|
||
|
| Home |
| Program |
| Registration |
| Call for Papers |
| Submit Papers |
|
Question or Comment
|
Using Formal Methods in a Security CertificationMatt Wilding Rockwell Collins In May 2005 the Rockwell Collins’ AAMP7G microprocessor was certified as capable of simultaneously processing information at all classification levels. The certification included a formal verification that the microprocessor implements secure partition separation. A formal low-level design model corresponding line-for-line with the microprocessor's microcode was proved to work properly. The AAMP7G separation correctness theorem and proof were developed using the ACL2 theorem prover, and the hundreds of pages of definitions and lemmas that lead ACL2 to accept the separation correctness proof were checked using this publically-available tool. In this talk I will describe how we analyzed the AAMP7G, what we needed to invent to accomplish the verification, and what is needed to make formal methods based certifications of this kind more routine. (The AAMP7G's formal verification was joint work with David Greve and Ray Richards) |