Journal of Tsinghua University(Science and Technology)    2017, Vol. 57 Issue (7) : 695-701     DOI: 10.16511/j.cnki.qhdxxb.2017.25.024
COMPUTER SCIENCE AND TECHNOLOGY
Semi-formal method for security policies and design specifications
DENG Hui, SHI Hongsong, ZHANG Baofeng, YANG Yongsheng, LIU Hui
China Information Technology Security Evaluation Center, Beijing 100085, China
Abstract: Inadequacies in IT products can result from misunderstandings of the security requirements. Semi-formal methods can describe the security requirements accurately and help implement them reasonably, avoiding security flaws. Thus, semi-formal description and verification methods are used in this study for security policies and design specifications, which are represented by collections of the security requirements and module designs of security functionality interfaces. The system uses a loosely coupled partitioning method for the subsystem and module. Semi-formal methods are given to describe the security policy and design specification derived from existing semi-formal tools. The approach is applied to an IC card chip product to show that its security policies are adequate and the security design provides reasonable security. This approach can be used to evaluate all kinds of IT products.
Keywords: security policy; design specification; semi-formal
ZTFLH:  TP309  
Issue Date: 15 July 2017
Cite this article:   
DENG Hui,SHI Hongsong,ZHANG Baofeng, et al. Semi-formal method for security policies and design specifications[J]. Journal of Tsinghua University(Science and Technology), 2017, 57(7): 695-701.
URL: http://jst.tsinghuajournals.com/EN/10.16511/j.cnki.qhdxxb.2017.25.024 OR http://jst.tsinghuajournals.com/EN/Y2017/V57/I7/695