Abstract
The separation kernel concept was developed as an architecture to simplify formal kernel security verification, and is the basis for many implementations of integrated modular avionics in the aerospace domain. This paper reports on a feasibility study conducted for the European Space Agency, to explore the resources required to formally verify the correctness of such a kernel, given a reference specification and a implementation of same. The study was part of an activity called Methods and Tools for On-Board Software Engineering (MTOBSE) which produced a natural language Reference Specification for a Time-Space Partitioning (TSP) kernel, describing partition functional properties such as health monitoring, inter-partition communication, partition control, resource access, and separation security properties, such as the security policy and authorisation control. An abstract security model, and the reference specification were both formalised using Isabelle/HOL. The C sources of the open-source XtratuM kernel were obtained, and an Isabelle/HOL model of the code was semi-automatically produced. Refinement relations were written manually and some proofs were explored. We describe some of the details of what has been modelled and report on the current state of this work. We also make a comparison between our verification explorations, and the circumstances of NICTA’s successful verification of the sel4 kernel.
Funded by ESTEC CONTRACT No. 4000106016, and supported, in part, by Science Foundation Ireland grant 10/CE/I1855
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Funded by ESTEC CONTRACT No. 4000106016
- 2.
C-99 refers to the revised standard of ANSI C, or C-89, released in 1999
References
Rushby, J.M.: Design and verification of secure systems. SIGOPS Oper. Syst. Rev. 15, 12–21 (1981)
Alves-Foss, J., Oman, P.W., Taylor, C., Harrison, S.: The MILS architecture for high-assurance embedded systems. IJES 2(3/4), 239–247 (2006)
Criteria, C.: Common criteria for information technology security evaluation, version 2.3. Technical report ISO/IEC 15408:2005, Common Criteria (2005)
Directorate, I.A.: Protection profile for separation kernels in environments requiring high robustness. Technical report, U.S. Government, June 2007
ARINC, Arinc specification 653–2: Avionics application software standard interface part 1 - required services. Technical report, Aeronautical Radio INC (2005)
Baumann, C., Beckert, B., Blasum, H., Bormer, T.: Better avionics software reliability by code verification a glance at code verification methodology in the verisoft xt project. In: Embedded World 2009 Conference (2009)
Klein, G., et al.: seL4: formal verification of an OS kernel. CACM 53, 107–115 (2010)
Crespo, A., Ripoll, I., Masmano, M.: Partitioned embedded architecture based on hypervisor: The xtratum approach. In: Eighth European Dependable Computing Conference, EDCC-8 2010, Valencia, Spain, 28–30 April, pp. 67–72. IEEE Computer Society (2010)
Consortium, A.-I.: AIR II (2013). http://air.di.fc.ul.pt/air-ii/. Accessed 5 Nov 2013
Heitmeyer, C., Archer, M., Leonard, E., McLean, J.: Applying formal methods to a certifiably secure software system. IEEE Trans. Softw. Eng. 34, 82–98 (2008)
Dam, M., Guanciale, R., Khakpour, N., Nemati, H., Schwarz, O.: Formal verification of information flow security for a simple arm-based separation kernel. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer & #38; Communications Security, CCS ’13, pp. 223–234 (2013)
de Amorim, A.A., Collins, N., DeHon, A., Demange, D., Hritcu, C., Pichardie, D., Pierce, B.C., Pollack, R., Tolmach, A.: A verified information-flow architecture. In: 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL) (2014)
de Ferluc, R.: Report D10 – TSP Services Specification. IMA-SP/D10 Issue 2.1, ESTEC. Contract ESTEC 4000100764, March 2012
Butterfield, A., Sanan, D.: Reference specification for a partitioning kernel and a separation kernel. Technical Report Version 4.1, Lero. ESTEC Contract No. 4000106016, 3 parts: MTOBSE_D03i4-SRS,-ICD,-ADD (2013)
Abadi, M., Lamport, L.: The existence of refinement mappings. Theor. Comput. Sci. 82, 253–284 (1991)
Alves-Foss, J., Rinker, B., Benke, M., Marshall, J., O’Connel, P., Taylor, C.: The idaho partitioning machine. Technical report (2002)
Paulson, L.C. (ed.): Isabelle: A Generic Theorem Prover. LNCS, vol. 828. Springer, Heidelberg (1994)
Winwood, S., Klein, G., Sewell, T., Andronick, J., Cock, D., Norrish, M.: Mind the gap: a verification framework for low-level C. In: Berghofer, S., Nipkow, T., Urban, C., Wenzel, M. (eds.) TPHOLs 2009. LNCS, vol. 5674, pp. 500–515. Springer, Heidelberg (2009)
Berghofer, S., Wenzel, M.: Inductive datatypes in HOL - lessons learned in formal-logic engineering. In: Bertot, Y., Dowek, G., Hirschowitz, A., Paulin, C., Théry, L. (eds.) TPHOLs 1999. LNCS, vol. 1690, p. 19. Springer, Heidelberg (1999)
C. SPARC International Inc., The SPARC architecture manual: version 8. Upper Saddle River, NJ, USA: Prentice-Hall Inc. (1992)
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63, 1278–1308 (1975)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Sanán, D., Butterfield, A., Hinchey, M. (2014). Separation Kernel Verification: The Xtratum Case Study. In: Giannakopoulou, D., Kroening, D. (eds) Verified Software: Theories, Tools and Experiments. VSTTE 2014. Lecture Notes in Computer Science(), vol 8471. Springer, Cham. https://doi.org/10.1007/978-3-319-12154-3_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-12154-3_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12153-6
Online ISBN: 978-3-319-12154-3
eBook Packages: Computer ScienceComputer Science (R0)