A CVS-Server Security Architecture — Concepts and Formal Analysis

By Achim D. Brucker, Frank Rittinger, and Burkhart Wolff.

We present a secure architecture of a CVS-server, its implementation (i.e. mainly its configuration) and its formal analysis. Our CVS-server is uses cvsauth, that provides protection of passwords and protection of some internal data of the CVS repository. In contrast to other (security oriented) CVS-architectures, our approach allows the CVS-server run on an open filesystem, i.e. a filesystem where users can have direct access both by CVS-commands and by standard UNIX/POSIX commands such as mv. For our secure architecture of the CVS-server, we provide a formal specification and security analysis. The latter is based on a refinement mapping high-level security requirements on the architecture on low-level security mechanisms on the UNIX/POSIX filesystem level. The purpose of the formal analysis of the secure CVS-server architecture is twofold: First, it is the bases for the specification of mutual security properties such as non-repudiation, authentication and access control for this architecture. Second, the mapping of the architecture on standard security implementation technology is described. Thus, our approach can be seen as a method to give a formal underpinning for the usually tricky business of system administrators.

Keywords:
Security Architecture, Concurrent Versions System (CVS), Z, Formal Methods, Refinement, Access Control

Please cite this work as follows:
A. D. Brucker, F. Rittinger, and B. Wolff, “A CVS-Server security architecture — concepts and formal analysis,” Albert-Ludwigs-Universität Freiburg, 182, 2002. Author copy: http://logicalhacking.com/publications/brucker.ea-cvs-server-2002-b/

BibTeX
@TechReport{ brucker.ea:cvs-server:2002-b,
  author      = {Achim D. Brucker and Frank Rittinger and Burkhart Wolff},
  institution = {Albert-Ludwigs-Universit{\"a}t Freiburg},
  language    = {USenglish},
  number      = {182},
  areas       = {security, formal methods, software},
  title       = {A {CVS-Server} Security Architecture --- Concepts and Formal
                 Analysis},
  abstract    = {We present a secure architecture of a CVS-server, its
                 implementation (i.e. mainly its configuration) and its formal
                 analysis. Our CVS-server is uses cvsauth, that provides
                 protection of passwords and protection of some internal data
                 of the CVS repository. In contrast to other (security
                 oriented) CVS-architectures, our approach allows the
                 CVS-server run on an open filesystem, i.e. a filesystem where
                 users can have direct access both by CVS-commands and by
                 standard UNIX/POSIX commands such as \texttt{mv}. For our
                 secure architecture of the CVS-server, we provide a formal
                 specification and security analysis. The latter is based on a
                 refinement mapping high-level security requirements on the
                 architecture on low-level security mechanisms on the
                 UNIX/POSIX filesystem level. The purpose of the formal
                 analysis of the secure CVS-server architecture is twofold:
                 First, it is the bases for the specification of mutual
                 security properties such as non-repudiation, authentication
                 and access control for this architecture. Second, the mapping
                 of the architecture on standard security implementation
                 technology is described. Thus, our approach can be seen as a
                 method to give a formal underpinning for the usually tricky
                 business of system administrators.},
  keywords    = {Security Architecture, Concurrent Versions System (CVS), Z,
                 Formal Methods, Refinement, Access Control},
  year        = {2002},
  num_pages   = {100},
  note        = {Author copy: \url{http://logicalhacking.com/publications/brucker.ea-cvs-server-2002-b/}},
}