
A survey on formal specification and verification of separation kernels

  • Review Article
  • Frontiers of Computer Science

Abstract

Separation kernels are foundational software in safety- and security-critical systems: they provide the applications they host with spatial and temporal separation and with controlled information flow among partitions. Deploying a separation kernel in such domains demands that its correctness be established by formal verification. To the best of our knowledge, there is no survey paper on this topic. This paper presents an overview of the formal specification and verification of separation kernels. We first present the background, including the concept of a separation kernel and comparisons among different kernels. Then we survey the state of the art on this topic since 2000. Finally, we summarize the research work through detailed comparison and discussion.
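The guarantees named in the abstract (spatial separation, temporal separation, and policy-controlled information flow among partitions) are what separation-kernel verification efforts actually prove, typically as a noninterference theorem over an abstract kernel model. The following is an added executable illustration, not code from this paper or from any kernel it surveys: the three partitions, the flow policy, the action alphabet and the "leaky" kernel variant are constructed assumptions. It checks Goguen-Meseguer noninterference by purging: a partition's observation of any run must be identical to its observation of the same run with every action of a policy-forbidden source removed.

```python
"""Executable model of a separation kernel's information-flow policy.

Added example, not code from the surveyed paper or any real kernel. The
partitions, flow policy, action alphabet and the "leaky" variant are
constructed assumptions used to illustrate the noninterference check that
separation-kernel verification efforts (Rushby / GWV style) carry out.
"""
from dataclasses import dataclass
from itertools import product
from typing import Callable, FrozenSet, Optional, Tuple

Partition = str
PARTITIONS = ("A", "B", "C")

# Constructed policy: which partition may influence which. Reflexive plus A -> C.
POLICY: FrozenSet[Tuple[Partition, Partition]] = frozenset(
    {(p, p) for p in PARTITIONS} | {("A", "C")}
)


@dataclass(frozen=True)
class Action:
    actor: Partition   # partition whose scheduled step runs (one at a time: temporal separation)
    kind: str          # "write" to own memory, or "send" on a channel
    target: Partition  # destination for "send"; equals actor for "write"
    value: int


@dataclass(frozen=True)
class State:
    mem: Tuple[int, ...]                # one word of private memory per partition
    inbox: Tuple[Tuple[int, ...], ...]  # per-partition receive queue
    sends: int = 0                      # kernel-global counter (only the leaky kernel exposes it)


INITIAL = State(mem=(0, 0, 0), inbox=((), (), ()))


def idx(p: Partition) -> int:
    return PARTITIONS.index(p)


def step(s: State, a: Action) -> State:
    """Kernel transition. A send is delivered only if the policy allows the flow."""
    mem, inbox, sends = list(s.mem), list(s.inbox), s.sends
    if a.kind == "write":
        mem[idx(a.actor)] = a.value
    elif a.kind == "send" and (a.actor, a.target) in POLICY:
        inbox[idx(a.target)] = inbox[idx(a.target)] + (a.value,)
        sends += 1
    return State(tuple(mem), tuple(inbox), sends)


def observe_sound(s: State, p: Partition):
    """Partition p sees only its own memory and inbox (spatial separation)."""
    return (s.mem[idx(p)], s.inbox[idx(p)])


def observe_leaky(s: State, p: Partition):
    """Constructed bug: a kernel status word (total sends) is mapped into every partition."""
    return (s.mem[idx(p)], s.inbox[idx(p)], s.sends)


def purge(trace: Tuple[Action, ...], p: Partition) -> Tuple[Action, ...]:
    """Drop every action of a partition that the policy does not allow to flow into p."""
    return tuple(a for a in trace if (a.actor, p) in POLICY)


def run(trace: Tuple[Action, ...]) -> State:
    s = INITIAL
    for a in trace:
        s = step(s, a)
    return s


# Action alphabet: every partition may write its own memory or send to any partition.
ACTIONS = tuple(
    Action(actor, kind, target, 1)
    for actor, kind, target in product(PARTITIONS, ("write", "send"), PARTITIONS)
    if kind == "send" or target == actor
)


def check_noninterference(observe: Callable[[State, Partition], object],
                          max_len: int = 3) -> Optional[Tuple[Action, ...]]:
    """Bounded Goguen-Meseguer noninterference: for every trace up to max_len and
    every partition p, observe(run(t), p) == observe(run(purge(t, p)), p).
    Returns the first violating trace, or None if the bounded check passes."""
    for n in range(1, max_len + 1):
        for trace in product(ACTIONS, repeat=n):
            for p in PARTITIONS:
                if observe(run(trace), p) != observe(run(purge(trace, p)), p):
                    return trace
    return None


if __name__ == "__main__":
    print("sound kernel counterexample:", check_noninterference(observe_sound))
    print("leaky kernel counterexample:", check_noninterference(observe_leaky))
```

Running the module reports no counterexample for the sound kernel and a one-step counterexample for the leaky one: a single permitted send bumps a kernel-global counter that an unrelated partition can read, which is exactly the kind of covert channel a spatial-separation proof has to rule out. Two caveats a practitioner should keep in mind: this is a bounded exhaustive check, whereas the verification efforts the survey covers prove the property for all traces via unwinding conditions over the kernel state; and the constructed policy here is transitive, so the classical purge suffices, while an intransitive policy (A may flow to B and B to C, but A not to C) requires Rushby's ipurge/sources formulation instead.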

Acknowledgements

This work was supported by the Fundamental Research Project of Beihang University (YWF-14-JSJXY-002), the Project of the National Laboratory of Software Development Environment (SKLSDE-2013ZX-30 and SKLSDE-2015KF-04), the National Natural Science Foundation of China (Grant No. 61502231), the Natural Science Foundation of Jiangsu Province (BK20150753), and the Avionics Science Foundation of China (2015ZC52027). We thank Dr. Ning Hu of the Aeronautics Computing Technique Research Institute of AVIC and Mingyuan Zhu of Beijing CoreTek Systems Technology Co., Ltd. for their helpful comments.

Author information

Corresponding author

Correspondence to Yongwang Zhao.

Additional information

Yongwang Zhao is an associate professor at Beihang University, China. He received his PhD degree in computer science from Beihang University in 2009. His research interests include formal methods, OS kernels, information-flow security, and AADL.

Zhibin Yang is an associate professor at Nanjing University of Aeronautics and Astronautics, China. He received his PhD degree in computer science from Beihang University, China, in February 2012. From April 2012 to December 2014 he was a postdoctoral researcher at IRIT, University of Toulouse, France. His research interests include safety-critical real-time systems, formal verification, AADL, and synchronous languages.

Dianfu Ma is a professor at Beihang University, China. He has served as executive director of the China Computer Federation and as secretary of the Steering Committee for Computer Science and Technology Education of the Ministry of Education of China. He has led projects under the National Basic Research Program (973 Program), the National High-Tech R&D Program (863 Program), the National Natural Science Foundation of China, and the Key Technologies Research and Development Program, among others. He has published more than 50 academic papers in international journals and conferences. He received the third prize of the Science and Technology Innovation Award of the Ministry of Education of China in 2003 and the first prize of the Science and Technology Innovation Award of Beijing in 2011. His research interests include services computing, real-time systems, and highly dependable software.

Cite this article

Zhao, Y., Yang, Z. & Ma, D. A survey on formal specification and verification of separation kernels. Front. Comput. Sci. 11, 585–607 (2017). https://doi.org/10.1007/s11704-016-4226-2
