Formal Verification of a Secure Model for Building E-Learning Systems

Internet is considered as common medium for Elearning to connect several parties with each other (instructors and students) as they are supposed to be far away from each other. Both wired and wireless networks are used in this learning environment to facilitate mobile access to educational systems. This learning environment requires a secure connection and data exchange. An E-learning model was implemented and evaluated by conducting student’s experiments. Before the approach is deployed in the real world a formal verification for the model is completed which shows that unreachability case does not exist. The model in this paper which is concentrated on the security of e-content has successfully validated the model using SPIN Model Checker where no errors were found. Keywords—Formal verification; SPIN Model Checking; Econtent; E-protection; Encryption and Decryption; Security of e-


INTRODUCTION
A formal verification for a secure e-learning system model was designed for implementation by computer centers in universities.Figure 1 indicates a secure model for building elearning systems [1].This study formally verifies the suggested model, which presents a wireless system that provides university users with remote access to the database files of students.A new security system is proposed to verify if e-learning application environment has weaknesses and to assess data cryptography at rest and in transit.[1] proposed a system that could validate user input for malicious data.In their proposed system, access switches connect all PCs, and a core switch then connects all wireless devices to the access point and secures them using open virtual private network (openVPN) on the client side with a MAC address.The application servers of students located in the computer center are connected to the core switch.This setup adds to a secure connection.The firewall guards the core switch and the entire network.The university is connected remotely using OpenVPN and Pretty Good Privacy (PGP).
The study applies a SPIN model checker to verify the proposed model.The model is presented as a Unified Modelling Language (UML) state diagram using the ArgoUML CASE tool.

A. Formal Verification
A significant area in formal methods is the concept of formal verification.Formal methods include mathematical techniques and tools that are applied for models, specifications, and verification of systems [2].These factors focus on the formal behavior description of systems, and specifications reflect the degrees of these systems.
In formal verification, the state space of the system utilizes model checkers for determining the specification properties [3].If these properties are valid, model checkers will return empty files.However, errors will result in a file which is generated by SPIN and called the TRAIL file (i.e., output file of the SPIN model checker) or will generate a counter example (i.e., output file of the SMV model checker) to present the process of the violation.Thus, the model checker could present as a series of model states that contain model variables and their values at that state, which aggravate the violations [4].
To check the model system, a finite state machine has to be verified.SPIN verification aims to check violations of safety and liveness factors [5].Safety properties should prevent errors from occurring.For example, the model should not be exposed to invariants and deadlocks, which would prevent the achievement of possible states.www.ijacsa.thesai.orgSPIN inspects a safety property by searching for traces that could direct to an -undesired‖ element.The lack of trace then satisfies the property [3].Therefore, the SPIN model checker evaluates assertions that can be utilized between any two statements in the state space [6].When the model checker determines a calculation that can cause false assertion, the program encounters an error or the assertion is unable to express a correct property [6].The evaluation is simulated with a true or false expression for a specific statement.If a statement progresses correctly, then the model checker will proceed to the next statement.However, if the statement is unable to progress correctly, then the program will terminate by indicating a trail showing the number of these errors [7].
Linear Tree Logic (LTL) can be applied in several cases to model the time sequence.These models can be translated by SPIN into a never claim, which is then executed together with the finite automaton that represents the Process or Protocol Meta Language (PROMELA) program.LTL may be used to verify certain properties of the system, such as safety, liveliness, and lack of deadlocks [8].
The application of SPIN to formal verification has been commonly used in evaluating security models.For instance, [9] analyzed the security of an approach using behavior-based anti-phishing, and [10] used the SPIN model checker for verifying the security of an anti-phishing model and they found no deadlocks on that model.This paper evaluates the approach's efficiency by means of formal methods.This research verifies the E-learning model presented in Figure 2 in a formal technique.The verification helps to check whether the model is viable (i.e.un-reachability case does not exist) so as to apply it in the real world.The Elearning model is verified in a formal manner using SPIN model checker.The approach in this paper uses UML state diagram to specify the state model and the state transitions based on the diagram.This UML diagram is translated into PROMELA language code (i.e. the input language of SPIN model checker) so it can be analyzed by SPIN.

B. Secure e-Learning Systems
Researchers have presented the security issues and weaknesses of e-learning systems from various perspectives.[11] elaborated that the security issues of an e-learning schema use four pillars that should be positioned to enhance overall security.These pillars boost e-learning security, present e-learning security policies and procedures, apply elearning security counter measures, and scrutinize the elearning security countermeasures.
On the other hand; [12] introduced the security features of e-learning authentication.Using web application for security requires utilizing the SKiP method to provide the same features of SSL.Moreover, using RIPEMD-160 hash function is suggested to provide security and authentication whereas [13] argued that Information Security Management (ISM) is essential to safeguarding the security of the e-learning environment.Combining ISM and information security technology could assure a better security implementation of the e-learning system.This step assures improved results of the successful implementation of security.[1] proposed a model that could deal with securing the e-content of the elearning system and improve mobile access to several learning systems.

III. MATERIALS AND METHODS
The verification methodology used in this research was successfully used in previous papers by [9] and [10] where this research focuses mainly on the formal verification of the proposed e-learning model using SPIN model checker.In this case, SPIN could be used to verify the model against vulnerabilities based on the system's mechanism that's shown in figure 2. Each part of the model is considered as a different process.These processes are recognized in PROMELA (Process or Protocol Meta Language).PROMELA reads the behavior of the processes that's described in the state diagram in figure 2. These model entities communicate with each other using some global channels.Accordingly, the E-learning model is designed in UML (Unified Modeling Language) state diagram using a case tool called ArgoUML.The generated UML model is then mapped into a PROMELA code using a tool called Hugo/RT which can capture the properties of the model and save it as a PROMELA program.For formal verification process the generated code is combined with some LTL properties that will be used for verifying the timing of the model responses as illustrated in Figure 2. As stated in Figure 2 student application server is connected to a core switch which is protected by a firewall for the wireless station as well as the users.The security system can work for multiple tasks, i.e. the measurement of the antiautomation and the validation of malicious data of users as well as ensuring the roles and privileges for the database, the internet and the e-learning courses and checking the vulnerabilities for these courses.

IV. RESULTS AND DISCUSSION
The PROMELA code for the e-learning model is translated and written to fit the SPIN model checker.The code is written as follows: 1 proctype E-learning (){ 2 printf("initiating E-learning Process...\n"); 3 DisplayMenuState: 4 UserInterface!DISPLAY_Options-> The states initiating E-remoteaccess, AccessToDatabase, AccessToInternet, and AccessToE-learningCourses after SecuritySystem have multiple entry points.Figure 3 shows the verification of the properties of these states with the LTL properties.The results indicate that the proposed e-learning model passes these properties during checking.Therefore, the SPIN model checker can validate the model as indicated by the absence of deadlocks or unreachable states.

V. CONCLUSION AND FUTURE WORK
This research met the objectives of the study by plotting the model and formally evaluating the proposed e-learning model.Further, the study effectively coded the model using PROMELA and validated the program using the SPIN model checker.The method checked for deadlocks and unreachable states, which did not emerge from the model.Future research could look into proposing another model checker, such as the Symbolic Model Verifier, which could be applied to gain clear results on the veracity of the behavior of the e-learning model.