A Formal Model for MILS Integration

The central artifact in a MILS system is its policy architecture. This identifies the logical components of the system and their channels for communications, and specifies which components are trusted. The components of the policy architecture are logically separate but may share physical resources under the control of trusted resource-sharing components, such as separation kernels or partitioning communications systems. Assurance for a MILS system involves four steps: • Assurance that individual trusted policy components enforce their local policies, • Assurance that the individual trusted policy components, in the context of the policy architecture, compose to enforce the overall system policy, • Assurance for individual resource-sharing components, • Assurance that the individual resource-sharing components compose to enforce the policy architecture. This report introduces a formal model for policy architectures and outlines formal approaches for accomplishing the four assurance tasks listed above. The policy architecture model imposes some modest constraints on the formal methods of assurance employed, but developers are otherwise free to employ whichever methods best suit the task concerned.