Programming semantics for multiprogrammed computations
Communications of the ACM
Verifying the EROS Confinement Mechanism
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Putting it all together – Formal verification of the VAMP
International Journal on Software Tools for Technology Transfer (STTT) - A View from Formal Methods 2003 (pp 301-354); Special Section on Recent Advances in Hardware Verification (pp 355-447)
On Refinement-Closed Security Properties and Nondeterministic Compositions
Electronic Notes in Theoretical Computer Science (ENTCS)
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
A Verified Shared Capability Model
Electronic Notes in Theoretical Computer Science (ENTCS)
Towards proving security in the presence of large untrusted components
SSV'10 Proceedings of the 5th international conference on Systems software verification
What if you could actually trust your kernel?
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
What if you could actually trust your kernel?
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
Extensible specifications for automatic re-use of specifications and proofs
SEFM'12 Proceedings of the 10th international conference on Software Engineering and Formal Methods
Noninterference for operating system kernels
CPP'12 Proceedings of the Second international conference on Certified Programs and Proofs
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
Hi-index | 0.00 |
Strong, machine-checked security proofs of operating systems have been in the too hard basket long enough. They will still be too hard for large mainstream operating systems, but even for systems designed from the ground up for security they have been counted as infeasible. There are high-level formal models, nice security properties, ways of architecting and engineering secure systems, but no implementation level proofs yet, not even with the recent verification of the seL4 microkernel. This needs to change.