# Security Policy

## Introduction

This example demonstrates how to specify a system specification.

## Natural Language Description

We consider a smart card that we want to certify at EAL5+ level. It is necessary to model the security policy and to verify by proof that it is consistent.

We define:&#x20;

* the objects implemented in the security policy and&#x20;
* the expected security properties,

in terms of access rights to the various memories according to the type of process executing a given operation.

![](/files/ePtLGS17b0hNQWDhOp7W)

### Global model&#x20;

* Representing the operation of the CPU, MPU memory system&#x20;
* Focused on memory access management

### Objects

process mode       USER or SUPERVISOR                              tMODE&#x20;

memory type         RAM, PUBLIC ROM or SECURE ROM      tMEMORY&#x20;

memory content    DATA or CODE                                          tCONTENT &#x20;

operation                READ, WRITE or EXECUTE                      tOPERATION&#x20;

access                    GRANTED or NOT GRANTED                  tRESULT

### Implementation of the security policy

Each time an attempt is made to perform an operation to a memory slot for a process mode, then the access is:&#x20;

* either allowed (GRANTED) or&#x20;
* not yet allowed (NOT GRANTED)

## Modelling principles

The memory is abstract (we do not manipulate addresses but memory cells): abstract set MEMORY.&#x20;

Indication functions allow to associate to each memory cell&#x20;

* Its type (memory map): MEMORY\_TYPE : MEMORY --> tMEMORY&#x20;
* Its content: MEMORY\_CONTENT : MEMORY --> tCONTENT

Four variables are defined:&#x20;

* currentCell                      currentCell : MEMORY&#x20;
* currentOperation            currentOperation : tOPERATION&#x20;
* currentMode                   currentMode : tMODE&#x20;
* currentResult                  currentResult : tRESULT

Properties are permanently checked by these four variables.

Below is the skeleton of the B machine politique.mch:

```
MACHINE politique
SETS
  	MEMORY;
	tMEMORY={RAM, ROM_SECURE, ROM_PUBLIC};
	tCONTENT={DATA, CODE};
	tMODE={USER, SUPERVISOR};
	tOPERATION={OP_READ, OP_WRITE, OP_EXECUTE, OP_NONE};
	tRESULT={GRANTED, NOT_GRANTED}
CONSTANTS
	MEMORY_TYPE, MEMORY_CONTENT
PROPERTIES
	MEMORY_TYPE : MEMORY --> tMEMORY & 
	MEMORY_CONTENT :  MEMORY --> tCONTENT
VARIABLES
	currentCell, currentOperation, currentMode, currentResult
INVARIANT
	currentCell : MEMORY &
	currentOperation : tOPERATION &
	currentMode : tMODE &
	currentResult : tRESULT 
INITIALISATION
	currentCell :: MEMORY ||
	currentOperation :: tOPERATION ||
	currentMode :: tMODE ||
	currentResult :: tRESULT 
OPERATIONS
Init =
ANY cell, operation WHERE
	cell : MEMORY &
	operation : tOPERATION
THEN
	currentCell := cell ||
	currentOperation := operation ||
	currentResult := NOT_GRANTED
END;

ChangeMode =
ANY mode WHERE
	mode : tMODE & not(mode=currentMode) &
	currentOperation = OP_EXECUTE &
	currentResult = GRANTED
THEN
	currentMode := mode
END
END	
```

This specification needs to be completed with more operations and invariants. One operation and one invariant are given below.&#x20;

#### operation EXECUTE access in RAM:&#x20;

If the current memory location is RAM, the memory cell contains CODE, and the current operation is EXECUTE, then access is granted.

```
	executeRAM =
	SELECT 
		MEMORY_TYPE(currentCell) = RAM &
		MEMORY_CONTENT(currentCell) = CODE &
		currentOperation = OP_EXECUTE 
	THEN
		currentResult := GRANTED
	END
```

#### invariant ROM\_SECURE out of reach from USER

A memory cell of type ROM\_SECURE can only be read in SUPERVISOR mode.

```
	MEMORY_TYPE(currentCell)=ROM_SECURE &
	currentOperation = OP_READ &
	currentMode = USER
=>
	currentResult = NOT_GRANTED
```

:


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://b-method.gitbook.io/training-resources-for-atelier-b/examples-and-case-studies/security-policy.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.