Florian Kammüller

Florian Kammüller

In this paper, we propose the use of interactive theorem proving for explainable machine learning. After presenting our proposition, we illustrate it on the dedicated application of explaining security attacks using the Isabelle Infrastructure framework and its process of dependability engineering. This formal framework and process provides the logics for specification and modeling. Attacks on security of the system are explained by specification and proofs in the Isabelle Infrastructure framework. Existing case studies of dependability engineering in Isabelle are used as feasibility studies to illustrate how different aspects of explanations are covered by the Isabelle Infrastructure framework.

Florian Kammüller

In this paper, we introduce a process of formal system development supported by interactive theorem proving in a dedicated Isabelle framework. This Isabelle Infrastructure framework implements specification and verification in a cyclic process supported by attack tree analysis closely inter-connected with formal refinement of the specification. The process is cyclic: in a repeated iteration the refinement adds more detail to the system specification. It is a known hard problem how to find the next refinement step: this problem is addressed by the attack based analysis using Kripke structures and CTL logic. We call this cyclic process the Refinement-Risk cycle (RR-cycle). It has been developed for security and privacy of IoT healthcare systems initially but is more generally applicable for safety as well, that is, dependability in general. In this paper, we present the extensions to the Isabelle Infrastructure framework implementing a formal notion of property preserving refinement interleaved with attack tree analysis for the RR-cycle. The process is illustrated on the specification development and privacy analysis of the mobile Corona-virus warning app.

Florian Kammüller, Chelsea Mira Alvarado

Unawareness of privacy risks together with approval seeking motivations make humans enter too much detail into the likes of Facebook, Twitter, and Instagram. To test whether the rationality principle applies, we construct a tool that shows to a user what is known publicly on social networking sites about her. In our experiment, we check whether this revelation changes human behaviour. To extrapolate and generalize, we use the insights gained by practical experimentation. Unaware users can become targeted by attackers. They then become unintentional insiders. We demonstrate this by extending the Isabelle Insider framework to accommodate a formal model of unintentional insiders, an open problem with long standing.

Florian Kammüller, Manfred Kerber

Avionics is one of the fields in which verification methods have been pioneered and brought a new level of reliability to systems used in safety critical environments. Tragedies, like the 2015 insider attack on a German airplane, in which all 150 people on board died, show that safety and security crucially depend not only on the well functioning of systems but also on the way how humans interact with the systems. Policies are a way to describe how humans should behave in their interactions with technical systems, formal reasoning about such policies requires integrating the human factor into the verification process. In this paper, we report on our work on using logical modelling and analysis of infrastructure models and policies with actors to scrutinize security policies in the presence of insiders. We model insider attacks on airplanes in the Isabelle Insider framework. This application motivates the use of an extension of the framework with Kripke structures and the temporal logic CTL to enable reasoning on dynamic system states. Furthermore, we illustrate that Isabelle modelling and invariant reasoning reveal subtle security assumptions. We summarize by providing a methodology for the development of policies that satisfy stated properties.

Florian Kammüller

In this paper, we show a security engineering process based on a formal notion of refinement fully formalized in the proof assistant Isabelle. This Refinement-Risk Cycle focuses on attack analysis and security refinement supported by interactive theorem proving. Since we use a fully formalized model of infrastructures with actors and policies we can support a novel way of formal security refinement for system specifications. This formal process is built practically as an extension to the Isabelle Infrastructure framework with attack trees. We define a formal notion of refinement on infrastructure models. Thanks to the formal foundation of Kripke structures and branching time temporal logic in the Isabelle Infrastructure framework, these stepwise transformations can be interleaved with attack tree analysis thus providing a fully formal security engineering framework. The process is illustrated on an IoT healthcare case study introducing GDPR requirements and blockchain.

Florian Kammüller

In this paper, we present a first step towards a formalisation of the Quantum Key Distribution algorithm in Isabelle. We focus on the formalisation of the main probabilistic argument why Bob cannot be certain about the key bit sent by Alice before he does not have the chance to compare the chosen polarization scheme. This means that any adversary Eve is in the same position as Bob and cannot be certain about the transmitted keybits. We introduce the necessary basic probability theory, present a graphical depiction of the protocol steps and their probabilities, and finally how this is translated into a formal proof of the security argument.

Florian Kammüller, Oladapo O. Ogunyanwo, Christian W. Probst

In this paper, we investigate the implications of the General Data Privacy Regulation (GDPR) on the design of an IoT healthcare system. On 25th May 2018, the GDPR has become mandatory within the European Union and hence also for all suppliers of IT products. Infringements on the regulation are now fined with penalties of up 20 Million EUR or 4\% of the annual turnover of a company whichever is higher. This is a clear motivation for system designers to guarantee compliance to the GDPR. We propose a data labeling model to support access control for privacy-critical patient data together with the Fusion/UML process to design GDPR compliant system. We illustrate this design process on the case study of IoT based monitoring of Alzheimer's patients that we work on in the CHIST-ERA project SUCCESS.

Florian Kammüller

In this paper, we present a proof theory for attack trees. Attack trees are a well established and useful model for the construction of attacks on systems since they allow a stepwise exploration of high level attacks in application scenarios. Using the expressiveness of Higher Order Logic in Isabelle, we succeed in developing a generic theory of attack trees with a state-based semantics based on Kripke structures and CTL. The resulting framework allows mechanically supported logic analysis of the meta-theory of the proof calculus of attack trees and at the same time the developed proof theory enables application to case studies. A central correctness and completeness result proved in Isabelle establishes a connection between the notion of attack tree validity and CTL. The application is illustrated on the example of a healthcare IoT system and GDPR compliance verification.

Jaap Boender, Florian Kammüller, Rajagopal Nagarajan

Quantum Information Processing, which is an exciting area of research at the intersection of physics and computer science, has great potential for influencing the future development of information processing systems. The building of practical, general purpose Quantum Computers may be some years into the future. However, Quantum Communication and Quantum Cryptography are well developed. Commercial Quantum Key Distribution systems are easily available and several QKD networks have been built in various parts of the world. The security of the protocols used in these implementations rely on information-theoretic proofs, which may or may not reflect actual system behaviour. Moreover, testing of implementations cannot guarantee the absence of bugs and errors. This paper presents a novel framework for modelling and verifying quantum protocols and their implementations using the proof assistant Coq. We provide a Coq library for quantum bits (qubits), quantum gates, and quantum measurement. As a step towards verifying practical quantum communication and security protocols such as Quantum Key Distribution, we support multiple qubits, communication and entanglement. We illustrate these concepts by modelling the Quantum Teleportation Protocol, which communicates the state of an unknown quantum bit using only a classical channel.