Applying the Composition Principle to Verify a Hierarchy of Security Servers

This paper describes how the composition principle of Abadi and Lamport can be applied to specify and compose systems where access control policies are distributed among a hierarchy of agents. Examples of such systems are layered secure operating systems, where the mandatory access control policy is enforced by the lowest system layer and discretionary and application-speciic policies are implemented by outer layers, and microkernel operating systems, where the access control policy may be distributed among a hierarchy of server processes. We speciically consider the case of a microkernel operating system type architecture, in which resource management policies are enforced by server processes outside of the kernel, and where the system access control policy is a composition of the distinct policies implemented by the servers. As an example, we have speciied a two-server system, including both safety and progress properties. We formally veriied the composition of the two server processes using the HOL theorem proving system.