A formal security policy for Xenon.

CCS (2008)

Abstract

The up-front choice of security policy and the formalism used to model it is critical to the success of projects that seek to enforce information-flow security. This paper reports on the Xenon project's choice of policy and formalism. Xenon is a high-assurance separation hypervisor based on re-engineering the Xen open-source hypervisor. Xenon's formal policy both guides the re-engineering and serves as a basis for formal modelling. Definitions of information-flow security can be difficult to apply, because in general they are not preserved by refinement. Roscoe, Woodcock, and Wulf have defined an information-flow policy that is preserved by refinement, but it is defined in a purely event-based formalism that does not directly support refinement into state-rich implementations like hypervisor internals. Circus is a combination of Z, CSP, and Hoare and He's unifying theories of programming. Circus is suited for both event-based and state-based modelling. In this paper, we show how to define an information-flow policy in Circus that is also preserved by refinement. Because Circus retains the human-readability of Z, heuristic application of the policy to re-engineering is simplified and a larger open-source community can be supported. Because Circus can easily model state-rich implementations of event-based security policies, the Xenon model can support complete policy-to-code modelling in a single language.