Gerald J. Popek and David R. Farber. A model for verification of data security in operating systems. Communications of the ACM, 21(9):737--749, September 1978.
....is widely considered to offer the most promising basis for the construction of truly secure computer systems, at least in the short term. A number of kernelized systems have been constructed [12, 19, 25] and various models of security have been formulated to serve as the basis for their verification [6, 9, 28]. Despite the enthusiasm for this approach, there remain certain difficulties and problems in its application (see, for example, [1]). I shall expand on these later, but briefly they include the difficulty of verifying the trusted processes that seem necessary in most applications, concern about ....
....this approach is that it is concerned only to protect the physical representations of information, rather than information itself. Thus it does not control the leakage of information through covert signalling paths [15, 17] nor is the notion of such information flow expressible in the model [28, 32] which underlies the verification of these kernels. In military applications, all unauthorized flow of information, whether due to direct access or indirect leakage, is unacceptable and, in consequence, security kernels intended for these applications must not only enforce the security policy of ....
Gerald J. Popek and David R. Farber. A model for verification of data security in operating systems. Communications of the ACM, 21(9):737--749, September 1978.
....problem. What then might one expect in these layers? We propose the enforcement kernel implement mandatory controls which are for the most part based on static properties of subjects and objects. To separate policy from mechanism, the kernel should be table driven. This is by no means a new idea [4, 8, 23] and has obvious appeal. The separation of trusted functions outside the kernel, into application independent and application dependent, is intended to encourage reuse of trusted functions across applications. We propose the mandatory policy of the kernel be defined in terms of types of subjects ....
Popek, G.J. and Farber, D.A. "A Model for Verification of Data Security in Operating Systems." Communications of ACM 21(9):737-749 (1978).
....design, implement and verify a security kernel. A security policy given by Bell and LaPadula [Bell 75] was the first attempt to formalize a specification for a security kernel. Alternative formulations of security were given by Feiertag, Levitt and Robinson [Feiertag 77] and by Popek and Farber [Popek 78]. The goals of each security kernel project were similar in outline: design a security kernel, prove that the design satisfies a formally described security policy, implement the kernel, and prove the implementation correct. Some projects were intended to complete only an initial portion of this ....
G.J. Popek, D.A. Farber. A Model for Verification of Data Security in Operating Systems. CACM 21(9):737-749, September, 1978.
....the restriction that high level user input cannot interfere with low level user output. The original formulation of Noninterference, due to Goguen and Meseguer [GM82], is based directly on the work of Feiertag [Fei80] and indirectly on earlier work by Cohen [Coh77] and by Popek and Farber [PF78]. Goguen and Meseguer consider a deterministic system whose output to user u is given by the function out(u, hist.read(u)), where hist.read(u) is an input history (trace) of the system whose last input is read(u), a read command executed by user u. Security is defined in terms of purges of ....
G Popek and D. Farber. A model for verification of data security in operating systems. Communications of the ACM, 21(9):237--249, September 1978.
....in the object, and a set of operations on the data structures in the object. The process interacts with its environment by invoking the operations of the environment objects. This model is similar to the ones used in software specification and verification [10] and in operating system design [11]. An object is modeled as a state machine M [12] represented by a 4-tuple M = (S, S_0, O, T), where S is the state space of M, S_0 denotes the initial state, O is a set of transition operations, and T is the transition function. Each operation in O, when executed, causes the object to ....
Popek, G.J. and Farber, D.A., "A Model for Verification of Data Security in Operating Systems", Communication ACM, Vol. 21, No. 9, September 1978
....of the formal model is intended to simplify its application to defining pre conditions and post conditions for system operations. To make explicit the entities that a given operation may change, we define the concept of potential modification based, in part, on the work of Popek and Farber [18]. Potential modification is similar to strong dependency, developed by Cohen [19]. System State. In this section we define what it is to be a system state and what it is for a system state to be secure. We assume the existence of the following sets. OP is a set of operations. L is a set of ....
Popek G.J., and Farber, D.A. A model for verification of data security in operating systems. Commun. ACM, 21, 9 (Sept. 1978) pp. 737-749.
Gerald J. Popek and David R. Farber. A model for verification of data security in operating systems. Communications of the ACM, 21(9):737--749, September 1978.
Popek, G.J., Farber, D. 'A Model for Verification of Data Security in Operating Systems', Communications of the ACM, September 1978.
Popek, G. J., and D. A. Farber, "A Model for Verification of Data Security in Operating Systems," Communications of the ACM, Vol. 21. No. 9, September 1978, pp. 737-749.
G.J. Popek, D.A. Farber. A Model for Verification of Data Security in Operating Systems. CACM 21(9):737-749, September, 1978.
POPE78 ________, and D. A. Farber, "A Model for Verification of Data Security in Operating Systems," Communications of the ACM, pp. 737-749, Vol. 21, September 1978.