
On attaining reliable software for a secure operating system

Published: 01 April 1975

Abstract

This paper presents a general methodology for the design, implementation, and proof of large software systems, each described as a hierarchy of abstract machines. The design and implementation occur in five stages as described in this paper. Formal proof may take place at each stage. We expect the methodology to simplify the proof effort in such a way as to make proof a feasible tool in the development of reliable software. In addition to the anticipated advantages in proof, we feel that the methodology improves a designer's ability to formulate and organize the issues involved in the design of large systems, with additional benefits in system reliability. These advantages remain even if proof is not attempted.
We are currently applying this methodology to the design and proof of a secure operating system. Each level in the system acts as a manager of all objects of a particular type (e.g., directories, segments, linkage sections), and enforces all of the protection rules involved in the manipulation of these objects. In this paper we illustrate the methodology by examining three of the system levels, including specifications, for a simplified version of these levels. We also demonstrate some proofs of security-related properties and of correctness of implementation.


Published In

ACM SIGPLAN Notices, Volume 10, Issue 6
International Conference on Reliable Software
June 1975
563 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/390016

Proceedings of the International Conference on Reliable Software
April 1975
567 pages
ISBN: 9781450373852
DOI: 10.1145/800027

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. Design methodology
  2. Formal specification
  3. Hierarchical structure
  4. Operating systems
  5. Program verification
  6. Programming methodology
  7. Security
