John Rushby. Proof of Separability---A verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 352--367, Turin, Italy, April 1982. Springer-Verlag.


This paper is cited in the following contexts:
The Architecture of Secure Systems - Alves-Foss (1998)   (Correct)

....approach, based on separability, will greatly simplify the developer's overall design, verification and validation effort. 1 Introduction In this paper we discuss a generic approach to the design, verification and validation of secure systems. This approach, based on Rushby's separability model [7, 8], provides a standard methodology that can be used by system designers and verifiers in the implementation of a wide range of secure systems. This approach will assist in greatly simplifying the system design, verification and validation effort by providing a proven template from which to build ....

....and discusses the verification and validation of the system. Section 4 then presents an exemplary secure system design using the technique presented in this paper. 2 System Model In the early 1980s, John Rushby presented the separability concept for secure system design and implementation [7, 8]. The basic idea behind this concept is to model the behavior of a secure system as if it were a physically distributed system. In a distributed system, we have well-defined lines of communication between the individual machines. If we can develop a separation kernel for a secure system such that ....

[Article contains additional citation context not shown here]

J.M. Rushby. Proof of separability: A verification technique for a class of security kernels. Proc. International Symposium on Programming, Lecture Notes in Computer Science, 137:352--367, 1982.


Kit: A Study in Operating System Verification - Bevier (1989)   (23 citations)  (Correct)

....software proposed by Robinson and his co-workers [Robinson 77] calls for a sequence of abstract machines, each related by an implements relation. Kemmerer [Kemmerer 82] acknowledges a debt to Milner and Hoare in the verification of a portion of the security kernel of UCLA Secure Unix. Rushby [Rushby 81a] described an approach to kernel verification similar to ours. Several other research efforts have used the Boyer-Moore logic and theorem prover to specify and verify components of computing systems. Hunt [Hunt 85] proved an interpreter equivalence theorem to establish the correctness of the ....

J. Rushby. Proof of Separability: A Verification Technique for a Class of Security Kernels. Technical Report SSM/8, Computing Laboratory, University of Newcastle upon Tyne, May 1981.


Formal Methods and the Certification of Critical Systems - Rushby (1993)   (50 citations)  Self-citation (Rushby)   (Correct)

No context found.

John Rushby. Proof of Separability---a verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, pages 352--367, Turin, Italy, April 1982. Volume 137 of Lecture Notes in Computer Science, Springer-Verlag.


The Security Model of Enhanced HDM - Rushby (1984)   Self-citation (Rushby)   (Correct)

....its client processes that is consistent with the HDM security model, while it itself operates in a far more complex and demanding environment. Once again, I do not see it as a weakness of the HDM model that it does not address these issues; that is the task of other, specialized security models [6, 10]. Just as it does not address the issue of the secure implementation of verified interface specifications, nor the security problems of an operating system nucleus, so the HDM security model does not confront security issues other than disclosure through information flow. In particular, the ....

John Rushby. Proof of Separability---A verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 352--367, Turin, Italy, April 1982. Springer-Verlag.


A Trusted Computing Base for Embedded Systems - Rushby (1984)   (1 citation)  Self-citation (Rushby)   (Correct)

....does not begin to address the real behavior of the program when x is the processor status word. The task of verifying a separation kernel is rather different than conventional program verification. A technique for accomplishing the task is described informally in [10] and more formally in [11]. An application of the technique is described in [8]. Although a separation kernel must essentially be written in assembler (or in assembler disguised as a high-level language), one of the merits of the TCB structure advocated here is that it isolates all the machine dependencies in the (very ....

John Rushby. Proof of Separability---A verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 352--367, Turin, Italy, April 1982. Springer-Verlag.


Design and Verification of Secure Systems - Rushby (1981)   (20 citations)  Self-citation (Rushby)   (Correct)

....required of the system components which it supports. Finally, in Section 4, I shall outline a precise specification of the role of a separation kernel and sketch an appropriate method of verification which I call Proof of Separability and which is developed formally in a companion paper to this [31]. The mathematical model which underlies this method of verification explicitly addresses the interpretive character of a security kernel and provides a sound formal basis for verifying the security relevant aspects of interrupt handling and other issues concerning the flow of control which are ....

....to add some explicit notion of interpretation to the state machine model. This extended model would make it possible to address such concerns as parallelism, language semantics, and interrupt handling [29]. A model with some of these characteristics is described in a companion paper to this [31] and is used to justify a new method for verifying kernels which enforce the policy of isolation. An informal explanation of this method is given in the next section. Proof of Separability The purpose of a separation kernel is to simulate a distributed environment. To the software in each ....

[Article contains additional citation context not shown here]

John Rushby. Proof of Separability---a verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 352--367, Turin, Italy, April 1982. Springer-Verlag.


Kernels for Safety? - Rushby (1986)   (6 citations)  Self-citation (Rushby)   (Correct)

....at least we know that no other malfunction can cause the weapon to be fired without being aimed. A specification of how domains should be wired up is referred to as a channel control policy [12], and a method for formally verifying that a separation kernel enforces such a policy is described in [13]. More sophisticated sequencing properties can be enforced by a separation kernel which monitors the status of information that moves over its communication paths. By the status of information, we include not just its syntactic type (e.g. "text") but also its semantic state (e.g. not ....

John Rushby. Proof of Separability---a verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, pages 352--367, Turin, Italy, April 1982. Springer-Verlag Lecture Notes in Computer Science, Vol. 137.


Formal Verification of Time-Triggered Systems - Pike (2006)   (Correct)

No context found.

John Rushby. Proof of Separability---A verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, volume 137 of Lecture Notes in Computer Science, pages 352--367, Turin, Italy, April 1982. Springer-Verlag.


Partitioning in Avionics Architectures: Requirements, Mechanisms, .. - Rushby (2000)   (11 citations)  (Correct)

No context found.

John Rushby. Proof of Separability---A verification technique for a class of security kernels. In Proc. 5th International Symposium on Programming, Volume 137 of Springer-Verlag Lecture Notes in Computer Science, pages 352--367, Turin, Italy, April 1982.


A Verified Operating System Kernel - Bevier (1987)   (12 citations)  (Correct)

No context found.

J. Rushby. Proof of Separability: A Verification Technique for a Class of Security Kernels. Technical Report SSM/8, Computing Laboratory, University of Newcastle upon Tyne, May 1981.
