbruckNils
MartiniPeter
MeierMichael
TölleJens
Monitoring Security and Safety of Assets in Supply Chains
In the today’s world of the global economy supply chains become more and more complicated. Widely distributed supply chains open more possibilities for attacks on both IT as well physical level. The potential threats can span over multiple supply chains. For example, if the same truck is used to transport chemicals and then the same truck is used to transport food, a contamination threat arises that neither of the supply chains can detect when analysed independently. In this paper, we present a tool-supported framework that extends modelling and execution of supply chains processes with specification, execution and monitoring of the security and safety constraints that are used to protect supply chain assets. The tool allows to detect not only threats scoped to a single supply chain, but cross-cutting threats that can only be detected through analysis of the whole system.
brucker.ea:secure:2012
Proceedings
Heidelberg
Springer-Verlag
2012
Joint Workshop on Security in Business Processes (SBP)
132
https://www.brucker.ch/bibliography/abstract/brucker.ea-secure-2012
https://doi.org/10.1007/978-3-642-36285-9_66
662-674
BruckerAchimD
HangIsabelle
RosaMarcelloLa
SofferPnina
Secure and Compliant Implementation of Business Process-driven Systems
Today’s businesses are inherently process-driven. Consequently, the use of business-process driven systems, usually implemented on top of service-oriented or cloud-based infrastructures, is increasing. At the same time, the demand on the security, privacy, and compliance of such systems is increasing as well. As a result, the costs—with respect to computational effort at runtime as well as financial costs—for operating business-process driven systems increase steadily. In this paper, we present a method for statically checking the security and conformance of the system implementation, \eg, on the source code level, to requirements specified on the business process level. As the compliance is statically guaranteed—already at design-time—this method reduces the number of run-time checks for ensuring the security and compliance and, thus, improves the runtime performances. Moreover, it reduces the costs of system audits, as there is no need for analyzing the generated log files for validating the compliance to the properties that are already statically guaranteed.
brucker.ea:featherweight:2012
Proceedings
2012
Workshop on OCL and Textual Modelling (OCL 2012)
https://www.brucker.ch/bibliography/abstract/brucker.ea-featherweight-2012
https://doi.org/10.1145/2428516.2428520
19-24
BruckerAchimD
WolffBurkhart
Featherweight OCL: A study for the consistent semantics of OCL 2.3 in HOL
At its origins, OCL was conceived as a strict semantics for undefinedness, with the exception of the logical connectives of type Boolean that constitute a three-valued propositional logic. Recent versions of the OCL standard added a second exception element, which, similar to the null references in programming languages, is given a non-strict semantics. In this paper, we report on our results in formalizing the core of OCL in higher-order logic (HOL). This formalization revealed several inconsistencies and contradictions in the current version of the OCL standard. These inconsistencies and contradictions are reflected in the challenge to define and implement OCL tools (e.g., interpreters, code-generators, or theorem provers) in a uniform manner.The semantics for the Boolean operators proposed in this paper was adopted by the OCL 2.4 standard.
brucker.ea:path-expressions:2013
Proceedings
CEUR-WS.org
2013
Proceedings of the MODELS 2013 OCL Workshop (OCL 2013)
1092
https://www.brucker.ch/bibliography/abstract/brucker.ea-path-expressions-2013
23-32
BruckerAchimD
LonguetDelphine
TuongFrédéric
WolffBurkhart
CabotJordi
GogollaMartin
RáthIstván
WillinkEdwardD
On the Semantics of Object-oriented Data Structures and Path Expressions
\UML/ØCL is perceived as the de-facto standard for specifying object-oriented models in general and data models in particular. Since recently, all data types of \UML/ØCL comprise two different exception elements: ınlineoclinvalid (“bottom” in semantics terminology) and ınlineoclnull (for “non-existing element”). This has far-reaching consequences on both the logical and algebraic properties of ØCL expressions as well as the path expressions over object-oriented data structures, ıe, class models. In this paper, we present a formal semantics for object-oriented data models in which all data types and, thus, all class attributes and path expressions, support ınlineoclinvalid and ınlineoclnull. Based on this formal semantics, we present a set of ØCL test cases that can be used for evaluating the support of ınlineoclnull and ınlineoclinvalid in ØCL tools.An extended version of this paper is available as LRI Technical Report 1565.
brucker.ea:summary-aachen:2013
Proceedings
CEUR-WS.org
2013
Proceedings of the MODELS 2013 OCL Workshop (OCL 2013)
1092
https://www.brucker.ch/bibliography/abstract/brucker.ea-summary-aachen-2013
103-111
BruckerAchimD
ChioreanDan
ClarkTony
DemuthBirgit
GogollaMartin
PlotnikovDimitri
RumpeBernhard
WillinkEdwardD
WolffBurkhart
CabotJordi
GogollaMartin
RathIstvan
WillinkEdward
Report on the Aachen OCL Meeting
As a continuation of the OCL workshop during the MODELS 2013 conference in October 2013, a number of OCL experts decided to meet in November 2013 in Aachen for two days to discuss possible short term improvements of OCL for an upcoming OMG meeting and to envision possible future long-term developments of the language. This paper is a sort of “minutes of the meeting” and intended to quickly inform the OCL community about the discussion topics.
brucker.ea:path-expressions:2013-b
Report
Laboratoire en Recherche en Informatique (LRI), Université Paris-Sud 11, France
2013
1565
https://www.brucker.ch/bibliography/abstract/brucker.ea-path-expressions-2013-b
BruckerAchimD
LonguetDelphine
TuongFrédéric
WolffBurkhart
On the Semantics of Object-oriented Data Structures and Path Expressions (Extended Version)
\UML/ØCL is perceived as the de-facto standard for specifying object-oriented models in general and data models in particular. Since recently, all data types of \UML/ØCL comprise two different exception elements: ınlineoclinvalid (“bottom” in semantics terminology) and ınlineoclnull (for “non-existing element”). This has far-reaching consequences on both the logical and algebraic properties of ØCL expressions as well as the path expressions over object-oriented data structures, ıe, class models. In this paper, we present a formal semantics for object-oriented data models in which all data types and, thus, all class attributes and path expressions, support ınlineoclinvalid and ınlineoclnull. Based on this formal semantics, we present a set of ØCL test cases that can be used for evaluating the support of ınlineoclnull and ınlineoclinvalid in ØCL tools.
compagna.ea:bp-compliance:2013
Proceedings
Los Alamitos, CA, USA
IEEE Computer Society
2013
IEEE Sixth International Conference on Software Testing, Verification and Validation (ICST)
https://www.brucker.ch/bibliography/abstract/compagna.ea-bp-compliance-2013
https://doi.org/10.1109/ICST.2013.63
455-462
CompagnaLuca
GuilleminotPierre
BruckerAchimD
OriolManuel
PenixJohn
Business Process Compliance via Security Validation as a Service
Modern enterprise systems are often process-based, i. e., they allow for the direct execution of business processes that are specified in a high-level language such as BPMN. Moreover, modern enterprises need to comply to more and more security and compliance regulations. In this paper, we present a service based, called Security Validation as a Service (SVaaS) for validating the compliance of the business processes (BPs) during design-time. Basically, while modeling a BP the business analyst specifies as well the security and compliance requirements the BP should comply to. By pressing a button, these requirements are validated and the results are presented in a graphical format to the business analysis. At the core of SVaaS lies a rigorous and industrially viable approach in which the security validation business logic is handled server-side (SVaaS Server) in the Cloud, while the client-side user interface that business analysts use is handled by a light-weight (SVaaS Connector). As proof-of-concept we created a SVaaS prototype in which the SVaaS Server is deployed on the SAP NetWeaver Cloud and two SVaaS Connectors are built to enable two well-known BPM clients, SAP NetWeaver BPM and Activiti, to consume SVaaS against industrial relevant BPs.
brucker.ea:test-program-generation:2013
BookSection
Heidelberg
Springer-Verlag
2013
TAP 2013: Tests And Proofs
7942
https://www.brucker.ch/bibliography/abstract/brucker.ea-test-program-generation-2013
https://doi.org/10.1007/978-3-642-38916-0_5
76-95
BruckerAchimD
FeliachiAbderrahmane
NemouchiYakoub
WolffBurkhart
ViganòLuca
VeanesMargus
Test Program Generation for a Microprocessor: A Case-Study
Certifications demonstrating that certain security or safety requirements are met by a system are becoming increasingly important for a wide range of products. Certifying large systems like operating systems up to Common Criteria EAL 4 is common practice today, and higher certification levels are at the brink of becoming reality. To reach EAL 7 one has to formally verify properties on the specification as well as test the implementation thoroughly. In this paper, we present a case study that uses a formal model of a microprocessor for generat- ing test programs. These test programs validate that a microprocessor implements the specified instruction set correctly. We built our case study on an existing model that was, together with an operating system, developed in Isabelle/HOL. We use HOL-TestGen, a model-based testing environment which is an extension of Isabelle/HOL. We develop a number of conformance test scenarios, where processor models were used to synthesize test programs that were run against real hardware in the loop. Our test case generation approach directly benefits from the existing models and formal proofs in Isabelle/HOL.
brucker.ea:hol-testgen-fw:2013
BookSection
Heidelberg
Springer-Verlag
2013
International Colloquium on Theoretical Aspects of Computing (ICTAC)
8049
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-fw-2013
https://doi.org/10.1007/978-3-642-39718-9_7
112-121
BruckerAchimD
BrüggerLukas
WolffBurkhart
LiuZhiming
WoodcockJim
ZhuHuibiao
HOL-TestGen/FW: An Environment for Specification-based Firewall Conformance Testing
The HOL-TestGen environment is conceived as a system for modeling and semi-automated test generation with an emphasis on expressive power and generality. However, its underlying technical framework Isabelle/HOL supports the customization as well as the development of highly automated add-ons working in specific application domains. In this paper, we present HOL-TestGen/FW, an add-on for the test framework HOL-TestGen, that allows for testing the conformance of firewall implementations to high-level security policies. Based on generic theories specifying a security-policy language, we developed specific theories for network data and firewall policies. On top of these firewall specific theories, we provide mechanisms for policy transformations based on derived rules and adapted code-generators producing test drivers. Our empirical evaluations shows that HOL-TestGen/FW is a competitive environment for testing firewalls or high-level policies of local networks.
brucker.ea:framework:2013
BookSection
Los Alamitos, CA, USA
IEEE Computer Society
2013
International Conference on Information Privacy, Security, Risk and Trust (PASSAT)
https://www.brucker.ch/bibliography/abstract/brucker.ea-framework-2013
https://doi.org/10.1109/SocialCom.2013.97
647-652
BruckerAchimD
MalmignatiFrancesco
MerabtiMadjid
ShiQi
ZhouBo
A Framework for Secure Service Composition
Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. As the requirements for security and trustworthiness, in nearly all sectors, are increasing dramatically, there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications. In this paper, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the “security as an afterthought” paradigm.
brucker:securebpmn:2013
ArticleInAPeriodical
Oldenbourg Wissenschaftsverlag
2013
December
it - Information Technology
55
6
https://www.brucker.ch/bibliography/abstract/brucker-securebpmn-2013
https://doi.org/10.1524/itit.2013.2004
239-246
BruckerAchimD
Integrating Security Aspects into Business Process Models
Modern enterprise systems are often process-driven and, thus, rely heavily on process-aware information systems. In such systems, high-level process-models play an important role both for communicating business requirements between domain experts and system experts as well as basis for the system implementation. Since several years, enterprise system need to fulfil an increasing number of the security and compliance requirements. Thus, there is an increasing demand for integrating high-level security and compliance requirements into process models, ıe, a common language for domain experts, system experts, and security experts. We present a security modelling language, called SecureBPMN, that can easily be integrated into business process modelling languages. In this paper, we exemplary integrate SecureBPMN into BPMN and, thus, present a common language for describing business process models together with their security and compliance requirements.Special Issue on “Security in Business Processes.”
brucker.ea:featherweight:2014
ArticleInAPeriodical
2014
January
Archive of Formal Proofs
http://www.isa-afp.org/entries/Featherweight_OCL.shtml, Formal proof development
BruckerAchimD
TuongFrédéric
WolffBurkhart
Featherweight OCL: A Proposal for a Machine-Checked Formal Semantics for OCL 2.5
The Unified Modeling Language (UML) is one of the few modeling languages that is widely used in industry. While UML is mostly known as diagrammatic modeling language (e.g., visualizing class models), it is complemented by a textual language, called Object Constraint Language (OCL). OCL is based on a three-valued logic that turns UML into a formal language. Unfortunately the semantics of this specification language, captured in the Annex A of the OCL standard, leads to different interpretations of corner cases. We formalize the core of OCL: denotational definitions, a logical calculus and operational rules that allow for the execution of OCL expressions by a mixture of term rewriting and code compilation. Our formalization reveals several inconsistencies and contradictions in the current version of the OCL standard. Overall, this document is intended to provide the basis for a machine-checked text Annex A of the OCL standard targeting at tool implementors.
brucker.ea:sast-expierences:2014
Proceedings
GI
GI
2014
March
GI Sicherheit 2014
228
https://www.brucker.ch/bibliography/abstract/brucker.ea-sast-expierences-2014
91-101
BruckerAchimD
SodanUwe
KatzenbeisserStefan
LotzVolkmar
WeipplEdgar
Deploying Static Application Security Testing on a Large Scale
Static Code Analysis (SCA), if used for finding vulnerabilities also called Static application Security Testing (SAST), is an important technique for detecting software vulnerabilities already at an early stage in the software development life-cycle. As such, SCA is adopted by an increasing number of software vendors. The wide-spread introduction of SCA at a large software vendor, such as SAP, creates both technical as well as non-technical challenges. Technical challenges include high false positive and false negative rates. Examples of non-technical challenges are the insufficient security awareness among the developers and manages or the integration of SCA into a software development life-cycle that facilitates agile development. Moreover, software is not developed following a greenfield approach: SAP’s security standards need to be passed to suppliers and partners in the same manner as SAP’s customers begin to pass their security standards to SAP. In this paper, we briefly present how the SAP’s Central Code Analysis Team introduced SCA at SAP and discuss open problems in using SCA both inside SAP as well as across the complete software production line, i.e., including suppliers and partners.
sohr.ea:zertapps:2014
Proceedings
GI
GI
2014
March
GI Sicherheit 2014
228
https://www.brucker.ch/bibliography/abstract/sohr.ea-zertapps-2014
283-291
SohrKarsten
BartschSteffen
VolkamerMelanie
BergerBernhardJ
BoddenEric
BruckerAchimD
MasebergSönke
KusMehmet
HeiderJens
KatzenbeisserStefan
LotzVolkmar
WeipplEdgar
Zertifizierte Datensicherheit für mobile Anwendungen
Smartphones erfreuen sich einer stetig wachsenden Beliebtheit. Ein Grund hierfür ist die Vielzahl verschiedenster mobiler Anwendungen. Mit den Chancen, die sich hierdurch für den Benutzer, aber auch Organisationen bieten, sind Risiken verbunden, die beispielsweise zu einer Verletzung der Privatsphäre führen können. In diesem Beitrag diskutieren wir, wie statische Programmanalyse dabei helfen kann, Android-Anwendungen bzgl. der Sicherheit zu zertifizieren.
bachmann.ea:security-testing:2014
ArticleInAPeriodical
2014
April
Datenschutz und Datensicherheit (DuD)
38
4
https://www.brucker.ch/bibliography/abstract/bachmann.ea-security-testing-2014
https://doi.org/10.1007/s11623-014-0102-0
257-261
BachmannRuediger
BruckerAchimD
Developing Secure Software: A Holistic Approach to Security Testing
Security vulnerabilities are a serious threat to software vendors and their customers: they can result in both monetary loss as well as loss of reputation. Thus, implementing a rigid secure software development lifecycle is a competitive advantage for a software vendor. A holistic security testing approach must cover the whole software development lifecycle across all software products and all security threats. In this article, we discuss a holistic security testing approach that was developed at SAP, a large vendor of enterprise software.
meland.ea:aniketos-platform:2014
BookSection
Heidelberg
Springer-Verlag
2014
Secure and Trustworthy Service Composition: The Aniketos Approach
8900
https://www.brucker.ch/bibliography/abstract/meland.ea-aniketos-platform-2014
https://doi.org/10.1007/978-3-319-13518-2_4
MelandPerHåkon
RiosErkuden
TountopoulosVasilis
BruckerAchimD
BruckerAchimD
DalpiazFabiano
GiorginiPaolo
MelandPerHåkon
RiosErkuden
The Aniketos Platform
brucker:aniketos-securebpmn:2014
BookSection
Heidelberg
Springer-Verlag
2014
Secure and Trustworthy Service Composition: The Aniketos Approach
8900
https://www.brucker.ch/bibliography/abstract/brucker-aniketos-securebpmn-2014
https://doi.org/10.1007/978-3-319-13518-2_8
110-120
BruckerAchimD
BruckerAchimD
DalpiazFabiano
GiorginiPaolo
MelandPerHåkon
RiosErkuden
Using SecureBPMN for Modelling Security-Aware Service Compositions
Today, many systems are built by orchestrating existing services, custom developed services, as well as interaction with users. These orchestrations, also called composition plans, are often described using high-level modelling languages that allow for simplifying 1) the implementation of systems by using generic execution engines and 2) the adaption of deployed systems to changing business needs. Thus, composition plans play an important role for both communicating business requirements between domain experts and system experts, and serving as a basis for the system implementation. At the same time, ICT systems need to fulfil an increasing number of security and compliance requirements. Thus, there is a demand for integrating security and compliance requirements into composition plans. We present SecureBPMN, a language for modelling security properties that can easily be integrated into languages used for describing service orchestrations. Moreover, we integrate SecureBPMN into BPMN and, thus, present a common language for describing service orchestration (in terms of business process models) together with their security and compliance requirements.
brucker.ea:aniketos-scf:2014
BookSection
Heidelberg
Springer-Verlag
2014
Secure and Trustworthy Service Composition: The Aniketos Approach
8900
https://www.brucker.ch/bibliography/abstract/brucker.ea-aniketos-scf-2014
https://doi.org/10.1007/978-3-319-13518-2_9
121-135
BruckerAchimD
MalmignatiFrancesco
MerabtiMadjid
ShiQi
ZhouBo
BruckerAchimD
DalpiazFabiano
GiorginiPaolo
MelandPerHåkon
RiosErkuden
Aniketos Service Composition Framework: Analysing and Ranking of Secure Services
Modern applications are inherently heterogeneous: they are built by composing loosely coupled services that are, usually, offered and operated by different service providers. While this approach increases the flexibility of the composed applications, it makes the implementation of security and trustworthiness requirements much more difficult. Therefore there is a need for new approaches that integrate security requirements right from the beginning while composing service-based applications, in order to ensure security and trustworthiness. In this chapter, we present a framework for secure service composition using a model-based approach for specifying, building, and executing composed services. As a unique feature, this framework integrates security requirements as a first class citizen and, thus, avoids the “security as an afterthought” paradigm.
brucker.ea:aniketos-compliance:2014
BookSection
Heidelberg
Springer-Verlag
2014
Secure and Trustworthy Service Composition: The Aniketos Approach
8900
https://www.brucker.ch/bibliography/abstract/brucker.ea-aniketos-compliance-2014
https://doi.org/10.1007/978-3-319-13518-2_10
136-149
BruckerAchimD
CompagnaLuca
GuilleminotPierre
BruckerAchimD
DalpiazFabiano
GiorginiPaolo
MelandPerHåkon
RiosErkuden
Compliance Validation of Secure Service Compositions
The Aniketos Secure Composition Framework supports the specification of secure and trustworthy composition plans in term of BPMN\@. The diversity of security and trust properties that is supported by the Aniketos framework allows, on the one hand, for expressing a large number of security and compliance requirements. On the other hand, the resulting expressiveness results in the risk that high-level compliance requirements (\eg, separation of duty) are not implemented by low-level security means (\eg, role-based access control configurations). In this chapter, we present the Composition Security Validation Module (CSVM). The CSVM provides a service for checking the compliance of secure and trustworthy composition plans to the service designer. As proof-of-concept we created a prototype in which the CSVM module is deployed on the SAP NetWeaver Cloud and two CSVM Connectors are built supporting two well-known BPMN tools: SAP NetWeaver BPM and Activiti Designer.
asim.ea:aniketos-monitoring:2014
BookSection
Heidelberg
Springer-Verlag
2014
Secure and Trustworthy Service Composition: The Aniketos Approach
8900
https://www.brucker.ch/bibliography/abstract/asim.ea-aniketos-monitoring-2014
https://doi.org/10.1007/978-3-319-13518-2_13
192-202
AsimMuhammad
YautsiukhinArtsiom
BruckerAchimD
LempereurBrett
ShiQi
BruckerAchimD
DalpiazFabiano
GiorginiPaolo
MelandPerHåkon
RiosErkuden
Security Policy Monitoring of Composite Services
One important challenge the Aniketos platform has to address is the effective monitoring of services at runtime to ensure that services behave as promised. A service developer plays the role that is responsible for constructing service compositions and the service provider is responsible for offering them to consumers of the Aniketos platform. Typically, service consumers will have different needs and requirements; they have varying business goals and different expectations from a service, for example in terms of functionality, quality of service and security needs. Given this, it is important to ensure that a service should deliver for which it has been selected and should match the consumer’s expectations. If it fails, the system should take appropriate subsequent reactions, e.g., notifications to the service consumer or service designer. In this chapter, we present the policy-driven monitoring framework which is developed as part of the Aniketos project. The monitoring framework allows different user-specified policies to be monitored simultaneously. The monitor- ing is performed at the business level, as well as at the implementation level, which allows for checking the policies of composite services as well as atomic ones. The framework sends an alarm in case of policy violation to notify the interested parties and triggers re-composition or re-configuration of the service.
brucker.ea:aniketos:2014
Book
Heidelberg
Springer-Verlag
2014
8900
https://www.brucker.ch/bibliography/abstract/brucker.ea-aniketos-2014
https://doi.org/10.1007/978-3-319-13518-2
BruckerAchimD
DalpiazFabiano
GiorginiPaolo
MelandPerHåkon
RiosErkuden
Secure and Trustworthy Service Composition: The Aniketos Approach
brucker.ea:stvr-tap-vol-1:2014
ArticleInAPeriodical
2014
November
Software Testing, Verification & Reliability (STVR)
24
7
https://www.brucker.ch/bibliography/abstract/brucker.ea-stvr-tap-vol-1-2014
https://doi.org/10.1002/stvr.1560
497-498
BruckerAchimD
JulliandJacques
Editorial for the special issue of STVR on tests and proofs volume 1: tests and proofs in model-based testing
brucker.ea:stvr-tap-vol-2:2014
ArticleInAPeriodical
2014
December
Software Testing, Verification & Reliability (STVR)
24
8
https://www.brucker.ch/bibliography/abstract/brucker.ea-stvr-tap-vol-2-2014
https://doi.org/10.1002/stvr.1558
591-592
BruckerAchimD
JulliandJacques
Editorial for the special issue of STVR on tests and proofs volume 2: tests and proofs for improving the generation time and quality of test data suites
brucker.ea:ocl:2014
Conference
CEUR-WS.org
2014
1285
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-2014
BruckerAchimD
DaniaCarolina
GeorgGeri
GogollaMartin
14th International Workshop on OCL and Textual Modeling, OCL 2014, Valencia, Spain, September 30, 2014. Proceedings
brucker.ea:ocl:2015
Conference
CEUR-WS.org
2015
1512
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-2015
BruckerAchimD
EgeaMarina
GogollaMartin
TuongFrédéric
15th International Workshop on OCL and Textual Modeling, OCL 2015, Ottawa, Canada, September 28, 2015. Proceedings
brucker.ea:ocl:2016
Conference
CEUR-WS.org
2016
1756
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-2016
BruckerAchimD
CabotJordi
HerreraAdolfoSánchez-Barbudo
16th International Workshop on OCL and Textual Modeling, OCL 2016, Saint-Malo, France, October 2, 2016. Proceedings
brucker.ea:ocl-community:2014
Proceedings
CEUR-WS.org
2014
Proceedings of the MODELS 2014 OCL Workshop (OCL 2014)
1285
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-community-2014
83-99
BruckerAchimD
ClarkTony
DaniaCarolina
GeorgGeri
GogollaMartin
JouaultFrédéric
TenienteErnest
WolffBurkhart
BruckerAchimD
DaniaCarolina
GeorgGeri
GogollaMartin
Panel Discussion: Proposals for Improving OCL
During the panel session at the OCL workshop, the OCL community discussed, stimulated by short presentations by OCL experts, potential future extensions and improvements of the OCL. As such, this panel discussion continued the discussion that started at the OCL meeting in Aachen in 2013 and on which we reported in the proceedings of the last year’s OCL workshop. This collaborative paper, to which each OCL expert contributed one section, summarises the panel discussion as well as describes the suggestions for further improvements in more detail.
brucker.ea:upf:2014
ArticleInAPeriodical
2014
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/UPF.shtml, Formal proof development
BruckerAchimD
BrüggerLukas
WolffBurkhart
The Unified Policy Framework (UPF)
We present the Unified Policy Framework (UPF), a generic framework for modelling security (access-control) policies. UPF emphasizes the view that a policy is a policy decision function that grants or denies access to resources, permissions, etc. In other words, instead of modelling the relations of permitted or prohibited requests directly, we model the concrete function that implements the policy decision point in a system. In more detail, UPF is based on the following four principles: 1) Functional representation of policies, 2) No conflicts are possible, 3) Three-valued decision type (allow, deny, undefined), 4) Output type not containing the decision only.
brucker.ea:upf-firewall:2017
ArticleInAPeriodical
2017
January
Archive of Formal Proofs
http://www.isa-afp.org/entries/UPF_Firewall.shtml, Formal proof development
BruckerAchimD
BrüggerLukas
WolffBurkhart
Formal Network Models and Their Application to Firewall Policies
We present a formal model of network protocols and their application to modeling firewall policies. The formalization is based on the Unified Policy Framework (UPF). The formalization was originally developed with for generating test cases for testing the security configuration actual firewall and router (middle-boxes) using HOL-TestGen. Our work focuses on modeling application level protocols on top of tcp/ip.
salnitri.ea:river:2015
Proceedings
Springer-Verlag
2015
Enterprise, Business-Process and Information Systems Modeling BPMDS
214
https://www.brucker.ch/bibliography/abstract/salnitri.ea-river-2015
https://doi.org/10.1007/978-3-319-19237-6_16
246-262
SalnitriMattia
BruckerAchimD
GiorginiPaolo
GaaloulK
SchmidtR
NurcanS
GuerreiroS
MaQ
From Secure Business Process Models to Secure Artifact-Centric Specifications
Making todays’ systems secure is an extremely difficult and challenging problem. Socio and technical issues interplay and contribute in creating vulnerabilities that cannot be easily prevented without a comprehensive engineering method. This paper presents a novel approach to support process-aware secure systems modeling and automated generation of secure artifact-centric implementations. It combines social and technical perspectives in developing secure complex systems. This work is the result of an academic and industrial collaboration, where SecBPMN2, a research prototype, has been integrated with SAP River, an industrial artifact-centric language.
othmane.ea:fix-effort:2015
BookSection
Heidelberg
Springer-Verlag
2015
Information Security Conference (ISC 2015)
https://www.brucker.ch/bibliography/abstract/othmane.ea-fix-effort-2015
https://doi.org/10.1007/978-3-319-23318-5_6
ben OthmaneLotfi
ChehraziGolriz
BoddenEric
TsalovskiPetar
BruckerAchimD
MiseldinePhilip
BoydColin
GligoriskiDanilo
Factors Impacting the Effort Required to Fix Security Vulnerabilities: An Industrial Case Study
To what extent do investments in secure software engineering pay off? Right now, many development companies are trying to answer this important question. A change to a secure development lifecycle can pay off if it decreases significantly the time, and therefore the cost required to find, fix and address security vulnerabilities. But what are the factors involved and what influence do they have? This paper reports about a qualitative study conducted at SAP to identify the factors that impact the vulnerability fix time. The study involves interviews with 12 security experts. Through these interviews, we identified 65 factors that fall into classes which include, beside the vulnerabilities characteristics, the structure of the software involved, the diversity of the used technologies, the smoothness of the communication and collaboration, the availability and quality of information and documentation, the expertise and knowledge of developers, and the quality of the code analysis tools. These results will be an input to a planned quantitative study to evaluate and predict how changes to the secure software development lifecycle will likely impact the effort to fix security vulnerabilities.
brucker.ea:ipc-testing:2015
BookSection
Heidelberg
Springer-Verlag
2015
Working Conference on Verified Software: Theories, Tools, and Experiments
https://www.brucker.ch/bibliography/abstract/brucker.ea-ipc-testing-2015
https://doi.org/10.1007/978-3-319-29613-5_3
BruckerAchimD
HavleOto
NemouchiYakoub
WolffBurkhart
GurfinkelArie
SeshiaSanjitA
Testing the IPC Protocol for a Real-Time Operating System
In this paper, we adapt model-based testing techniques to concurrent code, namely for test generations of an (industrial) OS kernel called PikeOS\@. Since our data-models are complex, the problem is out of reach of conventional model-checking techniques. Our solution is based on symbolic execution implemented inside the interactive theorem proving environment Isabelle/HOL extended by a plugin with test generation facilities called HOL-TestGen. As a foundation for our symbolic computing techniques, we refine the theory of monads to embed interleaving executions with abort, synchronization, and shared memory to a general but still optimized behavioral test framework. This framework is instantiated by a model of PikeOS inter-process communication system-calls. Inheriting a micro-architecture going back to the L4 kernel, the system calls of the IPC-API are internally structured by atomic actions; according to a security model, these actions can fail and must produce error-codes. Thus, our tests reveal errors in the enforcement of the security model.
brucker.ea:formal-semantics-ocl-2.5:2015
Report
LRI, Univ Paris Sud, CNRS, Centrale Supélec, Université Paris-Saclay, France
2015
September
1582
https://www.brucker.ch/bibliography/abstract/brucker.ea-formal-semantics-ocl-2.5-2015
BruckerAchimD
TuongFrédéric
WolffBurkhart
Featherweight OCL: A Proposal for a Machine-Checked Formal Semantics for OCL 2.5
The Unified Modeling Language (UML) is one of the few modeling languages that is widely used in industry. While UML is mostly known as diagrammatic modeling language (e.g., visualizing class models), it is complemented by a textual language, called Object Constraint Language (OCL). OCL is a textual annotation language, originally based on a three-valued logic, that turns UML into a formal language. Unfortunately the semantics of this specification language, captured in the “Annex A” of the OCL standard, leads to different interpretations of corner cases. Many of these corner cases had been subject to formal analysis since more than ten years. The situation complicated with the arrival of version 2.3 of the OCL standard. OCL was aligned with the latest version of UML: this led to the extension of the three-valued logic by a second exception element, called null. While the first exception element invalid has a strict semantics, null has a non strict interpretation. The combination of these semantic features lead to remarkable confusion for implementors of OCL compilers and interpreters. In this paper, we provide a formalization of the core of OCL in HOL. It provides denotational definitions, a logical calculus and operational rules that allow for the execution of OCL expressions by a mixture of term rewriting and code compilation. Moreover, we describe a coding-scheme for UML class models that were annotated by code-invariants and code contracts. An implementation of this coding-scheme has been undertaken: it consists of a kind of compiler that takes a UML class model and translates it into a family of definitions and derived theorems over them capturing the properties of constructors and selectors, tests and casts resulting from the class model. However, this compiler is not included in this document. Our formalization reveals several inconsistencies and contradictions in the current version of the OCL standard. They reflect a challenge to define and implement OCL tools in a uniform manner. Overall, this document is intended to provide the basis for a machine-checked text “Annex A” of the OCL standard targeting at tool implementors.
felderer.ea:security-testing:2016
ArticleInAPeriodical
Academic Press
2016
March
Advances in Computers
101
https://www.brucker.ch/bibliography/abstract/felderer.ea-security-testing-2016
https://doi.org/10.1016/bs.adcom.2015.11.003
1-51
FeldererMichael
BüchlerMatthias
JohnsMartin
BruckerAchimD
BreuRuth
PretschnerAlexander
Security Testing: A Survey
Identifying vulnerabilities and ensuring security functionality by security testing is a widely applied measure to evaluate and improve the security of software. Due to the openness of modern software-based systems, applying appropriate security testing techniques is of growing importance and essential to perform effective and efficient security testing. Therefore, an overview of actual security testing techniques is of high value both for researchers to evaluate and refine the techniques and for practitioners to apply and disseminate them. This chapter fulfills this need and provides an overview of recent security testing techniques. For this purpose, it first summarize the required background of testing and security engineering. Then, basics and recent developments of security testing techniques applied during the secure software development lifecycle, i.e., model-based security testing, code-based testing and static analysis, penetration testing and dynamic analysis, as well as security regression testing are discussed. Finally, the security testing techniques are illustrated by adopting them for an example three-tiered web-based business application.
longuet.ea.ea:ocl-reflection:2014
Proceedings
CEUR-WS.org
2014
Proceedings of the MODELS 2014 OCL Workshop (OCL 2014)
1285
https://www.brucker.ch/bibliography/abstract/longuet.ea.ea-ocl-reflection-2014
43-52
LonguetDelphine
TuongFrédéric
WolffBurkhart
BruckerAchimD
DaniaCarolina
GeorgGeri
GogollaMartin
Towards a Tool for Featherweight OCL: A Case Study On Semantic Reflection
We show how modern proof environments comprising code generators and reflection facilities can be used for the effective construction of a tool for OCL . For this end, we define a UML / OCL meta-model in HOL, a meta-model for Isabelle/ HOL in HOL , and a compiling function between them over the vocabulary of the libraries provided by Featherweight OCL . We use the code generator of Isabelle to generate executable code for the compiler, which is bound to a USE tool-like syntax integrated in Isabelle/Featherweight OCL . It generates for an arbitrary class model an object-oriented datatype theory and proves the relevant properties for casts, type-tests, constructors and selectors automatically.
brucker.ea:recent-developments:2016
Proceedings
CEUR-WS.org
2016
Proceedings of the International Workshop on OCL and Textual Modeling (OCL 2016)
1756
https://www.brucker.ch/bibliography/abstract/brucker.ea-recent-developments-2016
157-165
BruckerAchimD
CabotJordi
DanielGwendal
GogollaMartin
HerreraAdolfoSánchez-Barbudo
HilkenFrank
TuongFrédéric
WillinkEdwardD
WolffBurkhart
BruckerAchimD
CabotJordi
HerreraAdolfoSánchez-Barbudo
Recent Developments in OCL and Textual Modelling
The panel session of the 16th OCL workshop featured a lightning talk session for discussing recent developments and open questions in the area of OCL and textual modelling. During this session, the OCL community discussed, stimulated through short presentations by OCL experts, tool support, potential future extensions, and suggested initiatives to make the textual modelling community even more successful. This collaborative paper, to which each OCL expert contributed one section, summarises the discussions as well as describes the recent developments and open questions presented in the lightning talks.
othmane.ea:time:2015
Report
Technische Universität Darmstadt
2015
November
TUD-CS-2015-1268
https://www.brucker.ch/bibliography/abstract/othmane.ea-time-2015
ben OthmaneLotfi
ChehraziGolriz
BoddenEric
TsalovskiPetar
BruckerAchimD
Time for Addressing Software Security Issues: Prediction Models and Impacting Factors
Finding and fixing software vulnerabilities has become a major struggle for most software-development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process and we show how the issue fix time could be used to monitor the fixing process. We use three machine-learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that the impact of vulnerability type has a small impact on issue fix time. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. Other companies can use similar models and mechanisms an be a learning organization.
brucker.ea:cordova-security:2016
BookSection
Heidelberg
Springer-Verlag
2016
International Symposium on Engineering Secure Software and Systems (ESSoS)
9639
https://www.brucker.ch/bibliography/abstract/brucker.ea-cordova-security-2016
https://doi.org/10.1007/978-3-319-30806-7_5
72-88
BruckerAchimD
HerzbergMichael
CaballeroJuan
BoddenEric
On the Static Analysis of Hybrid Mobile Apps: A Report on the State of Apache Cordova Nation
Developing mobile applications is a challenging business: developers need to support multiple platforms and, at the same time, need to cope with limited resources, as the revenue generated by an average app is rather small. This results in an increasing use of cross-platform development frameworks that allow developing an app once and offering it on multiple mobile platforms such as Android, iOS, or Windows. Apache Cordova is a popular framework for developing multi-platform apps. Cordova combines HTML5 and JavaScript with native application code. Combining web and native technologies creates new security challenges as, e.g., an XSS attacker becomes more powerful. In this paper, we present a novel approach for statically analysing the foreign language calls. We evaluate our approach by analysing the top Cordova apps from Google Play. Moreover, we report on the current state of the overall quality and security of Cordova apps.
dashevskyi.ea:foss-costs:2016
BookSection
Heidelberg
Springer-Verlag
2016
International Symposium on Engineering Secure Software and Systems (ESSoS)
9639
https://www.brucker.ch/bibliography/abstract/dashevskyi.ea-foss-costs-2016
https://doi.org/10.1007/978-3-319-30806-7_12
190-206
DashevskyiStanislav
BruckerAchimD
MassacciFabio
CaballeroJuan
BoddenEric
On the Security Cost of Using a Free and Open Source Component in a Proprietary Product
The work presented in this paper is motivated by the need to estimate the security effort of consuming Free and Open Source Software (FOSS) components within a proprietary software supply chain of a large European software vendor. To this extent we have identified three different cost models: centralized (the company checks each component and propagates changes to the different product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (only the least used components are checked individually by each development team). We investigated publicly available factors (\eg, development activity such as commits, code size, or fraction of code size in different programming languages) to identify which one has the major impact on the security effort of using a FOSS component in a larger software product.
brucker.ea:hol-testgen:2016
Report
Laboratoire en Recherche en Informatique (LRI), Université Paris-Sud 11, France
2016
April
1586
https://www.brucker.ch/bibliography/abstract/brucker.ea-hol-testgen-2016
BruckerAchimD
BrüggerLukas
FeliachiAbderrahmane
KellerChantal
KriegerMatthiasP
LonguetDelphine
NemouchiYakoub
TuongFrédéric
WolffBurkhart
HOL-TestGen 1.8.0 User Guide
brucker.ea:monadic-sequence-testing:2016
BookSection
Heidelberg
Springer-Verlag
2016
TAP 2016: Tests And Proofs
9762
https://www.brucker.ch/bibliography/abstract/brucker.ea-monadic-sequence-testing-2016
https://doi.org/10.1007/978-3-319-41135-4_2
BruckerAchimD
WolffBurkhart
AichernigBernhardK
FuriaCarloA
Monadic Sequence Testing and Explicit Test-Refinements
We present an abstract framework for sequence testing that is implemented in Isabelle/HOL-TestGen. Our framework is based on the theory of state-exception monads, explicitly modelled in HOL, and can cope with typed input and output, interleaving executions including abort, and synchronisation. The framework is particularly geared towards symbolic execution and has proven effective in several large case-studies involving system models based on large (or infinite) state. On this basis, we rephrase the concept of test-refinements for inclusion, deadlock and IOCO-like tests, together with a formal theory of its rela- tion to traditional, IO-automata based notions.
brucker:secdevops:2016
ArticleInAPeriodical
D-53842 Troisdorf, Germany
SIGS DATACOM GmbH
2016
May
31
OBJEKTspektrum
https://www.brucker.ch/bibliography/abstract/brucker-secdevops-2016
BruckerAchimD
Sicherheitstests für Secure DevOps (SecDevOps)
Eine erfolgreiche Anwendung der DevOps-Strategie erlaubt Organisationen eine deutlich schnellere Auslieferung an den Kunden. Dies ist nur durch einen hohen Grad an Testautomatisierung möglich. Dies gilt nicht nur für die Tests funktionaler Eigenschaften, sondern auch für die Sicherheitstests. Da diese meist nur halbautomatisiert oder gar vollständig manuell erfolgen, stellt die Einführung des DevOps-Modells eine große Herausforderung für die Sicherheitsexperten innerhalb der Softwareentwicklung dar. Zeitgleich bietet das Zusammenwachsen von Entwicklung und Betrieb aber auch eine neue Chance: die flexible Nutzung des Spielraumes zwischen defensiven Entwicklungstechniken sowie dem Reagieren auf Angriffe während des Betriebes. Deswegen ist die Einführung einer DevOps-Strategie für jede Softwareentwicklungsabteilung ein guter Zeitpunkt, die Sicherheitsteststrategie zu überdenken und an die neuen Anforderungen anzupassen.Online Themenspecial DevOps 2016.
othmane.ea:fix-effort:2016
ArticleInAPeriodical
Heidelberg
Springer-Verlag
2017
Data Science and Engineering (DSEJ)
2
2
https://www.brucker.ch/bibliography/abstract/othmane.ea-fix-effort-2016
https://doi.org/10.1007/s41019-016-0019-8
107-124
ben OthmaneLotfi
ChehraziGolriz
BoddenEric
TsalovskiPetar
BruckerAchimD
Time for Addressing Software Security Issues: Prediction Models and Impacting Factors
Finding and fixing software vulnerabilities have become a major struggle for most software development companies. While generally without alternative, such fixing efforts are a major cost factor, which is why companies have a vital interest in focusing their secure software development activities such that they obtain an optimal return on this investment. We investigate, in this paper, quantitatively the major factors that impact the time it takes to fix a given security issue based on data collected automatically within SAP’s secure development process, and we show how the issue fix time could be used to monitor the fixing process. We use three machine learning methods and evaluate their predictive power in predicting the time to fix issues. Interestingly, the models indicate that vulnerability type has less dominant impact on issue fix time than previously believed. The time it takes to fix an issue instead seems much more related to the component in which the potential vulnerability resides, the project related to the issue, the development groups that address the issue, and the closeness of the software release date. This indicates that the software structure, the fixing processes, and the development groups are the dominant factors that impact the time spent to address security issues. SAP can use the models to implement a continuous improvement of its secure software development process and to measure the impact of individual improvements. The development teams at SAP develop different types of software, adopt different internal development processes, use different programming languages and platforms, and are located in different cities and countries. Other organizations, may use the results–with precaution–and be learning organizations.
othmane.ea:data-analytics:2017
BookSection
CRC Press
2017
December
Empirical Research for Software Security: Foundations and Experience
https://www.brucker.ch/bibliography/abstract/othmane.ea-data-analytics-2017
69-94
ben OthmaneLotfi
BruckerAchimD
DashevskyiStanislav
TsalovskiPeter
ben OthmaneLotfi
JaatunMartinGilje
WeipplEdgar
An Introduction to Data Analytics For Software Security
In this chapter, we report on our own experiences in empirical secure software research at, SAP SE, the largest European software vendor. Based on this, we derive an actionable recommendations for building the foundations of an expressive data science for software security: we focus on using data analytics for improving the secure software development. Data analytics is the science of examining raw data with the purpose of drawing conclusions about that information using machine learning methods or statistical learning methods. Data analytical techniques have been successfully used in both the cyber-security domain as well as the software engineering domain. For example, Jackobe and Rudis showed how to learn virus propagation and characteristics of data breaches form public data. Data analytical methods are also commonly used to investigate software engineering challenges such as effort prediction. Thus, applying these techniques to the intersection of both areas to help practitioners to develop more secure software with less effort, seems promising.
brucker.ea:secure-services:2017
ArticleInAPeriodical
John Wiley & Sons
2017
December
Software: Practice and Expierence (SPE)
47
12
https://www.brucker.ch/bibliography/abstract/brucker.ea-secure-services-2017
https://doi.org/10.1002/spe.2513
1912-1943
BruckerAchimD
ZhouBo
MalmignatiFrancesco
ShiQi
MerabtiMadjid
Modelling, Validating, and Ranking of Secure Service Compositions
In the world of large-scale applications, software-as-a-service (SaaS) in general and use of micro-services, in particular, is bringing service-oriented architectures (SOA) to a new level: systems in general and systems that interact with human users (e.g., socio-technical systems) in particular are built by composing micro-services that are developed independently and operated by different parties. At the same time, SaaS applications are used more and more widely by enterprises as well as public services for providing critical services, including those processing security or privacy of relevant data. Therefore providing secure and reliable service compositions is increasingly needed to ensure the success of SaaS solutions. Building such service compositions securely, is still an unsolved problem. In this paper, we present a framework for modelling, validating, and ranking secure service compositions that integrate both automated services as well as services that interact with humans. As a unique feature, our approach for ranking services integrates validated properties (e. g., based on the result of formally analysing the source code of a service implementation) as well as contractual properties that are part of the service- level-agreement and, thus, not necessarily ensured on a technical level.
brucker.ea:core-dom:2018
Proceedings
New York, NY, USA
ACM Press
2018
The 2018 Web Conference Companion (WWW)
https://www.brucker.ch/bibliography/abstract/brucker.ea-core-dom-2018
https://doi.org/10.1145/3184558.3185980
741-749
BruckerAchimD
HerzbergMichael
ChampinPierre-Antoine
GandonFabienL
LalmasMounia
IpeirotisPanagiotisG
A Formal Semantics of the Core DOM in Isabelle/HOL
At its core, the Document Object Model (DOM) defines a tree-like data structure for representing documents in general and HTML documents in particular. It forms the heart of any rendering engine of modern web browsers. Formalizing the key concepts of the DOM is a pre-requisite for the formal reasoning over client-side JavaScript programs as well as for the analysis of security concepts in modern web browsers. In this paper, we present a formalization of the Core DOM, with focus on the node-tree and the operations defined on node-trees, in Isabelle/HOL. We use the formalization to verify the functional correctness of the most important functions defined in the DOM standard. Moreover, our formalization is (1) extensible, i.e., can be extended without the need of re-proving already proven properties and (2) executable, i.e., we can generate executable code from our specification.
asim.ea:policy-monitoring:2018
ArticleInAPeriodical
John Wiley & Sons
2018
Journal of Software: Evolution and Process
https://www.brucker.ch/bibliography/abstract/asim.ea-policy-monitoring-2018
https://doi.org/10.1002/smr.1944
AsimMuhammad
YautsiukhinArtsiom
BruckerAchimD
BakerThar
ShiQi
LempereurBrett
Security Policy Monitoring of BPMN-based Service Compositions
Service composition is a key concept of Service- Oriented Architecture that allows for combining loosely coupled services that are offered and operated by different service providers. Such environments are expected to dynamically respond to changes that may occur at runtime, including changes in the environment and individual services themselves. Therefore, it is crucial to monitor these loosely-coupled services throughout their lifetime. In this paper, we present a novel framework for monitoring services at runtime and ensuring that services behave as they have promised. In particular, we focus on monitoring non-functional properties that are specified within an agreed security contract. The novelty of our work is based on the way in which monitoring information can be combined from multiple dynamic services to automate the monitoring of business processes and proactively report compliance violations. The framework enables monitoring of both atomic and composite services and provides a user friendly interface for specifying the monitoring policy. We provide an information service case study using a real composite service to demonstrate how we achieve compliance monitoring. The transformation of security policy into monitoring rules, which is done automatically, makes our framework more flexible and accurate than existing techniques.
bill.ea:recent-developments:2017
Proceedings
Heidelberg
Springer-Verlag
2017
STAF 2017 Workshops
10748
https://www.brucker.ch/bibliography/abstract/bill.ea-recent-developments-2017
157-165
BillRobert
BruckerAchimD
GogollaJordiCabotMartin
VallecilloAntonio
WilinkEdwardD
SeidlMartina
ZschallerSteffen
Workshop in OCL and Textual Textual Modelling: Report on Recent Trends and Panel Discussion
This paper reports on the panel session of the 17th Workshop in OCL and Textual Modeling, As in previous years, the panel session featured several lightning talks for presenting recent developments and open questions in the area of OCL and textual modeling. During this session, the OCL community discussed, stimulated through short pre- sentations by OCL experts, proposals for improving OCL to increase the attractiveness of textual modeling. This paper contains a summary of the workshop from the workshop organisers as well as summaries of two lightning talks provided by their presenters.
dashevskyi.ea:vulnerability-screening:2018
ArticleInAPeriodical
2019
October
IEEE Trans. Software Eng.
45
10
https://www.brucker.ch/bibliography/abstract/dashevskyi.ea-vulnerability-screening-2018
https://doi.org/10.1109/TSE.2018.2816033
945-966
DashevskyiStanislav
BruckerAchimD
MassacciFabio
A Screening Test for Disclosed Vulnerabilities in FOSS Components
Free and Open Source Software (FOSS) components are ubiquitous in both proprietary and open source applications. Each time a vulnerability is disclosed in a FOSS component, a software vendor using this an application must decide whether to update the FOSS component, patch the application itself, or just do nothing as the vulnerability is not applicable to the older version of the FOSS component used. This is particularly challenging for enterprise software vendors that consume thousands of FOSS components and offer more than a decade of support and security fixes for their applications. Moreover, customers expect vendors to react quickly on disclosed vulnerabilities—in case of widely discussed vulnerabilities such as Heartbleed, within hours. To address this challenge, we propose a screening test: a novel, automatic method based on thin slicing, for estimating quickly whether a given vulnerability is present in a consumed FOSS component by looking across its entire repository. We show that our screening test scales to large open source projects (e.g., Apache Tomcat, Spring Framework, Jenkins) that are routinely used by large software vendors, scanning thousands of commits and hundred thousands lines of code in a matter of minutes. Further, we provide insights on the empirical probability that, on the above mentioned projects, a potentially vulnerable component might not actually be vulnerable after all.
dashevskyi.ea:foss-efforts:2018
Proceedings
2018
Workshop on the Economics of Information Security (WEIS)
https://www.brucker.ch/bibliography/abstract/dashevskyi.ea-foss-efforts-2018
DashevskyiStanislav
BruckerAchimD
MassacciFabio
On the Effort for Security Maintenance of Open Source Components
The work presented in this paper is motivated by the need to estimate the security effort of maintaining Free and Open Source Software (FOSS) components within the software supply chain of a large international software vendor. We investigated publicly available factors (from number of active users to commits, from code size to usage of popular programming languages, etc.) to identify which ones impact three potential effort models: centralized (the company checks each component and propagates changes to the product groups), distributed (each product group is in charge of evaluating and fixing its consumed FOSS components), and hybrid (seldom used components are checked individually by each development team, the rest is centralized). We use Grounded Theory to extract the factors from a six months study at the vendor. We report the results on a sample of 166 FOSS components used by the vendor.
brucker.ea:standard-compliance-testing:2018
BookSection
Heidelberg
Springer-Verlag
2018
TAP 2018: Tests And Proofs
10889
https://www.brucker.ch/bibliography/abstract/brucker.ea-standard-compliance-testing-2018
https://doi.org/10.1007/978-3-319-92994-1_9
159-166
BruckerAchimD
HerzbergMichael
DuboisCathrine
WolffBurkhart
Formalizing (Web) Standards: An Application of Test and Proof
Most popular technologies are based on informal or semiformal standards that lack a rigid formal semantics. Typical examples include web technologies such as the DOM or HTML, which are defined by the Web Hypertext Application Technology Working Group (WHATWG) and the World Wide Web Consortium (W3C). While there might be API specifications and test cases meant to assert the compliance of a certain implementation, the actual standard is rarely accompanied by a formal model that would lend itself for, e.g., verifying the security or safety properties of real systems. Even when such a formalization of a standard exists, two important questions arise: first, to what extend does the formal model comply to the standard and, second, to what extend does the implementation comply to the formal model and the assumptions made during the verification? In this paper, we present an approach that brings all three involved artifacts - the (semi-)formal standard, the formalization of the standard, and the implementations - closer together by combining verification, symbolic execution, and specification based testing.
hess.ea:tr-stateful-protocol:2018
Report
DTU Compute, Technical University Denmark
2018
2018-03
https://www.brucker.ch/bibliography/abstract/hess.ea-tr-stateful-protocol-2018
HessAndreasV
MödersheimSebastianA
BruckerAchimD
Stateful Protocol Composition (Extended Version)
We prove a parallel compositionality result for protocols with a shared mutable state, i.e., stateful protocols. For protocols satisfying certain compositionality conditions our result shows that analyzing the component protocols in isolation is sufficient to prove security of the more complex composition. Our main contribution is an extension of the compositionality paradigm to stateful protocols where participants main- tain shared databases. We also support declassification of shared secrets. As a final contribution we prove the core of our result in Isabelle/HOL, providing a strong correctness guarantee of our proofs.
brucker.ea:isabelle-ontologies:2018
BookSection
Heidelberg
Springer-Verlag
2018
Conference on Intelligent Computer Mathematics (CICM)
11006
https://www.brucker.ch/bibliography/abstract/brucker.ea-isabelle-ontologies-2018
https://doi.org/10.1007/978-3-319-96812-4_3
BruckerAchimD
Ait-SadouneIdir
CrisafulliPaolo
WolffBurkhart
Using the Isabelle Ontology Framework: Linking the Formal with the Informal
While Isabelle is mostly known as part of Isabelle/HOL (an interactive theorem prover), it actually provides a framework for developing a wide spectrum of applications. A particular strength of the Isabelle framework is the combination of text editing, formal verification, and code generation. Up to now, Isabelle’s document preparation system lacks a mechanism for ensuring the structure of different document types (as, e.g., required in certification processes) in general and, in particular, mechanism for linking informal and formal parts of a document. In this paper, we present Isabelle/DOF, a novel Document Ontology Framework on top of Isabelle. Isabelle/DOF allows for conventional typesetting as well as formal development. We show how to model document ontologies inside Isabelle/DOF, how to use the resulting meta-information for enforcing a certain document structure, and discuss ontology-specific IDE support.
hess.ea:stateful:2018
BookSection
Heidelberg
Springer-Verlag
2018
ESORICS
11098
https://www.brucker.ch/bibliography/abstract/hess.ea-stateful-2018
https://doi.org/10.1007/978-3-319-99073-6
427-446
HessAndreasV
MödersheimSebastianA
BruckerAchimD
LopezJavier
ZhouJianying
Stateful Protocol Composition
We prove a parallel compositionality result for protocols with a shared mutable state, i.e., stateful protocols. For protocols satisfying certain compositionality conditions our result shows that verifying the component protocols in isolation is sufficient to prove security of their composition. Our main contribution is an extension of the compositionality paradigm to stateful protocols where participants maintain shared databases. Because of the generality of our result we also cover many forms of sequential composition as a special case of stateful parallel composition. Moreover, we support declassification of shared secrets. As a final contribution we prove the core of our result in Isabelle/HOL, providing a strong correctness guarantee of our proofs.
foster.ea:efsm:2018
BookSection
Heidelberg
Springer-Verlag
2018
ICFEM
11232
https://www.brucker.ch/bibliography/abstract/foster.ea-efsm-2018
https://doi.org/10.1007/978-3-030-02450-5
373-387
FosterMichael
TaylorRamsayG
BruckerAchimD
DerrickJohn
DongJinSong
SunJing
Formalising Extended Finite State Machine Transition Merging
Model inference from system traces, e.g. for analysing legacy components or generating security tests for distributed components, is a common problem. Extended Finite State Machine (EFSM) models, managing an internal state as a set of registers, are particular well suited for capturing the behaviour of stateful components however, existing inference techniques for (E)FSMs lack the ability to infer the internal state and its updates functions. In this paper, we present a novel approach for inferring EFSMs from system traces that also infers the updates of the internal state. Our approach supports the merging of transitions that update the internal data state. Finally, our model is formalised in Isabelle/HOL, allowing for the machine-checked verification of system properties.
brucker.ea:afp-core-dom:2018
ArticleInAPeriodical
2018
December
Archive of Formal Proofs
http://www.isa-afp.org/entries/Core_DOM.html, Formal proof development
BruckerAchimD
HerzbergMichael
The Core DOM
In this AFP entry, we formalize the core of the Document Object Model (DOM). At its core, the DOM defines a tree-like data structure for representing documents in general and HTML documents in particular. It is the heart of any modern web browser. Formalizing the key concepts of the DOM is a prerequisite for the formal reasoning over client-side JavaScript programs and for the analysis of security concepts in modern web browsers. We present a formalization of the core DOM, with focus on the node-tree and the operations defined on node-trees, in Isabelle/HOL. We use the formalization to verify the functional correctness of the most important functions defined in the DOM standard. Moreover, our formalization is 1) extensible, i.e., can be extended without the need of re-proving already proven properties and 2) executable, i.e., we can generate executable code from our specification.
brucker.ea:isabelledof:2019
BookSection
Heidelberg
Springer-Verlag
2019
Software Engineering and Formal Methods (SEFM)
11724
https://www.brucker.ch/bibliography/abstract/brucker.ea-isabelledof-2019
https://doi.org/10.1007/978-3-030-30446-1_15
275-292
BruckerAchimD
WolffBurkhart
ÖlveczkyPeterC
SalaünGwen
Isabelle/DOF: Design and Implementation
DOF is a novel framework for defining ontologies and enforcing them during document development and evolution. A major goal of DOF is the integrated development of formal certification documents (e. g., for Common Criteria or CENELEC 50128) that require consistency across both formal and informal arguments. To support a consistent development of formal and informal parts of a document, we provide Isabelle/DOF, an implementation of DOF on top of the formal methods framework Isabelle/HOL. A particular emphasis is put on a deep integration into Isabelleâs IDE, which allows for smooth ontology development as well as immediate ontological feedback during the editing of a document. In this paper, we give an in-depth presentation of the design concepts of DOFâs Ontology Definition Language (ODL) and key aspects of the technology of its implementation. Isabelle/DOF is the first ontology language supporting machine-checked links between the formal and informal parts in an LCF-style interactive theorem proving environment. Sufficiently annotated, large documents can easily be developed collabo- ratively, while ensuring their consistency, and the impact of changes (in the formal and the semi-formal content) is tracked automatically.
foster.ea:incorporating:2019
BookSection
Heidelberg
Springer-Verlag
2019
Software Engineering and Formal Methods (SEFM)
11724
https://www.brucker.ch/bibliography/abstract/foster.ea-incorporating-2019
https://doi.org/10.1007/978-3-030-30446-1_14
257-272
FosterMichael
BruckerAchimD
TaylorRamsayG
NorthSiobhán
DerrickJohn
ÖlveczkyPeterC
SalaünGwen
Incorporating Data into EFSM Inference
Models are an important way of understanding software systems. If they do not already exist, then we need to infer them from system behaviour. Most current approaches infer classical FSM models that do not consider data, thus limiting applicability. EFSMs provide a way to concisely model systems with an internal state but existing inference techniques either do not infer models which allow outputs to be computed from inputs, or rely heavily on comprehensive white-box traces that reveal the internal program state, which are often unavailable. In this paper, we present an approach for inferring EFSM models, including functions that modify the internal state. Our technique uses black-box traces which only contain information visible to an external observer of the system. We implemented our approach as a prototype.
brucker.ea:web-components:2019
BookSection
Heidelberg
Springer-Verlag
2020
Formal Aspects of Component Software (FACS)
12018
https://www.brucker.ch/bibliography/abstract/brucker.ea-web-components-2019
https://doi.org/10.1007/978-3-030-40914-2_3
BruckerAchimD
HerzbergMichael
JongmansSung-Shik
ArbabFarhad
A Formally Verified Model of Web Components
The trend towards ever more complex client-side web applications is unstoppable. Compared to traditional software development, client-side web development lacks a well-established component model, i.e., a method for easily and safely reusing already developed functionality. To address this issue, the web community started to adopt shadow trees as part of the Document Object Model (DOM): shadow trees allow developers to ”partition” a DOM instance into parts that should be safely separated, e.g., code modifying one part should not, unintentionally, affect other parts of the DOM. While shadow trees provide the technical basis for defining web components, the DOM standard neither defines the concept of web components nor specifies the safety properties that web components should guarantee. Consequently, the standard also does not discuss how or even if the methods for modifying the DOM respect component boundaries. In this paper, we present a formally verified model of web components and define safety properties which ensure that different web components can only interact with each other using well-defined interfaces. Moreover, our verification of the application programming interface (API) of the DOM revealed numerous invariants that implementations of the DOM API need to preserve to ensure the integrity of components.
brucker.ea:ontologies-certification:2019
BookSection
Heidelberg
Springer-Verlag
2019
Integrated Formal Methods (iFM)
11918
https://www.brucker.ch/bibliography/abstract/brucker.ea-ontologies-certification-2019
https://doi.org/10.1007/978-3-030-34968-4_4
BruckerAchimD
WolffBurkhart
AhrendtWolfgang
TarifaSilviaLizethTapia
Using Ontologies in Formal Developments Targeting Certification
A common problem in the certification of highly safety or security critical systems is the consistency of the certification documentation in general and, in particular, the linking between semi-formal and formal content of the certification documentation. We address this problem by using an existing framework, Isabelle/DOF, that allows writing certification documents with consistency guarantees, in both, the semi-formal and formal parts. Isabelle/DOF supports the modeling of document ontologies using a strongly typed ontology definition language. An ontology is then enforced inside documents including formal parts, e.g., system models, verification proofs, code, tests and validations of corner-cases. The entire set of documents is checked within Isabelle/HOL, which includes the definition of ontologies and the editing of integrated documents based on them. This process is supported by an IDE that provides continuous checking of the document consistency. In this paper, we present how a specific software-engineering certification standard, namely CENELEC 50128, can be modeled inside Isabelle/DOF. Based on an ontology covering a substantial part of this standard, we present how Isabelle/DOF can be applied to a certification case-study in the railway domain.
brucker.ea:emerging:2019
Proceedings
CEUR-WS.org
2019
OCL 2019
2513
https://www.brucker.ch/bibliography/abstract/brucker.ea-emerging-2019
91-104
BruckerAchimD
DanielGwendal
GogollaMartin
JouaultFrédéric
Christophe Ponsard
RamonValéry
WillinkEdwardD
BruckerAchimD
DanielGwendal
JouaultFrédéric
Emerging Topics in Textual Modelling
The 19th edition of the OCL workshop featured a lightning talk session where authors were invited to present their recent work and open questions related to textual modeling in general and OCL in particular. These 5 minute presentations triggered fruitful discussions within the OCL community on the usage of textual modeling, model validation, and specific technical points of the OCL specification. This community paper provides an overview of the presented contributions (one per section), as well as a summary of the questions and discussions they have triggered during the session.
brucker.ea:ocl:2019
Conference
CEUR-WS.org
2019
2513
https://www.brucker.ch/bibliography/abstract/brucker.ea-ocl-2019
BruckerAchimD
DanielGwendal
JouaultFrédéric
19th International Workshop on OCL and Textual Modeling, OCL 2019, Munich, Ottawa, Canada, September 16, 2019. Proceedings
hess.ea:stateful:2020
ArticleInAPeriodical
2020
April
Archive of Formal Proofs
http://www.isa-afp.org/entries/Stateful_Protocol_Composition_and_Typing.html, Formal proof development
HessAndreasV
MödersheimSebastian
BruckerAchimD
Stateful Protocol Composition and Typing
We provide in this AFP entry several relative soundness results for security protocols. In particular, we prove typing and compositionality results for stateful protocols (i.e., protocols with mutable state that may span several sessions), and that focuses on reachability properties. Such results are useful to simplify protocol verification by reducing it to a simpler problem: Typing results give conditions under which it is safe to verify a protocol in a typed model where only ”well-typed” attacks can occur whereas compositionality results allow us to verify a composed protocol by only verifying the component protocols in isolation. The conditions on the protocols under which the results hold are furthermore syntactic in nature allowing for full automation. The foundation presented here is used in another entry to provide fully automated and formalized security proofs of stateful protocols.
hess.ea:automated:2020
ArticleInAPeriodical
2020
April
Archive of Formal Proofs
http://www.isa-afp.org/entries/Automated_Stateful_Protocol_Verification.html, Formal proof development
HessAndreasV
MödersheimSebastian
BruckerAchimD
SchlichtkrullAnders
Automated Stateful Protocol Verification
In protocol verification we observe a wide spectrum from fully automated methods to interactive theorem proving with proof assistants like Isabelle/HOL. In this AFP entry, we present a fully-automated approach for verifying stateful security protocols, i.e., protocols with mutable state that may span several sessions. The approach supports reachability goals like secrecy and authentication. We also include a simple user-friendly transaction-based protocol specification language that is embedded into Isabelle.
hess.ea:performing:2021
Proceedings
IEEE
2021
34th IEEE Computer Security Foundations Symposium (CSF)
1
https://www.brucker.ch/bibliography/abstract/hess.ea-performing-2021
https://doi.org/10.1109/CSF51468.2021.00006
143-158
HessAndreasV
MödersheimSebastian
BruckerAchimD
SchlichtkrullAnders
Performing Security Proofs of Stateful Protocols
In protocol verification we observe a wide spectrum from fully automated methods to interactive theorem proving with proof assistants like Isabelle/HOL. The latter provide overwhelmingly high assurance of the correctness, which automated methods often cannot: due to their complexity, bugs in such automated verification tools are likely and thus the risk of erroneously verifying a flawed protocol is non-negligible. There are a few works that try to combine advantages from both ends of the spectrum: a high degree of automation and assurance. We present here a first step towards achieving this for a more challenging class of protocols, namely those that work with a mutable long-term state. To our knowledge this is the first approach that achieves fully automated verification of stateful protocols in an LCF-style theorem prover. The approach also includes a simple user-friendly transaction-based protocol specification language embedded into Isabelle, and can also leverage a number of existing results such as soundness of a typed model.
brucker.ea:model:2020
ArticleInAPeriodical
2020
J. Object Technol.
https://www.brucker.ch/bibliography/abstract/brucker.ea-model-2020
BruckerAchimD
TuongFrééric
WolffBurkhart
Model Transformation as Conservative Theory-Transformation
Model transformations play a central role in model-driven software development. Hence, logical unsafe model transformation can result in erroneous systems. Still, most model transformations are written in languages that do not provide built-in safeness guarantees. We present a new technique to construct tool support for domain-specific languages (DSLs) inside the interactive theorem prover environment Isabelle. Our approach is based on modeling the DSL formally in higher-order logic (HOL), modeling the API of Isabelle inside it, and defining the transformation between these two. Reflection via the powerful code generators yields code that can be integrated as extension into Isabelle and its user interface. Moreover, we use code generation to produce tactic code which is bound to appropriate command-level syntax. Our approach ensures the logical safeness (conservativity) of the theorem prover extension and, thus, provides a certified tool for the DSL in all aspects: the deductive capacities of theorem prover, code generation, and IDE support. We demonstrate our approach by extending Isabelle/HOL with support for UML/OCL and, more generally, providing support for a formal object-oriented modeling method.
foster.ea:efsm-inference:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/Extended_Finite_State_Machine_Inference.html, Formal proof development
FosterMichael
BruckerAchimD
TaylorRamsayG
DerrickJohn
Inference of Extended Finite State Machines
In this AFP entry, we provide a formal implementation of a state-merging technique to infer extended finite state machines (EFSMs), complete with output and update functions, from black-box traces. In particular, we define the subsumption in context relation as a means of determining whether one transition is able to account for the behaviour of another. Building on this, we define the direct subsumption relation, which lifts the subsumption in context relation to EFSM level such that we can use it to determine whether it is safe to merge a given pair of transitions. Key proofs include the conditions necessary for subsumption to occur and that subsumption and direct subsumption are preorder relations. We also provide a number of different heuristics which can be used to abstract away concrete values into registers so that more states and transitions can be merged and provide proofs of the various conditions which must hold for these abstractions to subsume their ungeneralised counterparts. A Code Generator setup to create executable Scala code is also defined.
foster.ea:efsm:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/Extended_Finite_State_Machines.html, Formal proof development
FosterMichael
BruckerAchimD
TaylorRamsayG
DerrickJohn
A Formal Model of Extended Finite State Machines
In this AFP entry, we provide a formalisation of extended finite state machines (EFSMs) where models are represented as finite sets of transitions between states. EFSMs execute traces to produce observable outputs. We also define various simulation and equality metrics for EFSMs in terms of traces and prove their strengths in relation to each other. Another key contribution is a framework of function definitions such that LTL properties can be phrased over EFSMs. Finally, we provide a simple example case study in the form of a drinks machine.
brucker.ea:afp-core-sc-dom:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/Core_SC_DOM.html, Formal proof development
BruckerAchimD
HerzbergMichael
The Safely Composable DOM
In this AFP entry, we formalize the core of the Safely Composable Document Object Model (SC DOM). The SC DOM improve the standard DOM by strengthening the tree boundaries set by shadow roots: in the SC DOM, the shadow root is a sub-class of the document class (instead of a base class). This modifications also results in changes to some API methods (e.g., getOwnerDocument) to return the nearest shadow root rather than the document root. As a result, many API methods that, when called on a node inside a shadow tree, would previously “break out” and return or modify nodes that are possibly outside the shadow tree, now stay within its boundaries. This change in behavior makes programs that operate on shadow trees more predictable for the developer and allows them to make more assumptions about other code accessing the DOM.
brucker.ea:afp-shadow-dom:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/Shadow_DOM.html, Formal proof development
BruckerAchimD
HerzbergMichael
Shadow DOM: A Formal Model of the Document Object Model with Shadow Roots
In this AFP entry, we extend our formalization of the core DOM with Shadow Roots. Shadow roots are a recent proposal of the web community to support a component-based development approach for client-side web applications. Shadow roots are a significant extension to the DOM standard and, as web standards are condemned to be backward compatible, such extensions often result in complex specification that may contain unwanted subtleties that can be detected by a formalization. Our Isabelle/HOL formalization is, in the sense of object-orientation, an extension of our formalization of the core DOM and enjoys the same basic properties, i.e., it is extensible, i.e., can be extended without the need of re-proving already proven properties and executable, i.e., we can generate executable code from our specification. We exploit the executability to show that our formalization complies to the official standard of the W3C, respectively, the WHATWG.
brucker.ea:afp-shadow-sc-dom:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/Shadow_SC_DOM.html, Formal proof development
BruckerAchimD
HerzbergMichael
Shadow SC DOM: A Formal Model of the Safelty Composable Document Object Model with Shadow Roots
In this AFP entry, we extend our formalization of the safely composable DOM with Shadow Roots. Shadow roots are a recent proposal of the web community to support a component-based development approach for client-side web applications. Shadow roots are a significant extension to the DOM standard and, as web standards are condemned to be backward compatible, such extensions often result in complex specification that may contain unwanted subtleties that can be detected by a formalization. Our Isabelle/HOL formalization is, in the sense of object-orientation, an extension of our formalization of the core DOM and enjoys the same basic properties, i.e., it is extensible, i.e., can be extended without the need of re-proving already proven properties and executable, i.e., we can generate executable code from our specification. We exploit the executability to show that our formalization complies to the official standard of the W3C, respectively, the WHATWG.
brucker.ea:afp-dom-components:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/DOM_Components.html, Formal proof development
BruckerAchimD
HerzbergMichael
A Formalization of Web Components
While the DOM with shadow trees provide the technical basis for defining web components, the DOM standard neither defines the concept of web components nor specifies the safety properties that web components should guarantee. Consequently, the standard also does not discuss how or even if the methods for modifying the DOM respect component boundaries. In AFP entry, we present a formally verified model of web components and define safety properties which ensure that different web components can only interact with each other using well-defined interfaces. Moreover, our verification of the application programming interface (API) of the DOM revealed numerous invariants that implementations of the DOM API need to preserve to ensure the integrity of components.
brucker.ea:afp-sc-dom-components:2020
ArticleInAPeriodical
2020
September
Archive of Formal Proofs
http://www.isa-afp.org/entries/SC_DOM_Components.html, Formal proof development
BruckerAchimD
HerzbergMichael
A Formalization of Safely Composable Web Components
While the (safely composable) DOM with shadow trees provide the technical basis for defining web components, it does neither defines the concept of web components nor specifies the safety properties that web components should guarantee. Consequently, the standard also does not discuss how or even if the methods for modifying the DOM respect component boundaries. In AFP entry, we present a formally verified model of safely composable web components and define safety properties which ensure that different web components can only interact with each other using well-defined interfaces. Moreover, our verification of the application programming interface (API) of the DOM revealed numerous invariants that implementations of the DOM API need to preserve to ensure the integrity of components.
brucker.ea:confidential-lca:2021
Proceedings
Heidelberg
Springer-Verlag
2021
BPMN 2021 Workshops
https://www.brucker.ch/bibliography/abstract/brucker.ea-confidential-lca-2021
BruckerAchimD
YalmanSakine
MarrellaAndrea
WeberBarbara
Confidentiality Enhanced Life-Cycle Assessment
The environmental impact of products is an important factor in buying decisions of customers and it is also an increasing concern of law makers. Hence, companies are interested in determining the ecological footprint of their products. Life-cycle assessment (LCA) is a standardized method for computing the ecological footprint of a product. Today, LCA is usually not computed in real-time and neither is LCA using actual sensor data: in contrast it is computed “offline” using “historic” values based on exemplary measurements. With the rise of the Internet of Things (IoT), LCA computations can be based on actual production processes. While an LCA based on actual sensor data is desirable from an ecological perspective, it also can reveal trade secrets, e.g., details about production processes or business relationships. In this paper, we present an approach, using secure multi-party computation, to enable the confidential data sharing required for an LCA computation using sensor data.
marmsoler.ea:solidity-semantics:2021
BookSection
Heidelberg
Springer-Verlag
2021
Software Engineering and Formal Methods (SEFM)
https://www.brucker.ch/bibliography/abstract/marmsoler.ea-solidity-semantics-2021
MarmsolerDiego
BruckerAchimD
CalinescuRadu
PasareanuCorina
A Denotational Semantics of Solidity in Isabelle/HOL
Smart contracts are programs, usually automating legal agreements such as financial transactions. Thus, bugs in smart contracts can lead to large financial losses. For example, an incorrectly initialized contract was the root cause of the Parity Wallet bug that made USD 280mil worth of Ether inaccessible. Ether is the cryptocurrency of the Ethereum blockchain that uses Solidity for expressing smart contracts. In this paper, we address this problem by presenting an executable denotational semantics for Solidity in the interactive theorem prover Isabelle/HOL. This formal semantics builds the foundation of an interactive program verification environment for Solidity programs and allows for inspecting Solidity programs by (symbolic) execution. We combine the latter with grammar-based fuzzing to ensure that our formal semantics complies to the Solidity implementation on the Ethereum Blockchain. Finally, we demonstrate the formal verification of Solidity programs by two examples: constant folding and memory optimization.
marmsoler.ea:conformance:2022
BookSection
Heidelberg
Springer-Verlag
2022
TAP 2022: Tests And Proofs
https://www.brucker.ch/bibliography/abstract/marmsoler.ea-conformance-2022
MarmsolerDiego
BruckerAchimD
KovacsLaura
MeinkeKarl
Conformance Testing of Formal Semantics using Grammar-based Fuzzing
A common problem in verification is to ensure that the formal specification models the real-world system, i.e., the implementation, faithfully. Testing is a technique that can help to bridge the gap between a formal specification and its implementation. Fuzzing in general and grammar-based fuzzing in particular are successfully used for finding bugs in implementations. Traditional fuzzing applications rely on an implicit test specification that informally can be described as “the program under test does not crash”. In this paper, we present an approach using grammar-based fuzzing to ensure the conformance of a formal specification, namely the formal semantics of the Solidity Programming language, to a real-world implementation. For this, we derive an executable test-oracle from the formal semantics of Solidity in Isabelle/HOL. The derived test oracle is used during the fuzzing of the implementation to validate that the formal semantics and the implementation are in conformance.
brucker:nano-json:2022
ArticleInAPeriodical
2022
July
Archive of Formal Proofs
http://www.isa-afp.org/entries/Nano_JSON.html, Formal proof development
BruckerAchimD
Nano JSON: Working with JSON formatted data in Isabelle/HOL and Isabelle/ML
JSON (JavaScript Object Notation) is a common format for exchanging data, based on a collection of key/value-pairs (the JSON objects) and lists. Its syntax is inspired by JavaScript with the aim of being easy to read and write for humans and easy to parse and generate for machines. Despite its origin in the JavaScript world, JSON is language-independent and many programming languages support working with JSON-encoded data. This makes JSON an interesting format for exchanging data with Isabelle/HOL. This AFP entry provides a JSON-like import-expert format for both Isabelle/ML and Isabelle/HOL. On the one hand, this AFP entry provides means for Isabelle/HOL users to work with JSON encoded data without the need using Isabelle/ML. On the other and, the provided Isabelle/ML interfaces allow additional extensions or integration into Isabelle extensions written in Isabelle/ML. While format is not fully JSON compliant (e.g., due to limitations in the range of supported Unicode characters), it works in most situations: the provided implementation in Isabelle/ML and its representation in Isabelle/HOL have been used successfully in several projects for exchanging data sets of several hundredths of megabyte between Isabelle and external tools.
marmsoler.ea:isabelle-solidity:2022
ArticleInAPeriodical
2022
July
Archive of Formal Proofs
http://www.isa-afp.org/entries/Solidity.html, Formal proof development
MarmsolerDiego
BruckerAchimD
Isabelle/Solidity: A deep Embedding of Solidity in Isabelle/HOL
Smart contracts are automatically executed programs, usually representing legal agreements such as financial transactions. Thus, bugs in smart contracts can lead to large financial losses. For example, an incorrectly initialized contract was the root cause of the Parity Wallet bug that saw 280M worth of Ether destroyed. Ether is the cryptocurrency of the Ethereum blockchain that uses Solidity for expressing smart contracts. We address this problem by formalizing an executable denotational semantics for Solidity in the interactive theorem prover Isabelle/HOL. This formal semantics builds the foundation of an interactive program verification environment for Solidity programs and allows for inspecting them by (symbolic) execution. We combine the latter with grammar based fuzzing to ensure that our formal semantics complies to the Solidity implementation on the Ethereum Blockchain. Finally, we demonstrate the formal verification of Solidity programs by two examples: constant folding and a simple verified token.
brucker.ea:feedforward-nn-verification:2023
BookSection
Heidelberg
Springer-Verlag
2023
Formal Methods (FM 2023)
https://www.brucker.ch/bibliography/abstract/brucker.ea-feedforward-nn-verification-2023
BruckerAchimD
StellAmy
ChechikMarsha
KatoenJoost-Pieter
LeuckerMartin
Verifying Feedforward Neural Networks for Classification in Isabelle/HOL
Neural networks are being used successfully to solve classification problems, e.g., for detecting objects in images. It is well known that neural networks are susceptible if small changes applied to their input result in misclassification. Situations in which such a slight input change, often hardly noticeable by a human expert, results in a misclassification are called adversarial attacks. Such attacks can be life-threatening if, for example, they occur in image classification systems used in autonomous cars or medical diagnosis. Systems employing neural networks, e.g., for safety or security critical functionality, are a particular challenge for formal verification, which usually expects a program (e.g., given as source code in a programming language). Such a program does, per se, not exist for neural networks. In this paper, we address this challenge by presenting a formal embedding of feedforward neural networks into Isabelle/HOL, together with a discussion of properties that are desirable for neural networks in critical applications. Our Isabelle-based prototype can import neural networks trained in TensorFlow, and we demonstrate our approach using a neural network trained for the classification of digits.
hess.ea:stateful-protocol-composition:2023
ArticleInAPeriodical
New York, NY, USA
ACM Press
2023
ACM Transactions on Privacy and Security
https://www.brucker.ch/bibliography/abstract/hess.ea-stateful-protocol-composition-2023
HessAndreasV
MödersheimSebastianA
BruckerAchimD
Stateful Protocol Composition in Isabelle/HOL
Communication networks like the Internet form a large distributed system where a huge number of components run in parallel, such as security protocols and distributed web applications. For what concerns security, it is obviously infeasible to verify them all at once as one monolithic entity; rather, one has to verify individual components in isolation. While many typical components like TLS have been studied intensively, there exists much less research on analyzing and ensuring the security of the composition of security protocols. This is a problem since the composition of systems that are secure in isolation can easily be insecure. The main goal of compositionality is thus a theorem of the form: given a set of components that are already proved secure in isolation and that satisfy a number of easy-to-check conditions, then also their parallel composition is secure. Said conditions should of course also be realistic in practice, or better yet, already be satisfied for many existing components. Another benefit of compositionality is that when one would like to exchange a component with another one, all that is needed is the proof that the new component is secure in isolation and satisfies the composition conditions—without having to re-prove anything about the other components. This paper has three contributions over previous work in parallel compositionality. First, we extend the compositionality paradigm to stateful systems: while previous approaches work only for simple protocols that only have a local session state, our result supports participants who maintain long-term databases that can be shared among several protocols. This includes a paradigm for declassification of shared secrets. This result is in fact so general that it also covers many forms of sequential composition as a special case of stateful parallel composition. Second, our compositionality result is formalized and proved in Isabelle/HOL, providing a strong correctness guarantee of our proofs. This also means that one can prove, without gaps, the security of an entire system in Isabelle/HOL, namely the security of components in isolation, the composition conditions, and thus derive the security of the entire system as an Isabelle theorem. For the components one can also make use of our tool PSPSP that can perform automatic proofs for many stateful protocols. Third, for the compositionality conditions we have also implemented an automated check procedure in Isabelle.