Technical Report No. 182 - Abstract

Achim D. Brucker, Frank Rittinger, Burkhart Wolff
A CVS-Server Security Architecture - Concepts and Formal Analysis

We present a secure architecture of a CVS-server, its implementation (i.e.\ mainly its configuration) and its formal analysis. Our CVS-server uses cvsauth, that provides protection of passwords and protection of some internal data of the CVS repository. In contrast to other (security oriented) CVS-architectures, our approach makes it possible to CVS-server on an open filesystem, i.e.\ a filesystem where users can have direct access both by CVS-commands and by standard UNIX/POSIX commands such as mv. A key feature of our implementation is that it enforces a particular access control model, namely role-based access control (RBAC). For our secure architecture of the CVS-server, we provide a formal specification and security analysis. This is based on a refinement, mapping a system architecture on an implementation architecture abstractly describing CVS in our implementation. The system architecture describes the abstract system operations including the desired access control model RBAC and serves as backbone to describe overall security requirements formally. The implementation architecture --- to be seen as an abstract program --- describes the security mechanisms on the UNIX/POSIX filesystem level, namely discretionary access control (DAC). The purpose of the formal analysis of the secure CVS-server architecture is twofold: First, we describe our implementation, in particular the access control for our open architecture. Second, we provide a method to analyze formally security implementations (beyond the code level) for realistic applications in terms of off-the-shelf security technologies.