Testing Decision Procedures for Security-by-Contract: Extended

Authors

  • Nataliia Bielova
  • Fabio Massacci
  • Ida Siahaan
Abstract

The traditional realm of formal methods is the off-line verification of formal properties of hardware and software. We report a different approach that uses formal methods (namely the integration of automata modulo theories with decision procedures) on-the-fly, at the time an application is downloaded onto a mobile device such as a PDA or a smart phone. The idea behind security-by-contract is that a mobile application comes equipped with a signed contract describing the security-relevant behavior of the application, and this contract should be matched against the mobile platform's policy. Both are specified as automata modulo theories, and the matching operation is an on-the-fly emptiness test in which edges carry not finite sets of labels but expressions that capture infinitely many transitions, such as "connect only to URLs starting with https://". We describe the prototype implementation, its integration with a state-of-the-art decision solver (based on MathSAT and NuSMV), and preliminary experiments on contract-policy matching.

1 Prototype Implementation

We implemented language inclusion as an on-the-fly emptiness test à la SPIN, with oracle calls to the decision procedures available in NuSMV [1]. Our design choice of automata modulo theories (AMT) therefore makes reasoning about infinite transition systems with finitely many states possible without symbolic manipulation procedures over zones and regions, and without finite representations by equivalence classes, whose memory-intensive nature is not suitable for our application. Our final objective is run-time matching of the mobile platform's policy (called the policy) against the midlet's security claims (called the contract), both expressed as AMT. First, we implemented the contract-matching prototype in Java for the desktop. Then we ported the prototype to .NET on an HTC P3600 (3G PDA phone). We ran experiments on both implementations to assess feasibility and to select the best design alternative.

Our algorithm checks whether or not the contract matches the policy using an on-the-fly emptiness check. The on-the-fly procedure takes as input a contract automaton and a complemented policy automaton. The decision procedure part interacts with the SMT solver NuSMV (1) for satisfiability checks. The instance of the NuSMV class is created only once, at the beginning of the on-the-fly procedure; then we declare variables, add constraints and remove constraints in the library every time we call the solver. We used Java SDK version 6 and Apache Ant (2) to compile the Java sources and to run the tools automatically (see [2] for details).

2 Experiments on Desktop and on Device

To decide the best configuration for integrating the decision procedure, we made different design decisions and ran experiments on the alternatives. This analysis is important because of the resource constraints of a mobile device; for our goal, even small differences in running time matter.

∗ This work is partly supported by the project EU-FP6-IST-STREP-S3MS (www.s3ms.org). We would like to thank M. Roveri and A. Cimatti for their support in the usage of the NuSMV and MathSAT libraries and for hammering down a decision procedure for URLs. We also acknowledge Marco Dalla Torre for support in the integration of the tools.
(1) http://nusmv.fbk.eu/
(2) http://ant.apache.org/
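The on-the-fly emptiness test with oracle calls described above, as an added example that is not the paper's prototype: a contract automaton and a complemented policy automaton whose edges are guarded by theory expressions (here a toy prefix theory over the url argument of a connect action), a small decision procedure standing in for the NuSMV/MathSAT oracle, and a depth-first exploration of the product that asks the oracle whether the conjunction of the two guards is satisfiable before taking a joint transition. It simplifies the paper's setting to safety policies, so emptiness reduces to reachability of the complement's error state, and it treats every action the policy does not mention as forbidden. The policy, contract, state names and action names are constructed for the example.

```python
"""Added example: on-the-fly contract/policy matching with guards as theory
expressions and a toy decision procedure in place of the SMT oracle."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Prefix:
    """Atom of the guard theory: the action's url argument starts (or, if
    negated, does not start) with `value`. Guards are conjunctions of atoms."""
    value: str
    negated: bool = False

    def __invert__(self) -> "Prefix":
        return Prefix(self.value, not self.negated)


Guard = FrozenSet[Prefix]      # conjunction of atoms; frozenset() means "true"
Edge = Tuple[str, Guard, str]  # (action, guard, destination state)
ERROR = "<error>"              # sink state of the complemented policy


def satisfiable(guard: Guard) -> Optional[str]:
    """Decision procedure for the prefix theory (stand-in for the solver):
    returns a witness url if the conjunction is satisfiable, else None."""
    positive = sorted((a.value for a in guard if not a.negated), key=len)
    negative = [a.value for a in guard if a.negated]
    longest = ""
    for p in positive:
        if not p.startswith(longest):
            return None           # two required prefixes contradict each other
        longest = p
    if any(longest.startswith(q) for q in negative):
        return None               # a forbidden prefix is implied by a required one
    # Forbidden prefixes that strictly extend `longest` are dodged by choosing
    # a next character none of them uses (toy alphabet: printable ASCII).
    blocked = {q[len(longest)] for q in negative if q.startswith(longest)}
    if not blocked:
        return longest
    for code in range(0x21, 0x7F):
        if chr(code) not in blocked:
            return longest + chr(code)
    return None


@dataclass
class Automaton:
    initial: str
    edges: Dict[str, List[Edge]] = field(default_factory=dict)

    def actions(self) -> Set[str]:
        return {a for out in self.edges.values() for a, _, _ in out}


def complement_policy(policy: Automaton, actions: Set[str]) -> Automaton:
    """Complement of a safety policy: keep its edges and add, per state and
    action, an edge to ERROR guarded by the negation of every allowed guard.
    Assumes each policy guard is a single atom so the negation stays a conjunction."""
    comp = Automaton(policy.initial)
    for state in set(policy.edges) | {policy.initial}:
        out: List[Edge] = []
        for action in sorted(actions):
            allowed = [(g, t) for a, g, t in policy.edges.get(state, []) if a == action]
            out.extend((action, g, t) for g, t in allowed)
            if any(len(g) == 0 for g, _ in allowed):
                continue                  # unconditionally allowed: no violation edge
            if any(len(g) > 1 for g, _ in allowed):
                raise ValueError("policy guards must be single atoms")
            violation = frozenset(~next(iter(g)) for g, _ in allowed)
            out.append((action, violation, ERROR))  # default deny, incl. unmentioned actions
        comp.edges[state] = out
    comp.edges[ERROR] = [(a, frozenset(), ERROR) for a in sorted(actions)]
    return comp


def match(contract: Automaton, policy: Automaton) -> Optional[List[Tuple[str, str]]]:
    """On-the-fly emptiness test of contract x complement(policy). Returns None
    when the contract matches the policy, otherwise a counterexample trace of
    (action, witness url) pairs, one fresh witness per transition."""
    comp = complement_policy(policy, contract.actions() | policy.actions())
    start = (contract.initial, comp.initial)
    stack: List[Tuple[Tuple[str, str], List[Tuple[str, str]]]] = [(start, [])]
    seen = {start}
    while stack:
        (cs, ps), trace = stack.pop()
        if ps == ERROR:
            return trace
        for action, g1, cd in contract.edges.get(cs, []):
            for action2, g2, pd in comp.edges.get(ps, []):
                if action != action2:
                    continue
                witness = satisfiable(g1 | g2)   # oracle call on the joint guard
                if witness is None:
                    continue
                nxt = (cd, pd)
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append((nxt, trace + [(action, witness)]))
    return None


HTTPS = Prefix("https://")
# Constructed sample policy: connect only over https, and no connect at all
# once the contacts have been read.
POLICY = Automaton("p0", {
    "p0": [("connect", frozenset({HTTPS}), "p0"), ("read_contacts", frozenset(), "p1")],
    "p1": [],
})


def demo_good() -> Optional[List[Tuple[str, str]]]:
    contract = Automaton("c0", {
        "c0": [("connect", frozenset({Prefix("https://example.org/")}), "c0")]})
    return match(contract, POLICY)


def demo_bad() -> Optional[List[Tuple[str, str]]]:
    contract = Automaton("c0", {
        "c0": [("read_contacts", frozenset(), "c1")],
        "c1": [("connect", frozenset({HTTPS}), "c1")],
    })
    return match(contract, POLICY)


if __name__ == "__main__":
    print("strict https contract:", demo_good())
    print("contacts-then-connect contract:", demo_bad())
```

As in the paper's design, the guard theory is consulted only through the oracle, so the product exploration never enumerates concrete URLs; each joint transition costs one satisfiability query on the conjunction of the contract guard and the complemented policy guard. The second demo shows why the complement is stateful: both of its actions are individually allowed by the policy, and the violation only appears in the ordering.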

Publication date: 2008