This paper reports on the Xenon project's use of formal methods. Xenon is a higher-assurance secure hypervisor produced by re-engineering the Xen open-source hypervisor. The Xenon project used formal specifications both as assurance evidence and as guides for the security re-engineering. We formally modeled the fundamental definition of security, the behavior of the hypercall interface, and the internal modular design. We used three formalisms for this work: CSP, Z, and Circus. Circus combines Standard Z with CSP, with its semantics given in Hoare and He's Unifying Theories of Programming, and is suited to both event-based and state-based modeling. In this extended abstract, we report our experiences with using these formalisms for assurance.