This paper presents a general methodology for the design, implementation, and proof of large software systems, each described as a hierarchy of abstract machines. Design and implementation proceed in five stages, described in the paper, and formal proof may take place at each stage. We expect the methodology to simplify the proof effort enough to make proof a feasible tool in the development of reliable software. Beyond the anticipated advantages for proof, we believe the methodology improves a designer's ability to formulate and organize the issues involved in designing large systems, with further benefits in system reliability; these advantages remain even if no proof is attempted. We are currently applying the methodology to the design and proof of a secure operating system. Each level of the system acts as the manager of all objects of a particular type (e.g., directories, segments, linkage sections) and enforces all of the protection rules involved in manipulating those objects. We illustrate the methodology by examining three of the system levels, including specifications, for a simplified version of those levels, and we demonstrate some proofs of security-related properties and of correctness of implementation.