DocumentCode
3099940
Title
A separation model for virtual machine monitors
Author
Kelem, Nancy L. ; Feiertag, Richard J.
Author_Institution
Trusted Inf. Syst. Inc., Mountain View, CA, USA
fYear
1991
fDate
20-22 May 1991
Firstpage
78
Lastpage
86
Abstract
A security policy is given for separation virtual machine monitors (SVMMs), and the authors interpret J.M. Rushby's (1981) separation model for SVMMs. Applying Rushby's technique yields a practical method for demonstrating that an implementation of an SVMM adheres to the abstract isolation axiom of the separation model, thus providing relatively strong assurance for a low level of effort. The authors describe the relevant characteristics of SVMMs and note the applicable formal modeling requirements. A summary of the SVMM separation model, which is a modification of the original model presented by Rushby, is given. The separation model technique permits a proof of separability among the operating systems under control of the kernel of an SVMM. An interpretation of the elements of the separation model using concepts from SVMMs is given.
Keywords
security of data; supervisory programs; virtual machines; SVMM; abstract isolation axiom; formal modeling requirements; kernel; security policy; separation model; separation virtual machine monitors; Access control; Communication system security; Computer security; Information security; Information systems; Kernel; Operating systems; Resource management; Virtual machine monitors; Virtual machining;
fLanguage
English
Publisher
ieee
Conference_Titel
Research in Security and Privacy, 1991. Proceedings., 1991 IEEE Computer Society Symposium on
Conference_Location
Oakland, CA
Print_ISBN
0-8186-2168-0
Type
conf
DOI
10.1109/RISP.1991.130776
Filename
130776