Formal Techniques for an ITSEC-E4 Secure Gateway

Pierre Bieber
CERT-ONERA
2, avenue E. Belin
31055 Toulouse France
Pierre.Bieber@cert.fr

Abstract

In this paper we describe the method used to develop a gateway capable of meeting the ITSEC E4 requirements. The security policy was formally modelled and proven consistent with the functional specifications by means of an interactive theorem prover. The formalisms were used to assist in the design of the security architecture.

Keywords: ITSEC, formal methods, security policy

1. Introduction

In this paper we describe the use of formal techniques during the development of a secure gateway called FOX. The aim of our work was to enable a security evaluation of the gateway at ITSEC [8] assurance-correctness level E4. At that level, the ITSEC requirements related to the use of formal methods are:

"...A formal model of security policy shall be provided or referenced to define the underlying security policy to be enforced by the TOE [Target Of Evaluation]. An informal interpretation of this model in terms of the security target shall be provided..."

"...The informal interpretation of the formal security policy model shall describe how the security target satisfies the underlying security policy..."

In the first part of the paper, we describe the security policy of FOX. In the second, we present the formal security policy model. The consistency of the model is checked using tools associated with the B-method [1]. The third part describes the formal technique used during the FOX development that provides assistance when performing the interpretation of the security policy model. Finally, we explain the impact of the formal methods work on the design of the FOX gateway.

2. Security Policy of the FOX Gateway

FOX [2] is a TCP/IP gateway (see [7], [6]) that interconnects two local area networks (called high LAN and low LAN).

Figure 1. The FOX Secure Gateway (FOX placed between the high LAN and the low LAN).
The aim of FOX is to protect the confidentiality and integrity of the data used by the hosts of the high LAN. Hence, FOX controls both incoming and outgoing messages. FOX contains a set of filters that can analyze and transform every message transmitted from one LAN to the other. Each filter is designed to take into account some kind of security threat. For example, a filter limiting access by foreign hosts to applications on the high LAN could be accomplished by checking the requested port number in the incoming messages. To counter masquerade attacks, a filter can be created that ensures that all incoming messages are signed with a previously established session key. Other filters can be designed that erase parts of the header of outgoing messages when the protocol software of the high hosts is not trusted: malicious software might utilize normally empty header slots in order to transmit confidential data in a covert manner. FOX allows a security officer to select and dynamically change a combination of filters.

As illustrated in figure 2, every incoming message is first handled by the communication function "comm low" that implements the TCP, IP and Ethernet protocols. This function extracts from the received message the various headers and the data and transmits them to the filters that were selected by the security officer (e.g., filters 1 and 2). Once the message is filtered, it may be sent onto the high LAN by the communication function "comm high". Outgoing
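The filter chain described above, as an added illustration that is not FOX's own code: the three example filters (port check, session-key signature check, header-slot erasure) are chained the way "comm low" and "comm high" hand messages to the selected filters. The message fields, the session key, the allowed ports and the use of HMAC-SHA256 as the signature are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace
from typing import Callable, List, Optional

@dataclass(frozen=True)
class Message:
    src_host: str     # sending host
    dst_port: int     # requested application port on the high LAN
    options: bytes    # header slot that is normally empty (covert-channel risk)
    payload: bytes
    mac: bytes = b""  # signature computed with the session key

# Constructed sample values (assumptions, not FOX's real configuration).
SESSION_KEY = b"constructed-session-key"
ALLOWED_PORTS = {25, 80}

Filter = Callable[[Message], Optional[Message]]  # None means "drop the message"

def sign(msg: Message, key: bytes = SESSION_KEY) -> Message:
    """Attach a MAC over the fields the session-key filter will check."""
    data = msg.src_host.encode() + msg.dst_port.to_bytes(2, "big") + msg.payload
    return replace(msg, mac=hmac.new(key, data, hashlib.sha256).digest())

def port_filter(msg: Message) -> Optional[Message]:
    """Limit foreign hosts to the high-LAN applications the security officer allows."""
    return msg if msg.dst_port in ALLOWED_PORTS else None

def session_mac_filter(msg: Message) -> Optional[Message]:
    """Counter masquerade: drop incoming messages not signed with the session key."""
    expected = sign(replace(msg, mac=b"")).mac
    return msg if hmac.compare_digest(expected, msg.mac) else None

def header_scrub_filter(msg: Message) -> Optional[Message]:
    """Erase the normally empty header slot so untrusted high-LAN software cannot leak data in it."""
    return replace(msg, options=b"")

def run_filters(msg: Message, chain: List[Filter]) -> Optional[Message]:
    """comm_low / comm_high hand the message to each selected filter in turn."""
    for f in chain:
        msg = f(msg)
        if msg is None:
            return None
    return msg

INCOMING = [port_filter, session_mac_filter]  # low LAN -> high LAN
OUTGOING = [header_scrub_filter]              # high LAN -> low LAN
```

The security officer's selection is just the list passed to run_filters, so changing the active combination of filters means changing that list.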