Kit: A Study in Operating System Verification, 1989
Cited by 55 (0 self)
Kernel Implements Processes. The relationship between the abstract kernel and an individual task is pictured in Figure 4, and is formalized by the theorem AK-IMPLEMENTS-PARALLEL-TASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, the final state reached by task I can equivalently be achieved by running TASK-PROCESSOR on the initial task state, with an oracle constructed by the function CONTROL-ORACLE. The oracle constructed for TASK-PROCESSOR accounts for the precise sequence of delays to task I in the abstract kernel.

Figure 4: AK Implements Parallel Tasks (task, project, AK)

THEOREM AK-IMPLEMENTS-PARALLEL-TASKS
(IMPLIES (AND (GOOD-AK AK)
              (FINITE-NUMBERP I (LENGTH (AK-PSTATES AK))))
         (EQUAL (PROJECT I (AK-PROCESSOR AK ORACLE))
                (TASK-PROCESSOR (PROJECT I AK) I (CONTROL-ORACLE I AK ORACLE))))

6. The Target Machine. The target machine TM is a simple von Neumann computer. It is not based on an existing physical machine becaus...
The foundations of a provably secure operating system (PSOS)
- In Proceedings of the National Computer Conference, 1979
A Verified Operating System Kernel
- University of Texas at Austin, 1987
Cited by 30 (1 self)
We present a multitasking operating system kernel, called KIT, written in the machine language of a uni-processor von Neumann computer. The kernel is proved to implement, on this shared computer, a fixed number of conceptually distributed communicating processes. In addition to implementing processes, the kernel provides the following verified services: process scheduling, error handling, message passing, and an interface to asynchronous devices. The problem is stated in the Boyer-Moore logic, and the proof is mechanically checked with the Boyer-Moore theorem prover.
A VMM Security Kernel for the VAX Architecture
- In Proceedings 1990 IEEE Symposium on Research in Security and Privacy, 1990
Cited by 26 (0 self)
This paper describes the development of a virtual-machine monitor (VMM) security kernel for the VAX architecture. The paper particularly focuses on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the standard interfaces and applications of the VMS and ULTRIX-32 operating systems. The VAX security kernel supports multiple concurrent virtual machines on a single VAX system, providing isolation and controlled sharing of sensitive data. Rigorous engineering standards were applied during development to comply with the assurance requirements for verification and configuration management. The VAX security kernel has been developed with a heavy emphasis on performance and on system management tools. The kernel performs sufficiently well that all of its development is now carried out in virtual machines running on the kernel itself, rather than in a conventional time-sharing system.
NGSCB: A Trusted Open System
- In Proceedings of 9th Australasian Conference on Information Security and Privacy (ACISP), 2004
Cited by 23 (1 self)
(NGSCB). The system provides high assurance computing in a manner consistent with the commercial requirements of mass market systems. This poses a number of challenges and we describe the system architecture we have used to overcome them. We pay particular attention to reducing the trusted computing base to a small and manageable size. This includes operating the system without trusting the BIOS, most devices and device drivers, and the bulk of the code of mass market operating systems. Furthermore, we seek to strengthen access control and network authentication in mass market systems by authenticating executable code at all system layers. We have implemented a prototype of the system and expect the full system to be mass deployed.
The Trusted Computing Exemplar Project
- Proc. IEEE Systems Man and Cybernetics Information Assurance Workshop, 2004
Cited by 17 (12 self)
project, which is producing an openly distributed worked example of how high assurance trusted computing components can be built. The TCX project encompasses four related activities: creation of a prototype framework for rapid high assurance system development; development of a reference-implementation trusted computing component; evaluation of the component for high assurance; and open dissemination of results related to the first three activities. The project's open development methodology will provide widespread availability of key high assurance enabling technologies and ensure transfer of knowledge and capabilities for trusted computing to the next generation of developers, evaluators and educators.
Operating System Verification — An Overview
Cited by 10 (4 self)
This paper gives a high-level introduction to the topic of formal, interactive, machine-checked software verification in general, and the verification of operating systems code in particular. We survey the state of the art, the advantages and limitations of machine-checked code proofs, and describe two specific ongoing larger-scale verification projects in more detail.
High Assurance Computing on Open Hardware Architectures, 2003
Cited by 7 (2 self)
We investigate the problem of supporting a high-assurance operating system on open hardware architectures, which support a large and diverse collection of peripheral devices. The paper focuses on the problems that arise in this context for the management of DMA devices and memory. Our solution combines aspects of virtual machine monitors (VMM) and Exokernels with new software and hardware techniques. In particular, we remove drivers for DMA devices from the base layer without compromising safety. Furthermore, we describe an algorithm that allows guest operating systems to operate directly on the address translation hardware without compromising safety. Beyond our initial goals, we believe that these techniques can be of more general interest in the construction of VMMs and Exokernels. The paper presents a limited prototype implementation for x86 processors and performance measurements. The techniques presented in this paper are being implemented for wide deployment in future versions of x86-class processors and Microsoft’s Next Generation Secure Computing Base (NGSCB).
PSOS Revisited, 2003
Cited by 7 (2 self)
This paper provides a retrospective view of the design of SRI's Provably Secure Operating System (PSOS), a formally specified tagged-capability hierarchical system architecture. It examines PSOS in the light of what has happened in computer system developments since 1980, and assesses the relevance of the PSOS concepts in that light.
The MILS Component Integration Approach to Secure Information Sharing
- Recipient of "Best in Session" and "Best in Track" awards
The US military has a vision of information superiority that requires secure and timely sharing of information between geographically separated platforms and users. Often, however, the producers and consumers of information, as well as the information itself, reside in different security domains, necessitating some form of Cross Domain Solution. A COTS marketplace of modular, high-assurance components with composable security properties would not only make this vision of cross-domain information sharing achievable, but could also help to make it much more affordable than is currently feasible. As part

