Kernel Implements Processes The relationship between the abstract kernel and an individual task is pictured in Figure 4, and is formalized by the theorem AK-IMPLEMENTS-PARALLEL-TASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, the final state reached by task I can equivalently be achieved by running TASK-PROCESSOR on the initial task state, with an oracle constructed by the function CONTROL-ORACLE. The oracle constructed for TASK-PROCESSOR accounts for the precise sequence of delays to task I in the abstract kernel. Task project AK Figure 4: AK Implements Parallel Tasks THEOREM AK-IMPLEMENTS-PARALLEL-TASKS (IMPLIES (AND (GOOD-AK AK) (FINITE-NUMBERP I (LENGTH (AK-PSTATES AK)))) (EQUAL (PROJECT I (AK-PROCESSOR AK ORACLE)) (TASK-PROCESSOR (PROJECT I AK) I (CONTROL-ORACLE I AK ORACLE)))) 6. The Target Machine The target machine TM is a simple von Neumann computer. It is not based on an existing physical machine becaus...

Abstract not found

We present a multitasking operating system kernel, called KIT, written in the machine language of a uni-processor von Neumann computer. The kernel is proved to implement, on this shared computer, a fixed number of conceptually distributed communicating processes. In addition to implementing processes, the kernel provides the following verified services: process scheduling, error handling, message passing, and an interface to asynchronous devices. The problem is stated in the Boyer-Moore logic, and the proof is mechanically checked with the Boyer-Moore theorem prover.

A VERIFIED CODE GENERATOR FOR A SUBSET OF GYPSY Publication No. William David Young, Ph.D. The University of Texas at Austin, 1988 Supervising Professors: Robert S. Boyer, J Strother Moore This report describes the specification and mechanical proof of a code generator for a subset of Gypsy 2.05 called Micro-Gypsy. Micro-Gypsy is a high-level language containing many of the Gypsy control structures, simple data types and arrays, and predefined and user-defined procedure definitions including recursive procedure definitions. The language is formally specified by a recognizer and interpreter written as functions in the Boyer-Moore logic. The target language for the Micro-Gypsy code generator is the Piton high-level assembly language verified by J Moore to be correctly implemented on the FM8502 hardware. The semantics of Piton is specified by another interpreter written in the logic. A Boyer-Moore function maps a Micro-Gypsy state containing program and data structures into an initial Pit...

The threat of attack by computer viruses is in reality a very small part of a much more general threat, specifically attacks aimed at subverting computer security. This paper examines computer viruses as malicious logic in a research and development environment, relates them to various models of security and integrity, and examines current research techniques aimed at controlling the threats viruses in particular, and malicious logic in general, pose to computer systems. Finally, a brief examination of the vulnerabilities of research and development systems that malicious logic and computer viruses may exploit is undertaken. 1.

Abstract. Language-based approaches to security typically use static type systems to control information flow, relying on type inference to distinguish secure programs from insecure ones. This paper advocates a novel approach to language-based security: by structuring software with monads (a form of abstract data type for effects), we are able to maintain separation of effects by construction. The thesis of this work is that well-understood properties of monads and monad transformers aid in the construction and verification of secure software. We introduce a formulation of non-interference based on monads (rather than the typical trace-based formulation). Using this formulation, we prove a noninterference style property for a simple instance of our abstract system model. Because monads may be easily and safely represented within any higher-order, typed functional language, monadic event systems may be directly realized within such a language. 1

This report explores the influences of hardware on verifiable secure system design and envisions a mutually beneficial collaboration between the hardware verification and security communities. Hardware verification techniques offer the possibility of significantly enhanced assurance for secure systems at the lowest levels of system design and implementation. Security can provide an important and challenging applications arena in which hardware-oriented formal approaches can be tried and refined. We discuss some of the important concepts and issues that arise in trying to apply formal techniques to secure systems at the hardware level: the meaning of ‘‘security’’ in the context of hardware; the way to identify appropriate security properties at each level of system description, including the hardware level; and, a number of specific concerns related to hardware and its use in secure system development.

Success in achieving a high degree of security in a system depends on the degree of care put into designing and implementing the security controls. But even the most careful application of the best software engineering practices is inadequate unless you clearly understand the system’s security requirements. The purpose of a security model is to express those requirements precisely. A security model has several properties: • It is precise and unambiguous. • It is simple and abstract, and therefore easy to comprehend. • It is generic: it deals with security properties only and does not unduly constrain the functions of the system or its implementation. • It is an obvious representation of the security policy. For high-security systems, especially those based on a security kernel, the requirement for precision is satisfied by writing the model in a formal mathematical notation. However, the concept of modeling a system does not require the use of mathematical techniques. Even for medium-grade security, if your goal is to modify an existing system to improve its security. properties, writing a natural-language model can be well worth your while.

Abstract not found