Certifying an entire operating system to be reliable is too large a task to be practicable. Instead, we are designing a Security Kernel which will provide information security. The kernel's job is to monitor information flow in order to prevent compromise of security. Sound design is encouraged by using a technique called Structured Specification, in which successively more detailed models of the Security Kernel are developed. The initial model, M O, is an abstract description which formalizes

more »

... overnmental security applied to computer systems. Subsequent levels of modeling provide increasingly more detail, and gradually the models begin to resemble a particular system (Multics in this case). The second model, M l, defines a treestructured file system, and an -interagent communication system while M~ adds details concerning segmentation in a dynamic ~ environment. It is intended that the final level of modeling will specify the primitive commands for the kernel of a Multics-like system and will enumerate precisely those assertions which must be proved about the implementation in order to establish correctness. I.