{"title":"Formal model of a trusted file server","authors":"J. C. Williams, G. Dinolt","doi":"10.1109/SECPRI.1989.36290","DOIUrl":null,"url":null,"abstract":"The authors present a formal, mathematical model for a trusted file server (TFS) for a multilevel secure distributed computer system. The goal is to produce formal verification from the top-level specification down through code for the entire system of which a TFS is one component. By viewing the TFS as a black box, it is possible to specify its security as a relation that must hold invariantly between an output stream of responses and an input stream of requests. Using the proposed approach, the authors have provided a small (perhaps minimal) set of compromise security constraints on the TFS. They have produced an implementation of the TFS in Gypsy and verified that the implementation satisfies this model. It is also shown that the specified relation is stronger than noninterference, and that a noninterference model cannot cover the security-relevant functionality of deleting or changing the size of a file.<<ETX>>","PeriodicalId":126792,"journal":{"name":"Proceedings. 1989 IEEE Symposium on Security and Privacy","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1989-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings. 1989 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SECPRI.1989.36290","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2
Abstract
The authors present a formal, mathematical model for a trusted file server (TFS) for a multilevel secure distributed computer system. The goal is to produce formal verification from the top-level specification down through code for the entire system of which a TFS is one component. By viewing the TFS as a black box, it is possible to specify its security as a relation that must hold invariantly between an output stream of responses and an input stream of requests. Using the proposed approach, the authors have provided a small (perhaps minimal) set of compromise security constraints on the TFS. They have produced an implementation of the TFS in Gypsy and verified that the implementation satisfies this model. It is also shown that the specified relation is stronger than noninterference, and that a noninterference model cannot cover the security-relevant functionality of deleting or changing the size of a file.<>
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
