Verifying System Components with Memory

Verifying System Components with Memory
Jim Alves-Foss
Idaho Center for Applied Logic, Department of Computer Science, University of Idaho, Moscow, ID 83843
November 7, 1991

Abstract

This paper presents the specification of a generic class of components that have memory, the programmable-filter class. This class consists of components that process inputs one at a time and send a corresponding output derived from the current input and previous inputs. Systems in this class are secure not only if the security classification of the outputs is at the same or higher level as the corresponding input but also if the output is independent of any previous higher level inputs. We show that a subset of this class of components satisfies McCullough's restrictiveness security property. As an example we take the generic class and specialize a simple database component which we instantiate to specify a simple multi-level file server.

1 Introduction

The development of complex computer software is made more manageable by using modular programming techniques and programming constructs such as abstract data types. These approaches can be applied to both the specification and implementation phases of the software development. Alves-Foss and Levitt [1] have shown that similar approaches can be applied to the verification of system specifications using an event-system model. This paper extends that work by presenting a verified class of system components that have memory.

In [1] Alves-Foss and Levitt present a class of components called set-filters. This class consists of system components that process inputs one at a time and send a corresponding output derived from the current input. These outputs are generated using only the current input and are not a product of any previous inputs. Systems in this class are secure if the security classification of the outputs is at the same or higher level as the corresponding input.

Although a large number of system components fall into the set-filter classification, there exists another large class of components that do not fall into the set-filter classification. Among these components are those that derive their outputs from previous inputs as well as the current input. These components are those that have memory. This paper presents the specification of a generic class of components that have memory, the programmable-filter class. This class consists of components that process inputs one at a time and send a corresponding output derived from the current input and previous inputs. Systems in this class are secure not only if the security classification of the outputs is at the same or higher level as the corresponding input but also if the output is independent of any previous higher level inputs. We show that a subset of this class of components satisfies McCullough's restrictiveness security property.
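The distinction drawn above between a set-filter (memoryless) and a programmable-filter (stateful) component, and the second security condition for the latter, can be made concrete with a small executable model. The following Python is an added example, not the paper's HOL specification: it models a component as a step function over a state, runs it over input traces on a constructed two-level lattice (LOW below HIGH), and checks the paper's condition that outputs at a level must not change when the inputs strictly above that level are removed from the trace. This purge-style check is a simplified independence test, not McCullough's restrictiveness property itself; the two step functions (one keeping state per level, one sharing a single accumulator) are constructed for illustration.

```python
from itertools import product

# Constructed two-level security lattice: LOW is dominated by HIGH.
LOW, HIGH = 0, 1


def run_filter(step, inputs, init_state):
    """Run a component: step(state, (level, value)) -> (new_state, output).

    Each input produces exactly one output, labelled with the input's level
    (outputs never go to a lower level than the input that produced them).
    """
    state = init_state
    outputs = []
    for level, value in inputs:
        state, out = step(state, (level, value))
        outputs.append((level, out))
    return outputs


def purge(inputs, level):
    """Drop every input whose classification is strictly above `level`."""
    return [(l, v) for l, v in inputs if l <= level]


def outputs_at_or_below(outputs, level):
    return [o for o in outputs if o[0] <= level]


def independent_of_higher_inputs(step, init_state, inputs, level=LOW):
    """The paper's second condition at one level: the outputs visible at
    `level` must be identical whether or not higher-level inputs occurred."""
    full = outputs_at_or_below(run_filter(step, inputs, init_state), level)
    purged = outputs_at_or_below(
        run_filter(step, purge(inputs, level), init_state), level)
    return full == purged


# A set-filter: no memory, the output is a function of the current input only.
def set_filter_step(state, inp):
    level, value = inp
    return state, value * 2


# A programmable filter that keeps a running sum per level; an output at
# level L is computed only from inputs at levels dominated by L.
def per_level_step(state, inp):
    level, value = inp
    state = dict(state)                      # copy so traces stay independent
    state[level] = state.get(level, 0) + value
    out = sum(v for l, v in state.items() if l <= level)
    return state, out


# A programmable filter with one shared running sum: a LOW output reveals
# earlier HIGH inputs, so it violates the independence condition.
def shared_sum_step(state, inp):
    level, value = inp
    new = state + value
    return new, new


def find_counterexample(step, init_state, values=(1, 2), length=3, level=LOW):
    """Exhaustively check every input trace of the given length over both
    levels and the given values; return a violating trace, or None."""
    alphabet = [(l, v) for l in (LOW, HIGH) for v in values]
    for trace in product(alphabet, repeat=length):
        if not independent_of_higher_inputs(step, init_state, list(trace), level):
            return list(trace)
    return None


if __name__ == "__main__":
    print("set-filter:", find_counterexample(set_filter_step, None))
    print("per-level filter:", find_counterexample(per_level_step, {}))
    print("shared-sum filter:", find_counterexample(shared_sum_step, 0))
```

Exhaustive enumeration over short traces is enough to expose the shared-sum component; the per-level and memoryless components pass because their LOW outputs are functions of the LOW-input subsequence alone, which is exactly the property the paper's HOL proofs establish for the verified subclass in general rather than for traces of bounded length.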
All specifications and proofs presented in this paper have been developed in the HOL theorem proving system. In Section 2 we give a brief introduction to the HOL system. In Section 3 we discuss the formal system model and security policy presented in [1]. In Section 4 we give a review of the generic classifications of [1]. In Section 5 we present the actual HOL specification of the programmable filter class of system components and the verification that a specific subclass of these components satisfies McCullough's restrictiveness security policy. In Section 6 we specialize this subclass of components to demonstrate how we can create a simple database component specification. In Section 7 we present an example of an instantiation of the database component to define a simple multi-level file server for the Rushby-Randell Secure Distributed system [14].

2 The HOL System

To formally model the security properties of a secure distributed system and to ensure the accuracy of our proofs, we felt that it was necessary to develop the proofs and properties using a mechanical verification system. This prevents proofs from containing logical mistakes, and assures that the foundations on which the work is based are sound. Due to the nature of the proofs, which include quantification over sets of objects, we felt that a system which supports higher-order logic and a typed lambda calculus would facilitate our efforts. The HOL system was selected for this project due to its support for higher-order logic, generic specifications and polymorphic type constructs. Furthermore its availability, ruggedness, local support, and a growing world-wide user base made it a very attractive selection.

HOL is a general theorem proving system developed at the University of Cambridge [7, 3] that is based on Church's theory of simple types, or higher-order logic [4]. Although Church developed higher-order logic as a foundation for mathematics, it can be used for reasoning about computational systems of all kinds. Similar to predicate logic in allowing quantification over variables, higher-order logic also allows quantification over predicates and functions, thus permitting more general systems to be described. HOL is not a fully automated theorem prover but is more than simply a proof checker, falling somewhere between these two extremes. HOL has several features that contribute to its use as a verification environment: built-in theories, rules of inference for higher-order logic, proof tactics, a proof management system, and a metalanguage for extending the prover.

Notations and Conventions. Throughout this paper, we present several definitions and theorems developed in the HOL system. To make this work more understandable to the reader unfamiliar with HOL syntax, we have run the HOL output through a preprocessor. This preprocessor transfers HOL special symbols into their logic symbol counterparts. These include:

1. quantifiers ∀, ∃, [symbol lost in extraction]

2. the Hilbert choice operator ε, such that εx. P x returns an element that satisfies the predicate P if one exists, and an element of the correct type otherwise

3. logical operators ¬, ∧, ∨, ⊃, [symbol lost in extraction], =, [symbol lost in extraction]
