{"title":"Formal model of a trusted file server","authors":"J. C. Williams, G. Dinolt","doi":"10.1109/SECPRI.1989.36290","DOIUrl":null,"url":null,"abstract":"The authors present a formal, mathematical model for a trusted file server (TFS) for a multilevel secure distributed computer system. The goal is to produce formal verification from the top-level specification down through code for the entire system of which a TFS is one component. By viewing the TFS as a black box, it is possible to specify its security as a relation that must hold invariantly between an output stream of responses and an input stream of requests. Using the proposed approach, the authors have provided a small (perhaps minimal) set of compromise security constraints on the TFS. They have produced an implementation of the TFS in Gypsy and verified that the implementation satisfies this model. It is also shown that the specified relation is stronger than noninterference, and that a noninterference model cannot cover the security-relevant functionality of deleting or changing the size of a file.<<ETX>>","PeriodicalId":126792,"journal":{"name":"Proceedings. 1989 IEEE Symposium on Security and Privacy","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1989-05-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings. 1989 IEEE Symposium on Security and Privacy","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SECPRI.1989.36290","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 2
Abstract
The authors present a formal, mathematical model for a trusted file server (TFS) for a multilevel secure distributed computer system. The goal is to produce formal verification from the top-level specification down through code for the entire system of which a TFS is one component. By viewing the TFS as a black box, it is possible to specify its security as a relation that must hold invariantly between an output stream of responses and an input stream of requests. Using the proposed approach, the authors have provided a small (perhaps minimal) set of compromise security constraints on the TFS. They have produced an implementation of the TFS in Gypsy and verified that the implementation satisfies this model. It is also shown that the specified relation is stronger than noninterference, and that a noninterference model cannot cover the security-relevant functionality of deleting or changing the size of a file.