Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site axiom.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!bellcore!decvax!linus!axiom!smk
From: smk@axiom.UUCP
Newsgroups: net.unix-wizards
Subject: Re: Unix (In)Security
Message-ID: <11@axiom.UUCP>
Date: Tue, 18-Dec-84 23:12:21 EST
Article-I.D.: axiom.11
Posted: Tue Dec 18 23:12:21 1984
Date-Received: Fri, 21-Dec-84 00:47:18 EST
References: brl-tgr.6445 sask.141 milo.778 <3558@ecsvax.UUCP>
Organization: Axiom Technology, Newton MA
Lines: 15

KVM was an attempt at a secure kernel implementation of VM.  It got
farther than most secure OS projects.

You can't formally prove any complex system.  There is too much handwaving
in showing the formal specs/model really meet your requirements and the
design meets the specs.  With that much handwaving, you can have the perfect
spec and a design that implements something completely different.  Nothing
short of formal ties between the stages will satisfy me (not to mention the
proofs of correctness for the compiler/assembler/translator, the machine
instruction set itself -- as anyone working on a braindamaged micro can attest
to).
-- 
	--steve kramer
	{allegra,genrad,ihnp4,utzoo,philabs,uw-beaver}!linus!axiom!smk	(UUCP)
	linus!axiom!smk@mitre-bedford					(MIL)