The Caernarvon secure embedded operating system
David C. Toll, Paul A. Karger, et al.
EuroSys 2008
Capability systems can be used to implement higher-level security policies including the *-property if a mechanism exists to ensure confinement. The implementation can be efficient if the 'weak' access restriction described in this paper is introduced. In the course of developing EROS, a pure capability system, it became clear that verifying the correctness of the confinement mechanism was necessary in establishing the security of the operating system. This paper presents a verification of the EROS confinement mechanism with respect to a broad class of capability architectures (including EROS). We give a formal statement of the requirements, construct a model of the architecture's security policy and operational semantics, and show that architectures covered by this model enforce the confinement requirements if a small number of initial static checks on the confined subsystem are satisfied. The method used generalizes to any capability system.
David C. Toll, Paul A. Karger, et al.
EuroSys 2008
Joshua Anhalt, Asim Smailagic, et al.
IEEE Intelligent Systems and Their Applications
Sam Weber, Amitkumar Paradkar, et al.
ISSRE 2008
Sam Weber, Paul A. Karger, et al.
ICSEW 2005