Title :
Verifying the EROS confinement mechanism
Author :
Shapiro, Jonathan S. ; Weber, Sam
Author_Institution :
IBM Thomas J. Watson Res. Center, Yorktown Heights, NY, USA
Abstract :
Capability systems can be used to implement higher-level security policies including the *-property if a mechanism exists to ensure confinement. The implementation can be efficient if the “weak” access restriction described in this paper is introduced. In the course of developing EROS, a pure capability system, it became clear that verifying the correctness of the confinement mechanism was necessary in establishing the security of the operating system. We present a verification of the EROS confinement mechanism with respect to a broad class of capability architectures (including EROS). We give a formal statement of the requirements, construct a model of the architecture´s security policy and operational semantics, and show that architectures covered by this model enforce the confinement requirements if a small number of initial static checks on the confined subsystem are satisfied. The method used generalizes to any capability system
Keywords :
operating systems (computers); program verification; security of data; EROS confinement mechanism verification; formal specification; higher-level security policies; operating system security; operational semantics; pure capability system; weak access restriction; Access control; Computer architecture; Contracts; Formal specifications; Genetic mutations; Information security; Operating systems; Protection; Runtime; Testing;
Conference_Titel :
Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on
Conference_Location :
Berkeley, CA
Print_ISBN :
0-7695-0665-8
DOI :
10.1109/SECPRI.2000.848454
