
Formal Verification of Partition Management for the AAMP7G Microprocessor

  • Chapter

Abstract

The AAMP7G microprocessor, currently in use in Rockwell Collins high-assurance system products, uniquely supports strict time and space partitioning in hardware. In this chapter, we describe the formal modeling and proof effort that led to an NSA multiple independent levels of security (MILS) certification for the AAMP7G. The MILS certificate allows a single AAMP7G CPU to concurrently process Unclassified through Top Secret codeword information. We discuss the formal model architecture of the AAMP7G at several levels, including the microcode and instruction set levels. We describe how the ACL2 theorem prover was used to develop a formal security specification, called GWV, and outline a mathematical proof (machine-checked using ACL2) which established that the AAMP7G trusted microcode implements that security specification, in accordance with EAL 7 requirements. We also discuss the evaluation process, which validated that the formalizations accurately model what was actually designed and built. Finally, we provide an overview of a technique for compositional reasoning at the instruction set level, using a symbolic simulation-based technique.
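The GWV specification named in the abstract states separation as a property of the machine's step function: the next contents of any segment may depend only on the current partition and on the contents of the segments that the (state-independent) policy `dia` allows to interact with it. The model below is an added example, written for this page in Python; it is not the chapter's ACL2 model, and the three-segment memory, the one-way "shared" channel policy and both step functions are constructed for illustration. The formulation of the property follows the published GWV statement (Greve, Wilding and Vanfleet): for any two states with the same current partition that agree on `dia(seg)`, the next states agree on `seg`. The check is exhaustive over a toy state space, whereas the chapter's result is a machine-checked proof over the trusted microcode model; the point here is to show what the property quantifies over and how a covert read shows up as a counterexample.

```python
"""Toy model of the GWV separation property (constructed example, not the AAMP7G model)."""
from itertools import product

SEGMENTS = ("a_data", "shared", "b_data")   # hypothetical memory segments
VALUES = range(4)                           # small domain so the check can be exhaustive
PARTITIONS = ("A", "B")                     # two partitions on one CPU

# Hypothetical direct-interaction policy: partition A owns a_data and may push it into
# the one-way channel "shared"; partition B may read "shared" into b_data; nothing else.
DIA = {
    "a_data": frozenset({"a_data"}),
    "shared": frozenset({"shared", "a_data"}),
    "b_data": frozenset({"b_data", "shared"}),
}


def schedule(cur):
    """Fixed round-robin schedule: the next partition depends only on the current one."""
    return "B" if cur == "A" else "A"


def step_good(st):
    """One scheduled step that respects DIA. State = (current partition, segment contents)."""
    cur, mem = st
    mem = dict(mem)
    if cur == "A":
        mem["a_data"] = (mem["a_data"] + 1) % 4
        mem["shared"] = mem["a_data"]            # allowed: a_data is in dia("shared")
    else:
        mem["b_data"] = (mem["b_data"] + mem["shared"]) % 4   # allowed: shared in dia("b_data")
    return (schedule(cur), mem)


def step_leaky(st):
    """Same machine, except B reads a_data directly, which dia("b_data") does not permit."""
    cur, mem = st
    mem = dict(mem)
    if cur == "A":
        mem["a_data"] = (mem["a_data"] + 1) % 4
        mem["shared"] = mem["a_data"]
    else:
        mem["b_data"] = (mem["b_data"] + mem["a_data"]) % 4   # covert read of A's segment
    return (schedule(cur), mem)


def all_states():
    """Every state of the toy machine: 2 partitions x 4^3 memory contents."""
    for cur in PARTITIONS:
        for vals in product(VALUES, repeat=len(SEGMENTS)):
            yield (cur, dict(zip(SEGMENTS, vals)))


def selectlist(segs, st):
    """Contents of a set of segments, in a canonical order (GWV's selectlist)."""
    return tuple(st[1][s] for s in sorted(segs))


def gwv_check(step, dia):
    """Exhaustively test the GWV property for `step` under policy `dia`.

    Returns None if it holds, otherwise (segment, st1, st2): two states with the same
    current partition that agree on dia(segment) but whose successors differ on segment.
    """
    states = list(all_states())
    for seg in SEGMENTS:
        for st1 in states:
            for st2 in states:
                if st1[0] != st2[0]:                     # hypothesis: same current partition
                    continue
                if selectlist(dia[seg], st1) != selectlist(dia[seg], st2):
                    continue                             # hypothesis: agree on dia(seg)
                if step(st1)[1][seg] != step(st2)[1][seg]:
                    return (seg, st1, st2)               # conclusion violated
    return None


if __name__ == "__main__":
    print("good machine:", gwv_check(step_good, DIA))    # None: property holds
    print("leaky machine:", gwv_check(step_leaky, DIA))  # counterexample on b_data
```

The counterexample the leaky machine produces is exactly the shape a GWV proof obligation fails in: two B-partition states identical on `b_data` and `shared` but different in `a_data`, whose successors differ in `b_data`. Note that `dia` is a function of the segment alone; a policy that depended on the state would let the interaction rules themselves become a channel.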




Author information


Correspondence to Matthew M. Wilding .


Copyright information

© 2010 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Wilding, M.M., Greve, D.A., Richards, R.J., Hardin, D.S. (2010). Formal Verification of Partition Management for the AAMP7G Microprocessor. In: Hardin, D. (eds) Design and Verification of Microprocessor Systems for High-Assurance Applications. Springer, Boston, MA. https://doi.org/10.1007/978-1-4419-1539-9_6


  • DOI: https://doi.org/10.1007/978-1-4419-1539-9_6


  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4419-1538-2

  • Online ISBN: 978-1-4419-1539-9

