Proving the adequacy of protection in an operating system

Abstract

The best that can be expected from traditional debugging and testing techniques is that the number of bugs will be reduced to a tolerable level. However, programs that either implement or relate to protection in an operating system are examples of programs for which: 1) the number of residual bugs that can be tolerated is zero; 2) it is necessary to know, or at least have convincing objective evidence, that the number of bugs is indeed zero; and 3) the concern extends to bugs which would not arise under normal circumstances and which may be very difficult to find either by testing or by normal use.