Formal methods for security in the Xenon hypervisor

  • VSTTE 2009-2010
  • International Journal on Software Tools for Technology Transfer

Abstract

This paper reports on the Xenon project’s use of formal methods. Xenon is a higher-assurance secure hypervisor based on re-engineering the Xen open-source hypervisor. The Xenon project used formal specifications both for assurance and as guides for security re-engineering. We formally modelled the fundamental definition of security, the hypercall interface behaviour, and the internal modular design. We used three formalisms for this work: CSP, Z, and Circus. Circus is a combination of Standard Z and CSP, with its semantics given in Hoare and He’s unifying theories of programming. Circus is suited for both event-based and state-based modelling. Here, we report our experiences to date with using these formalisms for assurance.



Author information

Corresponding author: Leo Freitas.


Cite this article

Freitas, L., McDermott, J. Formal methods for security in the Xenon hypervisor. Int J Softw Tools Technol Transfer 13, 463–489 (2011). https://doi.org/10.1007/s10009-011-0195-9
