Presentation is loading. Please wait.

Presentation is loading. Please wait.

Overview of the Multos construction process Chad R. Meiners.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Overview of the Multos construction process Chad R. Meiners."— Presentation transcript:

1 Overview of the Multos construction process Chad R. Meiners

2 Outline Examine the characteristics of Multos Examine the project requirements Examine the formal methodology Examine the developmental results Evaluate Praxis’s methods Evaluate the paper’s focus Evaluate infrastructural requirements of the methodology

3 Multos Multos is a secure operating system for running separate applications within a single smart card. Multos depends on a centralized certification authority to provide permission to load and delete applications from a card. Praxis was hired to develop the Multos certification authority.

4 Project Requirements ITSEC level E6 certification –Formal methods required –System requirements must be unambiguous Minimum developmental risk –Avoid pitfalls in later development cycles –Keep within developmental and budget constraints

5 System Requirements COTS hardware and infrastructure –Minimize the cost –Minimize time Multi-user requirements –System distributed for high throughput –System must be usable to clients Security –System must be trusted and usable

6 Methodology “Correctness by construction depends on knowing what the system needs to do and being sure that it does it.” -Anthony Hall and Roderick Chapman Requirements Specification Design Code

7 Requirements Translated business objectives into requirements Labeled each requirement Traced each label to a source –Includes tracing security requirements to threats Validate all requirements with the client

8 Specification System specified as a series of black boxes –User Interface The look and feel of the black boxes Prototype verified by clients –Formal top-level specification The functionality of the black boxes Typechecker used to verify and check system consistency

9 High Level Design Described how the black boxes function together Described the black boxes’ internal structures Addressed security concerns between the boxes

10 Security with Untrusted Components System security must not really on the security of untrusted components –Commercial database –Untrusted operating system Security achieved by (from the paper) –Hardware separation –Information encryption –Authentication codes –Individual processing of security-critical code

11 Detailed Design Describes the actual software modules to construct the system Most modules are directly derived from the formal top-level specification Complex areas are further modeled in Z –Key management –System startup

12 Formal Security Policy Model Security requirements written in Z Four types of requirements –Security invariants –Functional requirements –Operational constraints –Information separation Requirements checked with a typechecker

13 Code Code life of twenty years –Avoided using COTS software components –Implemented these components from scratch Multiple languages used for appropriate jobs –Spark Ada : Security Kernel –Ada 95 : System critical parts –C : Reuse cryptography code –C++ : GUI

14 Review All artifacts of the development cycle were reviewed and check for correctness and consistency Automated checking was used when possible Desk checking was performed when necessary

15 Testing System built incrementally in a top down fashion Each system test was a real system in the environment Tests derived from specifications and automated Tests were instrumented to check statement and branch coverage

16 Results The delivered system satisfied client requirements Low defect rate in the system –0.04 defects per KLOC –100,000 line of code Minimized the amount of effort spent fixing errors (6% of total effort)

17 Results of Tool Support Developers could concentrate on insuring correct system wide behavior –Z automatically checked for consistency –CSP model checked –SPARK eliminated an entire domain of errors Tool support was utilized whenever available

18 But was it a commercial success? Mobile Communication Mobile e-Commerce Mass Transit CA in UK CA in Japan Future CA in Hong Kong –Government Immigration card project

19 Other Praxis Projects SHOLIS Hercules II (C-130J) Flight Software Development

20 Praxis’s Methodology Specify early; specify often Black boxes –Allows for the formalization of interfaces and expectations –Works even for untrusted components Untrusted COTS components integrated via incorporating the lack of trust in the system design

21 Paper’s focus Concentrated on the developmental process of incorporating various formal tools Advocated the “right tool for the right job” approach Designed to demonstrate the approachability of formal methods

22 Developmental Infrastructure Requires the developer’s commitment to the approach –Personnel need to be trained in formal method techniques before starting the project –Formal methods must be considered at every step of the project –Must understand that FM is not a magic bullet Requires the client’s acceptance of the approach –Client must be willing to provide proper feedback to the developers –Must understand that FM is not a magic bullet

23 So where do the formal methods for security fit into this process? Used to model protocols before implementation Used to establish a set of trusted protocol for use in formally developed systems The methods we have learned so far must be grafted into a real development process

24 References Anthony Hall and Roderick Chapman. Correctness by construction: Developing a commercial secure system. IEEE Software, Jan/Feb:18-25, 2002. The Multos Website http://www.multos.com http://www.multos.com Praxis’s SPARK Website http://www.sparkada.com

25 Thanks Zhenxiao Yang: For questioning about the commercial success of Multos Brian Kellogg: For questioning about the existence of any bias in the paper

Download ppt "Overview of the Multos construction process Chad R. Meiners."

Similar presentations

Unit-V testing strategies and tactics.

Unit-V testing strategies and tactics.
Presentation by Prabhjot Singh

Presentation by Prabhjot Singh
Software Quality Assurance Plan

Software Quality Assurance Plan
Lecture # 2 : Process Models

Lecture # 2 : Process Models
Chapter 2 – Software Processes

Chapter 2 – Software Processes
Software Processes Coherent sets of activities for specifying, designing, implementing and testing software systems.

Software Processes Coherent sets of activities for specifying, designing, implementing and testing software systems.
DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.

DoD Information Technology Security Certification and Accreditation Process (DITSCAP) Phase III – Validation Thomas Howard Chris Pierce.
11.1 Lecture 11 CASE tools IMS2805 - Systems Design and Implementation.

11.1 Lecture 11 CASE tools IMS Systems Design and Implementation.
PowerPoint Presentation for Dennis, Wixom & Tegarden Systems Analysis and Design Copyright 2001 © John Wiley & Sons, Inc. All rights reserved. Slide 1.

PowerPoint Presentation for Dennis, Wixom & Tegarden Systems Analysis and Design Copyright 2001 © John Wiley & Sons, Inc. All rights reserved. Slide 1.
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.

1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
1 Software Testing and Quality Assurance Lecture 15 - Planning for Testing (Chapter 3, A Practical Guide to Testing Object- Oriented Software)

1 Software Testing and Quality Assurance Lecture 15 - Planning for Testing (Chapter 3, A Practical Guide to Testing Object- Oriented Software)
Fundamentals of Information Systems, Second Edition

Fundamentals of Information Systems, Second Edition
SE 555 Software Requirements & Specification Requirements Validation.

SE 555 Software Requirements & Specification Requirements Validation.
1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.

1 Security Architecture and Analysis Management of System Development and Implementation –The System Development Process –Issues and Risks –Mitigation.
1 Software Testing and Quality Assurance Lecture 1 Software Verification & Validation.

1 Software Testing and Quality Assurance Lecture 1 Software Verification & Validation.
Implementation. We we came from… Planning Analysis Design Implementation Identify Problem/Value. Feasibility Analysis. Project Management. Understand.

Implementation. We we came from… Planning Analysis Design Implementation Identify Problem/Value. Feasibility Analysis. Project Management. Understand.
Introduction to Software Testing

Introduction to Software Testing
Issues on Software Testing for Safety-Critical Real-Time Automation Systems Shahdat Hossain Troy Mockenhaupt.

Issues on Software Testing for Safety-Critical Real-Time Automation Systems Shahdat Hossain Troy Mockenhaupt.
BY RAJESWARI S SOFTWARE TESTING. INTRODUCTION Software testing is the process of testing the software product. Effective software testing will contribute.

BY RAJESWARI S SOFTWARE TESTING. INTRODUCTION Software testing is the process of testing the software product. Effective software testing will contribute.
Introduction to Computer Technology

Introduction to Computer Technology

Similar presentations

Ads by Google