Government, industry, and academia: Teaming to design high confidence information security applications

A trusted computing base requires true separation of processes. Modern approaches relegate separation to a component of the operating system called the kernel. Although the kernel represents only a small portion of the code of the entire operating system, it is among the most intensively used portions. With separation as the focus, this paper describes a kernel that provides strict separation between processes, so that the remainder of the operating system, residing outside the kernel, runs only as processes in user mode under control of the kernel. The kernel is therefore tasked with implementing the critical operating system functions of providing access to resources, communication between processes, and scheduling of process threads. Strict separation between processes makes it possible to evaluate a system and check that it meets its security policy. It is to this end that the Department of Defense, in conjunction with the Motorola Space and Systems Technology Group, outlined the development of a separation kernel using the correct-by-construction methodology supported by the Specware system under development at Kestrel Institute. Since the initial prototype of the kernel, Motorola has extended and incorporated this separation kernel design into its smart card and cryptographic processor technologies.
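To make the architectural point concrete, the following is an added toy model (not the DoD/Motorola kernel described above, and not Specware output) of how a separation kernel mediates all inter-process communication against an explicit flow policy, and how that mediation makes the system evaluable: because every message passes through the kernel's single IPC primitive, an audit of that primitive is a complete record of the flows that occurred. Partition names and the policy are constructed for the example.

```python
from dataclasses import dataclass, field


class SeparationViolation(Exception):
    """Raised when a process attempts a flow the policy does not permit."""


@dataclass
class SeparationKernel:
    # Allowed information flows between partitions, as (sender, receiver) pairs.
    # Anything not listed is forbidden: strict separation by default.
    policy: frozenset
    # Per-partition inbound queues; processes never touch these directly.
    queues: dict = field(default_factory=dict)
    # Audit log of every attempted flow, consulted when evaluating the system.
    audit: list = field(default_factory=list)

    def send(self, src: str, dst: str, msg: bytes) -> None:
        """The single IPC primitive: the kernel checks the policy on every call."""
        allowed = (src, dst) in self.policy
        self.audit.append((src, dst, allowed))
        if not allowed:
            raise SeparationViolation(f"flow {src}->{dst} not in policy")
        self.queues.setdefault(dst, []).append((src, msg))

    def receive(self, dst: str) -> list:
        """Drain a partition's inbound queue."""
        return self.queues.pop(dst, [])


def evaluate(kernel: SeparationKernel) -> bool:
    """Evaluation step: every flow that actually succeeded must be in the policy.
    Because all IPC is funnelled through send(), the audit log is complete."""
    return all((s, d) in kernel.policy for s, d, ok in kernel.audit if ok)


def demo() -> tuple:
    # Constructed sample policy: a crypto partition may feed the card application,
    # but the application may never send anything back into the crypto partition.
    policy = frozenset({("crypto", "app"), ("app", "io")})
    k = SeparationKernel(policy)
    k.send("crypto", "app", b"session-key-ok")
    try:
        k.send("app", "crypto", b"give me the key")
        leaked = True
    except SeparationViolation:
        leaked = False
    return k.receive("app"), leaked, evaluate(k)
```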