A formal security policy for Xenon

The up-front choice of security policy and formalism used to model it is critical to the success of projects that seek to enforce information-flow security. This paper reports on the Xenon project's choice of policy and formalism. Xenon is a high-assurance separation hypervisor based on re-engineering the Xen open-source hypervisor. Xenon's formal policy both guides the re-engineering and serves as a basis for formal modelling. Definitions of information-flow security can be difficult to apply, because in general they are not preserved by refinement. Roscoe, Woodcock, and Wulf have defined an information-flow policy that is preserved by refinement, but it is defined in a purely event-based formalism that does not directly support refinement into state-rich implementations like hypervisor internals. Circus is a combination of Z, CSP, and Hoare and He's unifying theories of programming. Circus is suited for both event-based and state-based modelling. In this paper, we show how to define an information-flow policy in Circus that is also preserved by refinement. Because Circus retains the human-readability of Z, heuristic application of the policy to re-engineering is simplified and a larger open source community can be supported. Because Circus can easily model state-rich implementations of event-based security policies, the Xenon model can support complete policy-to-code modelling in a single language.
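The abstract's central difficulty, that information-flow definitions are in general not preserved by refinement, is easy to see in a toy trace model. The following is an added example, not code from the paper or the Xenon project: it models a system as a prefix-closed set of traces over high and low events, uses trace refinement in the CSP sense (the implementation's traces are a subset of the specification's), and checks O'Halloran's noninference (every trace's low projection must itself be a trace). The event names `h`, `l0`, `l1` and the specification `SPEC` are constructed for illustration. It goes beyond the single instance by enumerating every trace-refinement of the specification and counting how many break the information-flow property, while a plain safety property (a set of allowed traces) is never broken.

```python
"""
Added example (not from the paper): the "refinement paradox" for
information-flow security in a toy prefix-closed trace model.
"""
from itertools import combinations

HIGH = {"h"}            # confidential (high-level) events
LOW = {"l0", "l1"}      # observable (low-level) events

# Constructed specification: after an optional high input h, the system
# nondeterministically emits l0 or l1.  Traces are tuples of event names.
SPEC = frozenset({
    (), ("h",), ("l0",), ("l1",), ("h", "l0"), ("h", "l1"),
})

# Constructed implementation: resolves the nondeterminism so that l1 only
# ever appears after h.  It is a valid trace-refinement of SPEC.
IMPL = frozenset({(), ("h",), ("l0",), ("h", "l1")})


def prefix_closed(traces):
    """Every prefix of every trace (including the empty trace) is a trace."""
    return all(t[:i] in traces for t in traces for i in range(len(t) + 1))


def refines(spec, impl):
    """CSP traces refinement: spec [= impl iff traces(impl) is a subset of traces(spec)."""
    return prefix_closed(impl) and impl <= spec


def purge_high(trace):
    """The low observer's view of a trace: high events removed."""
    return tuple(e for e in trace if e not in HIGH)


def noninference(traces):
    """Possibilistic information-flow property (noninference): each low view
    must be explainable by a run in which no high event occurred at all."""
    return all(purge_high(t) in traces for t in traces)


def never_l0_after_l1(traces):
    """A plain safety property: l0 never follows l1.  Such properties are
    sets of allowed traces, so every subset of a satisfying set satisfies them."""
    return all(not ("l1" in t and "l0" in t[t.index("l1"):]) for t in traces)


def all_refinements(spec):
    """All trace-refinements of spec: prefix-closed subsets containing ()."""
    nonempty = sorted(t for t in spec if t)
    found = []
    for r in range(len(nonempty) + 1):
        for chosen in combinations(nonempty, r):
            cand = frozenset(chosen) | {()}
            if prefix_closed(cand):
                found.append(cand)
    return found


def violating_refinements(spec, prop):
    """Refinements of spec that satisfy nothing of prop, i.e. break it."""
    return [r for r in all_refinements(spec) if not prop(r)]


if __name__ == "__main__":
    print("SPEC secure under noninference:", noninference(SPEC))
    print("IMPL refines SPEC:", refines(SPEC, IMPL))
    print("IMPL secure under noninference:", noninference(IMPL))
    total = len(all_refinements(SPEC))
    bad_if = len(violating_refinements(SPEC, noninference))
    bad_safety = len(violating_refinements(SPEC, never_l0_after_l1))
    print(f"{bad_if} of {total} refinements break noninference, "
          f"{bad_safety} break the safety property")
```

`IMPL` leaks: a low observer who sees `l1` learns that `h` occurred, even though the specification it refines was secure. The enumeration shows this is not a corner case: a third of the specification's refinements break noninference, while none breaks the safety property, because information-flow properties constrain the set of traces as a whole rather than each trace individually. Roscoe's determinism-based formulation (cited in the abstract) sidesteps this because a deterministic process is maximal in the CSP refinement order, so any refinement of it is the process itself; the paper's contribution is to carry that refinement-closed style of definition into Circus, where state-rich implementations can be modelled.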
