Specification Modeling and Validation Applied to Network Security Gateways

A network security gateway protects the computers of a home or small office from Internet-based attacks by remote adversaries. It allows all the protected machines to share a single connection to the Internet and may allow secure access, via a VPN tunnel, into a remote corporate network. It may provide other services as well. Because its main job is security, it is critical to have high confidence that it meets its requirements. This is only partially obtainable through testing, because while testing can check that expected behaviors occur, attackers may exploit unexpected behaviors. Therefore, I am exploring tools and techniques for applying more sophisticated tools to validating the implementations of these devices. The primary difficulties are a lack of detailed knowledge of the behavior of standard platform components (such as the Linux operating system) and, of course, incompleteness in known requirements of the overall system. In this presentation, I will demonstrate how I use executable specification modeling and lightweight formal methods tools to help discover, validate, and refine requirements models. This process iteratively constructs a formal, executable model of (an abstraction of) the implementation and validates behaviors and properties, while suggesting experiments to perform on the implementation to reduce ignorance. The tool suite used is the Interactive Specification Acquisition Tools (ISAT) reactive system design suite[2].