Shared resource matrix methodology

@article{Kemmerer1983SharedRM,
  title={Shared resource matrix methodology},
  author={Richard A. Kemmerer},
  journal={ACM Transactions on Computer Systems (TOCS)},
  year={1983},
  volume={1},
  pages={256--277},
  url={https://api.semanticscholar.org/CorpusID:12608300}
}
A methodology for discovering storage and timing channels that can be used through all phases of the software life cycle to increase confidence that all channels have been identified is presented.

A Practical Approach to Identifying Storage and Timing Channels

A practical methodology for discovering storage and timing channels that can be used through all phases of the software life cycle to increase the assurance that all channels have been identified.

A practical approach to identifying storage and timing channels: twenty years later

R. Kemmerer, Computer Science, 2002

A Formal Method for the Identification of Covert Storage Channels in Source Code

A formal method for the identification of covert storage channels is presented and its application to the source code of the Secure Xenix* kernel is illustrated and it leads to the discovery of all storage channels in kernel implementations.

The Formal Development of a Secure Transaction Mechanism

The experience of using formal specification and refinement to develop the TP mechanism in a manner which is amenable to reasoning about its correctness is described.

On the Identification of Covert Storage Channels in Secure Systems

A practical method based on the identification of all visible/alterable kernel variables by using information-flow analysis of language code that helps discover all potential storage channels in kernel code and helps avoid discovery of false flow violations and their unnecessary analysis.

Formal Methods and Automated Tool for Timing-Channel Identification in TCB Source Code

We characterize the properties of timing channels that are reflected in source code and present formal methods for the identification of these channels in source code of trusted computing bases.

Research on Identifying Method of Covert Channels in Database System

This paper proposes a more efficient, more faithful and safely isolated method for identifying covert channels in database systems, which contributes to the follow-up process.

Formal Methods and Automated Tool for Timing-Channel Identification in TCB Source Code

The properties of timing channels that are reflected in source code and formal methods for the identification of these channels in source code of trusted computing bases (TCBs) are characterized and presented.

Covert flow trees: a technique for identifying and analyzing covert storage channels

Algorithms for automating the construction of CFT and potential covert channel operation sequences are presented and two example systems are analyzed and their results are compared to two other analysis techniques performed on identical systems.

Execution leases: A hardware-supported mechanism for enforcing strong non-interference

A new method for creating architectures that both makes the complete information-flow properties of the machine fully explicit and available to the programmer and allows those properties to be verified all the way down to the gate-level implementation of the design is proposed.

A Technique for Proving Specifications are Multilevel Secure

A technique is presented for verifying that a design for an operating system or subsystem, expressed in terms of a formal specification, is consistent with a particular model of multilevel security, which gives assurance that the given design is multilevel secure by this particular model.

Specification and verification of the UCLA Unix security kernel

The work represents, to the authors' knowledge, the first significant attempt to verify a large-scale, production level software system including all aspects from initial specification to verification of implemented code.

Program confinement in KVM/370

The techniques used in KVM/370 to confine programs (to prevent data leakage) so that the security of the system is preserved are discussed.

A lattice model of secure information flow

The model provides a unifying view of all systems that restrict information flow, enables a classification of them according to security objectives, and suggests some new approaches to formulating the requirements of secure information flow among security classes.

Security Kernel validation in practice

The technique used to carry out the first step of the proof of the correctness of a security kernel on a PDP-11/45 is described: validating a formal specification of the program with respect to axioms for a secure system.

A note on the confinement problem

A set of examples attempts to stake out the boundaries of the problem by defining a program during its execution so that it cannot transmit information to any other program except its caller.

A Practical Executive for Secure Communications

The Secure HUB Executive, a verified secure operating system oriented toward supporting communications and other real-time applications, has been developed and is portable to a wide range of mini- and microcomputers.

Data Security

The general nature of each type of control, the kinds of problems they can and cannot solve, and their inherent limitations and weaknesses are described.

A comment on the confinement problem

An approach to proving that an operating system enforces confinement, by preventing borrowed programs from writing information in storage in violation of a formally stated security policy, is presented.