
Security Of Java for rigorous and reliable networks

Final Activity Report Summary - SOJOURN (Security of java for rigorous and reliable networks)

Our society increasingly relies on information technology to provide essential information and services, including in security- or privacy-sensitive domains such as banking or health care. Here security protocols play a central role in securing communication over digital networks, for example the SSL protocol for securing Internet connections. The correctness and security of software components implementing such protocols is crucial to the security of any services using these networks.

The highest degree of confidence in the security of such software components can be obtained by formal methods, which provide mathematical proofs to certify that software has the required properties. The SOJOURN project investigated this possibility, in particular through the use of the formal specification language JML and the associated verification tool ESC/Java2. As a concrete case study the project studied an existing open source implementation of SSH, a security protocol used for remote logins.

A concrete result of the project was that the particular implementation studied was found to be seriously flawed. Of more general interest was the systematic way in which this flaw was found. The methodology used was to formally specify a security protocol as a finite state machine, translate this specification to JML and use ESC/Java2 to prove (or disprove) that the implementation obeys this specification. The methodology highlights the value of finite state machines as a simple but effective specification formalism.
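As an added illustration of this methodology (not the project's code and not the implementation it analysed), the following Java class encodes a small protocol state machine as JML preconditions and postconditions. The class name, the four states and the message type numbers are constructed for the example and are a simplification, not the real SSH state machine.

```java
// Constructed example: a simplified handshake state machine with JML contracts.
public class HandshakeSession {
    public static final int INIT = 0;          // nothing exchanged yet
    public static final int VERSION_DONE = 1;  // version strings exchanged
    public static final int KEYS_DONE = 2;     // key exchange completed
    public static final int AUTHENTICATED = 3; // user authentication accepted

    // spec_public lets the public contracts below refer to the private field.
    private /*@ spec_public @*/ int state = INIT;

    //@ public invariant INIT <= state && state <= AUTHENTICATED;

    // Each transition of the state machine becomes one contract:
    // "requires" names the source state, "ensures" names the target state.

    //@ requires state == INIT;
    //@ assignable state;
    //@ ensures state == VERSION_DONE;
    public void onVersionExchange() { state = VERSION_DONE; }

    //@ requires state == VERSION_DONE;
    //@ assignable state;
    //@ ensures state == KEYS_DONE;
    public void onKeyExchange() { state = KEYS_DONE; }

    //@ requires state == KEYS_DONE;
    //@ assignable state;
    //@ ensures state == AUTHENTICATED;
    public void onAuthSuccess() { state = AUTHENTICATED; }

    // Application data is only legal once authentication has completed.
    //@ requires state == AUTHENTICATED;
    public void openChannel() { /* serve the session */ }

    // Message loop entry point. A static checker has to establish the callee's
    // precondition at every call site; the explicit state tests provide it.
    public void dispatch(int msgType) {
        if (msgType == 1 && state == INIT) onVersionExchange();
        else if (msgType == 2 && state == VERSION_DONE) onKeyExchange();
        else if (msgType == 3 && state == KEYS_DONE) onAuthSuccess();
        else if (msgType == 4 && state == AUTHENTICATED) openChannel();
        else throw new IllegalStateException("message not allowed in state " + state);
    }
}
```

If a branch of `dispatch` omitted its state test, for example by calling `openChannel()` on message type 4 in any state, the precondition `state == AUTHENTICATED` could no longer be established at that call site, which is the kind of out-of-order message handling this style of specification is meant to expose.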

Other results of the project are in the field of (Java) program specification and verification. Here the main achievements are the extension of the ESC/Java2 tool to deal with alias control properties (using so-called universes) and the investigation of a notion of immutable object that can be statically enforced and which is guaranteed to be safe even in the presence of hostile code.