ECS253 Scribe on May 30, 1997
Christina Chung

Secure system
  Specification: formal top-level specification of the security system, proved to be internally consistent
  Design: proved to meet the specification
  Implementation: argue rigorously that it matches the design

Hierarchical design methodology
  divide the system into layers of abstraction
  specify the system as state machines

SPECIAL:
  v-functions: give the values of state variables; can be primitive operations, which obtain values directly, or derived operations, which obtain values based on the variables
  o-functions: transitions
  ov-functions: both

Example

  Module stack;
    vfun top(): integer;
      hidden;
      initially: top = 0;
      exceptions: none;
    vfun data(i: integer): integer;
      hidden;
      initially: ∀i, data(i) = undefined;
      exceptions: (i < 0) or (i > size);
    ofun push(x: integer);
      exceptions: top ≥ size;
      effects: 'top = top + 1;
               'data('top) = x;
               ∀j ≠ 'top, 'data(j) = data(j);
  end stack

  ('top denotes the value of top after the operation; the last effect is the frame condition: no other cell changes.)

  Note: pop is an ovfun, since it both changes the state and returns a value.

Verification
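The SPECIAL stack module above, executed as a state machine, as an added example that is not part of the scribe notes: each vfun reads state, push is the ofun with its exception and effects clauses, and pop is the ovfun the note mentions. check_push_effects() checks push's effects clause, including the frame condition ∀j ≠ 'top, 'data(j) = data(j). The pop exception condition (empty stack) is my assumption, since the notes give no spec for pop.

```python
class SpecException(Exception):
    """Raised when an operation's exceptions clause holds; state is unchanged."""

class Stack:
    """Constructed model of the SPECIAL 'stack' module; None models 'undefined'."""
    def __init__(self, size):
        self.size = size
        self._top = 0          # initially: top = 0
        self._data = {}        # initially: data(i) = undefined for all i

    def top(self):            # vfun top(): integer
        return self._top

    def data(self, i):        # vfun data(i): exceptions: (i < 0) or (i > size)
        if i < 0 or i > self.size:
            raise SpecException("data: index out of range")
        return self._data.get(i)

    def push(self, x):        # ofun push(x): exceptions: top >= size
        if self._top >= self.size:
            raise SpecException("push: stack full")
        self._top += 1                 # 'top = top + 1
        self._data[self._top] = x      # 'data('top) = x

    def pop(self):            # ovfun pop(): changes state and returns a value
        if self._top <= 0:             # assumed exception clause (not in the notes)
            raise SpecException("pop: stack empty")
        x = self._data.pop(self._top)
        self._top -= 1
        return x

def check_push_effects(size, contents, x):
    """Fill a stack with `contents`, push x, then check push's effects clause:
    'top = top + 1, 'data('top) = x, and the frame condition
    for all j != 'top: 'data(j) = data(j). Returns True iff all hold."""
    s = Stack(size)
    for v in contents:
        s.push(v)
    old_top = s.top()
    before = {j: s.data(j) for j in range(size + 1)}
    s.push(x)
    new_top = s.top()
    frame_ok = all(s.data(j) == before[j] for j in range(size + 1) if j != new_top)
    return new_top == old_top + 1 and s.data(new_top) == x and frame_ok
```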
procedures:
  Stage 1: Interface definition (detection principle, alteration principle)
  Stage 2: Hierarchical decomposition (a layer can only access things at its own layer or its neighbouring layer(s))
  Stage 3: Module specification (a formal specification of each module is developed)
  Stage 4: Mapping functions (define functions that capture how modules interact with lower-level functions; ensure the mapping is consistent and meets the specifications)
  Stage 5: Implementation (start from the lower layers and proceed to the higher layers)

UCLA Secure Kernel
  top-down approach to specifications:
    Top-level specification (in informal language)
    Abstract-level specification
    Low-level specification
    Code satisfying the specifications (prove that it meets the low-level specification)
  check that all accesses are verified; implicit procedures / functions are disallowed

DEC VMM

      VMS    ULTRIX     (virtual machines)
       |       |
        \     /
         \   /
      VMM (secure kernel)
      -----------------------
      VAX (physical machine)

  Virtual machine modes      Real machine modes
  User          ------------ User
  Supervisor    ------------ Supervisor
  VM Executive  ------------ Executive
  VM Kernel     ------------ Executive
                             Kernel

  subjects: user processes, VMs
  objects: disks, tapes, terminals
  access classes: integrity level (intlvl), security level (seclvl), integrity categories (intcat), security categories (seccat)
  equality: class(A) = class(B)
  domination: A dominates B if
      seclvl(A) ≥ seclvl(B) AND seccat(A) ⊇ seccat(B) AND
      intlvl(A) ≤ intlvl(B) AND intcat(A) ⊆ intcat(B)

  Levels:
    0   VAX hardware
    1   modified microcode (since there are 5 virtual machine modes)
    2   hardware interrupt handlers
    3   lower-level schedulers (at VM manager level)
    4   I/O services (real I/O, scheduled by the lower-level schedulers)
    5   VM physical space manager (partitions memory for VMs)
    6   VM virtual space manager
    7   higher-level scheduler (VM scheduling mechanism to schedule processes in VMs)
    8   audit
    9   files
    10  volumes (virtual disk volumes at VM level)
    11  virtual terminals (user talks to the security kernel to request a VM)
    12  virtual printers (labelling secret, top secret ...)
    13  kernel interface (virtual I/O)
    14  secure server / virtual VAX
    15  VM
    16  user

  Note: Levels 0 to 14 are the secure kernel.
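The DEC VMM access-class equality and domination relations from the notes, as an added example that is not part of the scribe notes: compare() also reports the case the definition leaves implicit, two classes that neither equal nor dominate each other. The sample classes, their level numbers and category names are constructed for illustration, and can_read() is my assumption of the usual reading rule (subject class dominates object class), which the notes do not state.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AccessClass:
    """One access class: security level and categories, integrity level and categories."""
    seclvl: int
    seccat: frozenset = field(default_factory=frozenset)
    intlvl: int = 0
    intcat: frozenset = field(default_factory=frozenset)

def equal(a, b):
    """equality: class(A) = class(B), i.e. all four components agree."""
    return a == b

def dominates(a, b):
    """A dominates B if seclvl(A) >= seclvl(B) and seccat(A) is a superset of
    seccat(B) and intlvl(A) <= intlvl(B) and intcat(A) is a subset of intcat(B).
    Secrecy is ordered 'higher dominates'; integrity runs the other way."""
    return (a.seclvl >= b.seclvl and a.seccat >= b.seccat
            and a.intlvl <= b.intlvl and a.intcat <= b.intcat)

def compare(a, b):
    """Classify the pair as 'equal', 'dominates', 'dominated' or 'incomparable'.
    The last case shows domination is a partial order, not a total one."""
    if equal(a, b):
        return "equal"
    if dominates(a, b):
        return "dominates"
    if dominates(b, a):
        return "dominated"
    return "incomparable"

def can_read(subject, obj):
    """Assumed reading rule (not stated in the notes): a subject may read an
    object only if the subject's class dominates the object's class."""
    return dominates(subject, obj)

# Constructed sample classes; levels and category names are illustrative only.
SECRET_NUC = AccessClass(seclvl=2, seccat=frozenset({"NUC"}), intlvl=1)
SECRET_CRYPTO = AccessClass(seclvl=2, seccat=frozenset({"CRYPTO"}), intlvl=1)
CONFIDENTIAL = AccessClass(seclvl=1, intlvl=1)
```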