Abstract

Implementing a security protocol correctly in software plays an important role in protecting the whole system from vulnerabilities. To protect the system against new threats, software must adapt to new security requirements, so security upgrades and patches are applied to it. Previous work focuses only on the logical correctness of the security protocol; we focus instead on the correct implementation of the security protocol in a program. A program evolves as programmers apply security patches to its source code, which makes verifying the implementation of an important security protocol difficult. In this paper, we propose model-driven security verification throughout software evolution. It consists of two major methods: 1) a reverse engineering method that translates a program into a Petri net model; 2) a model-driven verification method that confirms that the security protocol implementation is valid. Concretely, for a program X that implements a security protocol specification A, does its derivative Y also implement A? The answer is yes if Y inherits the behaviour of X. We apply behavioural inheritance analysis to verify security protocol implementations. We also illustrate the methods with an example of software evolution.
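As an added illustration of the inheritance question the abstract poses (my code, not the paper's tool or model), the block below models an original program X and two patched derivatives as small Petri nets and compares their observable traces after blocking or hiding the transitions a patch introduced. It approximates protocol and projection inheritance with trace equivalence rather than the branching bisimulation used in the inheritance literature, and every net, place name and label in it is constructed.

```python
# Added example (not the paper's tool): a minimal 1-safe Petri net and a trace-based
# approximation of behavioural inheritance. All nets, places and labels are constructed.

class PetriNet:
    def __init__(self, transitions, marking):
        self.t = transitions          # name -> (label, input places, output places)
        self.m0 = frozenset(marking)  # initial marking

    def enabled(self, m):
        return [n for n, (_, ins, _) in self.t.items() if set(ins) <= m]

    def fire(self, m, n):
        return frozenset((m - set(self.t[n][1])) | set(self.t[n][2]))

    def traces(self, hide=frozenset(), block=frozenset(), max_len=8):
        """Label sequences from m0; `hide` fires silently, `block` never fires."""
        out, seen, stack = set(), set(), [(self.m0, ())]
        while stack:
            m, tr = stack.pop()
            if (m, tr) not in seen and len(tr) <= max_len:
                seen.add((m, tr))
                out.add(tr)
                for n in self.enabled(m):
                    if n not in block:
                        step = tr if n in hide else tr + (self.t[n][0],)
                        stack.append((self.fire(m, n), step))
        return out

def inherits(x, y, new):
    """Does Y behave like X once the transitions Y added are blocked
    (protocol inheritance) or hidden (projection inheritance)?"""
    base = x.traces()
    return {"protocol": y.traces(block=new) == base,
            "projection": y.traces(hide=new) == base}

# X: original program: receive a nonce, sign it, send the signed response.
X = PetriNet({"recv": ("recv_nonce", ("p0",), ("p1",)),
              "sign": ("sign", ("p1",), ("p2",)),
              "send": ("send_resp", ("p2",), ("p3",))}, {"p0"})
# Y1: a patch inserts a freshness check between receiving and signing.
Y1 = PetriNet({"recv": ("recv_nonce", ("p0",), ("p1",)),
               "chk": ("check_expiry", ("p1",), ("p1b",)),
               "sign": ("sign", ("p1b",), ("p2",)),
               "send": ("send_resp", ("p2",), ("p3",))}, {"p0"})
# Y2: a faulty patch rewires send_resp to fire before signing (no new transition).
Y2 = PetriNet(dict(X.t, send=("send_resp", ("p1",), ("p3",))), {"p0"})

if __name__ == "__main__":
    print(inherits(X, Y1, {"chk"}))  # {'protocol': False, 'projection': True}
    print(inherits(X, Y2, set()))    # {'protocol': False, 'projection': False}
```

Y1 keeps the specification only under the projection view (the added check is invisible to the protocol), whereas Y2 neither adds nor hides anything yet still fails because a response can now be sent unsigned.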
