Abstract
The Logical Coprocessing Kernel (LOCK) began as a research project to stretch the state of the art in secure computing by trying to meet or even exceed the "A1" requirements of the Trusted Computer System Evaluation Criteria (TCSEC). Over the span of seven years, the project was transformed into an effort to develop and deploy a product: the Standard Mail Guard (SMG). Since the project took place under a US government contract, the development team needed to maintain detailed records of the time spent on the project. The records from 1987 to 1992 have been combined with information about software code size and error detection. This information has been used to examine the practical impacts of high assurance techniques on a large-scale software development program. Tasks associated with the A1 formal assurance requirements added approximately 58% to the development cost of security-critical software. In exchange for these costs, the formal assurance tasks (formal specifications, proofs, and specification-to-code correspondence) uncovered 68% of the security flaws detected in LOCK's critical security mechanisms. However, a study of flaw detection during the SMG program found that only 14% of all flaws detected were of the type that could be detected using formal assurance, and that the work of the formal assurance team accounted for only 19% of all flaws detected. While formal assurance is clearly effective at detecting flaws, its practicality hinges on the degree to which the formally modeled system properties represent all of a system's essential properties.
Index Terms
- Cost profile of a highly assured, secure operating system