Vulnerabilities in Synchronous IPC Designs
SP '03 Proceedings of the 2003 IEEE Symposium on Security and Privacy
Using build-integrated static checking to preserve correctness invariants
Proceedings of the 11th ACM conference on Computer and communications security
Application security support in the operating system kernel
ASIACCS '06 Proceedings of the 2006 ACM Symposium on Information, computer and communications security
Design of the EROS trusted window system
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Delegating responsibility in digital systems: Horton's "who done it?"
HOTSEC'07 Proceedings of the 2nd USENIX workshop on Hot topics in security
A Verification Approach for System-Level Concurrent Programs
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
Kernel design for isolation and assurance of physical memory
Proceedings of the 1st workshop on Isolation and integration in embedded systems
Non-delegatable authorities in capability systems
Journal of Computer Security
Robustly secure computer systems: a new security paradigm of system discontinuity
NSPW '07 Proceedings of the 2007 Workshop on New Security Paradigms
A Verified Shared Capability Model
Electronic Notes in Theoretical Computer Science (ENTCS)
Towards multilaterally secure computing platforms-with open source and trusted computing
Information Security Tech. Report
Provable Security: how feasible is it?
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
ITP'11 Proceedings of the Second international conference on Interactive theorem proving
Parametric verification of address space separation
POST'12 Proceedings of the First international conference on Principles of Security and Trust
Content-based isolation: rethinking isolation policy design on client systems
Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
Capability systems can be used to implement higher-level security policies, including the *-property, if a mechanism exists to ensure confinement. The implementation can be efficient if the "weak" access restriction described in this paper is introduced. In the course of developing EROS, a pure capability system, it became clear that verifying the correctness of the confinement mechanism was necessary to establishing the security of the operating system. This paper presents a verification of the EROS confinement mechanism with respect to a broad class of capability architectures (including EROS). We give a formal statement of the requirements, construct a model of the architecture's security policy and operational semantics, and show that architectures covered by this model enforce the confinement requirements if a small number of initial static checks on the confined subsystem are satisfied. The method used generalizes to any capability system.
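The two ideas the abstract relies on, a "weak" (transitively read-only) capability and a static check on the confined subsystem's initial capabilities, are easiest to see in a toy model. The following is an added example, not the paper's formal model and not EROS code: objects hold capability slots, every capability carries a weak bit, and the only operation is fetch, which copies a capability out of a slot of the object the caller already holds a capability to. The object names, the subsystem, the hole set and the claim that holes are not expanded (the confiner has accepted whatever authority they carry) are assumptions made here for illustration.

```python
"""Toy model of 'weak' capabilities and a static confinement check.

Added example, not the paper's model: one object kind, one capability
kind with a 'weak' bit, one operation (fetch). The property shown is the
informal one from the abstract: if every capability initially held by
the confined subsystem is weak, points inside the subsystem, or names an
explicitly authorised hole, then the subsystem can never obtain a strong
(writable) capability to anything outside itself other than the holes.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cap:
    target: str
    weak: bool = False  # True: read-only, and anything fetched through it is weak

    def weaken(self) -> "Cap":
        return Cap(self.target, True)


# object name -> capability slots that object holds (constructed data)
World = Dict[str, List[Cap]]


def fetch(world: World, via: Cap, slot: int) -> Cap:
    """Copy the capability in slot `slot` of via.target.

    This is the weak access restriction: a capability fetched through a
    weak capability is itself weak, so read-only authority can never be
    upgraded to write authority by walking the object graph."""
    c = world[via.target][slot]
    return c.weaken() if via.weak else c


def static_confinement_check(world: World, subsystem: Set[str],
                             holes: Set[str]) -> List[Cap]:
    """Return the initial capabilities that violate the check (empty = ok).

    Every capability in every object of the subsystem must be weak, point
    inside the subsystem, or name an authorised hole."""
    bad = []
    for obj in sorted(subsystem):
        for c in world[obj]:
            if not (c.weak or c.target in subsystem or c.target in holes):
                bad.append(c)
    return bad


def reachable(world: World, subsystem: Set[str], holes: Set[str]) -> Set[Cap]:
    """Every capability the subsystem could ever hold: the fixed point of
    fetching through what it already holds. Holes are not expanded; what
    they grant is whatever the confiner accepted when authorising them."""
    held: Set[Cap] = {c for obj in subsystem for c in world[obj]}
    frontier = list(held)
    while frontier:
        via = frontier.pop()
        if via.target in holes:
            continue
        for slot in range(len(world.get(via.target, []))):
            c = fetch(world, via, slot)
            if c not in held:
                held.add(c)
                frontier.append(c)
    return held


def strong_leaks(world: World, subsystem: Set[str], holes: Set[str]) -> Set[str]:
    """Objects outside the subsystem (and not holes) to which a strong,
    i.e. writable, capability is reachable. Empty means confined."""
    return {c.target for c in reachable(world, subsystem, holes)
            if not c.weak and c.target not in subsystem and c.target not in holes}


# Constructed worlds. 'worker' and its private 'buffer' form the confined
# subsystem; 'library' is shared and must stay read-only to the worker;
# the library happens to hold a strong capability to 'secrets'; 'console'
# is the one hole the confiner has authorised.
SUBSYSTEM = {"worker", "buffer"}
HOLES = {"console"}

GOOD_WORLD: World = {
    "worker": [Cap("buffer"), Cap("library", weak=True), Cap("console")],
    "buffer": [],
    "library": [Cap("secrets")],
    "secrets": [],
    "console": [],
}

# Same world, but the worker was handed a strong capability to the library.
BAD_WORLD: World = dict(GOOD_WORLD)
BAD_WORLD["worker"] = [Cap("buffer"), Cap("library"), Cap("console")]


if __name__ == "__main__":
    for name, world in (("good", GOOD_WORLD), ("bad", BAD_WORLD)):
        print(name, "violations:", static_confinement_check(world, SUBSYSTEM, HOLES),
              "leaks:", strong_leaks(world, SUBSYSTEM, HOLES))
```

In the good world the check passes and the fixed-point search confirms that the worker can read `secrets` through the weakened library capability but never obtains a strong capability to it. In the bad world the static check flags the single strong capability to `library`, and the reachability search shows that this one mistake leaks write authority to both `library` and `secrets`: the static check on the initial state is what the dynamic guarantee depends on, which is the shape of the argument the abstract describes.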