Applying Formal Methods in the Certification of a Security-Critical Software System
Dr. Constance Heitmeyer
Software Engineering Section, NRL's Center for High Assurance Computer Systems
A major problem in verifying the security of software is that the code's large size makes verifying the code in its entirety far too costly. This talk describes a novel and practical approach to verifying the security of code that substantially reduces the cost of verification. In this approach, a compact security model containing only the information needed to reason about the security properties of interest is constructed, and the security properties are stated formally in terms of the model. To reduce the cost of verification, the code to be verified is partitioned into three categories. Only the first category, less than 10% of the code in our application, requires formal verification; the proof for the other two categories is relatively trivial. Our approach was developed to support a Common Criteria evaluation of the separation kernel of an embedded software system. This talk describes 1) the techniques and theory for verifying the kernel code and 2) the artifacts produced: a Top Level Specification (TLS) of the model; a formal statement of the security properties; a mechanized proof that the TLS satisfies the property; the partitioning of the code; the annotation of the code with pre- and postconditions; and a demonstration that the annotated code conforms to the TLS. The talk also presents the formal basis for the argument that the kernel code conforms to the TLS and consequently satisfies the security property. The talk concludes by describing the lessons learned and several important topics in code verification that require further research.
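The following is an added, constructed illustration of the chain of artifacts the abstract lists, not code from the talk, from NRL, or from the kernel evaluated: a toy Top Level Specification written as an abstract state machine, a data-separation property checked exhaustively on a finite instance of the model, a small implementation annotated with pre- and postconditions, and a conformance check that compares the abstraction of the implementation state with the TLS state after every event. The two partitions, the region-ownership policy, the `Kernel` class and the `enforce` switch are all hypothetical; the real kernel, its TLS and its mechanized proof are far larger and are not reproduced here.

```python
"""Toy illustration of model-based code verification: an abstract model (TLS),
a data-separation property checked on the model, and an implementation annotated
with pre- and postconditions whose steps are checked to conform to the TLS.
Constructed example; the model, policy and kernel are hypothetical, not NRL's."""
from itertools import product

# ---- Top Level Specification: an abstract state machine (hypothetical) ----
# Two partitions, A and B, each owning one memory region. An event is the tuple
# (requesting domain, operation, region, value); the abstract state maps regions
# to their current contents.
DOMAINS = ("A", "B")
OWNER = {"rA": "A", "rB": "B"}          # region -> owning domain (assumed policy)


def tls_step(state, event):
    """TLS transition: a write by a domain to a region it owns updates that region;
    every other request is rejected and leaves the abstract state unchanged."""
    dom, op, region, value = event
    new = dict(state)
    if op == "write" and OWNER[region] == dom:
        new[region] = value
    return new


def tls_observe(state, dom):
    """A domain's view of the state: only the regions it owns."""
    return {r: v for r, v in state.items() if OWNER[r] == dom}


def check_separation(values=(0, 1)):
    """Security property on the model, checked by exhaustive enumeration of a finite
    instance: no step taken by one domain ever changes what another domain observes."""
    regions = list(OWNER)
    states = [dict(zip(regions, vs)) for vs in product(values, repeat=len(regions))]
    events = [(d, op, r, v) for d in DOMAINS for op in ("read", "write")
              for r in regions for v in values]
    for s in states:
        for e in events:
            s2 = tls_step(s, e)
            if any(d != e[0] and tls_observe(s2, d) != tls_observe(s, d) for d in DOMAINS):
                return False
    return True


# ---- Implementation: concrete kernel annotated with pre-/postconditions ----
class Kernel:
    def __init__(self, enforce=True):
        self.mem = {"rA": 0, "rB": 0}               # concrete memory
        self.acl = {"A": {"rA"}, "B": {"rB"}}       # concrete access table
        self.enforce = enforce                      # False models a missing check

    def handle(self, dom, op, region, value=None):
        # precondition: the caller and the region are known to the kernel
        assert dom in self.acl and region in self.mem
        before = dict(self.mem)
        if self.enforce and region not in self.acl[dom]:
            result = "denied"
        elif op == "write":
            self.mem[region] = value
            result = "ok"
        else:
            result = self.mem[region]
        # postcondition: memory changed at most in the requested region, and only
        # if the caller owns it (the code-level form of the TLS write rule)
        changed = {r for r in self.mem if self.mem[r] != before[r]}
        assert changed <= ({region} & self.acl[dom])
        return result


def abstract(kernel):
    """Abstraction function from concrete kernel state to TLS state."""
    return dict(kernel.mem)


def conforms(trace, enforce=True):
    """Conformance check over a constructed event trace: after every event the
    abstraction of the implementation state must equal the TLS state reached by
    the same event. A violated postcondition also counts as non-conformance."""
    kernel = Kernel(enforce)
    spec = abstract(kernel)
    for event in trace:
        try:
            kernel.handle(*event)
        except AssertionError:
            return False
        spec = tls_step(spec, event)
        if abstract(kernel) != spec:
            return False
    return True


# Constructed trace: legitimate writes by A and B plus B's requests on A's region.
TRACE = [("A", "write", "rA", 7), ("B", "write", "rA", 9),
         ("B", "read", "rA", None), ("B", "write", "rB", 3)]

if __name__ == "__main__":
    print("model satisfies separation:", check_separation())
    print("enforcing kernel conforms:", conforms(TRACE))
    print("kernel without the check conforms:", conforms(TRACE, enforce=False))
```

The three checks mirror the three kinds of evidence the abstract describes: the property is established on the compact model rather than on the code, the code carries pre- and postconditions that state the model's rule at the implementation level, and conformance is argued per event through an abstraction function, so the property proved on the model carries over to the code. Removing the access check (`enforce=False`) is caught by the postcondition before the abstract states can even diverge.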
Dr. Constance Heitmeyer heads the Software Engineering Section of NRL's Center for High Assurance Computer Systems. Her research focuses on the formal modeling and analysis of critical software systems. She has published more than 140 technical papers covering a range of software-related research topics, including requirements specification and validation, verification using model checking and theorem proving, invariant generation, model-based test generation, security modeling, and real-time computing. A frequent invited speaker on software topics, Ms. Heitmeyer is the chief designer of NRL's Requirements Toolset, a set of tools for specifying, validating, and verifying critical systems, which has been transferred to over 200 industry, government, and university groups. One of Ms. Heitmeyer’s major objectives is to transition the results of her research to software practice. Recently, she led a team which produced evidence demonstrating the security of software implementing an embedded DoD software device; the evidence was used in a Common Criteria evaluation supporting U.S. government certification of the device.