Abstract
This paper reports on the Xenon project’s use of formal methods. Xenon is a higher-assurance secure hypervisor based on re-engineering the Xen open-source hypervisor. The Xenon project used formal specifications both for assurance and as guides for security re-engineering. We formally modelled the fundamental definition of security, the hypercall interface behaviour, and the internal modular design. We used three formalisms for this work: CSP, Z, and Circus. Circus combines Standard Z and CSP, with its semantics given in Hoare and He’s unifying theories of programming, and is suited to both event-based and state-based modelling. Here, we report our experiences to date with using these formalisms for assurance.
Cite this article
Freitas, L., McDermott, J. Formal methods for security in the Xenon hypervisor. Int J Softw Tools Technol Transfer 13, 463–489 (2011). https://doi.org/10.1007/s10009-011-0195-9