Specification and Refinement of Secure IT - Systems — Extended

Dependable IT-systems [11] of relevant size can only be built if all dependability attributes have a clear meaning. This meaning must be consistent both with the common understanding of the people building and using the ITsystem, and with the tools they use and the development process they adhere to. Therefore, a formal meaning of all dependability attributes is needed which is compatible with the usual refinement process of systems engineering. Consider the meaning of security attributes. Some relationships with established formal notions are clear whereas others are not understood so well. Confidentiality, integrity, and availability are seen as the generic properties of security [17, 5]. Some authors propose to add accountability as a fourth one [4], others propose to refine confidentiality, integrity and availability according to the kind of information they relate to [18]. Then, e.g. accountability can be interpreted as an integrity property concerning the circumstances of an action, anonymity can be interpreted as a confidentiality property concerning the circumstances of a communication, and so on. The relationship between the security attributes integrity and availability, and formal notions compatible with refinement is roughly clear. For terminating computations, integrity corresponds to partial correctness, and availability corresponds to assured termination combined with sufficient computational resources to fulfill real-time requirements. Integrity and availability together correspond to total correctness and sufficient computational resources. For reactive systems, integrity means that the defined processes satisfy certain required predicates, and availability corresponds to fairness and liveness combined with sufficient computational resources. To date, the relationship between confidentiality and formal notions of refinement is less well understood. One of the reasons is that a possibilistic framework is not enough to prove security in general and confidentiality in particular. Such a framework only makes it possible to find some security flaws. To positively prove security, a probabilistic framework is needed.