Extending the GWV Security Policy and Its Modular Application to a Separation Kernel

Formal methods are now required for high-assurance security and safety systems: they allow a precise specification and a deep analysis of a system design. Using them in a certification process, however, can be very expensive. In this context, we analyse the separation-kernel security policy proposed by Greve et al. [9] in the theorem prover Isabelle/HOL. We show how this policy, with some extensions, can be applied in a modular way and hence reduce the number of formal models and artifacts that must be certified. In particular, we show how the security policy of a separation kernel is derived from the security policy of the micro-kernel on which it is built. We apply our approach to an example derived from an industrial real-time operating system.
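The GWV separation property the abstract refers to, as an added Python example that is not from the paper (the paper works in Isabelle/HOL, not in executable code): a toy two-partition kernel with a one-way mailbox is checked exhaustively against the property, once for an honest step function and once for a step function in which partition P2 reads P1's private segment directly. The segment names, the `DIA` relation, the `SEGS_OF` table and both step functions are constructed assumptions for this example; only the shape of the property (states that agree on `seg` and on `dia(seg)` intersected with `segs(current)` must still agree on `seg` after one step) follows the GWV formulation.

```python
from itertools import product

# --- Toy separation-kernel model (constructed for this example) -------------
# Memory segments: each partition owns a private segment; "mbox" is a
# one-way channel that P1 may write and P2 may read.
SEGS = ("m1", "mbox", "m2")
PARTS = ("P1", "P2")
# segs(p): segments partition p is allowed to access at all (assumption)
SEGS_OF = {"P1": {"m1", "mbox"}, "P2": {"mbox", "m2"}}
# dia(seg): segments whose contents may directly influence seg, i.e. the
# "direct interaction allowed" relation of the GWV policy (assumption)
DIA = {"m1": {"m1"}, "mbox": {"mbox", "m1"}, "m2": {"m2", "mbox"}}
VALUES = (0, 1)  # tiny data domain so the whole state space can be enumerated


# A state is (current partition, tuple of segment values ordered as SEGS).
def current(st):
    return st[0]


def select(seg, st):
    return st[1][SEGS.index(seg)]


def next_state(st, leaky=False):
    """One kernel step: the current partition runs, then control switches.
    P1 publishes m1 into the mailbox; P2 consumes the mailbox into m2.
    With leaky=True, P2 instead reads P1's private segment directly, which
    the DIA relation does not allow (constructed fault, not a real bug)."""
    cur, mem = st
    m = dict(zip(SEGS, mem))
    if cur == "P1":
        m["mbox"] = m["m1"]
    else:
        m["m2"] = m["m1"] if leaky else m["mbox"]
    nxt = "P2" if cur == "P1" else "P1"
    return (nxt, tuple(m[s] for s in SEGS))


def all_states():
    return [(p, vals) for p in PARTS for vals in product(VALUES, repeat=len(SEGS))]


def gwv_violations(step):
    """Exhaustively check the GWV separation property for step():
    for every seg and every pair of states with the same current partition
    that agree on seg and on dia(seg) intersected with segs(current), the
    value of seg after one step must also agree. Returns the counterexamples
    as (seg, st1, st2) triples; an empty list means the property holds."""
    viol = []
    states = all_states()
    for st1, st2 in product(states, repeat=2):
        if current(st1) != current(st2):
            continue
        for seg in SEGS:
            influencers = DIA[seg] & SEGS_OF[current(st1)]
            same_inputs = all(select(s, st1) == select(s, st2) for s in influencers)
            if same_inputs and select(seg, st1) == select(seg, st2):
                if select(seg, step(st1)) != select(seg, step(st2)):
                    viol.append((seg, st1, st2))
    return viol


def honest_step(st):
    return next_state(st, leaky=False)


def leaky_step(st):
    return next_state(st, leaky=True)


if __name__ == "__main__":
    print("honest kernel violations:", len(gwv_violations(honest_step)))
    bad = gwv_violations(leaky_step)
    print("leaky kernel violations:", len(bad))
    seg, st1, st2 = bad[0]
    print(f"  e.g. segment {seg}: {st1} vs {st2} -> "
          f"{select(seg, leaky_step(st1))} vs {select(seg, leaky_step(st2))}")
```

Every counterexample the leaky kernel produces names segment `m2` while `P2` is running: the two states agree on everything `P2` is allowed to read (`mbox`, `m2`) yet `m2` ends up different, which is exactly the covert flow from `m1` the DIA relation forbids. A theorem prover such as Isabelle/HOL proves the same implication for all states symbolically instead of enumerating them; the enumeration here only makes the property's shape tangible.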

[1] Steven P. Miller. Will This Be Formal? TPHOLs, 2008.

[2] John Rushby. A Separation Kernel Formal Security Policy in PVS. 2004.

[3] Lawrence C. Paulson et al. Isabelle: A Generic Theorem Prover. 1994.

[4] John M. Rushby et al. Design and Verification of Secure Systems. SOSP, 1981.

[5] J. Meseguer et al. Security Policies and Security Models. IEEE Symposium on Security and Privacy, 1982.

[6] Jochen Liedtke et al. On Micro-Kernel Construction. SOSP, 1995.

[7] Torben Amtoft et al. Specification and Checking of Software Contracts for Conditional Information Flow. FM, 2008.

[8] David Aspinall et al. Formalising Java's Data Race Free Guarantee. TPHOLs, 2007.

[9] David A. Greve et al. Information Security Modeling and Analysis. In: Design and Verification of Microprocessor Systems for High-Assurance Applications, 2010.