Communicating sequential processes
Communicating sequential processes
Using Z: specification, refinement, and proof
Using Z: specification, refinement, and proof
A lattice model of secure information flow
Communications of the ACM
Protection in operating systems
Communications of the ACM
The Theory and Practice of Concurrency
The Theory and Practice of Concurrency
Refinement Calculus: A Systematic Introduction
Refinement Calculus: A Systematic Introduction
Non-Interference Through Determinism
ESORICS '94 Proceedings of the Third European Symposium on Research in Computer Security
Process Algebra and Non-interference
CSFW '99 Proceedings of the 12th IEEE workshop on Computer Security Foundations
Possibilistic Definitions of Security - An Assembly Kit
CSFW '00 Proceedings of the 13th IEEE workshop on Computer Security Foundations
A General Theory of Composition for Trace Sets Closed under Selective Interleaving Functions
SP '94 Proceedings of the 1994 IEEE Symposium on Security and Privacy
CSP and determinism in security modelling
SP '95 Proceedings of the 1995 IEEE Symposium on Security and Privacy
A general theory of security properties
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Secure information flow in computer systems.
Secure information flow in computer systems.
Xen and the art of virtualization
SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
The framework of selective interleaving functions and the modular assembly kit
Proceedings of the 2005 ACM workshop on Formal methods in security engineering
Building a MAC-Based Security Architecture for the Xen Open-Source Hypervisor
ACSAC '05 Proceedings of the 21st Annual Computer Security Applications Conference
Model driven security: From UML models to access control infrastructures
ACM Transactions on Software Engineering and Methodology (TOSEM)
Applying Formal Methods to a Certifiably Secure Software System
IEEE Transactions on Software Engineering
Mechanising Mondex with Z/Eves
Formal Aspects of Computing
Re-engineering Xen internals for higher-assurance security
Information Security Tech. Report
Security policy modeling using Z notation for common criteria version 3.1
ICACT'09 Proceedings of the 11th international conference on Advanced Communication Technology - Volume 1
Formal modelling of separation kernel components
ICTAC'10 Proceedings of the 7th International colloquium conference on Theoretical aspects of computing
Separation virtual machine monitors
Proceedings of the 28th Annual Computer Security Applications Conference
XEBHRA: a virtualized platform for cross domain information sharing
Proceedings of the Eighth Annual Cyber Security and Information Intelligence Research Workshop
Hi-index | 0.00 |
The up-front choice of security policy and formalism used to model it is critical to the success of projects that seek to enforce information-flow security. This paper reports on the Xenon project's choice of policy and formalism. Xenon is a high-assurance separation hypervisor based on re-engineering the Xen open-source hypervisor. Xenon's formal policy both guides the re-engineering and serves as a basis for formal modelling. Definitions of information-flow security can be difficult to apply, because in general they are not preserved by refinement. Roscoe, Woodcock, and Wulf have defined an information-flow policy that is preserved by refinement, but it is defined in a purely event-based formalism that does not directly support refinement into state-rich implementations like hypervisor internals. Circus is a combination of Z, CSP, and Hoare and He's unifying theories of programming. Circus is suited for both event-based and state-based modelling. In this paper, we show how to define an information-flow policy in Circus that is also preserved by refinement. Because Circus retains the human-readability of Z, heuristic application of the policy to re-engineering is simplified and a larger open source community can be supported. Because Circus can easily model state-rich implementations of event-based security policies, the Xenon model can support complete policy-to-code modelling in a single language.