Abstract
This paper proposes a new hybrid method to formally verify whether the security specification of a target information system satisfies the security functional requirements defined in ISO/IEC 15408, the evaluation criteria for IT security. We first classify the security functional requirements of ISO/IEC 15408 into two classes: static requirements, concerning static properties of target systems, and dynamic requirements, concerning their dynamic behavior. We then formalize the static requirements in Z notation and the dynamic requirements in temporal logic, so that static properties can be verified by theorem proving and dynamic behavior by model checking. As a result, developers can easily use the method to verify whether the security specification of a target information system satisfies both the static and the dynamic security functional requirements defined in ISO/IEC 15408. The new method is an evolution and improvement of our earlier verification method, which adopted only Z notation and therefore made verifying the dynamic behavior of target systems difficult.
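The abstract describes checking dynamic requirements by model checking a temporal-logic formalization. The Python below is an added illustration, not code from the paper: it runs an explicit-state safety check of two constructed temporal properties (authentication before action, and lockout after a failure limit) over a constructed login model, and exposes an off-by-one flaw in the model as a counterexample edge. The Z/theorem-proving half of the method is not shown, since it needs a prover rather than a script.

```python
"""Explicit-state check of constructed dynamic security requirements over a tiny login model."""
from collections import deque

LIMIT = 3                      # constructed: consecutive failures allowed before lockout
INIT = (False, 0, False)       # state = (authenticated, failures, locked)

def successors(state, off_by_one=False):
    """Constructed transition relation; yields (action, next_state) pairs.
    off_by_one=True injects a flawed lockout threshold (nxt > LIMIT instead of >=)."""
    auth, fails, locked = state
    if locked:
        yield ("unlock", INIT)                 # administrator resets the account
        return
    if not auth:
        yield ("login_ok", (True, 0, False))
        nxt = fails + 1
        yield ("login_fail", (False, nxt, nxt > LIMIT if off_by_one else nxt >= LIMIT))
    else:
        yield ("access", state)                # a TSF-mediated action
        yield ("logout", INIT)

def reachable_transitions(off_by_one=False):
    """BFS over the state space; returns every reachable (state, action, next_state) edge."""
    seen, queue, edges = {INIT}, deque([INIT]), []
    while queue:
        s = queue.popleft()
        for action, t in successors(s, off_by_one):
            edges.append((s, action, t))
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return edges

def check_safety(edges, bad):
    """Returns the first edge violating an invariant of the form G(not bad), or None."""
    return next((e for e in edges if bad(*e)), None)

# Requirement 1 (constructed, in the style of an 'authentication before action' SFR):
# G(access -> authenticated), i.e. no 'access' edge may leave an unauthenticated state.
def access_without_auth(s, action, t):
    return action == "access" and not s[0]

# Requirement 2 (constructed): G(failures >= LIMIT -> locked), the lockout always engages.
def lockout_missed(s, action, t):
    return t[1] >= LIMIT and not t[2]

def verify(off_by_one=False):
    """Returns (counterexample_for_req1, counterexample_for_req2); None means the property holds."""
    edges = reachable_transitions(off_by_one)
    return check_safety(edges, access_without_auth), check_safety(edges, lockout_missed)
```

With the correct model both properties hold; with the off-by-one threshold the checker returns the edge from two failures to three failures without lockout as the counterexample.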
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Morimoto, S., Shigematsu, S., Goto, Y., Cheng, J. (2008). Classification, Formalization and Verification of Security Functional Requirements. In: Geffert, V., Karhumäki, J., Bertoni, A., Preneel, B., Návrat, P., Bieliková, M. (eds) SOFSEM 2008: Theory and Practice of Computer Science. SOFSEM 2008. Lecture Notes in Computer Science, vol 4910. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77566-9_54
DOI: https://doi.org/10.1007/978-3-540-77566-9_54
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-77565-2
Online ISBN: 978-3-540-77566-9
eBook Packages: Computer Science (R0)