Formal methods for security in the Xenon hypervisor

  • Authors:
  • Leo Freitas; John McDermott

  • Affiliations:
  • Newcastle University, School of Computing Science, Newcastle upon Tyne, UK; Naval Research Laboratory, Washington, DC, USA

  • Venue:
  • International Journal on Software Tools for Technology Transfer (STTT) - VSTTE 2009

  • Year:
  • 2011


Abstract

This paper reports on the Xenon project’s use of formal methods. Xenon is a higher-assurance secure hypervisor based on re-engineering the Xen open-source hypervisor. The Xenon project used formal specifications both for assurance and as guides for security re-engineering. We formally modelled the fundamental definition of security, the hypercall interface behaviour, and the internal modular design. We used three formalisms for this work: CSP, Z, and Circus. Circus combines Standard Z and CSP, with its semantics given in Hoare and He’s Unifying Theories of Programming, and is therefore suited to both event-based and state-based modelling. Here, we report our experiences to date with using these formalisms for assurance.