Reflections on the verification of the security of an operating system kernel

Jonathan M. Silverman
1983 ACM SIGOPS Operating Systems Review
This paper discusses the formal verification of the design of an operating system kernel's conformance to the multilevel security property. The kernel implements multiple protection structures to support both discretionary and nondiscretionary security policies. The design of the kernel was formally specified. Mechanical techniques were used to check that the design conformed to the multilevel security property. All discovered security flaws were then either closed or minimized. This paper considers the multilevel security model, the verification methodology, and the verification tools used. This work is significant for two reasons. First, it is for a complete implementation of a commercially available secure computer system. Second, the verification used off-the-shelf tools and was not done by the verification environment researchers.
doi:10.1145/773379.806623