Insider threats and auctions: Formalization, mechanized proof, and code generation

Research output: Contribution to journalJournal article – Annual report year: 2019Researchpeer-review

Documents

DOI

View graph of relations

This paper applies machine assisted formal methods to explore insider threats for auctions. Auction systems, like eBay, are an important problem domain for formal analysis because they challenge modelling concepts as well as analysis methods. We use machine assisted formal modelling and proof in Isabelle to demonstrate how security and privacy goals of auction protocols can be formally verified. Applying the costly scrutiny of formal methods is justified for auctions since privacy and trust are prominent issues and auctions are sometimes designed for one-off occasions where high bids are at stake. For example, when radio wave frequencies are on sale, auctions are especially created for just one occasion where fair and consistent behaviour is required. Investigating the threats in auctions and insider collusions, we model and analyze auction protocols for insider threats using the interactive theorem prover Isabelle. We use the existing example of a fictitious cocaine auction protocol from the literature to develop and illustrate our approach. Combining the Isabelle Insider framework with the inductive approach to verifying security protocols in Isabelle, we formalize the cocaine auction protocol, prove that this formal definition excludes sweetheart deals, and also that collusion attacks cannot generally be excluded. The practical implication of the formalization is demonstrated by code generation. Isabelle allows generating code from constructive specifications into the programming language Scala. We provide constructive test functions for cocaine auction traces, prove within Isabelle that these functions conform to the protocol definition, and apply code generation to produce an implementation of the executable test predicate for cocaine auction traces in Scala.

Original languageEnglish
JournalJournal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications
Volume8
Issue number1
Pages (from-to)44-78
ISSN2093-5374
DOIs
Publication statusPublished - 1 Jun 2018
CitationsWeb of Science® Times Cited: No match on DOI

    Research areas

  • Auctions, Code generation, Formal methods, Insider threats

ID: 188456453