Structured specification of a Security Kernel

K. G. Walter, J. M. Gilligan, S. I. Schaen, W. F. Ogden, W. C. Rounds, D. G. Shumway, D. D. Schaeffer, K. J. Biba, F. T. Bradshaw, S. R. Ames
1975 SIGPLAN notices  
Certifying an entire operating system to be reliable is too large a task to be practicable. Instead, we are designing a Security Kernel which will provide information security. The kernel's job is to monitor information flow in order to prevent compromise of security. Sound design is encouraged by using a technique called Structured Specification, in which successively more detailed models of the Security Kernel are developed. The initial model, M O, is an abstract description which formalizes
more » ... overnmental security applied to computer systems. Subsequent levels of modeling provide increasingly more detail, and gradually the models begin to resemble a particular system (Multics in this case). The second model, M l, defines a treestructured file system, and an -interagent communication system while M~ adds details concerning segmentation in a dynamic ~ environment. It is intended that the final level of modeling will specify the primitive commands for the kernel of a Multics-like system and will enumerate precisely those assertions which must be proved about the implementation in order to establish correctness. I.
doi:10.1145/390016.808450 fatcat:sjudbi2tdfcufk5gxituoxdys4