On attaining reliable software for a secure operating system

This paper presents a general methodology for the design, implementation, and proof of large software systems, each described as a hierarchy of abstract machines. The design and implementation occur in five stages as described in this paper. Formal proof may take place at each stage. We expect the methodology to simplify the proof effort in such a way as to make proof a feasible tool in the development of reliable software. In addition to the anticipated advantages in proof, we feel that the methodology improves a designer's ability to formulate and organize the issues involved in the design of large systems, with additional benefits in system reliability. These advantages remain even if proof is not attempted. We are currently applying this methodology to the design and proof of a secure operating system. Each level in the system acts as a manager of all objects of a particular type (e.g., directories, segments, linkage sections), and enforces all of the protection rules involved in the manipulation of these objects. In this paper we illustrate the methodology by examining three of the system levels, including specifications, for a simplified version of these levels. We also demonstrate some proofs of security-related properties and of correctness of implementation.
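The following is an added illustration of the layered "manager per object type" structure the abstract describes; it is constructed for this page and is not the paper's specification or code. It assumes two hypothetical levels: a segment manager that owns every segment and is the only place the segment access rule is checked, and a directory manager built solely on the segment manager's public interface, so that a directory is itself a segment and inherits the lower level's protection. The principal names, the "r"/"w" modes and the `name=sid` line encoding are all constructed for the example. The point a reviewer or prover would care about is that the upper level never reaches into the lower level's state, so the segment protection property can be established at level 1 alone and is preserved by construction at level 2.

```python
"""Two-level object-manager hierarchy (constructed example, not the paper's design)."""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised by a level when one of its protection rules would be violated."""


# ---- Level 1: segment manager -------------------------------------------
@dataclass
class Segment:
    owner: str
    acl: dict = field(default_factory=dict)      # principal -> set of modes
    data: bytearray = field(default_factory=bytearray)


class SegmentManager:
    """Owns all segments. Rule: a principal may read/write a segment only if
    its ACL grants that mode; only the owner may change the ACL."""

    def __init__(self):
        self._segments = {}
        self._next_id = 0

    def create(self, owner):
        sid = self._next_id
        self._next_id += 1
        self._segments[sid] = Segment(owner=owner, acl={owner: {"r", "w"}})
        return sid

    def _check(self, principal, sid, mode):
        seg = self._segments[sid]
        if mode not in seg.acl.get(principal, set()):
            raise AccessDenied(f"{principal} lacks {mode} on segment {sid}")
        return seg

    def read(self, principal, sid):
        return bytes(self._check(principal, sid, "r").data)

    def write(self, principal, sid, payload):
        self._check(principal, sid, "w").data[:] = payload

    def grant(self, principal, sid, other, mode):
        seg = self._segments[sid]
        if seg.owner != principal:
            raise AccessDenied(f"{principal} is not owner of segment {sid}")
        seg.acl.setdefault(other, set()).add(mode)


# ---- Level 2: directory manager -----------------------------------------
class DirectoryManager:
    """Owns all directories. A directory is a segment holding 'name=sid'
    lines, so every byte access goes through the level-1 check; this level
    adds only its own rule: no duplicate names within a directory."""

    def __init__(self, segments):
        self._segments = segments           # level-1 public interface only

    def create(self, owner):
        return self._segments.create(owner)  # directory id == backing segment id

    def _entries(self, principal, did):
        raw = self._segments.read(principal, did).decode()  # needs 'r' on dir
        return dict(line.split("=", 1) for line in raw.splitlines() if line)

    def link(self, principal, did, name, sid):
        entries = self._entries(principal, did)
        if name in entries:
            raise KeyError(f"{name!r} already present in directory {did}")
        entries[name] = str(sid)
        payload = "".join(f"{k}={v}\n" for k, v in entries.items()).encode()
        self._segments.write(principal, did, payload)       # needs 'w' on dir

    def lookup(self, principal, did, name):
        return int(self._entries(principal, did)[name])


def is_allowed(op, *args):
    """Helper for checks: True if the operation completes, False if a level
    rejects it under its protection rules."""
    try:
        op(*args)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    sm = SegmentManager()
    dm = DirectoryManager(sm)
    root = dm.create("alice")
    notes = sm.create("alice")
    sm.write("alice", notes, b"constructed secret")
    dm.link("alice", root, "notes", notes)
    sm.grant("alice", root, "bob", "r")     # bob may list the directory ...
    print(dm.lookup("bob", root, "notes"))  # ... and learn the segment id,
    print(is_allowed(sm.read, "bob", notes))  # but still cannot read it: False
```

Note that naming a segment in a directory gives no authority over the segment itself: `bob` can resolve `notes` to an id but the read is refused at level 1, because the directory level never bypasses the segment manager's check.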
