
A Framework for Contract-Policy Matching Based on Symbolic Simulations for Securing Mobile Device Application

Conference paper
In: Leveraging Applications of Formal Methods, Verification and Validation (ISoLA 2008)

Abstract

There is growing interest in programming models based on the notion of contract. In the security realm in particular, one can imagine a situation where downloaded code or a software service exposes its security-relevant behaviour in a contract that it must fulfil. Assuming a mechanism already exists to ensure that the program or service adheres to its contract, it remains to check that the contract matches the user's security policy. We refer to this checking procedure as contract-policy matching.

We specialize this framework to the setting of mobile devices. Both the contract and the user policy are formally expressed as (symbolic) transition systems.

Contract-policy matching then amounts to simulation checking: the contract transition system must be simulated by the policy transition system. That is, for each transition of the contract corresponding to a security-relevant action (one the program may therefore perform), we check that the policy system has a matching transition and that the resulting contract system is again simulated by the resulting policy system.

After some running examples, we present an implementation of the simulation-matching algorithm, developed in J2ME and able to run on smartphones as well.
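As an added example (not code from the paper, whose implementation is in J2ME), the following Python sketch carries out the simulation check the abstract describes over plain labelled transition systems and, when the check fails, extracts the sequence of security actions that the policy cannot follow. The policy, the three contracts and their action names are constructed for illustration; transition labels are plain strings, so the symbolic (value-passing) treatment of the paper is not reproduced.

```python
"""Contract-policy matching as simulation checking over labelled transition systems.

Constructed example, not the paper's J2ME code.  Each LTS is a dict mapping a
state to its outgoing (action, next_state) transitions; every state must
appear as a key (possibly with an empty list).  Actions are plain labels; the
symbolic guards of the paper are not modelled.
"""

# Policy (constructed): a connection must be opened before data is sent, and
# nothing may be sent after the connection is closed.
POLICY = {
    "closed": [("connect", "open")],
    "open": [("send", "open"), ("close", "closed")],
}

# Contract of a compliant application: connect, send repeatedly, close.
GOOD_CONTRACT = {
    "c0": [("connect", "c1")],
    "c1": [("send", "c1"), ("close", "c0")],
}

# Contract of an application that may send before connecting.
BAD_CONTRACT = {
    "c0": [("send", "c0"), ("connect", "c1")],
    "c1": [("close", "c0")],
}

# Contract whose violation only appears three steps in: send after close.
LATE_SEND_CONTRACT = {
    "c0": [("connect", "c1")],
    "c1": [("close", "c2")],
    "c2": [("send", "c2")],
}


def simulation(contract, policy):
    """Greatest simulation relation between contract and policy states.

    Starts from every (c, p) pair and repeatedly discards a pair when the
    contract has a transition c --a--> c' for which the policy offers no
    p --a--> p' with (c', p') still in the relation.  Returns the relation
    and, for every discarded pair, the (action, c') that caused the discard.
    """
    rel = {(c, p) for c in contract for p in policy}
    why = {}
    changed = True
    while changed:
        changed = False
        for c, p in sorted(rel):  # sorted() copies, so discarding below is safe
            for action, c_next in contract.get(c, []):
                matched = any(
                    a == action and (c_next, p_next) in rel
                    for a, p_next in policy.get(p, [])
                )
                if not matched:
                    rel.discard((c, p))
                    why[(c, p)] = (action, c_next)
                    changed = True
                    break
    return rel, why


def is_simulated(contract, c0, policy, p0):
    """True iff the contract (from c0) is simulated by the policy (from p0)."""
    rel, _ = simulation(contract, policy)
    return (c0, p0) in rel


def counterexample(contract, c0, policy, p0):
    """Action sequence of the contract that the policy cannot follow.

    Returns None when the contract is simulated.  Otherwise walks the
    discarded pairs recorded by simulation(): from a discarded (c, p) the
    offending action leads only to pairs discarded earlier, so the walk
    terminates at a policy state with no transition for that action.  For a
    deterministic policy (as security automata usually are) the returned
    trace is exactly a run of the application the policy forbids.
    """
    rel, why = simulation(contract, policy)
    pair = (c0, p0)
    if pair in rel:
        return None
    trace = []
    while True:
        c, p = pair
        action, c_next = why[pair]
        trace.append(action)
        successors = [p_next for a, p_next in policy.get(p, []) if a == action]
        if not successors:
            return trace
        pair = (c_next, successors[0])


if __name__ == "__main__":
    cases = [("good", GOOD_CONTRACT), ("bad", BAD_CONTRACT),
             ("late-send", LATE_SEND_CONTRACT)]
    for name, contract in cases:
        ok = is_simulated(contract, "c0", POLICY, "closed")
        trace = counterexample(contract, "c0", POLICY, "closed")
        print(f"{name}: {'matches policy' if ok else 'violates policy'}", trace or "")
```

The fixpoint computation starts from the full product of states and only removes pairs, so it is the greatest simulation; checking that the pair of initial states survives is the whole matching decision. Recording why each pair was discarded costs nothing extra and gives the user a concrete forbidden action sequence to show, which is what a mobile device would want to display when refusing to install an application.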

Work partially supported by the EU project “Software Engineering for Service-Oriented Overlay Computers” (SENSORIA), the Artist2 “Network of Excellence on Embedded Systems Design” and “Secure Software and Services for Mobile Systems” (S3MS).




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Greci, P., Martinelli, F., Matteucci, I. (2008). A Framework for Contract-Policy Matching Based on Symbolic Simulations for Securing Mobile Device Application. In: Margaria, T., Steffen, B. (eds) Leveraging Applications of Formal Methods, Verification and Validation. ISoLA 2008. Communications in Computer and Information Science, vol 17. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88479-8_16

  • DOI: https://doi.org/10.1007/978-3-540-88479-8_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88478-1

  • Online ISBN: 978-3-540-88479-8
