High assurance product evaluation requires precise, unambiguous specifications. Some high assurance products are relied upon to process information containing military or commercial secrets, and it is important to guarantee that no unauthorized interference or eavesdropping can occur. A formal specification of what the system allows and guards against is called a formal security policy. The construction of a formal security policy that describes the needed behavior of a security-critical system under evaluation is now commonly required for a high level certification. A computing system that supports multiple independent levels of security (MILS, a.k.a. MSL or multiple security levels) provides protections to guarantee that information that is assigned different security levels is handled appropriately. The design of MILS/MSL systems guaranteed to perform correctly with respect to security considerations is a daunting challenge. An innovation first published in the early 1980's for architecting secure systems involves the application of a separation kernel to reduce the security burden [6]. Interaction between applications is mediated by the separation kernel, which enforces a security policy of information flow and data isolation on those interactions. Architecting a MILS/MSL system using a separation kernel breaks the security challenge into two smaller challenges: (1) building and verifying a dependable separation kernel and (2) building applications that, relying upon protections afforded by the separation kernel,
[1] John M. Rushby, et al. Design and verification of secure systems. 1981, SOSP.
[2] J. Strother Moore, et al. An Industrial Strength Theorem Prover for a Logic Based on Common Lisp. 1997, IEEE Trans. Software Eng.
[3] Matthew Wilding, et al. Evaluatable, High-Assurance Microprocessors. 2002.
[4] Matthew Wilding, et al. Efficient Simulation of Formal Processor Models. 2001, Formal Methods Syst. Des.
[5] Matthew Wilding, et al. High-speed, analyzable simulators. 2000.
[6] J. Strother Moore, et al. An approach to systems verification. 1989, Journal of Automated Reasoning.
[7] Guy L. Steele, et al. Common Lisp the Language. 1984.
[8] A. Goldberg, et al. Formal construction of the Mathematically Analyzed Separation Kernel. 2000, Proceedings ASE 2000. Fifteenth IEEE International Conference on Automated Software Engineering.