This paper presents a general methodology for the design, implementation, and proof of large software systems, each described as a hierarchy of abstract machines. The design and implementation occur in five stages as described in this paper. Formal proof may take place at each stage. We expect the methodology to simplify the proof effort in such a way as to make proof a feasible tool in the development of reliable software. In addition to the anticipated advantages in proof, we feel that the methodology improves a designer's ability to formulate and organize the issues involved in the design of large systems, with additional benefits in system reliability. These advantages remain even if proof is not attempted. We are currently applying this methodology to the design and proof of a secure operating system. Each level in the system acts as a manager of all objects of a particular type (e .g ., directories, segments, linkage sections), and enforces all of the protection rules involved in the manipulation of these objects. In this paper we illustrate the methodology by examining three of the system levels, including specifications, for a simplified version of these levels. We also demonstrate some proofs of security-related properties and of correctness of implementation.
Read full abstract