Professional Documents
Culture Documents
Engineering Secure Software and Systems 7Th International Symposium Essos 2015 Milan Italy March 4 6 2015 Proceedings 1St Edition Frank Piessens
Engineering Secure Software and Systems 7Th International Symposium Essos 2015 Milan Italy March 4 6 2015 Proceedings 1St Edition Frank Piessens
https://textbookfull.com/product/engineering-secure-software-and-
systems-8th-international-symposium-essos-2016-london-uk-
april-6-8-2016-proceedings-1st-edition-juan-caballero/
https://textbookfull.com/product/engineering-secure-software-and-
systems-6th-international-symposium-essos-2014-munich-germany-
february-26-28-2014-proceedings-1st-edition-jan-jurjens/
https://textbookfull.com/product/exploring-services-science-6th-
international-conference-iess-2015-porto-portugal-
february-4-6-2015-proceedings-1st-edition-henriqueta-novoa/
https://textbookfull.com/product/language-and-automata-theory-
and-applications-9th-international-conference-lata-2015-nice-
france-march-2-6-2015-proceedings-1st-edition-adrian-horia-dediu/
https://textbookfull.com/product/web-and-wireless-geographical-
information-systems-14th-international-
symposium-w2gis-2015-grenoble-france-
may-21-22-2015-proceedings-1st-edition-jerome-gensel/
https://textbookfull.com/product/dependable-software-engineering-
theories-tools-and-applications-4th-international-symposium-
setta-2018-beijing-china-september-4-6-2018-proceedings-xinyu-
Frank Piessens
Juan Caballero
Nataliia Bielova (Eds.)
Engineering
LNCS 8978
Secure Software
and Systems
7th International Symposium, ESSoS 2015
Milan, Italy, March 4–6, 2015
Proceedings
123
Lecture Notes in Computer Science 8978
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Switzerland
John C. Mitchell
Stanford University, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbruecken, Germany
Frank Piessens Juan Caballero
Nataliia Bielova (Eds.)
Engineering
Secure Software
and Systems
7th International Symposium, ESSoS 2015
Milan, Italy, March 4-6, 2015
Proceedings
13
Volume Editors
Frank Piessens
KU Leuven, Department of Computer Science
Celestijnenlaan 200A
3001 Heverlee, Belgium
E-mail: frank.piessens@cs.kuleuven.be
Juan Caballero
IMDEA Software Institute
Campus de Montegancedo S/N
28223 Pozuelo de Alarcón, Spain
E-mail: juan.caballero@imdea.org
Nataliia Bielova
Inria Sophia Antipolis – Mediterranee
2004 route des Lucioles, B.P. 93
06902 Sophia Antipolis Cedex, France
E-mail: nataliia.bielova@inria.fr
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of
the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology
now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection
with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and
executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication
or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location,
in ist current version, and permission for use must always be obtained from Springer. Permissions for use
may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution
under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication,
neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or
omissions that may be made. The publisher makes no warranty, express or implied, with respect to the
material contained herein.
Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface
General Chair
Stefano Zanero Politecnico di Milano, Italy
Program Co-chairs
Frank Piessens Katholieke Universiteit Leuven, Belgium
Juan Caballero IMDEA Software Institute, Spain
Publication Chair
Nataliia Bielova Inria, France
Publicity Chair
Raoul Strackx Katholieke Universiteit Leuven, Belgium
Web Chair
Ghita Saevels Katholieke Universiteit Leuven, Belgium
Steering Committee
Jorge Cuellar Siemens AG, Germany
Wouter Joosen Katholieke Universiteit Leuven, Belgium
Fabio Massacci Universitá di Trento, Italy
Gary McGraw Cigital, USA
Bashar Nuseibeh The Open University, UK
Daniel Wallach Rice University, USA
Program Committee
Aslan Askarov Harvard University, USA
Leyla Bilge Symantec Research Labs, France
Stefano Calzavara Università Ca’ Foscari Venezia, Italy
Lorenzo Cavallaro Royal Holloway, University of London, UK
VIII Organization
Additional Reviewers
Gunes Acar William Harris Davide Papini
Daniel Arp Daniel Hedin Juan D. Parra Rodriguez
Musard Balliu Prachi Kumari Silvio Ranise
Bastian Braun Sebastian Lekies Manuel Rudolph
Jan Cederquist Tobias Marktscheffel Christian Wachsmann
Drew Davidson Dimiter Milushev Bogdan Warinschi
Lorenzo De Carli Martı́n Ochoa Fabian Yamaguchi
Matt Fredrikson Damien Octeau Hong-Sheng Zhou
Alexander Fromm Alessandro Oltramari
Organization IX
Sponsoring Institutions
Formal Methods
Formal Verification of Liferay RBAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Stefano Calzavara, Alvise Rabitti, and Michele Bugliesi
Machine Learning
Are Your Training Datasets Yet Relevant? An Investigation into
the Importance of Timeline in Machine Learning-Based Malware
Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein,
and Yves Le Traon
Access Control
Producing Hook Placements to Enforce Expected Access Control
Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Divya Muthukumaran, Nirupama Talele, Trent Jaeger, and Gang Tan
1 Introduction
Liferay1 is the leading opensource portal for the enterprise, adopted by impor-
tant companies like Allianz, Cisco, Lufthansa and Vodafone, just to name a
few [17]. Liferay allows portal administrators to conveniently manage both users
and contents in a unified web framework. Users are typically structured into
a hierarchy of organizations, where members of a child organization are also
members of the parent organization. Contents, instead, are collected into sites,
built as assemblies of different pages, portlets and social collaboration tools, like
blogs and wikis. Both organizations and sites belong to a top-level company, and
a single portal may host different companies at the same time.
For enterprises, the Liferay portal is at the core of the business process, since
security-critical portlets may allow, for instance, to access sensitive information
and/or to reorganize workflows. To ensure that private contents are only accessed
by the intended recipients and that business processes are only handled by autho-
rized users, Liferay implements a role-based access control (RBAC) mechanism.
F. Piessens et al. (Eds.): ESSoS 2015, LNCS 8978, pp. 1–16, 2015.
c Springer International Publishing Switzerland 2015
2 S. Calzavara, A. Rabitti, and M. Bugliesi
of users: since user privileges only depend on the assigned roles, this approach
simplifies the access control management task [7]. When role administration is
itself role-based, like in the case of Liferay, the RBAC model is typically called
administrative and abbreviated as ARBAC [20]. For the sake of simplicity and
for consistency with the Liferay documentation, in this paper we uniform the
two models and we just use the acronym RBAC everywhere.
Though extremely popular and widely deployed, real-world RBAC systems
are notoriously difficult to get right, since the set of roles dynamically assignable
to each user is easily under-estimated and occasional changes to the access con-
trol policy may introduce overlooked security flaws. The research community
has then proposed formal methods as an effective tool to strengthen complex
RBAC systems and ensure that they meet their intended goals [3,9,8,2,19].
Notable examples of useful security goals include role (un)reachability, ensur-
ing that a given role granting powerful privileges is never assigned to untrusted
users, or mutual exclusion properties, preventing the assignment of dangerous
combinations of permissions to the same user.
Despite its critical importance and these well-known problems, the access con-
trol system implemented in Liferay is poorly documented and lacks automated
tools to assist portal administrators in configuring it correctly. To make matters
worse, although strongly based on the RBAC model and named around it, the
access control mechanism implemented in Liferay does not constitute, strictly
speaking, an RBAC system. First, users of the portal may be allowed to imper-
sonate other users and inherit all the privileges granted to them: this implies
that, contrary to the RBAC model, the identity of the users is not immaterial
and the verification problem becomes more challenging. Moreover, besides reg-
ular roles, Liferay also features site roles, organization roles and owner roles,
used to constrain access rights exclusively to site members, organization mem-
bers and resource owners respectively. These special roles have an unconventional
semantics, reminiscent of a specific kind of parametrized roles [10,15,22]. Their
introduction breaks a desirable property of the standard RBAC model: user
privileges do not depend only on the assigned roles, but also on the state of the
Liferay portal, which further complicates verification.
1.2 Contributions
adoption of the abstract semantics does not introduce any loss of precision
in the security analysis;
3. we implement a tool, called LifeRBAC, which leverages the abstract se-
mantics and the modal logic to verify the security of real Liferay portals. We
show that the tool is effective at proving the absence of security flaws, while
efficient enough to be of practical use on a realistic case study.
Structure of the paper. Section 2 defines the formal semantics of Liferay RBAC.
Section 3 introduces the abstract semantics and studies the verification
problem. Section 4 presents the tool and the experiments. Section 5 discussed
related work. Section 6 concludes. The proofs of the formal results are given in
the long version of the paper [4].
Liferay users are organised into a hierarchy of groups, including companies, or-
ganizations and sites. Similarly, different items in the portal are assigned to
these groups on an ownership basis: for instance, a given portal page may be-
long to the site s, which in turn is under the control of the company c. Liferay
provides various tools to grant or deny access to a given resource based on the
group hierarchy: scoping allows to extend access rights on a group to each item
belonging to that group, while parametrized roles like organization roles and
site roles provide facilities for granting access privileges which are restricted to
organization-specific/site-specific resources and organization/site members. For
example, the assignment of an organization role Reader[o] may allow members
of the organization o to get read access to all the items belonging to o. Finally,
owner roles can be used to define access rights for individual resource owners.
2.1 Syntax
2.2 Semantics
As per previous studies [3,9], we find it convenient to decouple a system S into a
static policy P and a dynamic configuration σ. A policy is a pair P = (PR, GR),
while a configuration is a 5-tuple σ = (U, I, UR, UG, UU ). The reduction se-
β
mantics of Liferay RBAC has then the form P σ − → σ for some label β.
To specify the semantics, we start by defining to which groups is assigned a
given object o under a user-to-group mapping UG. Formally, we inductively de-
fine the set groups UG (o) through the self-explanatory inference rules in Table 1.
(P-RegG) (P-GroupI)
(P-RegI) (u, r) ∈ UR (u, g) ∈ UG
(u, r) ∈ UR (r, p, g, ↓) ∈ PR (g, r) ∈ GR
(r, p, o, −) ∈ PR g ∈ groups U G (o) (r, p, o, −) ∈ PR
S granted (u, p, o) S granted (u, p, o) S granted (u, p, o)
(P-GroupG) (P-Template)
(u, g) ∈ UG (g, r) ∈ GR (u, r[g]) ∈ UR (r[·], p) ∈ PR
(r, p, g , ↓) ∈ PR g ∈ groups U G (o) g ∈ groups U G (u) ∩ groups U G (o)
S granted (u, p, o) S granted (u, p, o)
(P-Owner)
(u, Ownerj [i]) ∈ UR (P-Impersonate)
(Ownerj [·], p) ∈ PR (u, u ) ∈ UU S[UU → ∅] granted (u , p, o)
S granted (u, p, i) S granted (u, p, o)
Convention: for any u and i occurring in the judgement we require u ∈ U and i ∈ I
(Assign-Role)
S granted (u1 , AssignRole, r) r = Ownerj [i]
assign role(u1 ,u2 ,r)
P (U, I, UR, UG, UU ) −−−−−−−−−−−−−→ (U, I, UR ∪ {(u2 , r)}, UG, UU )
(Remove-Role)
S granted (u1 , RemoveRole, r) r = Ownerj [i]
remove role(u1 ,u2 ,r)
P (U, I, UR, UG, UU ) −−−−−−−−−−−−−−→ (U, I, UR \ {(u2 , r)}, UG, UU )
(Assign-Group)
S granted (u1 , AssignGroup, g)
assign group(u1 ,u2 ,g)
P (U, I, UR, UG, UU ) −−−−−−−−−−−−−−→ (U, I, UR, UG ∪ {(u2 , g)}, UU )
(Remove-Group)
S granted (u1 , RemoveGroup, g)
remove group(u1 ,u2 ,g)
P (U, I, UR, UG, UU ) −−−−−−−−−−−−−−−→ (U, I, UR, UG \ {(u2 , g)}, UU )
(Impersonate)
u1 ∈
/ dom(UU ) S granted (u1 , Impersonate, u2 )
impersonate(u1 ,u2 )
P (U, I, UR, UG, UU ) −−−−−−−−−−−−−→ (U, I, UR, UG, UU ∪ {(u1 , u2 )})
(Deimpersonate)
deimpersonate(u1 ,u2 )
P (U, I, UR, UG, UU ) −−−−−−−−−−−−−−→ (U, I, UR, UG, UU \ {(u1 , u2 )})
(Add-User)
add user(u)
P (U, I, UR, UG, UU ) −−−−−−−−→ (U ∪ {u}, I, UR, UG, UU )
(Remove-User)
u∈/ dom(UU ) UR = {(u , r) ∈ UR | u = u} UG = {(u , g) ∈ UG | u = u}
remove user(u)
P (U, I, UR, UG, UU ) −−−−−−−−−−→ (U \ {u}, I, UR , UG , UU )
(Add-Item)
S granted (u, AddItem, g) g ∈ i.groups
add item(u,i)
P (U, I, UR, UG, UU ) −−−−−−−−−→ (U, I ∪ {i}, UR ∪ {(u, Owner0 [i])}, UG, UU )
(Remove-Item)
S granted (u, RemoveItem, i) UR = {(u , r) ∈ UR | r = Ownerj [i]}
P (U, I, UR, UG, UU ) −−−−−−−−−−−→ (U, I \ {i}, UR , UG, UU )
remove item(u,i)
permissions on them, by using the role template Owner0 [·] in rule (Add-Item).
We then notice that each user can only impersonate a single user at a time, by the
side-condition u1 ∈ dom(UU ) in rule (Impersonate); this implicitly ensures
that impersonation is not transitive, i.e., if u is impersonating u and u can
impersonate u , then u cannot impersonate u . Finally, when removing a user
u, we require that u is not impersonating anyone: this is technically convenient
and not limiting, since we can always apply rule (Deimpersonate) up to a
configuration where u is impersonating none and then remove him. Notice that
no permission is needed to deimpersonate an impersonated user.
→
−
β
We write P σ =⇒ σ if and only if there exist σ1 , . . . , σn−1 such that P
β1 β2 βn →
−
σ −→ σ1 ∧ P σ1 −→ σ2 ∧ . . . ∧ P σn−1 −−→ σ for some β = β1 , . . . , βn .
The formal semantics in the previous section can be useful to spot improper
privilege escalations by untrusted users of the portal, but it cannot be directly
used to prove the absence of undesired accesses by an exhaustive state space
exploration, since the corresponding labelled transition system has an infinite
number of states. We now discuss how we tackle the problem of policy verification
by abstract model-checking [6].
This is a simple modal logic, where the modality is equivalent to the “finally”
operator F available in full-fledged temporal logics like CTL, CTL∗ or LTL [5].
The (standard) satisfaction relations for state formulas and path formulas are
defined by the judgements P, σ |= φ and P, σ |= ϕ in Table 4. The path formula
♦φ is satisfied by P, σ whenever there exists a reachable configuration from σ
under P where the state formula φ holds true.
Though simple, the logic above allows to formalize several standard security
properties of interest for RBAC systems. For instance, we have:
(LP-And)
(LP-Finally)
→
− (LP-Not) P, σ |= ϕ1 (LP-Or)
⇒ σ P, σ |= φ
β
P σ= P, σ |= ϕ P, σ |= ϕ2 P, σ |= ϕi
P, σ |= ♦φ P, σ |= ¬ϕ P, σ |= ϕ1 ∧ ϕ2 P, σ |= ϕ1 ∨ ϕ2
α
→ σ is obtained from the rules in
The abstract reduction relation P σ −
Table 4 by excluding (Remove-Role), (Remove-Group), (Remove-User)
and (Remove-Item), and by dropping the side-condition u1 ∈ dom(UU ) from
rule (Impersonate).
→
−
β
We let P σ ==⇒ σ be the obvious generalization to the abstract semantics of
→
−
β
⇒ σ defined above. We then let P, σ |=α ϕ be the satisfaction
the relation P σ =
relation obtained from the rules in Table 4 by replacing (LP-Finally) with:
(ALP-Finally)
→
−
α( β )
α(P) α(σ) ====⇒ σ α(P), σ |= α(φ)
P, σ |=α ♦φ
Sat(α, P, σ, ψ):
match ψ with
| ¬ϕ → not Abs-Sat(α, P, σ, ϕ)
| ψ1 ∧ ψ2 → Sat(α, P, σ, ψ1 ) and Sat(α, P, σ, ψ2 )
| ψ1 ∨ ψ2 → Sat(α, P, σ, ψ1 ) or Sat(α, P, σ, ψ2 )
We first prove the soundness of the algorithm in Fig. 1, i.e., we show that,
assuming a mild syntactic restriction on the abstraction function α, a positive
answer by Sat(α, P, σ, ψ) implies that P, σ |= ψ holds true.
The next theorem states that any behaviour of the concrete semantics has a
counterpart in the abstract semantics. It also ensures that the abstract semantics
over-approximates the permissions granted to each user. The result would not
hold in general if the side-condition of rule (Impersonate) was included in the
abstract semantics: we omit further technical details due to space constraints.
→
−
β
Theorem 1 (Soundness). Let α be group-preserving. If P σ = ⇒ σ , then
→
− →−
there exists a sub-trace of β , call it −→ α( γ)
γ , such that α(P) α(σ) ====⇒ σ for
some σ such that α(σ ) α(P) σ .
Using the theorem above, we can prove the soundness of verification. Notice
that the only assumption needed for soundness is on the abstraction function α:
the result applies to any choice of P, σ and ψ.
We now identify conditions for the completeness of the algorithm in Fig. 1, i.e.,
we discuss under which assumptions a negative answer by Sat(α, P, σ, ψ) ensures
that P, σ |= ψ. This is important for the precision of the analysis.
To state and prove the completeness result, we focus on a particular class
of policies which does not allow to impersonate users. We remark that this
corresponds to a realistic use case, since Liferay can be configured to prevent
impersonation by setting the property portal.impersonation.enable to false
in the file webapps/ROOT/WEB-INF/classes/portal-developer.properties.
The next theorem states that any behaviour in the abstract semantics has
a counterpart in the concrete semantics, assuming that impersonation is never
used. It additionally ensures that the desired under-approximation is preserved
upon reduction.
4 Implementation: LifeRBAC
LifeRBAC is a Liferay plugin providing a simple user interface to let portal
administrators input security queries about the underlying RBAC system. The
plugin takes a snapshot of the portal and translates it into a corresponding
representation in our formal model, encoded in the ASLAN specification lan-
guage [18]. The initial state representation is joined with a set of (hand-coded)
transition rules, corresponding to the ASLAN implementation of the abstract se-
mantics, and the query is translated into a modal logic formula, which is verified
using the state-of-art model-checker SATMC [1].
4.2 Experiments
Inspired by a previously published case study [23], we consider an experimental
setting modelling a hypothetical university with 3 departments and 10 courses.
We represent the university as the only company in the portal and the depart-
ments as three different organizations; then, we create a private site for each
department and a corresponding child site for every course. We consider 15 role
templates: 6 templates are used to generate site roles, while 9 templates are used
to generate organization roles. We also include 14 regular roles to collect per-
missions which are not scoped to any specific site or organization. Overall, we
have 6 · 13 + 9 · 3 + 14 = 119 roles; for each of them, we model access permissions
to different resources as read/write privileges on specific web pages in the sites,
and we enable administrative permissions where appropriate, e.g., a user with
role Professor[c] for some course c can assign the parametrized role Student[c].
Finally, we create 1000 users with different role combinations.
Formal Verification of Liferay RBAC 13
other tests we performed). We leave as future work further study on the precise
analysis, to improve its performance by the usage of static slicing techniques [8].
5 Related Work
Abstraction techniques as an effective tool for RBAC verification have been
first concurrently proposed by Bugliesi et al. [3] and Ferrara et al. [9]. The first
paper proposes a formal semantics for grsecurity, an RBAC system built on
top of the Linux kernel, and then uses abstract model-checking to verify some
specific security properties of interest. Notably, the abstraction adopted in [3] is
fixed, while the results in this paper are parametric with respect to the choice
of an abstraction function. The authors of [9], instead, do not apply model-
checking techniques, but rather construct an imperative program abstracting
the dynamics of the RBAC system and apply standard results from program
verification to soundly approximate the role reachability problem. The proposed
abstraction is incomplete, i.e., the analysis may produce false positives. In recent
work [8], the same research group presented VAC, a tool for role reachability
analysis, which can be used both to prove RBAC policies correct and to find
errors in them (adopting different analysis backends).
A different approach to RBAC verification is based on SMT solving. Armando
and Ranise proposed a symbolic verification framework for RBAC systems with
an unbounded number of users [2]. More recent research holds great promise in
making similar techniques scale to verify large RBAC policies [19].
Formal Verification of Liferay RBAC 15
6 Conclusion
We presented a formal semantics for Liferay RBAC and we tackled the verifica-
tion problem through abstract model-checking, discussing sufficient conditions
for the soundness and the completeness of the analysis. We then implemented a
tool, LifeRBAC, which can be used to verify the security of real Liferay portals
and we reported on experiments showing the effectiveness of our solution.
As a future work, we plan to strengthen the completeness result to policies
involving impersonation. Moreover, we want to extend LifeRBAC to support
error finding in the underlying RBAC policy, to include a counter-example gen-
eration module for flawed policies, and to make it significantly faster by adapting
static slicing techniques from the literature [8].
References
1. Armando, A., Carbone, R., Compagna, L.: SATMC: A SAT-based model checker
for security-critical systems. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014
(ETAPS). LNCS, vol. 8413, pp. 31–45. Springer, Heidelberg (2014)
2. Armando, A., Ranise, S.: Automated symbolic analysis of ARBAC-policies. In:
Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710,
pp. 17–34. Springer, Heidelberg (2011)
3. Bugliesi, M., Calzavara, S., Focardi, R., Squarcina, M.: Gran: Model checking gr-
security RBAC policies. In: Computer Security Foundations (CSF), pp. 126–138
(2012)
4. Calzavara, S., Rabitti, A., Bugliesi, M.: Formal verification of Liferay RBAC (full
version), www.dais.unive.it/~ calzavara/papers/essos15-full.pdf
16 S. Calzavara, A. Rabitti, and M. Bugliesi
5. Clarke, E.M., Emerson, E.A., Sistla, A.P.: Automatic verification of finite-state con-
current systems using temporal logic specifications. ACM Trans. Program. Lang.
Syst. 8(2), 244–263 (1986)
6. Cousot, P., Cousot, R.: Refining model checking by abstract interpretation. Autom.
Softw. Eng. 6(1), 69–95 (1999)
7. Ferraiolo, D.F., Sandhu, R.S., Gavrila, S.I., Kuhn, D.R., Chandramouli, R.: Pro-
posed NIST standard for role-based access control. ACM Trans. Inf. Syst. Se-
cur. 4(3), 224–274 (2001)
8. Ferrara, A.L., Madhusudan, P., Nguyen, T.L., Parlato, G.: vac - verifier of ad-
ministrative role-based access control policies. In: Biere, A., Bloem, R. (eds.) CAV
2014. LNCS, vol. 8559, pp. 184–191. Springer, Heidelberg (2014)
9. Ferrara, A.L., Madhusudan, P., Parlato, G.: Security analysis of role-based access
control through program verification. In: Computer Security Foundations (CSF),
pp. 113–125 (2012)
10. Giuri, L., Iglio, P.: Role templates for content-based access control. In: ACM Work-
shop on Role-Based Access Control, pp. 153–159 (1997)
11. Gofman, M.I., Luo, R., Solomon, A.C., Zhang, Y., Yang, P., Stoller, S.D.: RBAC-
PAT: A policy analysis tool for role based access control. In: Kowalewski, S., Philip-
pou, A. (eds.) TACAS 2009. LNCS, vol. 5505, pp. 46–49. Springer, Heidelberg
(2009)
12. Guha, A., Saftoiu, C., Krishnamurthi, S.: The essence of JavaScript. In: D’Hondt,
T. (ed.) ECOOP 2010. LNCS, vol. 6183, pp. 126–150. Springer, Heidelberg (2010)
13. Jayaraman, K., Ganesh, V., Tripunitara, M.V., Rinard, M.C., Chapin, S.J.: Au-
tomatic error finding in access-control policies. In: ACM Conference on Computer
and Communications Security (CCS), pp. 163–174 (2011)
14. Jayaraman, K., Tripunitara, M.V., Ganesh, V., Rinard, M.C., Chapin, S.J.:
Mohawk: Abstraction-refinement and bound-estimation for verifying access con-
trol policies. ACM Trans. Inf. Syst. Secur. 15(4), 18 (2013)
15. Li, N., Mitchell, J.C.: A role-based trust-management framework. In: DARPA In-
formation Survivability Conference and Exposition (DISCEX), pp. 201–212 (2003)
16. Li, N., Tripunitara, M.V.: Security analysis in role-based access control. ACM
Trans. Inf. Syst. Secur. 9(4), 391–420 (2006)
17. Liferay Inc.: Liferay clients and case studies,
https://www.liferay.com/it/products/liferay-portal/stories
18. Mödersheim, S.: Deciding security for a fragment of ASLan. In: Foresti, S., Yung,
M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 127–144. Springer,
Heidelberg (2012)
19. Ranise, S., Truong, A., Armando, A.: Boosting model checking to analyse large
ARBAC policies. In: Jøsang, A., Samarati, P., Petrocchi, M. (eds.) STM 2012.
LNCS, vol. 7783, pp. 273–288. Springer, Heidelberg (2013)
20. Sandhu, R.S., Bhamidipati, V., Munawer, Q.: The ARBAC97 model for role-based
administration of roles. ACM Trans. Inf. Syst. Secur. 2(1), 105–135 (1999)
21. Sasturkar, A., Yang, P., Stoller, S.D., Ramakrishnan, C.R.: Policy analysis for
administrative role-based access control. Theor. Comput. Sci. 412(44), 6208–6234
(2011)
22. Stoller, S.D., Yang, P., Gofman, M.I., Ramakrishnan, C.R.: Symbolic reachability
analysis for parameterized administrative role-based access control. Computers &
Security 30(2-3), 148–164 (2011)
23. Stoller, S.D., Yang, P., Ramakrishnan, C.R., Gofman, M.I.: Efficient policy analysis
for administrative role based access control. In: ACM Conference on Computer and
Communications Security (CCS), pp. 445–455 (2007)
Formal Verification of Privacy Properties
in Electric Vehicle Charging
1 Introduction
In the current practice of charging for electric vehicles, the user of the vehicle
typically has a contract that allows her to charge the vehicle at any compatible
charging station. The contract is comparable to a mobile phone contract, as it
enables roaming by users to charging stations operated by other companies, such
as an electricity provider. However, the current standards for the implementation
of such contracts, which should guarantee energy delivery and payment, do not
fully consider the issue of location privacy for users. For example, a charging
station operator could identify users from specific energy providers, which usually
operate regionally. On the other hand, the company with which the user has a
contract can track her movements through the different charging stations or
energy providers involved.
One of the major challenges to design a protocol for electric vehicle charg-
ing is that the privacy of the user is difficult to express. One of the sources
of this complexity is the potential overlap between the responsibilities of dif-
ferent participants of the protocol. Broadly speaking, two different approaches
F. Piessens et al. (Eds.): ESSoS 2015, LNCS 8978, pp. 17–33, 2015.
c Springer International Publishing Switzerland 2015
18 M. Fazouane et al.
– On the technical side: we provide the first realistic privacy compliant electric
vehicle charging protocol improving the current draft of the ISO standard.
– On the formal side: we define privacy properties suitable for electric vehicle
charging protocols including a new form of unlinkability (of the users and
their uses).
– On the methodological side: we show how formal verification techniques can
be applied in a “real-world” setting.
Beyond this specific protocol, this work also paves the way for a more general
“privacy by re-design approach”.
The remainder of the paper is structured as follows. Section 2 introduces
POPCORN and discusses the relevant parts of the protocol and their relation to
each other. Section 3 provides the formalization of POPCORN and discusses the
relevant privacy properties. The results of our analysis are presented in Section 4,
followed by suggestions of enhancements in Section 5. Related work is discussed
in Section 6 and concluding remarks in Section 7.
In this paper we focus on a charging protocol for electric vehicles, which allows
charging of a vehicle at a charging station in exchange for financial compensa-
tion. In practice, electricity is provided on a contract basis; therefore, financial
compensation is implemented through contracts. Because energy providers of-
ten operate on a regional basis, roaming services are offered through a mobility
operator. Thus, the following parties are involved in such a protocol:
Another random document with
no related content on Scribd:
The Project Gutenberg eBook of Direct methods
This ebook is for the use of anyone anywhere in the United States
and most other parts of the world at no cost and with almost no
restrictions whatsoever. You may copy it, give it away or re-use it
under the terms of the Project Gutenberg License included with this
ebook or online at www.gutenberg.org. If you are not located in the
United States, you will have to check the laws of the country where
you are located before using this eBook.
Language: English
Graves deliberately flipped the ash from his cigar and then reset
the weed in his wide, slightly drooping mouth. His brilliant eyes
rested on the general’s face.
“General, I have here some papers for your inspection, in order
that you may become somewhat acquainted with my mission.
Needless to say, not a soul aside from ourselves and persons whom
I may find it necessary to tell must know even a detail of the matter.”
Very few men would have spoken as tersely and directly to
O’Malley. The general, however, merely nodded.
“I surmised as much,” he said quietly.
Graves drew a thin, long envelope from his pocket and presented
it to O’Malley. It did not take the general long to read the enclosure. It
was signed by a very great and powerful government official, and left
no doubt as to Mr. Graves’ position.
The general reread the last sentence.
“—and is hereby empowered to use any methods he sees fit to
accomplish his mission, which is one of the gravest importance to
the welfare of the United States.”
“So-o-o,” said the general at length, laying down the document
slowly. “And what is it you wish, Mr. Graves?”
“First let me find out whether I am correct on all points or not. You
have gathered here, as I understand it, the veteran pilots of the Air
Service to take part in the coming bombing tests. You likewise have
concentrated here for the use of the Air Brigade the most up-to-date
material the Air Service has.”
“Correct. Right here, Mr. Graves, is probably the best organization
of its size the Air Service of any country has ever known. With those
Martin bombers out there, manned by the pilots of this brigade, we
are ready this minute to back up all our claims, and you know we
made some!”
O’Malley joined in Graves’ spontaneous laugh over that last
forceful statement. The general’s adventures in trying to put across
some of the things he wished to do in the Air Service had been
diversified, to say the least. He was a firebrand whom every one
simply had to like or dislike—there was no middle ground.
The flyers of his service idolized him. Flyers, being on the whole
of a type a little different from the general run, it follows that many
good men would dislike and distrust O’Malley for the same things
which his young men loved.
“Well, general, here is my mission in a nutshell. You know by the
papers, if through no other means, of the series of tremendous mail
robberies, totaling millions, which culminated in the half-million dollar
haul near Cleveland two months ago.”
O’Malley nodded.
“Operatives of our service, after months of patient and very skilful
work, have run down what we believe to be the greatest criminal
organization of its kind the country ever saw. It is almost a certainty
that every mail robbery of any size since 1919 has been engineered
and carried to a successful completion by this organization.
“The group is so powerful and so wise that its ramifications are
almost unbelievable. We don’t know all about them yet, but we do
know that its organization includes agents all over the country for the
safe disposal of securities and other valuables; that it includes
brokers, business men, cracksmen, gunmen, government
employees. The brains of the gang, the man to whom all credit for
the conception and execution of these tremendous crimes and the
organization of the whole thing goes is Stanislaus Hayden.
“I won’t bore you with his history—suffice it to say that he is one of
the most remarkable combinations of brilliancy, far-sightedness, and
executive ability that I have ever known about. If he were anything
but a mentally and morally warped specimen, he might have been
another Morgan or Stinnes.
“Now here is the situation. Hayden is at present in West Virginia.
He is living on the top of a mountain in Farran County, miles from the
nearest town. With him are several underlings—I believe them to be
some of the men who actually pull the robberies themselves. Just
why they are living in seclusion up there I do not exactly know, but I
presume that it is first of all a good hiding place, and secondly that it
keeps Hayden away from the surveillance of the police. He has been
mixed up in some monumental deals—or at least suspected so
strongly that he is watched—but for two years he has fooled us
completely on this new organization of his. What makes him
unusually dangerous aside from his ability is the loyalty he inspires in
those under him—rather a combination of loyalty and fear, I should
say. Anyway, a few small potatoes whom we have nabbed quietly will
tell nothing. Apparently they realize that he is a really great
commander-in-chief, and trust him to help them.”
“But how did he⸺”
“How he got into West Virginia I do not know. A year ago he
dropped from sight, and the operative who finally traced him down
has no idea when he came into that part of the country. I believe that
the gang planned to quit operations before long, and that for months
Hayden has been a hermit simply making his pile with the idea of
retiring on his money in the near future. He would not be safe in any
city in the country to carry on his operations.”
Graves talked as precisely as ever. Every word was clear-cut and
incisive. His slim, long-fingered hands were motionless except as he
carried his cigar to his lips. He paused a moment to get up and drop
the stub into the ash receiver.
“As I said, Hayden is staying on the top of a mountain in Farran
County with some henchmen. There is no question that all of them
would fight to the death—you know what the Postmaster General
announced recently about mail-robbers, do you not?”
“It was plenty,” nodded O’Malley.
“There are several facets to the situation. In the first place, that
little nucleus of men is well supplied with artillery and ammunition
ranging from machine-guns down. In the second place, their dwelling
place is so strategically advantageous that it might take a hundred
men dead and wounded before they could be captured. The only
road leading to the hunting cabin where Hayden has his
headquarters is narrow and winding, like all those mountain roads,
and by reason of a three or four hundred foot precipice and some
other details of the country a dozen men could hold the place for a
considerable time against ten times their number.
“But most important, we want Hayden alive, and the fact that we
have him must be unknown. As I said, we know vaguely, without
many details, that he heads this vast organization. But we have
come to a stone wall in our efforts to find who the biggest culprits
under him are, or all the ramifications of the conspiracy. We believe
that Hayden is the only living man—at least the only one we can get
our hands on—who can tell all. And the moment he was killed or it
was known that he was captured, every criminal under him would be
gone. The organization would probably disappear in a night. My
mission is to capture him, alive, and with nobody but the men with
him in that cabin knowing it. We will see to it that they do not spread
the news, because every escape they have will be guarded, and
they will be in a state of siege up there without any method of
sending news to the outside world. Their immediate capture is
unimportant, but we can take no chances of an attack for fear of
killing Hayden. If we get him, we can make him talk, I believe. We
will use almost any measures.”
“You have quite a contract, I should say,” remarked the general,
tapping on his desk with a penholder. “I thought I might have a
glimmering of what you wanted from us, but what you say about
getting him alive changes things.”
“No, I don’t want any bombs dropped on him,” returned Graves
with a smile. It was a singularly warm and winning smile, lightening
the subtle hardness of his face. The sardonic hint around his mouth
disappeared, and his eyes seemed to reflect the smile in their
depths.
“Now as to what I do want,” he went on after a moment. He
seemed to be incapable of detouring for more than the smallest of
intervals from the business at hand. “It would be impossible for any
of our operatives to get close enough to the place to capture Hayden
without publicity, or without fighting for their lives, except in the
manner I have in mind. Before I describe to you my proposed
method of getting Hayden, I want my men. Then I need only discuss
the matter once.”
“Just as you choose.”
“I want two pilots and a Martin bomber, equipped with extra gas
and oil and heavy machine-gun equipment—all she’ll handle, in case
we need them. These two pilots—the ideal ones for my purpose—
would be A. 1. flyers, first. That is probably the easiest of my
requirements.”
“You can’t throw a stone out of this window without hitting a real
pilot,” stated the general. “We have the finest personnel in the
world.”
“I am inclined to believe you are right, general. Now secondly, it
would be advisable that they be older men—none of your brilliant
kids. Nobody must know that Hayden is captured—before a breath
of it gets out we must make him talk, and then come down on his
men all over the country in one swoop that will be the biggest coup in
the history of the Department of Justice, so far as straight criminality
goes. For this and other reasons, these fellows must be men of the
utmost discretion.”
“I can readily see your point,” agreed O’Malley, lighting a cigaret.
“Next, I want men who have knocked around quite a bit—
resourceful, able to handle themselves in any kind of a shindig
whatsoever, and not afraid of ⸺ or high water. Rather the soldier of
fortune type, you know—I think you get my idea. They will be asked
to volunteer to do this thing with me, as a sporting proposition and as
a duty to the United States. Although this method of capturing
Hayden is rather forced on me by circumstances, I believe that you
can fix me up with men whom I can depend on.”
The irrepressible O’Malley’s mouth widened into a grin as Graves
finished.
“You are paying the Air Service a great compliment, Graves,” he
said.
Graves relaxed briefly.
“You’ve got an outfit, I know,” he admitted. “I wouldn’t trust the
accomplishing one of the biggest things I’ve ever worked on to
strangers if I didn’t believe it.”
Then he started hammering away again. The general got the
impression of resistless tenacity about him—the feeling that until his
job was done the aristocratic, meticulous Mr. Graves could never be
swerved for an instant from his progress toward the goal he was
endeavoring to reach.
“Can you produce two such men—and if so, how quickly,
general?”
O’Malley did not answer for fully two minutes. He placed two
immaculately booted and spurred feet on his desk, sunk into his
chair, and thoughtfully smoked. Then he reached for the bell on his
desk.
The adjutant entered and saluted.
“Get me Lieutenants Broughton and Hinkley, Evans. Tell them to
report to me at once. Use every effort to get them, regardless of
whether they are on the post or not.”
“Yes, sir.”
Captain Evans saluted stiffly and went out.
“I think these two men fit your description best, Graves. I’ll admit
I’m curious to know just what you want with them. Broughton is an
old first-sergeant out of the artillery. Got his commission in the
artillery and transferred to the Air Service. A ⸺ good big-ship pilot,
too. Hinkley is a long, lean, sardonic bird who has the coldest nerve I
ever saw and gives not three hoots in hallelujah for anything or
anybody. Both of them flew on Border patrol for two years—
Broughton out of Nogales and Hinkley—an observer until recently—
at Marfa. Broughton is a nut about guns, and one of the best pistol
shots I ever saw. Can draw and throw a gun and fan it and all that.
I’m a fair shot myself, but he is wonderful. How good Hinkley is on
that stuff I don’t know, but I do know he’s been a captain in the army
of Brazil, and a sailor from the Horn to Bering Sea. Both of them
around thirty, I think.”
“They sound available,” granted Graves.
He relapsed into silence. After a moment or two he took out
another cigar, offered it to the general, who refused, and finally lit it
himself. His gaze rested for a moment on the line of great bombers
which he could partially see through the open window.
“Bombing today?” he inquired.
“Just practise. Those ships out there are all loaded with thousand-
pounders—we practise tomorrow on the hulk of an old battleship out
in Chesapeake Bay. The first test is only two weeks away.”
“Going to make the grade?” inquired Graves easily.
He seemed to have suddenly shed his former terse directness.
And that he was talking to the famous General O’Malley, chief of Air
Service, did not seem to cut any figure with him at all.
“Are we going to make the grade?” repeated the general, his eyes
flashing. He hit the desk a resounding blow with his fist. “We’ll sink
anything they put up in ten minutes. Fellows like these two you’re
going to meet now and the rest of the men who fly those ships out
there are going up and show the world⸺”
A knock on the door interrupted him.
“Come in!” he shouted.
Captain Evans obeyed.
“Broughton and Hinkley are on their way, sir,” he reported.
“Good. Send ’em in as soon as they get here. Now, Graves, let
me tell you⸺” and the general was off on the passion of his life,
which was flying in general and his flyers in particular.
Graves deftly inserted the proper question at the proper time, and
before long the dynamic general had blueprints and specifications
and maps out to strengthen his arguments further.
He was in the midst of describing what a two-thousand-pound
bomb would do to a battleship, Times Square, a dock, or anything
else it hit when Captain Evans entered again.
“Evans, you bother me to death. What the⸺”
“Lieutenants Broughton and Hinkley are here, sir,” returned the
adjutant, standing at attention. Captain Evans was very correct.
“Oh yes. Send ’em in. From now on, Graves, it’s your funeral.
Come in, boys. Mr. Graves, may I present Mr. Broughton and Mr.
Hinkley. Sit down. All right, fire away, Graves.”
II.
“You gentlemen are here, upon General O’Malley’s
recommendation, in order to let me give you an opportunity to
volunteer for a special mission upon the success of which depends
to a considerable extent the lives of many hundred people. Even
more important, it has considerable bearing on the future welfare of
this country. Least important—in itself, without considering the
ramifications resulting from it—it means the capture of a very
important and dangerous criminal.”
Graves’ remarkable eyes flitted from one flyer to the other as he
studied the effect of his words. Broughton was a thickset, tanned
young man possessed of a certain reserve which involuntarily
commanded the respect of Graves. He was blond-haired and blue-
eyed, and his gaze was as steady as it was noncommittal. Tall, lath-
like, Hinkley had an air of careless recklessness about him, helped
along by the pronouncedly sardonic cast of his face. Like Broughton,
he preserved silence.
“With General O’Malley’s permission, I will go over some of the
ground I have already covered with him for the benefit of you
gentlemen,” Graves went on after a moment.
He proceeded to tell the airmen of Hayden, his importance and
the difficulty of capturing him without great publicity and loss of life.
“The only dope we have on the exact layout of his headquarters
was obtained through field-glasses by operatives who climbed
adjoining mountains and studied the place from all sides. He lives on
the very peak of a mountain, without another cabin within miles. But
one rough road, winding around the mountain side on a very steep
grade, leads to it. For several miles before it reaches the summit of
the mountain the cliff drops away sheer from one side of the road,
and on the other rises with almost equal steepness. There are so
many sheer ravines, and so forth, that it would be almost impossible
to get even two hundred men up by any other way than the road;
that is, providing they carried machine-guns and other supplies
which would be necessary if they stood any chance of capturing
Hayden. He has several guards, sufficiently armed, who have every
strategic point guarded. Hayden is absolutely without hope, if his
presence in this country is known. Capture means ⸺ for him, and
he is almost as sure of it as I am. Being a man of force and brilliancy,
although he is crazy, and possessed of a weird magnetism which
induces real fanaticism among his followers, the few men up there
will undoubtedly fight for him to the death. My job—in which I would
like to have you gentlemen help me—is to capture him without
publicity or loss of life.”
“If there’s a chance we may be working for you on this picnic, it
might not be discourteous for us to ask who you are?”
It was Hinkley speaking. He was lounging lazily in his chair, one
long leg drooping over the other. Graves smiled.
“Here, perhaps, is enough to satisfy you,” he returned, handing
Hinkley the document which had been laying on the desk since
O’Malley had laid it down.
“I don’t know just who he is myself,” confided O’Malley as Hinkley
glanced over the signed note. “But I have a feeling that I’d give a
month’s pay to be in on what he is going to do.”
Broughton smiled at his irrepressible chief.
“That remains to be seen, general,” he said gently—the first word
he had spoken since entering the office.
“Mysterious, but impressive, Jim,” laughed the irreverent Hinkley
as he passed the sheet of paper over to Broughton.
The flyer read it slowly, and handed it back to Graves without
comment.
“My scheme is this,” said Graves, leaning back once more and
setting the cigar in one corner of his mouth. “That’s wild country—no
place to land. The only cleared spot for twenty miles—or in other
words near enough to Hayden to suit my needs—is right around his
cabin. It is small and rough and on a grade so steep that according
to my information it would make a man puff to climb it. I want you
gentlemen to fly me over there in a Martin bomber, which I
understand is about the safest of ships in a crackup. This ship will be
equipped with extra gas and oil tanks to insure large cruising radius.
No ship with ordinary gas capacity could safely make the hop, I
understand; in any event would not have fuel enough for any
reconnaisance.
“In the ship there will also be provisions, machine guns, Colts and
plenty of ammunition. I want you gentlemen to fool around with the
motor when we are over Hayden’s headquarters, make a supposed
forced landing, and endeavor to crack up the ship without hurting
any of us. I will be in the uniform of a colonel. You will also be in full
uniform.
“Naturally we will crack up in Hayden’s front yard. It is the only
cleared spot, as I said. He will not like our presence, nor will any of
his henchman be very enthusiastic. But we’ll be ‘in,’ and it’s a ⸺
sight easier to get out than it would be to get in.
“What we do from then on is on the knees of the gods, so to
speak. Some way or other we must invent a way to get Hayden and
get him out of there. It’s a man’s-size job, all right, but we’ve got to
figure on a little luck and then taking advantage of it.
“You men are recommended as flyers, and also as men who’ve
had some diversified experience. This is not flattery, it is a statement
of facts. I expect that you can handle yourselves in any company,
and that you’ll be able to come to bat in a pinch when we get up
there.
“It’s a hard contract, and you will get nothing out of it except a
document in the secret archives of the War Department which may
sometimes help you. Now first, what do you think of the plan insofar
as it concerns the flying end of things, and secondly, do you want to
declare yourselves in on it?”
Graves had been talking as clearly and without excitement as
always, and now he waited with equal calmness for a reply. General
O’Malley was sunk deep in his swivel-chair, watching the younger
men with a half-smile on his face. In his heart was a growing respect
for the equable Mr. Graves.
“How much flying have you done, Graves?” he inquired
impulsively.
“I made my second flight today, coming down from Washington.
What do you say, gentlemen?”
“Can’t get you off the track a minute,” said O’Malley genially. “I’ll
subside.”
There was silence for a moment. Hinkley smoked a cigaret,
blowing rings at the ceiling with an air of complete indifference.
Broughton was gazing steadily at Graves, his scrutiny untroubled by
the fact that Graves noticed it. The stocky, slightly stolid-looking pilot
was the first to speak.
“A deal of that kind is ticklish business without those in it knowing
their helpers a ⸺ sight better than we know each other, sir, but one
thing and another about it sort of sells the proposition to me. Count
me in, I guess.”
“Suits me,” declared Hinkley. “When do we go?”
“The first minute that the ship is ready. From Washington I got this
dope—tell me if I’m wrong. A Martin lasts around five hours in the air
if you take a chance and win on the oil staying with you. Fifty extra
gallons of gas in each motor, and approximately fifty per cent. more
oil than usual, will assure us of seven hours in the air if we need it. It
may take time to find our man.”
Broughton nodded.
“When can the extra tanks be installed, general? Major Jenks of
the Engineering Division said that it was a comparatively simple job.
As I understand it there is plenty of room in a Martin, and of course
to any ship that can lift your two thousand pounders the extra weight
will be a bagatelle.”
“For a landsman you’re pretty wise,” the general complimented
him. “I’ll have the exact estimate in about ten minutes.”
He pressed the bell and instructed Evans to have the engineer
officer of the field report at his office immediately. Then the four men
plunged into a discussion of guns, food, and other details. Graves
had exact figures at his finger tips. Not a detail was brought up which
he did not settle as smoothly and quickly as he talked. There was
something ruthlessly direct about him—an air of resistless efficiency
that was queerly at variance with his appearance, which inclined
rather more toward being that of a student than a man of physical
achievement.
Mutual respect grew in the minds of the flyers and of Graves. He
was no amateur at reading character and estimating men, and he
found the airmen to his liking.
The engineer officer, ordered to use every facility at his command
to expedite the changing of the Martin, said that on the morning of
the second day the ship would be ready for test. At noon it should be
ready to go.
“Good,” said Graves. “I guess we’ve covered everything,
gentlemen. Hinkley and Broughton will attend to gathering the
equipment, general, providing you furnish them proper authority. I
will be back about nine a.m., day after tomorrow. I guess there is no
need for me to emphasize the need for absolute secrecy—you all
realize that. If any of you want to reach me, you can call the
Monticello Hotel in Norfolk and ask for Room 220. Don’t ask for
Graves.
“Thank you for your help—I’ll see you day after tomorrow. Good-
by until then.”
With a smile and slight bow, he left.
III.
“I wish I was back in Texas. This muggy heat makes me sweat like
⸺.”
“Any amount of heat that can wring moisture out of your skin and
bones deserves respect, Larry,” returned Broughton, shifting his
body a trifle so that he could lie more comfortably.