
    Security Analysis of Separation Kernels Specifications and a Framework for the Verification of Concurrent Implementations

    Due to the recent trend of integrating safe and secure functionality into one separation kernel, a security analysis of ARINC 653, together with a formal specification carrying security proofs, is significant for the development and certification of Separation Kernels (SKs). In this talk we present a refinement-based specification development and security analysis method for ARINC SKs. We present a security model for event-based noninterference and a stepwise refinement framework that allows us to check security on sequential SK specifications. Moreover, to reason about SK implementations running on multi-core architectures it is essential to deal with interference from the environment between SK instances running on different cores. Concurrent program reasoning techniques such as rely-guarantee can be leveraged to reason about multi-core SK implementations. However, the source code of the programs to be verified often involves language features, such as exceptions and procedures, that are not supported by the existing mechanizations of those concurrent reasoning techniques. CSimpl is a rich specification language with concurrency-oriented language features and verification techniques that allow reasoning about multi-core SK implementations.

    Universidad de Málaga. Campus de Excelencia Internacional Andalucía Tech

    On-the-fly model checking for C programs with extended CADP in FMICS-jETI

    A current trend in the software engineering community is to integrate different tools into a friendly and powerful development environment for use by end users. This is also the case for tools based on formal methods, which are very valuable for increasing confidence in the reliability of software. This paper contributes to one promising approach to making this integration possible, the FMICS-jETI project. This project aims to build an active repository of formal-methods tools in which users can access and combine all the tools simply by defining a graph of the tools and the files they manage. In particular, the paper explains how two new modules of the well-known CADP toolset are added to FMICS-jETI. These new modules, named C.OPEN and ANNOTATOR, extend CADP with functions for handling C programs in this toolset.

    Towards formal verification of separation microkernel

    The best approach to verifying an IMA separation kernel is to use a (fixed) time-space partitioning kernel with a multiple independent levels of separation (MILS) architecture. We describe an activity that explores the cost and feasibility of carrying out a formal verification of such a kernel to the Common Criteria (CC) levels mandated by the Separation Kernel Protection Profile (SKPP). We are developing a Reference Specification of such a kernel, and are using higher-order logic (HOL) to construct formal models of this specification and of key separation properties. We then plan to do a dry run of part of a formal proof of those properties using the Isabelle/HOL theorem prover.

    C.OPEN and ANNOTATOR: Tools for On-the-Fly Model Checking C Programs

    This paper describes a set of verification components that open the way to performing on-the-fly software model checking with the CADP toolbox, originally designed for verifying the functional correctness of LOTOS specifications. Two new tools (named C.OPEN and ANNOTATOR) have been added to the toolbox. The approach taken fits well within the existing architecture of CADP, which does not need to be altered to enable C program verification.