The MK++ kernel, a descendant of Mach, was designed and implemented at the Open Group Research Institute. Independently, Computational Logic had developed a formal specification for the Mach kernel interface. We report on the adaptation of this specification to MK++, and its use in the derivation of a testing strategy for the MK++ implementation. The results and utility of the tests are discussed. 1. Introduction We report on an approach to specification-based 1 testing that we have used to check properties of a modern kernel, MK++. MK++ [28], [29], [30] is a descendant of the Mach kernel [27]. The Open Group Research Institute (RI) redesigned and implemented it for use in a trusted operating system. While similar to Mach in interface, MK++ was designed to provide a new base for kernel research and development and one which is able to satisfy high trust requirements for the DoD and industry. A formal specification provides an abstract, unambiguous contract between user and implement...

The formal methods project has produced tools and techniques that make formal methods more practical and accessible for software engineers. Results of the third and final phase of the formal methods project are presented and results from the first two phases reviewed. Software and documentation produced by the project are enumerated. 1. Introduction The formal methods project at the Open Group Research Institute (RI) has explored, implemented and tested techniques for using formal specification-based testing to test that software systems conform to their specifications with respect to legal state, functional correctness and non-interference. Emphasis has been on developing techniques that are practical and accessible for typical software engineers. The project has used MK++ 2 for its case study. During the first two phases of the project the RI was collaborating with Computational Logic, Inc. (CLI) on this project. During the first phase a formal model of MK++ [FSBS97a][SBF97a][SFS9...