Kit: A Study in Operating System Verification
1989
Cited by 55 (0 self)
Excerpt: Kernel Implements Processes. The relationship between the abstract kernel and an individual task is pictured in Figure 4 (AK Implements Parallel Tasks), and is formalized by the theorem AK-IMPLEMENTS-PARALLEL-TASKS. Intuitively, this theorem says that for a given good abstract kernel state AK and abstract kernel oracle ORACLE, the final state reached by task I can equivalently be achieved by running TASK-PROCESSOR on the initial task state, with an oracle constructed by the function CONTROL-ORACLE. The oracle constructed for TASK-PROCESSOR accounts for the precise sequence of delays to task I in the abstract kernel.

THEOREM AK-IMPLEMENTS-PARALLEL-TASKS
  (IMPLIES (AND (GOOD-AK AK)
                (FINITE-NUMBERP I (LENGTH (AK-PSTATES AK))))
           (EQUAL (PROJECT I (AK-PROCESSOR AK ORACLE))
                  (TASK-PROCESSOR (PROJECT I AK) I (CONTROL-ORACLE I AK ORACLE))))

6. The Target Machine. The target machine TM is a simple von Neumann computer. It is not based on an existing physical machine becaus...
Dynamic and efficient key management for access hierarchies
In Proceedings of the ACM Conference on Computer and Communications Security, 2005
Cited by 51 (7 self)
Abstract: Hierarchies arise in the context of access control whenever the user population can be modeled as a set of partially ordered classes (represented as a directed graph). A user with access privileges for a class obtains access to objects stored at that class and all descendant classes in the hierarchy. The problem of key management for such hierarchies then consists of assigning a key to each class in the hierarchy so that keys for descendant classes can be obtained via efficient key derivation. We propose a solution to this problem with the following properties: (1) the space complexity of the public information is the same as that of storing the hierarchy; (2) the private information at a class consists of a single key associated with that class; (3) updates (i.e., revocations and additions) are handled locally in the hierarchy; (4) the scheme is provably secure against collusion; and (5) each node can derive the key of any of its descendants with a number of symmetric-key operations bounded by the length of the path between the nodes. Whereas many previous schemes had some of these properties, ours is the first that satisfies all of them. The security of our scheme is based on pseudorandom functions, without reliance on the Random Oracle Model.
A Verified Operating System Kernel
University of Texas at Austin, 1987
Cited by 30 (1 self)
Abstract: We present a multitasking operating system kernel, called KIT, written in the machine language of a uni-processor von Neumann computer. The kernel is proved to implement, on this shared computer, a fixed number of conceptually distributed communicating processes. In addition to implementing processes, the kernel provides the following verified services: process scheduling, error handling, message passing, and an interface to asynchronous devices. The problem is stated in the Boyer-Moore logic, and the proof is mechanically checked with the Boyer-Moore theorem prover.
A VMM Security Kernel for the VAX Architecture
In Proceedings 1990 IEEE Symposium on Research in Security and Privacy, 1990
Cited by 26 (0 self)
Abstract: This paper describes the development of a virtual-machine monitor (VMM) security kernel for the VAX architecture. The paper particularly focuses on how the system's hardware, microcode, and software are aimed at meeting A1-level security requirements while maintaining the standard interfaces and applications of the VMS and ULTRIX-32 operating systems. The VAX security kernel supports multiple concurrent virtual machines on a single VAX system, providing isolation and controlled sharing of sensitive data. Rigorous engineering standards were applied during development to comply with the assurance requirements for verification and configuration management. The VAX security kernel has been developed with a heavy emphasis on performance and on system management tools. The kernel performs sufficiently well that all of its development is now carried out in virtual machines running on the kernel itself, rather than in a conventional time-sharing system.
NGSCB: A Trusted Open System
In Proceedings of 9th Australasian Conference on Information Security and Privacy (ACISP), 2004
Cited by 23 (1 self)
Abstract: (NGSCB). The system provides high assurance computing in a manner consistent with the commercial requirements of mass market systems. This poses a number of challenges and we describe the system architecture we have used to overcome them. We pay particular attention to reducing the trusted computing base to a small and manageable size. This includes operating the system without trusting the BIOS, most devices and device drivers and the bulk of the code of mass market operating systems. Furthermore, we seek to strengthen access control and network authentication in mass market systems by authenticating executable code at all system layers. We have implemented a prototype of the system and expect the full system to be mass deployed.
Device driver safety through a reference validation mechanism
In OSDI'08
Cited by 20 (0 self)
Abstract: Device drivers typically execute in supervisor mode and thus must be fully trusted. This paper describes how to move them out of the trusted computing base, by running them without supervisor privileges and constraining their interactions with hardware devices. An implementation of this approach in the Nexus operating system executes drivers in user space, leveraging hardware isolation and checking their behavior against a safety specification. These Nexus drivers have performance comparable to in-kernel, trusted drivers, with a level of CPU overhead acceptable for most applications. For example, the monitored driver for an Intel e1000 Ethernet card has throughput comparable to a trusted driver for the same hardware under Linux. And a monitored driver for the Intel i810 sound card provides continuous playback. Drivers for a disk and a USB mouse have also been moved successfully to operate in user space with safety specifications.
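The abstract says driver behaviour is "checked against a safety specification" but does not show what such a check looks like. The following is an added example, not Nexus code and not the paper's specification language: a toy reference monitor that sits between an unprivileged driver and a hypothetical NIC's register window and forwards a register write only when it satisfies a constructed spec (writes stay inside the window and hit writable registers, DMA base registers point only at pages the driver owns, the device is reset before it is enabled, and DMA bases are not changed while the device is live). The register layout, bit assignments, page numbers, and the two driver traces are all constructed for this illustration; the real e1000 and i810 specifications used by Nexus are not reproduced here.

```python
"""Toy reference validation mechanism for a user-space device driver (illustrative only)."""

PAGE = 0x1000
# Hypothetical register window layout for a made-up NIC (not a real device).
CTRL, STATUS, RX_BASE, TX_BASE = 0x00, 0x04, 0x10, 0x18
CTRL_RESET, CTRL_ENABLE = 0x1, 0x2


class Violation(Exception):
    """A driver operation that falls outside the safety specification."""


class SafetySpec:
    """Constructed safety specification: what the driver may do to the device."""

    def __init__(self, bar_size, writable, dma_regs, owned_pages):
        self.bar_size = bar_size                 # size of the register window in bytes
        self.writable = frozenset(writable)      # register offsets the driver may write
        self.dma_regs = frozenset(dma_regs)      # registers that program DMA addresses
        self.owned_pages = frozenset(owned_pages)  # physical page numbers the driver owns


class ReferenceMonitor:
    """Mediates every register write; tracks the device state the spec depends on."""

    def __init__(self, spec):
        self.spec = spec
        self.reset_seen = False
        self.enabled = False
        self.dma_programmed = set()

    def write(self, offset, value):
        s = self.spec
        if offset % 4 != 0 or not (0 <= offset < s.bar_size):
            raise Violation(f"register 0x{offset:x} outside device window")
        if offset not in s.writable:
            raise Violation(f"register 0x{offset:x} is read-only")
        if offset in s.dma_regs:
            # The DMA engine writes wherever this points: confine it to driver-owned memory.
            if value % PAGE != 0 or value // PAGE not in s.owned_pages:
                raise Violation(f"DMA base 0x{value:x} not in driver-owned pages")
            if self.enabled:
                raise Violation("DMA base changed while device enabled")
            self.dma_programmed.add(offset)
        if offset == CTRL:
            if value & CTRL_RESET:
                self.reset_seen = True
                self.enabled = False
                self.dma_programmed.clear()
            if value & CTRL_ENABLE:
                if not self.reset_seen:
                    raise Violation("enable before reset")
                if self.dma_programmed != s.dma_regs:
                    raise Violation("enable before all DMA bases programmed")
                self.enabled = True
        return value  # accepted: would be forwarded to the device


def run_driver(ops, spec):
    """Mediate a trace of (offset, value) writes; return (forwarded, rejected)."""
    monitor = ReferenceMonitor(spec)
    forwarded, rejected = [], []
    for offset, value in ops:
        try:
            monitor.write(offset, value)
            forwarded.append((offset, value))
        except Violation as err:
            rejected.append((offset, value, str(err)))
    return forwarded, rejected


# Constructed spec: 256-byte window, two DMA registers, driver owns two physical pages.
SPEC = SafetySpec(bar_size=0x100, writable={CTRL, RX_BASE, TX_BASE},
                  dma_regs={RX_BASE, TX_BASE}, owned_pages={0x7f000, 0x7f001})

# Constructed traces. WELL_BEHAVED follows the spec; MISBEHAVING interleaves five violations.
WELL_BEHAVED = [(CTRL, CTRL_RESET), (RX_BASE, 0x7f000000), (TX_BASE, 0x7f001000), (CTRL, CTRL_ENABLE)]
MISBEHAVING = [
    (CTRL, CTRL_ENABLE),       # rejected: enable before reset
    (CTRL, CTRL_RESET),        # forwarded
    (STATUS, 0),               # rejected: read-only register
    (RX_BASE, 0x00100000),     # rejected: DMA into a page the driver does not own
    (RX_BASE, 0x7f000000),     # forwarded
    (TX_BASE, 0x7f001000),     # forwarded
    (CTRL, CTRL_ENABLE),       # forwarded
    (RX_BASE, 0x7f001000),     # rejected: retargeting DMA while enabled
    (0x200, 1),                # rejected: outside the register window
]

if __name__ == "__main__":
    for name, trace in (("well-behaved", WELL_BEHAVED), ("misbehaving", MISBEHAVING)):
        fwd, rej = run_driver(trace, SPEC)
        print(f"{name}: forwarded {len(fwd)}, rejected {len(rej)}")
        for off, val, why in rej:
            print(f"  rejected write 0x{val:x} -> 0x{off:x}: {why}")
```

The monitor keeps only the state the spec needs (reset seen, enabled, which DMA bases are programmed), which is the property that lets such a check run on every register access without dominating the cost of the driver itself.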
Analysis of three multilevel security architectures
In: Proc. of Computer Security Architecture Workshop, 2007
Cited by 10 (9 self)
Abstract: Various system architectures have been proposed for high assurance enforcement of multilevel security. This paper provides an analysis of the relative merits of three architectural types: one based on a security kernel, another based on a traditional separation kernel, and a third based on a least-privilege separation kernel. We introduce the Least Privilege architecture, which incorporates security features from the recent "Separation Kernel Protection Profile," and show how it can provide several unique aspects of security and assurance, although each architecture has advantages.
High Assurance Computing on Open Hardware Architectures
2003
Cited by 7 (2 self)
Abstract: We investigate the problem of supporting a high-assurance operating system on open hardware architectures, which support a large and diverse collection of peripheral devices. The paper focuses on the problems that arise in this context for the management of DMA devices and memory. Our solution combines aspects of virtual machine monitors (VMM) and Exokernels with new software and hardware techniques. In particular, we remove drivers for DMA devices from the base layer without compromising safety. Furthermore, we describe an algorithm that allows guest operating systems to operate directly on the address translation hardware without compromising safety. Beyond our initial goals, we believe that these techniques can be of more general interest in the construction of VMMs and Exokernels. The paper presents a limited prototype implementation for x86 processors and performance measurements. The techniques presented in this paper are being implemented for wide deployment in future versions of x86-class processors and Microsoft's Next Generation Secure Computing Base (NGSCB).
Safety Kernel Enforcement of Software Safety Policies
1995
Cited by 4 (2 self)
Abstract: Computing systems in which the consequences of failure are very serious are termed safety-critical. Many such systems exist in application areas such as aerospace, defense, transportation, power generation, and medicine. The software in these systems is typically large and complex, critical to system safety, and difficult to implement and verify. Even when great effort is expended to develop the software, there is no assurance that the software will operate with the required level of dependability. We have investigated a safety kernel architecture that addresses part of the problem of building and verifying dependable safety-critical software. An analogous construct, the security kernel, has been used successfully to enforce security policies in classified-information systems. Similar requirements known as safety policies must be enforced in safety-critical systems. Other researchers have developed some basic safety kernel concepts and have proposed safety kernel designs. However, man...
Terminology, Criteria And System Architectures For Data . . .
Proc. of the Invitational Workshop on Data Integrity (Ruthberg, Z.G. and Polk, W.T., editors), National Institute of Standards and Technology, Special Publication 500-168, September 1989, section A.4
Cited by 2 (2 self)
Abstract: In response to the strawman document [9] we propose that trust be treated as synonymous with integrity rather than synonymous with confidence. We also propose that mandatory controls be taken to mean controls based on properties of the object and/or the subject. Label-based mandatory controls are then a special case of this more general notion. The TCSEC [11] presents criteria for establishing prescribed levels of confidence in trusted systems with particular objectives. We consider how these criteria might be generalized to a broader context. Finally, regarding architectures for trusted systems, we suggest enhancements to the current security kernel approach.
1 INTRODUCTION
This paper discusses three interrelated topics pertaining to data integrity. In the spirit of this workshop the concepts are not presented as final, definitive or absolute. They do raise many interesting questions which must be confronted, in one form or another; even if the terminology suggested here needs modificatio...

