Applying Formal Verification Techniques for Checking Compliance of Computer Systems and Protocols

Sep 30, 2015

Download: MP4 Video Size: 98.7MB  
Watch on YouTube

Abstract

While designing computer systems and their underlying protocols, architects impose functionality, security, and privacy requirements or policies with which the designed systems and protocols should comply with. These requirements and policies are generally written in natural language and more often than not they are not complied with in the implementations due to ambiguity, misinterpretation of the requirements, or developer errors. Non-compliance with the requirements can not only have security, privacy, and utility consequences but also can have safety implications. One possible solution is to express the requirements in some formal language. In addition to eliminating ambiguities and misinterpretations of the requirements, this also enables application of formal verification techniques to check for compliance of the implementation against the desired requirements or the policies. Formal verification techniques can be applied for checking compliance in potentially three different settings. In the first setting,compliance checking is performed statically before a system or a protocol is deployed. In the second setting, a runtime monitor can be deployed alongside the system or the protocol, and the monitor provably disallows the system or the protocol to take non-compliant actions. Finally, compliance can be be checked in a post-hoc fashion by capturing all the relevant runtime events in an audit log which can then be scrutinized for non-compliance. In this talk, I will present demonstrative examples of using formal verification techniques for compliance checking in each of these settings.