Reasoning About Information Flow Security of Separation Kernels with Channel-Based Communication

Zhao, Yongwang; Sanán, David; Zhang, Fuyuan; Liu, Yang

doi:10.1007/978-3-662-49674-9_50

Cited by 11 publications

(16 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to develop ARINC 653 compliant secure separation kernels, it is necessary to assure security of the functionalities defined in ARINC 653. In [77], authors present a formal specification and its security proofs of separation kernels with ARINC 653 channel-based communication in Isabelle/HOL. They provide a mechanically checked formal specification which comprises a generic execution model for separation kernels and an event specification which models all IPC services defined in ARINC 653.…”

Section: • Arinc 653 Compliant Separation Kernelsmentioning

confidence: 99%

See 1 more Smart Citation

A survey on formal specification and verification of separation kernels

Zhao¹,

Yang

Ma³

2017

Front. Comput. Sci.

Self Cite

View full text Add to dashboard Cite

Separation kernels are fundamental software of safety and security-critical systems, which provide to their hosted applications spatial and temporal separation as well as controlled information flows among partitions. The application of separation kernels in critical domain demands the correctness of the kernel by formal verification. To the best of our knowledge, there is no survey paper on this topic. This paper presents an overview of formal specification and verification of separation kernels. We first present the background including the concept of separation kernel and the comparisons among different kernels. Then, we survey the state of the art on this topic since 2000. Finally, we summarize research work by detailed comparison and discussion.

show abstract

Section: • Arinc 653 Compliant Separation Kernelsmentioning

confidence: 99%

“…The general proofs of information flow security properties and unwinding conditions are available in [54,55] and an application of them on a concrete separation kernel is available in [77].…”

Section: • a General Verification Approach For Spatial Separation Promentioning

confidence: 99%

A survey on formal specification and verification of separation kernels

Zhao¹,

Yang

Ma³

2017

Front. Comput. Sci.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The approaches to fixing them are also provided. In this paper, we have extended our previous work [37] by introducing the security model, the refinement framework, the second-level specification, the code review of VxWorks 653, and four new covert channels. The rest of this paper is organized as follows.…”

Section: Introductionmentioning

confidence: 99%

Refinement-Based Specification and Security Analysis of Separation Kernels

Zhao

Sanán

Zhang

et al. 2019

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Assurance of information-flow security by formal methods is mandated in security certification of separation kernels. As an industrial standard for improving safety, ARINC 653 has been complied with by mainstream separation kernels. Due to the new trend of integrating safe and secure functionalities into one separation kernel, security analysis of ARINC 653 as well as a formal specification with security proofs are thus significant for the development and certification of ARINC 653 compliant Separation Kernels (ARINC SKs). This paper presents a specification development and security analysis method for ARINC SKs based on refinement. We propose a generic security model and a stepwise refinement framework. Two levels of functional specification are developed by the refinement. A major part of separation kernel requirements in ARINC 653 are modeled, such as kernel initialization, two-level scheduling, partition and process management, and inter-partition communication. The formal specification and its security proofs are carried out in the Isabelle/HOL theorem prover. We have reviewed the source code of one industrial and two open-source ARINC SK implementations, i.e. VxWorks 653, XtratuM, and POK, in accordance with the formal specification. During the verification and code review, six security flaws, which can cause information leakage, are found in the ARINC 653 standard and the implementations.

show abstract

“…This is to the best of our knowledge the first attempt on the verification of separation microkernels targeting multi-core architectures. Other works such as [15,16] verify functional correctness and non-interference for sequential micro-kernels, and the work in [2] focuses on the verification of sequential applications using the ARINC standard.…”

Section: Introductionmentioning

confidence: 99%

CSimpl: A Rely-Guarantee-Based Framework for Verifying Concurrent Programs

Sanán

Zhao

Hóu

et al. 2017

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

It is essential to deal with the interference of the environment between programs in concurrent program verification. This has led to the development of concurrent program reasoning techniques such as Rely-Guarantee. However, the source code of the programs to be verified often involves language features such as exceptions and procedures which are not supported by the existing mechanizations of those concurrent reasoning techniques. Schirmer et al. have solved a similar problem for sequential programs by developing a verification framework called Simpl, which provides a rich sequential language that can encode most of the features in real world programming languages. Since Simpl only aims to verify sequential programs, it does not support the specification nor the verification of concurrent programs. In this paper we introduce CSimpl, an extension of Simpl with concurrency-oriented language features and verification techniques. We prove the compositionality of the CSimpl semantics and we provide inference rules for the language constructors to reason about CSimpl programs using Rely-Guarantee. We show that the inference rules are sound w.r.t. the language semantics. Finally, we run a case study where we use CSimpl to specify and prove functional correctness of an abstract communication model of the XtratuM partitioning separation micro-kernel.

show abstract

Reasoning About Information Flow Security of Separation Kernels with Channel-Based Communication

Cited by 11 publications

References 24 publications

A survey on formal specification and verification of separation kernels

A survey on formal specification and verification of separation kernels

Refinement-Based Specification and Security Analysis of Separation Kernels

CSimpl: A Rely-Guarantee-Based Framework for Verifying Concurrent Programs

Contact Info

Product

Resources

About