Title :
A separation model for virtual machine monitors
Author :
Kelem, Nancy L. ; Feiertag, Richard J.
Author_Institution :
Trusted Inf. Syst. Inc., Mountain View, CA, USA
Abstract :
A security policy is given for separation virtual machine monitors (SVMMs) and the authors interpret J.M. Rushby's (1981) separation model for SVMMs. Applying Rushby's technique yields a practical method for demonstrating that an implementation of an SVMM adheres to the abstract isolation axiom of the separation model, thus providing relatively strong assurance for a low level of effort. The authors describe the relevant characteristics of SVMMs and note the applicable formal modeling requirements. A summary of the SVMM separation model, which is a modification of the original model presented by Rushby, is given. The separation model technique permits a proof of separability among the operating systems under control of the kernel of an SVMM. An interpretation of the elements of the separation model using concepts from SVMMs is given.
Keywords :
security of data; supervisory programs; virtual machines; SVMM; abstract isolation axiom; formal modeling requirements; kernel; security policy; separation model; separation virtual machine monitors; Access control; Communication system security; Computer security; Information security; Information systems; Kernel; Operating systems; Resource management; Virtual machine monitors; Virtual machining;
Conference_Title :
Research in Security and Privacy, 1991. Proceedings., 1991 IEEE Computer Society Symposium on
Conference_Location :
Oakland, CA
Print_ISBN :
0-8186-2168-0
DOI :
10.1109/RISP.1991.130776