A separation model for virtual machine monitors

Abstract

A security policy is given for separation virtual machine monitors (SVMMs) and the authors interpret J.M. Rushby's (1981) separation model for SVMMs. Applying Rushby's technique yields a practical method for demonstrating that an implementation of an SVMM adheres to the abstract isolation axiom of the separation model, thus providing relatively strong assurance for a low level of effort. The authors describe the relevant characteristics of SVMMs and note the applicable formal modeling requirements. A summary of the SVMM separation model, which is a modification of the original model presented by Rushby, is given. The separation model technique permits a proof of separability among the operating systems under control of the kernel of an SVMM. An interpretation of the elements of the separation model using concepts from SVMMs is given.<>