Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site axiom.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!bellcore!decvax!linus!axiom!smk
From: smk@axiom.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Unix (In)Security
Message-ID: <11@axiom.UUCP>
Date: Tue, 18-Dec-84 23:12:21 EST
Article-I.D.: axiom.11
Posted: Tue Dec 18 23:12:21 1984
Date-Received: Fri, 21-Dec-84 00:47:18 EST
References: brl-tgr.6445 sask.141 milo.778 <3558@ecsvax.UUCP>
Organization: Axiom Technology, Newton MA
Lines: 15

KVM was an attempt at a secure kernel implementation of VM. It got farther
than most secure OS projects.

You can't formally prove any complex system. There is too much handwaving
in showing the formal specs/model really meet your requirements and the
design meets the specs. With that much handwaving, you can have the perfect
spec and a design that implements something completely different. Nothing
short of formal ties between the stages will satisfy me (not to mention the
proofs of correctness for the compiler/assembler/translator, the machine
instruction set itself -- as anyone working on a braindamaged micro can
attest to).

--
--steve kramer
{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!axiom!smk (UUCP)
linus!axiom!smk@mitre-bedford (MIL)