ad-all& ford aerospace and.connunications corp palo … · jecting the kernel specification to...

AD-All& 563 FORD AEROSPACE AND.CONNUNICATIONS CORP PALO ALTO CA A-ETC F/6 17/2C0(ASOS) KERNEL VERIFICATION RESULTS. KERNELIZED SECURE OPERATING--ETC(U)

UNCLASSIFIED W L-TR9001I NL

-mIIIEI2I..-IIIIIIEEE-EE-EIIIEEIIEEE-EEE--EIIEE-Em--....II-EEE.....EE.l

UlI . ' f l -i 1111.L 140

QjQ .25 NGL~ 1.6

MICROCOPY RESOLUTION TEST CHART

WDL-TR9001December 1980

COD

SECURE MINICOMPUTER OPERATING SYSTEM.,(KSOS)

. KERNEL VERIFICATION RESULTS.

Department of Defense Kernelized Secure Operating System

Contract MDA 903-77-C-0333

CDRL 0002BG

C -TPrepared for: MAR03

Defense Supply Service - WashingtonRoom I D245, The PentagonWashington, DC 20310 E

Approved for ptblic -elease; distribution unlimited.

Ford Aerospace &Communications CorporationWestern DevelopmentLaboratories Division

3939 Fabian WayPalo Alto. California 94303

S2 03 ,;3 031

CONTENTS

1. Introduction 1

2. KSOS Verification Achievments 22.1 The HLS Formula Generator 22.2 Proof of the Kernel Specifications 2

2.2.1 Analysis of the Specification Proofs 72.2.2 Additional Lessons Learned from the Kernel Specification

Proofs 72.3 Prototype Tools for Specification and Code Proofs 8

2.3.1 Summary of Tools and Manual Steps 122.3.2 Additional Notes 132.3.3 Sample MLS Tool Outputs and Their Interpretation 13

2.4 Code Proof for a Simplified Module 152.5 Manual Code/Specification Analysis 15

3. Non-Achievments 17

4. Appendix A - Kernel Formal Specifications 18

5. Appendix B - Sample Code Proof 19

Accession For

NTIS GRA&IDTIC TAB

- J'i;t i icotKio:

ility CodesI T I;_v 1 and/or

I cial

-_NON"

- KSOS Kernel Verification Results

S1. Introduction

The original KSOS verification goals were the following:

1. The instantiation of the multilevel security model to SPECIALJ

2. The design and development of a computer tool (the MLS formula generator)whose input would be SPECIAL specifications, and whose output would beconjectures, the proof of which would imply that the specifications donot contain any violations of the multilevel security model;

3. The proofs that the specifications for the KSOS security perimeter (Ker-nel and NKSR) conform to the security model. In the event of violations,the proof process should pinpoint the violations so that they may beeliminated or bandwidth-limitedj

4. The development of support tools so that illustrative code proofs couldbe carried out. The goal of these code proofs is to demonstrate thefeasibility of performing full code proofs at a later date,

5. The carrying out of illustrative code proofs.

KSOS has succeeded in instantiating the multilevel security model to SPECIALand developing the MLS formula generator, in producing proofs of the kernelspecifications, in producing prototype support tools that could be used incode proofs, in producing a code proof for a version of the SMXflow module,and in producing some mapping functions (manually) showing the correspondenceof VFUNS to Modula structures for certain kernel modules.. Due to a variety oforganizational and technical factors indicated below, KSOS~has been less thansuccessful in producing specification proofs for the NKSR, 4n producinghuman-engineered, fully documented support tools for code proofs, and in pro-ducing code proofs other than for simplified modules.

December 1980 - 1 - WDL-TR9001

KSOS Kernel Veriftation Results

2. KSOS Verification Achievments

This section provides details of the achievements mentioned above, andindicates their benefits.

2.1 The MLS Formula Generator

The instantiation of the MLS model to SPECIAL, and a description of theMLS formula generator are found in the report "A Technique for Proving Specif-ications are Multilevel Secure", SRI CSL-109, January 1980. Although thistool has limitations, as mentioned below, the concept upon which it is basedrepresents an important breakthrough in verifying security properties of sys-tems. Its main virtue is that the designer of a system need only supply thespecifications of the system as input; in contrast to other verification sys-tems (e.g., INA JO), it is not necessary to supply additional assertions.Several current limitations and areas for improvement are mentioned in theabove-cited report: a variety of restrictions of SPECIAL are imposed on thedesigner; the semantics of SPECIAL is defined only within the code for theformula generator and in the definitions and axioms of the theorem prover; thehuman interface is clumsy and provides little help in analyzing the output;and it is largely ad-hoc in construction and behavior creating the possibilityof failed proofs that should succeed and unsound proofs in the face of secu-rity flaws. In addition to this list, we have noted in our utilization ofthe tool that a large majority of formulas that are sent to the theorem proverare not much more complex than x <- x, which might be filtered out by a morepowerful simplifier.

2.2 Proof of the Kernel Specifications

Between November 1979 and February 1980 there was intensive activity sub-jecting the kernel specification to analysis using the MLS and Theorem Provingtools. The specifications for all 34 top level kernel calls, and their sup-porting specifications, were processed. Space limitations prevented theentire kernel from being processed in a single run, so the kernel specifica-tions were broken into 5 modules. It is significant that the modularity ofthe kernel specifications permitted such a decoaposition after the fact.

In the first run, 24 November 1979, a total of 1654 formulas were gen-erated by MLS. 755 of these were sufficiently trivial so that the MLS toolwas able to deduce their validity without passing them on to the TheoremProver. Of the remaining 899 formulas, 586 were proved by the Theorem Prover,and 313 were unproved. In the final run, 5 February 1980, the figures were:1598 formulas generated, 867 proved trivially by MLS, 416 proved by TheoremProver, and 315 unproved. Detailed charts showing the statistics for eachkernel call are presented below. These specifications are included as Appen-dix A.

In the remainder of this section, we will discuss the significance ofthese numbers, and the effect that the .7uns had on subsequent modifications tothe specifications. There is no significant correlation between the number ofunproved conjectures and the degree to which the specifications contain secu-rity violations. This is because a subtle and deep violation of the securitymodel may generate a small number of conjectures, whereas a simple and easily


KSOS Kernel Verification Results

repairable violation may generate many unproved conjectures. Nonetheless,the totality of unproved conjectures is significant in that it maps onto thetotality of violations of the model.

The first several runs pinpointed problems in the MLS tool itself and inthe style of writing specifications. The MLS tool was unable to handleresource errors, renaming, and produced numerous duplicate formulas to be sentto the Theorem Prover. In terms of specification writing style, the tool hadtrouble with EFFECTS OF clauses, with ordering of exceptions, and (somewhat toour amazement) with Treating logically equivalent Boolean expressionsequivalently (e.g. AND and OR are treated nonsymmetrically, with the result

- that DeMorgan's laws do not apply as far as the MLS tool is concerned).Therefore phase I of our efforts dealt with rewriting the specifications towork around these problems, and with the correction of certain difficultieswith the MLS tool.

The next phase of our involvement with the specifications dealt withadding knowledge that the Theorem Prover would need to prove some of theunproved conjectures. For example, various security properties hold for openfiles, because such properties were checked at the time the file was opened,and no security changes were made since then. Such information was added inthe form of axioms (or unproved lemmas), which allowed some of the unprovedconjectures to be proved. However, extreme caution is needed in adding axioms(i) to avoid adding inconsistencies (in which case every conjecture is prov-able, due to the interesting property of logical implication, that an incon-sistency implies FALSE, and FALSE implies anything), and (ii) to avoid addingconsistent but unwarranted axioms. It is very unlikely that an inconsistencywould be added that would not be detected subsequently by human analysis. Forseveral runs, however, there were some unwarranted axioms to the effect thatan object can only access objects at the same security level (such a system isknown as "stratified"). As a result, several conjectures were proven whichshould not have been.

Thus, the discussion has focused on experiences with the tools them-selves, and with adding supplemental knowledge in the form of axioms. Theanalysis of the unproved conjectures is also significant. We categorized thereasons for failing to prove a conjecture into the following:

* resource error (representing a potential channel, based on resource util-ization patterns, which may be bandwidth-limited by the introduction ofrandom delays in the implementation, rather than eliminated);

& errors that can be fixed by redesigning the kernel;

* errors that are allowed to remain because there is no way for illicitinformation to leak beyond the security perimeter (including deliberateviolations in the trusted software, needed to achieve desired functional-ity, as well as violations to hidden VFUNS);

- and valid formulas which the theorem prover could not prove.

We have analyzed every error detected by the tools, and taken appropriateaction. However, the funding for continued utilization of the tools on live



specifications was depleted before the final version of the specifications wasproduced. Thus, potentially, there are violations in the final version of thespecifications that should be fixed.

Next are presented detailed charts showing the statistics for each of the34 kernel calls in terms of number of formulas generated (FOR), triviallyproved (TRV), proved by Theorem Prover (THM), and unproved (UNP). Followingthese charts, the next several subsections deal with a more detailed analysisof the changes made to the specifications as a result of analyzing the outputof the tools.

D m -

December 1980 - 4 - WDL-T19001


11/19/79 Status of KSOS SpecificationsS"(R)FOR TAV THM UNP

(KERI)K FORK 158 39 18 101

- KGET PROCESS STATUS 2 0 2 0K INTERRUPT RETURN 9 9 0 0K-INVOKE - 61 42 19 0-NAP 0 0 0 0

K-POST 10 6 4 0KCRECEIVE 7 7 0 0K-RELEASE PROCESS 49 18 9 22

- KSET PROCESS STATUS 6 4 2 0K-SIGNAL 6 2 4 0K-SPAWN 149 50 31 68K WALKPROCESS TABLE 2 2 0 0

(KER2)K CLOSE 29 11 15 3K-CREATE 29 10 1 18K GET FILE STATUS 28 0 6 22K LINK 30 3 3 24K- MOUNT 66 28 28 10K OPEN 90 18 1 71K SECURE TERMINAL LOCK 7 4 0 3K-SET FILE STATUS- 81 15 15 51

K UNLINK - 59 3 4 52

KUNMOUNT 79 22 19 38

(KER3)K DEVICE FUNCTION 100 49 51 0K"SPECIAL FUNCTION 3 2 1 0KWRITEBLOCK 211 97 114 0

(KER4)K BUILD SEGMENT 39 22 3 14KGET OBJECT LEVEL 2 0 2 0K GET SEGMENT STATUS 3 0 3 0K RELEASE SEGMENT 30 15 15 0K-REMAP - 82 55 27 0K-CRENDEZVOUS SEGMENT 49 28 3 18K SET OBJECT LEVEL 11 5 0 6K SET SEGMENT STATUS 31 16 15 0

(KER )K READBLOCK 309 161 148 0

TOTAL 1827 743 563 521

- December 1980 - 5 - WDL-TR9001


2/12/80 Status of KSOS Specifications

(The total of the last three columns may be less than the firstcolumn, due to the formula generator eliminating duplicate

formulas.) -

FOR TRV THM UNP

(KERI)K FORK 177 96 0 34K GET PROCESS STATUS 2 0 2 0KC INTELRRUPT iffTURN 9 9 0 0

K INVOKE 61 42 11 1KNAP 0 0 0 0K POST 8 6 1 1K-RECEIVE 7 7 0 0K RELEASE PROCESS 74 19 5 13

K SET PROCESS STATUS 6 4 2 0KSIGNAL 6 2 3 0

K SPAWN 149 88 11 16

KWALK PROCESS-TABLE 2 2 0 0

(KER2)K CLOSE 48 23 0 3ICCREATE 26 12 1 6K GET FILE STATUS 7 0 3 0

K-LIK 15 11 2 1K-MOUNT 64 23 6 17

K-OPEN 48 27 8 4K-SECURE TERMINAL LOCK 7 4 0 2K-SET FiESTATUS- 36 16 10 1I( UNLINK 26 19 3 1KUNHOUNT 79 35 6 17

(KER3)

K DEVICE FUNCTION 45 13 32 0

K-SPECIAL FUNCTION 3 2 1 0

KWRITE. BLOCK 211 111 100 0

(KER4) "

K BUILD SEGMENT 43 33 3 3

KGET OBJECT LEVEL 2 0 2 0K-GET-SEGMENT STATUS 3 0 2 0 .

KRELEASE SEGMENT 38 17 0 6-REMAP 50 34 9 7

K-RENDEZVOUS SEGMENT 48 28 12 1K-SET OBJECT-LEVEL 11 7 0 4 "KSE-SZGME9N"_ STATUS 31 16 8 0

(KER5) -

K READ-BLOCK 254 160 94 0

TOTAL 159o 867 337 138



2.2.1 Analysis of the Specification Proofs

The value of using an automatic tool for checking conformance with a for-mal model of security, rather than relying on careful scrutiny by teams ofhumans, became obvious when the tool detected numerous "errors" that had goneundetected throughout several iterations of human inspection by the Contrac-tor, Subcontractor, and Customer. Analysis of these errors lead to the fol-lowing three categorizations:

1. errors that could be removed by providing additional information or by

syntactically reformulating the specifications;

2. errors that represent formal, but not "real", violations of the model;

3. errors that represent implicit channels, that cannot be removed withoutdestroying needed KSOS functionality, but which can be bandwidth-limited;

4. and errors that represented wide-open security violations (there were ncviolations in this category).

Examples of errors that could be removed by adding or reformulating EXCEPTIONSare found in PROpost, PROreleasLProcess, PROsetprocessStatus, and FCAopen.Security violations existed in the original versions of the PRO specificationsbecause a process could determine the (non)existence of another process at ahigher level by means of an EXCEPTION value. In FCAopen, an error existed inthe original specifications when a process tried to open a file at a higherlevel for writing (since file status information also had to be read by theprocess). The solution was to disallow a process from opening a file at ahigher level.

An example of a violation that could be removed by kernel redesign was inthe subtype mechanism. In FCA, a global assertion was needed stating that ifa process p can read or write a file f, then p can read the subtype associatedwith f. Thus, the level of a file is greater than or equal to the level ofits associated subtype. In the original design of subtypes, there was alsothe rule that to write on file f, a process p must be able to write on thesubtype associated with f. All the previous facts, however, imply that forany subtype x, all files associated with x must be at the same level as x.This is unacceptable in the case of directories, since users at different lev-els create directories. The solution was to change the above rule so that towrite on file f, process p must be able to execute (not write) the subtypeassociated with f.

An example of a formal, but not "real", security violation is a readreference to the openCount field of FCAinfo, as occurs in FCAclose. Ostensi-bly this read reference is a security violation; however, the only knowledgegained is whether or not its value is 1, and if so, the file is deletedimmediately.

- 2.2.2 Additional Lessons Learned from the Kernel Specification Proofs

In addition to the direct analysis of the output of the specificationproofs, certain principles emerged which have provided useful guidelines in



writing specifications, and which, in the future, may be worthwhile to incor-porate in tools. Two such principles we have named the "setup principle" andthe "transition principle".

2.2.2.1 The Setup Principle

The Setup Principle states: "If process p can access object o at time t,and no security-related changes occur to p or o between t and current time t',then p can access o at t' without rechecking access rights". Applications ofthis principle are: putting a file into the open descriptor table; and put-ting a segment into an address space. Utilizing the principle in a proofwould involve the restriction of tranquility violations to trusted software,and proving that trusted software did not make undesirable security-relatedchanges.

2.2.2.2 The Transition Principle

The Transition Principle states that "For finite, reusable objects (e.g.,Seids, openDescriptors), tranquility violations are acceptable if they conformto the following transition rules:

1. in making transitions from a defined to an undefined state for an objecto, all VFUNS whnse security level is a function of o also become unde-fined at the same time (VFUNS such as SENseidNSP, whose security level isalways system low, are thus excluded from this rule);

2. A new object comes into existence only from the undefined state."

2.3 Prototype Tools for Specification and Code Proofs

This section includes three figures showing the organization of the KDMtools-, the organization of the MLS proof tools, and the organization of thecode proof process (including a summary and some additional notes). Thesediagrams reflect the status of the subcontractor's efforts at the conclusionof their participation in KSOS methodological tool development, circa thefirst quarter of 1980.

December 1980 -8 -WDL-TR9001

-. KSOS Kernel Verification Results

Figure 1ORGANIZATION OF THE HDM TOOLS

Specifications Mappings Programs

I MODULE I I REPRESENTATION I j CODE II CHECKER I j CHECKER I HANDLER II.. •...I I----. * - I I----* -- I

(Robinson et al.) : Modula,: Pascal

Checked : ..................... : handlersspecs : Specs for : exist

upper and : ..... Interface andlower levels: : hierarchy j

S I-.....V-...... I---V---V---V---I descriptionsI MLS FORMULA I I INTERFACE &

GENERATOR I HIERARCHY II (Feiertag) I CHECKER <--.. -..-.

.For Spec Proofsj IFor Code Proofs I Merge mappings into code

:Would-be Upper&: :Code:theorems lower: :plus: level: :mappings* specs:............... I -V---V--I

* I VC GEN I

* * * *....Extra lemmas, axioms

l--V ---- V---V --- V-1

I VERIFICATION I-I SYSTEM

(Boyer-Moore)I-- , .. .•-....I

-I ITRUE FAILED

(plus PROOFS and/or failed NONPROOFS)



Figure 2

ORGANIZATION OF THE MLS SPEC PROOr TOOLS

SPECIALSpecifications

MODULE

CHECKER I -

Checkedspecs

I MLS FORMULA II GENERATOR I

: Would-be: theorems -

THEOREM -

PROVER

TRUE FAILED

(plus PROOFS and/or NONPROOFS)

0t



Figure 3ORGANIZATION OF THE CODE PROOF PROCESS FOR KSOS

(NOTE A)

Lower-Level Upper-Level Mappings Modula forSpecifications Specifications Between Levels Upper Level

..... Loop2.:- 2 2 . 5 : : invariants--- ... --- ... --- V ---- 1 _ . .- -- -.. 1t. .v--- v-1I MODULE I I MODULE I I MAPPING I ICODE TO PIFII CHECKER I I.CHECKER i I CHECKER I I PARSER I

-I----.-....I 1. . - 1I- ' . .II- -.. .

3 : 3 3

I manual I I manual I i manual IIxiate to I ixlate to I Ixlate to I (NOTE B)I CiS I I CIS I I CIM I

4 4 4I ... V.. ---- V---- V_ I ---- v ---- 1 6 :

I "UPDATE"[ I "UPDATE" I "UPDATE"I I II EXPANDERI IEXPANDEKj I EXPANDERI I PIF TO CIFiI TO VSSL TO VSSL I I TO VSSL I .-->I TRANSLATORI

I ----------- I

! - :.: ...(NOTE )..:7 7 8:I ---- V . . ---- 1 _ V----.. I-V7 ---- V-1

1* insert 1 * insert 1 1* insert l<--definitions (>I)ISelect ISelectl 1 .1 mappingsi<--invariants (-1)I1s.sLructI I I into C2Fl<--g1oba1.variabaes(optnl)ISuccessorl I I I i<--initialization programlUndefined I JClockinfol (required)IClockinfo I I I

: lower- upper- : code + mappings: level VSSL level VSSL

9:I-V ---- v ---- v-1

I VERIFICATIONII CONDITION I<--PRIMITIVE.OVFN.SPECSI GENERATOR I

(NOTE D)........... extra lemmas and axioms

10

I T EOKEM 1I PROVERI----. -

I ITRUE FAILED

(plus PROOFS and/or failed NONPROOFS)KEY: Lower case implies human effort, UPPER CASE IMPLIES MECHANICAL EFFORT.boxes marked with an asterisk (*) could be trivially MECHANIZED.



2.3.1 Summary of Tools and Manual Steps

1. It is necessary before beginning the proof process that the specifica-tions, mappings, and code conform to each other. Ideally this step isnot an enormous undertaking if things are done consistently throughout.Problems that must be dealt with include various difficulties with excep-tions, conflicting effects in multiple EFFECTS-OF, naming differences,different return argument conventions, etc. Special effort must also bedevoted to handling sets and structures, and certain auxiliary VFUNs mustalso be introduced.

It should also be noted that this process is an iterative process. Oneof the most important aspects of this approach is that it detects incon-sistencies. Thus each problem that is detected requires recyclingthrough the appropriate paths in the figure.

2. MODULE CHECKER and MAPPING CHECKER are the HDM tools that check syntacticconsistency. They have been working for four years, and are well docu-mented.

3. Manual translation to CIS (Common Internal Specification) and CIM (CommonInternal Mapping) removes all quantification, accommodates structures(rewriting VFUN references in terms of SELECT, UPDATE, and MAKESTRUCT),expands nested macros, etc.

4. "UPDATE" EXPANDER translates CIS and CIM to the internal specificationform (VSSL) used by the verification system. It removes all uses ofUPDATE and expands them to expressions in terms of SELECT only - guaran-teeing consistent manipulations of structures. Except for the structurerepresentations, CIS/CIM and VSSL are identical.

5. CODE TO PIF PARSER parses the Modula code into a parsed internal form.This form is normally invisible to the prover.

6. PIF TO CIF TRANSLATOR translates the parsed internal form into the commoninternal code form used by the verification system, using the supplied(upper-level) specifications to compute exception handling instructions.CIF is documented in the Boyer-Moore HDM document.

7. Insertion of various specifications (for the upper-level SELECT, [calledSELECTI], the lower-level SELECT, IS.STRUCTURE, CLOCKINFO, and the notionof UNDEFINED) is required to complete the specifications.

8. The CIF must be augmented with the mappings, CLOCKINFO, at least twodefinitions, an invariant (which may contain many components), globalvariables (which are optional), and an initialization program.

9. The VERIFICATION CONDITION GENERATOR takes upper- and lower-level specif-ications and code (augmented with the mappings, etc., as noted above),and generates verification conditions for the Theorem Prover.

10. The THEOREM PROVER takes verification conditions as would-be theorems andattempts to prove them. It returns either TRUE (along with the proof) or



FAILED (along with its attempted proof) for each verification condition.

2.3.2 Additional Notes

A. Before attempting any code proofs, code should have been compiled, run,and tested. These steps are omitted from this diagram.

B. This path may be traversed either manually or automatically (in theilatter case, with the ALLPARSE function).

C. The output from the CIF translator must be manually loaded from thetranslator environment into the Theorem Prover environment, which aredisjoint. However, this change of environment could be automated.

D. At present the Theorem Prover must be invoked manually for the given setof verification conditions, although this could easily be done automati-cally.

2.3.3 Sample 14LS Tool Outputs and Their Interpretation

In this section we present two sample outputs from the MLS tool: onewhich fails to be proven subsequently by the theorem prover, and one which issubsequently proven by the theorem prover.

2.3.3.1 A Failed Formula

This example is taken from PVIbuild, and is generated from the firsteffect. The relevant definitions are the following:

DEFINITIONStiiStruct proTii IS TIIinfo(pSeid);tiiStruct segTii

IS STRUCT(proTii.nd, ...seid newSegSeidIS SOME seid s I SENseid Nsp(s) - SENseidNsp(exampleSegmentSeid)

AND SEGinstancelnfo(s) - ?;EXCEPTIONS

EFFECTS'Tllinfo(newSegSeid) - segTii;

M- The MLS tool generates the following conjecture from this first effect, whichis then fed into the theorem prover:



Proving:(SMXcompare pSeid.I s.1.1.1.1)

Name the conjecture *I.

Since there is nothing to induct upon, the proof has

F AILED I

The conjecture is generated based on the structural aspect of the effect,namely, that writing is occuring into TItinfo, as evidenced by the syntax ofTIIinfo being quoted. Hence, according to the multilevel security model,which allows writing to occur only in an upward or equal direction of securitylevel, the model requires the source of the write to be less than or equal tothe level of 'TIlinfo. The predicate "x is less than or equal to y in secu-rity level" is given formally by "SMXcompare(x,y)." The source of the writingis segTii, which expands from the above definitions to STRUCT(TIllnfo(pSeid),•..). The level of segTii is computed by the MLS tool to be pSeid, based oninformation fed to the tool at the start of the session (or remembered by thetool from a previous session). The level of Tllinfo(newSegSeid) is likewisecomputed by the MLS tool to be s (from the definition of newSegSeid). Hencethe model requires pSeid to be less than or equal to s in security level, andgenerates the conjecture so stating.

The reason for the arguments of the conjecture being named pSeid.1 ands.1.1.1.1 are due to the internal workings of the MLS tool, which adds suffi-cient "tails" to the variable names to make them all unique. The MLS toolworks in a completely flat name space. -e

For the above conjecture to be true, it is necessary to add more informa-tion, namely, that the level of newSegSeid is greater than or equal to thelevel of pSeid. This additional information can be added in a variety ofways. One way would be to add a third conjunct to the definition of newSeg-Seid. The information could also be added via an exception.

2.3.3.2 A Proven Formula

Virtually all of the formulas generated by the MLS tool and subsequentlyproved were simple in nature, requiring substitution of variables, or proposi-tional logic, rather than complex inductive strategies. The following exampleis typical.

As a first step, a global assertion stating that

SMXcompare(SEGuselnfo(s, sd).instance, s) - TRUE

was added to the semantics of the system, taken from an assertion in thespecifications. Universal quantification is understood with respect to theparameters s and sd. The internal form of the assertion is:



-ADD.AXIOM(A0013 (REWRITE)(IMPLIES T

(EQUAL (SMXcompare (DOT (SEGuselnfo sl sd)(QUOTE instance))

- sl)T))

NIL)

The following proof is now presented, which uses the above axiom.

Module: ker4Function: KbuildsegmentEXCEPTION(EXCEPTIONSOF (PVMbuild pSeid ss ms size vl))

Proving:(IMPLIES (EQUAL use.1.l.1.l (SEGuselnfo pSeid.1 s.4.1))

(SMXcompare (DOT use.1.1.1.1 (QUOTE instance))pSeld.1))

This formula simplifies, rewriting with A0013, to:

(TRUE).

2.4 Code Proof for a Simplified Module

The Modula procedure SMXcompare was greatly simplified for the purpose ofpushing a code proof through the tools. Essentially all data abstractionswere removed from the procedure and its associated specifications, and theprocedure simply compared the fields of the two objects under considerationfor the appropriate inequality or subset operation. Although very much a toyexample, it was instructive to see the trace of the theorem prover in provingthe "correctness of the implementation of SMXCompareModule on PrimitiveMo-dule". The elapsed time was 1.065 seconds, with .124 seconds of cpu timedevoted to theorem proving. This code proof has been included as Appendix B.

2.5 Manual Code/Specification Analysis

As part of the efforts leading to the final version of the kernel specif-ications, we spent approximately 2 man days in manually comparing the code andspecifications for the PVM module. Our goal was to get a feeling for the dif-ficulties in carrying out a code proof. The first step was to map the typesbetween the code and the specifications. Although there were no conceptualdifficulties at this step, a variety of minor issues had to be checked. Forexample, {segDes} is mapped into {0..15}. We checked that no ordering pro-perties of the integers were used at the top level in the code (where suchordering properties would be unavailable at the top level in the specifica-tions). It was only in the implementation of the FORALL construct in SPECIALthat the ordering properties of the integers were used. Another minor exampleoccurs in the mapping of tiiStruct. Although the mapping is virtually theidentity mapping, in the specifications, owner and group are of type INTEGERand in the code they are of type CARDINAL.



The next step was to map the primitive VFUNS into the Modula datarepresentations. There are five primitive VFUNS to be dealt with. Four ofthem had reasonably clean mappings. SEGinUselndexSet, on the other hand, hadno counterpart in the code. We conjectured that its use in the specificationswas to guarantee unique said generation in PV~build and PVMcopySeg. In thecode, STMGassignEntry has the property that any seid generated is unequal tothe said of any existing segment. It was unclear how a mechanical code proofwould account for this type of correspondence.

The next step was to mAp the definitions between the specifications andthe code. We noted details in the code that had no counterpart in the specif-ications, e.g.: all virtual addresses that are base addresses for upward-growing segments are multiples of 64; no segment size exceeds 2**16 -512; andall segment sizes are multiples of 512. Nevertheless, there were no majorconceptual problems in this mapping.

The final step was to map the OFUNs into the Modula procedures. Ourapproach was to attempt "transliterating" the OFUNS into a Modula-likepseudo-code by first applying the previous mappings (and thus moving into a"Modula-like data space"), and then applying programmers's license to convertthe nonprocedural aspects of SPECIAL into the standard sequential type ofModula procedure. Having done this, the goal was then to compare the result-ing pseudo-code with actual Modula code to see if we could demonstrateequivalence. This paradigm went smoothly for the first OFUN we attempted(PVMcreate). For the next OFUN, however, (PVMstore) we encountered conceptualobstacles. In the specifications, one of the parameters was VECTOR OF INTEGERvec; in the code, however, there was nothing tangible corresponding to thisbecause vec represents data in transit along i/o channels or the data bus.To achieve a code proof would have necessitated resolving this problem, e.g.,by formalizing appropriate aspects of the underlying computer architecture andincorporating them into the specifications. This was obviously undoable atthis late stage.


Lf

KSOS Kernel Verification t esults

3. Non-Achievments

As mentioned earlier, there were various goals that were not achieved.In this section we indicate difficulties whica made success elusive, and whereappropriate, indicate things we would do differently which might lead togreater success in the future.

1. Logistical difficulties in running verification. Getting access to theverification machine at SRI involved physically being at SRI (due to apoor communications link between FACC and SRI). Furthermore the jobs hadto be run in batch mode in the evening hours. In the future, thingscould be improved dramatically with an on-site, accessible, interactiveverification capability.

2. Tool development in isolation from applications development. A largeL part of the SKI subcontract for tool development and related support pro-

ceeded in virtual isolation from the KSOS development effort. In thefuture, a much closer relationship is called for between Contractor andSubcontractor. The design and development of tools should be coordinatedwith the applications that will eventually use the tools.

3. Failure to apply HDM throughout all stages of KSOS. Although the modu-larization achieved by the formal specifications is clean and comprehen-sible, there was a failure to apply the hierarchical aspects of themethodology. The original lower-level specifications were simplytransliterations from the Modula code to SPECIAL, rather than an evolve-ment from top-level specifications. The gap between upper- and lower-level specifications was a significant reason for failure to achieve codeproofs. In the future, more rigorous use of all aspects of HDM will berequired. In particular, implementation should not commence until thereis a clear hierarchy of specifications, with appropriate mapping func-tions between adjacent levels, in which there is a reasonable gap betweenthe bottom level and the state space corresponding to the implementationlanguage. (It is worth noting that FACC has applied HDM in its entirety,as just mentioned, in IR&D projects during 1980 with successful results).

4. Shortcomings of Specification Technology. The lack of powerful con-structs in SPECIAL (and all other specification languages) for con-currency and dynamic processes created another gap between the code and

- the specifications. For future applications, more powerful versions ofHDM, in which SPECIAL is buttressed by appropriate concurrency and pro-cess constructs, and in which there is a closer correlation between HDMand the underlying theorem prover, will help achieve verification goals.

5. Oversimplicities in the basic security model. The Bell and LaPadulamodel which formed the basis for the KSOS security model is inappropriatein several respects, e.g., there is no direct way to model KSOSprivileges (which is a major reason the NKSR specifications were not pro-ven), and it does not allow the reuse of resources such as seids (whichis required in a finite implementation). In the future, more sophisti-cated and relevant models should be developed.



4. Appendix A - Kernel Formal Specifications

This appendix contains the most recent versior. of the Kernel Formal Specifica-tions that were actually verified. The current version, which describes the

f system actually delivered, appears as an appendix to the Kernel B-Specs.


fca.specs Page I Fri Mar 27 15-30 44 1981

I $C MODULE- fca.specs (version 2.21)2 CONTENTS: File Capabilities3 TYPE: SPECIAL.specifications

4 LAST CHANGED! 10/12/79, 11:26:25

5 ")- 6

78 MODULE fca

- 91011 $("rhis module manages all openable objects, i.e., those that are referenced

12 through the open table corresponding to a process. These objects Include- 13 files, devices - both addressable and nonaddressable-, terminals, extents,

14 and subtypes.* 15

- 16 Each object is identified by a seid. Seids for devices, terminals, and17 subtypes are allocated at system generation time. These objects are18 permanent, and canot be dynamically allocated and deallocated.19 Seids for files are allocated by this module. Seids for extents are20 allocated when the device Is physically mounted. Physicial mounting21 is not handled at this time - logical mounting is - but should be.

" "22- 23 Each process at creation is assigned an open table, in which all the

24 open objects of that process are recorded, along with their mode of25 access. The state of the open table for a process is recorded in the

- 26 values of the V-functions 'FCAopenTableExIsts(pSeId)' which tells27 whether the open table for the process named by 'pSeld' exists, and28 'FCAopenEntry(pSeld, od)'. which gives the seid and open mode for the29 open object of process 'pSeld' named by the open Descriptor - a

- 30 designator - od.3132 The existence of an openable object is detected by a defined value for33 'FCAfileStatusInfo(fSeld),' where 'fSeld" is the object's seld. Each

34 object's type is ascertained by looking at the nsp part of the seld.35 Depending on the type of the object, certain V-functions hold additional36 information. A description of this information can be found In the

- 37 comment directed at each type of object.")3839 $C' DEVICES - there are two kinds of devices, addressable and nonaddressable;40 an addressable device, such as a disk, has two properties: It can be41 accessed via a block number or address; and what is put onto the device42 via a read operation is retrieved by a write when the device is read at43 the same address. A non-addressable device, such as a tape unit, can be44 viewed as having an infinite stream of input data and producing an45 infinite stream of output data. Each kind of device has four quantities46 associated with It: a minimum request, a maximum request, a size47 modulus, and a maximum block number. For non-addressable devices, the48 size modulus must be I and the maximum block number must be zero.

49 An 10 request specifies a certain number of characters at a certain

50 block number. The number of characters must be within the range51 defined by the minimum and maximum request quantities for the device,52 and must be a multiple of the size modulus. The block number must be with53 within the range (0 .. maximum block numberl for the device.

54 ")5556 $(" TERMINALS -- With one exception, terminals are nonaddressable devices

fca.specs Page 2 Fri Mar 27 15130:44 1981

57 whose 10 requests are limited to small multiples of a single character58 ( 255). Terminals however, have a special property. To enable the59 user to change the security level of his job without changing terminals,60 there is an illusion that a single terminal is renresented by a61 multiplicity of device seids. one for each possible login security level.62 Each seid represents a particular secure path to the terminal. Only63 one path to the terminal may do 10 operations at a time, and this path64 is specified by the value of the V-function 'FCAcurrentPath(t)', where65 t refers to the terminal group or physical terminal.66 The different paths associated with a particular physical terminal67 are specified by the value of the V-functlon 'FCAterminalPathSet(t)'.68 where t is as above.")6970 $(" EXTENTS - Extents are addressable devices, representing areas on a71 disk. with a block size of 512 and a size determined when the device is72 physically mounted. For the73 purposes of this specification, the size has been predetermined, as no74 physical mounting is specified. The special property of extents is that

75 they can be logically mounted, so that they 'become' a file system76 or set of files. When77 the system is started up, there are no files, except the root, only78 extents. Each extent is mounted. setting up the actual file system79 that a user sees when he logs on. When the extent is mounted, it can80 no longer be accessed as an extent. Unmounting turns a file system81 back into an extent, and the file system disappears.")8283 $(" FILES - Files are addressable devices, with a block size of 512 and84 two important properties. They can be dynamically created and deleted,85 and they are of variable size. Writing onto the end of a file effectively86 changes its size. Files may also be linked to. A link is a reference87 count used by the directory manager sitting above the kernel. It88 represents the number of directories in which a file is found. When89 this count goes to 0. and no process has the file open, the file90 is deleted. This is the only way of deleting files, although they can91 be explicitly created.")9293 SO' SUBTYPES - This is an additional protection mechanism over and above94 that provided by the mandatory. privilege, and discretionary access95 control systems. Each openable object may be associated with a96 subtype, of which there are a fixed number at system generation time.97 Any object of a non-null subtype may be accessed only by those prccesses98 who have access rights to the subtype as well as the object. The99 access right to a subtype is established by opening the subtype for

100 the desired access. Access to the subtype is granted or denied according101 to the usual mandatory and discretionary rules. An object with102 a non-null subtype can be accessed only when the open descriptor for103 the subtype, to which access must already have been granted, is104 presented. and when the desired access to the object is a subset of105 the access granted to the subtype. This forms a mini-capability106 mechanism with type extention, which is necessary for achieving acceqs107 control over objects such as directories. Thus there will be a108 directory subtype, to prevent arbitrary programs from damaging the109 directory system jNst because they have access to a particular110 directory. The rules for subtype access occur in the open function andIII all functions that require a subtype capability for accessing112 an object.")

fca.specs Page 3 Fri Mar 27 15-30:44 1981

113114

115 TYPES116117 $(FROM smx)118 nonDisType: STRUCT OF(119 INTEGER securityLevel: SET OF securityCat securltyCatS:120 INTEGER IntegrityLevel; SETOF integrityCat integrityCatS):121 daType: SET OF daMode;122 modeStruct: STRUCT OF(daType ownerMode, groupMode, allMode);123 tilStruct: STRUCT OF(nonDisType nd; modeStruct da; INTEGER owner, group:

Um 124 SET OF privType priv):125126 $(from fca - exportable)127 openDescriptor: DESIGNATOR;

-. 128 openModes: {omRead. orldrite, omExclusive):129 lOfunction: {rewind. etc}; $(names for special kinds of 10 functions)130 deviceType: {RK05, RWP04, RWPO5, RWP06, RSW04, TWE16. TMII, TU56, PRII.131 PCII. LPI1. IMP1IB, LHDH};132 terminalGroup: DESIGNATOR;133134 $(from fca - redeclarable)

. 135 fileStatus: STRUCTOF(INTEGER nBlocks, linkCount, timeLastMod: seid subtype:136 BOOLEAN openAtCrash);137 $(data about an openable object that is returned to the user)138 globalData: STRUCT OF(INTEGER linkCount, timeLast4od; seld subtype;139 BOOLEAN openAtCrash);140 $(state information for all openable objects)141 fileBlock: VECTOR OF CHAR;

-w 142 ioStatus: STRUCT_OF(INTEGER devlndep, devDep);143 $(result of an I0 operation, including possible hardware failure)144 openFileEntry: STRUCT OF(seld openSeld; SETOF openModes openMode):145 $(entry in a process' open file table)146 asyncld: CHAR;147 readResult: STRUCT OF(VECTOR OF fileBlock data; ioStatus errst);148 deviceStruct" STRUCT_OF(BOOLEAN addressable;149 INTEGER minRequest, maxRequest, modSlze, maxBlockNo);150 $(properties necessary for processing 1O requests for devices)151 mountTableEntry" STRUCTOF(seld leafSeId, rootSeid; BOOLEAN readOnly;152 tilStruct devTli; globalData devGl);153 fileSystevEntry: STRUCTOF(setd fileSeid; globalData gl; tiliStruct tit;154 VECTOR OF fileBlock fileData);155 $(the state of a file, for purposes of mounting and unounting)

w 156 fileSystem: SET OF fileSysteuEntry;157 $(the state o an entire mountable file system)158 sodPair: STRUCT OF(seld ps; openDescriptor od):

W 159 $(for openCount definition)160161162 PARAMETERS

- 163164 SET OF seid subtypeSeidSet; $( set of non-null subtypes known to the systsm)165 seid FCAstSeid; $(all objects who have this sed as their subtype ARE

w 166 in fact subtypes)167 seid nullStSeid: $( seid indicating the null subtype)168 openrDescrlptor FCAnullSt; $(a file descriptor indicating the null subtype)

fca.specs Page 4 Fri Mar 27 15:30:44 1981

169 seid FCArootSeid; $(distinguished root of KSOS permanent file system)170 INTEGER FCAmaxOpenDescrlptors; $(maximum number of open descriptors per171 process)172173174 DEFINITIONS

175176 INTEGER FCAfileSize(seid fSeld) IS177 CARDINALITY({INTEGER i I FCAfileData(fSeld, i) ?});178 $(the size, in blocks, of an addressable device, file, or extent)179180 INTEGER nOpenDescriptors(seid pSeid) IS181 CARDINALITY({openDescrlptor od I FCAopenEntry(pSeid, od) -

182 $(the number of open objects in a given process: It must not exceed a fixed183 maximum)

184185 INTEGER openCount(seid fSeid) IS

186 CARDINALITY((sodPair sp I FCAopenEntry(sp.ps, sp.od).openSeld - fSeld});187 $(the number of times that a given openable object is open)

188189 deviceStruct deviceDataSeid(seld fSeld) IS190 FCAdeviceData(FCAdeviceType(fSeid));191 $(given the seid of a device, the data on which its 10 requests depend)192

193 SET OF daMode h modeTrans(SET .OF openriodes oModes) IS194 (IF omRead INSET oModes THEN {daRead} ELSE (})195 UNION (IF omurite INSET oModes THEN {daWrite} ELSE {});196 $(translates from one enumerated type, open Modes, to another slightly197 different enumerated type, discretionary access modes)198

199 BOOLEAN isCurrentPath(seld tSeld) IS200 EXISTS termlnalGroup t : FCAcurrentPath(t) - tSeld:201 $(for a given terminal, tells whether it is the active path to its physical202 device)203204 BOOLEAN isReadOnly(seid s) IS205 EXISTS seid devSeid206 SENseldNsp(FCAmountTable(devSeld).rootSeld) - SENseldNsp(s)207 AND FCAmountTable(devSeld).readOnly - TRUE;208 $(tells whether or not a given file is on a file system that is mounteo in209 read-only mode)210211 seid indir(seid fSeid) IS212 LET seld devSeld I FCAmountTable(devSed).leafSeld - fSeld213 IN IF devSeid - ? THEN fSeid ELSE FCAmountTable(devSeld).rootSeid;214 $(if a file represents the spot in the file system where a file system215 has been mounted, it is translated into the root of the mounted file216 system)

217218 EXTERNALREFS

219

220 FROM mac:221 VFUN MACclock() -> INTEGER time;222

223 FROM sox-224 seld: DESIGNATOR:

fca.specs Page 5 Fri Mar 27 15:30-44 1981

225 secureEntityType: {tFIle. tDevice, tTerminal, tProcess, tSegment, tSubtvpe,226 tExtent, tNul}:227 privrype: {228 privFileUpdateStatus. prlvLlnk. prIvLockSeg,229 privModifyPriv, pri vMount,230 prIvSetFileLevel. privSetSeg~rocLevel,231 privStickySeg, pri vTermlnalLock,

V232 privViolSimpSecurity. prfvViolStarSecurity,233 privViolSimplntegrity, pri vViolStarlntegrity.234 privViolDiscrAccess. privSignal. privWalkPTable.235 priviialt, privKenrelCall, privVIolCompartments,236 privRealizeExecPeruissions };237 daMode! {daRead. daWrIte. daExecute);238 securityCat: DESIGNATOR;239 IntegrityCat: DESIGNATORz240 VFUN SENseidftp(seid 9) ->INTEGER nsp:.241 VFUN SENseidType(seld 9) ->secureEntityType set,242 VFUN Tllinfo(seid s) -> tliStruct tiist;243 VFUN SllXhasPriv(seid pSeid; privType priv) ->BOOLEAN b;244 VFUN SMXflow(seid pSeid, oSeid; daType da) ->BOOLEAN b;245 VFUN SMXdap(seid pSeid, oSeid; daType da) ->BOOLEAN b;

* 246247248 ASSERTIONS249

*250 FORALL seid fSeid I FCAinfo(fSeld) ?251 :SENseidType(fSeid) INSET {tTerminal, tDevice, tSubtype, tFile, tExtent};252 $(restricts the types of objects manipulated by this modul.e)253

* 254 FORALL seid fSeid. (INTEGER i I FCAfileData(fSeid, 1) - )255 - {0O. FCAfileSIze(fSeld) - 1);256 $(the blocks of a file, extent, or addressable device form a sequence)257258 FORALL seid dSeid259 JSENseIdType(dSeId) -tDevlce AND FCAInfo(dSeid) -- ?260 -(LET deviceStruct d - devIceDataSeId(dSeId)261 IN NOT d.addressable -> d-modSIze -1 AND d-maxBlockNo -0);I262 $(necessarypropertles of all non-addressable devices)263264 FORALL seid fSeid265 1 FCAInfo(fSeid) -- ?266 (LET secureEntityType t -SENseldType(fSeid)267 IN FORALL INTEGER I I FCAfIleData(fSeId, i) --268 LENGTH(FCAfileData(fSeid. 0)269 -(IF t - tDevIce THEN deviceflataSeid(fSeld).modSize270 ELSE IF t INSET {t~xtent, tFile) THEN 512

- 271 ELSE ?)272 $(the lengths of all blocks for files, extents, or addressable devices273 must correspond to the parematers for those objects)274275 FORALL setd a I SENseidType(s) - tTeruainal AND FCAinfo(s) ?276 (EXISTS rerminaiGroup ti277 - a INSET FCAterminalPathSet(tl)278 AND (FORALL terminal~roup t2 -- t1279 :NOT s INSET FCAtermlnalPathSet(t2)));280 $(each terminal is In exactly one terminal group)


281282 FORALL seld f283 1 EXISTS INTEGER I : FCAfileDara(f. I) -?

284 FCAinfo(f) -= ?285 AND (SENseidType(f) = tDevice AND deviceDataSeid(f).addressable = TRUE286 OR SENseldType(f) INSET {tFile. tExtent});287 $(only files, extents, or addressable devices have file data)288289 FORALL seid f

290 (FCAinputStream(f) -- ? AND FCAoutputStream(f) -- 9)291 (SENseidType(f) = tTerminal292 OR SENseidType(f) - tDevice293 AND deviceDataSeid(f).addressable = FALSE);294 $(non-addressable device have both an input and an output stream, although295 it may always be null)296297 FORALL seid pSeid I FCAopenTableExists(pSeid)298 FCAopenEntry(pSeld. FCAnulISt) - ?;299 $(there are never any opened objects assigned to the open descriptor .300 reserved for the null subtype)301302 FORALL seid sl. s2303 SENse!dType(sl) - tSubtype AND SENseidType(s2) - tSubtype _

304 => SENseidNspksl) - SENseidNsp(s2);305 $(subtypes have only one name space partitfon)306307 SENseidType(nullStSeld) - tSubtype AND SENseidType(FCAstSeid) - tSubtype;308 $(the raill subtype seld and the subtype seid indicating "sybtype")309310 FORALL seid s INSET subtypeSeidSet : SENseldType(s) - tSubtype;311 $(properties of the set of non-null subtypes)312313 SENseidType(FCArootSeld) - tFile;314 $(property of the distinguished root of the entire file system)315316 FORALL seid f I FCAinfo(f) -= ? AND SENseldType(f) - tFile317 EXISTS sed d • SENseidNsp(FCAmountTable(d).rootSeid) = SENseidNsp(f)318 OR f - FCArootSeid;319 S(a file is either the root or it is on a mountab_'e file system)320321322 FUNCTIONS323324 $C- ---- - - - state functions - devices325326 VFUN FCAdeviceType(seid fSeld) -> deviceType d; $(FCAdeviceType)327 $(gives the type of a particular device, which determines Its 10 behavior)328 HIDDEN;329 iNITIALLY330 (d -- ?)331 - (SENseldType(fSeid) - tDevice AND FCAinfo(fSeid) -= ?);332333 VFUN FCAdeviceData(deviceType d) -> deviceStruct ds; $(FCAdeviceData)334 $(for a given type of device, defines the 10 behavior)335 HIDDEN;336 INITIALLY


337 ds = (IF d - RK05338 THEN STRUCT(TRUE. 512, 32768. 512. 203*24-1)339 ELSE IF d INSET {RWP04, RWP05}340 THEN STRUCT(TRUE, 512, 32768. 512, 22*19*411-1)341 ELSE IF d - RWP06

- 342 THEN STRUCT(TRUE, 512, 32768, 512, 22*19*411*2-1)343 ELSE IF d - RSW04 THEN STRUCT(TRUE, 512, 32768, 512. 2048-1)344 ELSE IF d INSET {TWE16, TM11} THEN STRUCT(FALSE, 12, 8191, I, 0)345 ELSE IF d = TU56 THEN STRUCT(TRUE, 512, 512, 512, 0)346 ELSE IF d INSET (PRI1. PC11} THEN STRUCT(FALSE, 1. 1, 1, 0)347 ELSE IF d = LPI1 THEN STRUCT(FALSE, 1. 132. 1, 0)348 ELSE IF d INSET (IMPlIB, LHDH} THEN STRUCT(FALSE, 1. 8191, 1, 0)349 ELSE ?);350351 .-.- ---- state functions - terminals352353 VFUN FCAterminalPathSet(terminalGroup t) -> SET OF seld ss;354 $(FCAterminalPathSet)355 $(defines the set of paths, or logical terminals, that correspond to356 a given terminal group, or physical terminal)357 HIDDEN;358 INITIALLY

-. 359 FORALL seid s INSET as360 FCAinfo(s) - ? AND SENseidType(s) - tTerrinnali361362 VFUN FCAcurrentPath(terminalGroup t) -> seid a: $(FCAcurrentPath)

- 363 $(the seid of the logical terminal that is allowed to.do 10 on a given364 physical terminal)365 HIDDEN;

*. 366 INITIALLY

367 s INSET FCAterminalPathSet(t);368369 $(-------------state functions - mountable file systems370371 VFUN FCAmountTable(seid extentSeid) -> mountTableEntry mte; $(FCAmVunrTable)372 $(for a given extent that is mounted, tells leaf of the old file system,

- 373 the root of the new or mounted file system, whether the file system374 is read only. and the state information for the extent)375 HIDDEN;376 INITIALLY mte - ?;

-- 377378 VFUN FCAextentToFileSys(VECTOR OF fileBlock fb; seld rootSeld)379 -> fileSystem fs; $(FCAextentToFileSys)

- 380 $(given the data of a given extent and a root seld for a file system381 to be made out of the extent whose data is given, produces the382 file system consisting of a set of tuples each made up of a383 file seid and the state of the file)384 HIDDEN:385 INITIALLY386 fs -- ? =>387 (EXISTS fileSystemEntry fee INSET fe : rootSeld - fse.fileSeld)388 AND (FORALL fileSystemEntry fe INSET fs389 SENseldNsp(fse.fileSeld) - SENseidNsp(rootSeld)):390 $(a constant function for data conversion)391392 $(-........ state functions - all openable objects

fca.specs Page 8 Fri Mar 27 15:30-44 1981

393394 VFUN FCAinfo(seid fSeid) -> globalData gl; $(FCAinfo)

395 $(the status information, excluding data and type dependent stuff, for

396 an openable object)

397 HIDDEN;398 INITIALLY

399 IF devlceDataSeid(fSeid) - ? THEN gl -- ?

400 ELSE IF fSeld INSET {FCArootSeld, FCAstSeld, nullStSeld}

401 THEN gl.subtype - nullStSeid

402 ELSE IF fSeld INSET subtypeSeidSet THEN gl.subtype - FCAstSeid

403 ELSE gl - ?;404405 VFUN FCAfileData(seid fSeid; INTEGER blockNo) -> fileBlock fb; $(FILfileData)

406 $(the data contained on a file, extent or an addressable device)

407 DEFINITIONS

408 secureEntityType type IS SENseidType(fSeid); -

409 deviceStruct d

410 IS IF type - tDevice THEN deviceDataSeid(fSeid)

411 ELSE IF type INSET {tFile. tExtent)

412 THEN STRUCT(TRUE, 512, 32768. 512. FCAflleSlze(fSeid)-l)413 ELSE STRUCT(FALSE, 1. 255, 1. 0);

. 414 HIDDEN:

415 INITIALLY416 (IF FCAInfo(fSeld) = ? OR type INSET {tTerminal, tSubtype}

417 OR NOT blockNo INSET (0 d.maxBlockNo} OR NOT d.addressable

418 THEN fb - ?

419 ELSE fb -- 9)420 AND (fb" ?

421 => LENGTH(fb) - d.modSize422 AND (FORALL INTEGER i INSET (0 blockNo - 1}423 - FCAflleData(fSeid, I) - )424 AND (FORALL INTEGER j INSET {1 LENGTH(fb)}

425 - fb[j] - )

426427 VFUN FCAlnputStream(seid fSeid) -> VECTOR OF CHAR vc; $(FCAinputStream)

428 $(the input data for terminals and nonaddressable devices)

429 HIDDEN;430 INITIALLY

431 IF FCAinfo(fSeld) -= ?432 AND (SENseldType(fSeld) - tTerminal433 OR SENseldType(fSeld) - tDevice434 AND deviceDataSeld(fSeld).addressable - TRUE)435 THEN vc ?

436 ELSE vc -?437438 VFUN FCAoutputStream(seid fSeid) -> VECTOR OF CHAR vc; $(FCAoututStream)

439 $(the output data for terminals and nonaddressable devices)

440 HIDDEN;

441 INITIALLY442 IF FCAinfo(fSeld) -a ?443 AND (SENseidType(fSeid) - tTerminal

444 OR SENseidType(fSeid) - tDevice445 AND deviceDataSeid(fSeid).addressable

= TRUE)

446 THEN vc -- ?

447 ELSE vc - ?;448


449 $(-.....- state functions - open tables ....- )450451 VFUN FCAopenTableExists(seld pSeid) -> BOOLEAN b: $(FCAopenTableExlsts)452 $(the existence predicate for the table of openable objects corresponding453 to a given process)454 HIDDEN:

455 INITIALLY b - FALSE;456

- 457 VFUN FCAopenEntry(seid pSeid; openDescriptor od) -> openFileEntry oe;458 $(the information in entry "od" of the open table of process "pSeid")459 HIDDEN; $(FCAopenEntry)460 INITIALLY oe - ?;

- 461462 $( -------. creation of files463464 OVFUN FCAcreate(seld pSeid, nspSeid; modeStruct da; openDescriptor stCap)465 -> STRUCT OF(seld fSeid; openDescriptor od) return: $(FCAcreate)466 $(creates a file and opens it in the desired mode. the file system on467 which the file resides must be writable. If a subtype capability

- 468 is provided it oust refer to a valid subtype. The created file gets469 only the discretionary access permission specified. All other data

. 470 comes from the process making the call. The file is originally of zero471 length)472 DEFINITIONS473 tiiStruct ptii IS Tllinfo(pSeld);474 tiiStruct otil IS STRUCT(ptil.nd, da, ptil.owner, pili.group, ptli.priv);475 seid extSeid476 IS SOME seid s I SENseidNsp(FCAmountTable(s).rootSeld)477 SENseidNsp(nspSeid);

478 EXCEPTIONS479 $(these exceptions subsume those for opening a file for writing)480 KEfcaBadNsp:481 extSeid - ? OR NOT SMXflow(pSeid, extSeid, {daRead, daWrite}):482 KEfcaNoWriteDa- NOT daWrite INSET da.ownerMode;483 KEfcaDevNotWritable: isReadOnly(nspSeid):484 KEfcaBadSubtype: stCap -= FCAnullSt

S - 485 AND FCAinfo(FCAopenEntry(pSeid, stCap).openSeid).subtype -- FCAstSeld;486 KEfcaSTNotWritable:487 stCap -- FCAnullSt488 AND NOT omnrite INSET FCAopenEntry(pSeid, stCap).openMode;489 KEfcaOdSpace: nOpenDescriptors(pSeld) >- FCAmaxOpenDescriptors;490 RESOURCE ERROR;491 ASSERTIONS

- 492 FCAopenTableExists(pSeid):493 EFFECTS494 LET seid fs I FCAinfo(fs) - ?;

- 495 openDescriptor o I FCAopenEntry(pSeid, o) - ? AND o -- FCAnullSt496 IN return - STRUCT(fs, o)497 AND 'TlIinfo(fs) - otil498 AND 'FCAopenEntry(pSeld. o) - STRUCT(fs. {omwrite})499 AND 'FCAinfo(fs) - STRUCT(O, MACclocko.500 IF stCap - FCAnullSt THEN millStSeld501 ELSE FCAopenEntry(pSeld, stCap).openSeid.502 FALSE);503504 $(-------- file opening and closing ---- )

fca.specs Page 10 Fri Mar 27 15,30:44 1981

505506 OVFUN FCAopen(seid pSeid. oSeid; SET OF openModes mode; openDescriptor stCap)507 -> openDescriptor od; $(FCAopen)508 $(opens the openable object specified by "oSeid". The object must exist509 and the process "pSeid" must have the right mandatory and discretionary510 access. Special rules, described below, apply to subtypes.511 Special rules also apply when the object Is being opened for exclusive512 use. Only one process may open an object for exclusive use.513 A process is allowed a fixed maximam number of open objects.)514 DEFINITIONS515 seid o IS indir(oSeid);516 globalData ofst IS FCAinfo(o);517 openFileEntry stEntry IS FCAopenEntry(pSeld, stCap);518 BOOLEAN anotherExcl IS519 EXISTS seid pSeidl; openDescriptor od :520 FCAopenEntry(pSeldl, odl).openSeld - o AND521 omExclusIve INSET FCAopenEntry(pSeidl, odl).open~ode;522 $(the object is opened exclusive use elsewhere)523 EXCEPTIONS524 KEfcaNoFile: ofst - ? OR NOT SMXflow(pSeid, o, hmodeTrans(mode));525 KEfcaBadRefCount: ofst.linkCount - 0;526 KEfcaBadStCap:527 stCap -- FCAnullSt AND FCAinfo(stEntry.openSeid).subtype - FCAstSeid:528 $(a subtype capability was specified, but it is not for a valid subtype)529 KEfcaNoStCap:530 stCap - FCAnullSt AND NOT ofst.subtype INSET {nullStSeid, FCAstSeid}:531 $(no subtype capability was specified, but the object has a non-null532 subtype)533 KEfcaBadSubtypeMatch:534 stCap -- FCAnullSt535 AND (stEntry.openSeld -- ofst.subtype536 OR NOT mode SUBSET st:ntry.openMode):537 $(a subtype capability is specified, but it does not match the subtype538 of the object, with access modes included)539 KEfcaDapViol: NOT SMXdap(pSeid, o, h-modeTrans(mode)),540 KEfcaNotWritable: omWrrte INSET mode AND isReadOnly(o);541 KEfcaNoExclDA:542 omExclusive INSET mode AND NOT (omRead, omaritel SUBSET mode:543 KEfcaCrItExcl:544 anotherExcl OR (openCount(o) > 0 AND omExclusive INSET mode):545 $(either the object was opened elsewhere for exclusive use, or546 exclusive use is requested and the object is open elsewhere)547 KEfcaOdSpace: nOpenDescriptors(pSeid) >- FCAmaxOpenDescriptors;548 ASSERTIONS549 FCAopenTableExsts(pSeid);550 EFFECTS551 LET openDescriptor odl I FCAopeEntry(pSeld, odl) - ? AND odl -- FCAnullSt552 IN "FCAopenEntry(pSeld, odl) - STRUCT(o, mode)553 AND od - odl:554555 OFUN FCAclose(seid pSeid; openDescriptor od); $(FCAclose)556 $(closes the open object named Ivy "od". If the object is not is use by557 anyone else, either by linking or by opening, then the object is deleted)558 DEFINITIONS559 openFileEntry oe IS FCAopenEntry(pSeid, od);560 seid fSeid IS oe.openSetd;

k l , II kIz'- - ... . . . . 'S k L .L .. . .... . .

fca.specs Page 11 Fri Mar 27 15-30-44 1981

561 globalData ofst IS FCAinfo(fSeid);562 EXCEPTIONS

- 563 KEfcaBadOd: oe - ?564 ASSERTIONS565 FCAopenTableExists (pSei d);566 EFFECTS567 ofst.linkCount- 0568 AND openCount(fSeid) 1

- 569 AND SENseidType~fSeid) - tFile570 0 'FCAinfo(fSeid) -?571 AND (FORALL INTEGER I :'FCAfileData(fSeid, 1) ?)572 AND 'TlIInfo(fSeId) - ?573 'FCAopenEntry(pSeid. od) - ?574 $(the openAtCrash field Is cleared when closing an object that was open575 for writing. This has not been put in.)

-. ~576___577 $( --------------- open table maintenance578

*579 OFUN FCAcreateOpenTable(seld pSeid); S(FCAcreateOpenTable)- 580 $( this operation creates an open table associated with a process seid:

581 It is used as an auxiliary operation by the process modules when582 creating a new a process)583 ASSERTIONS584 NOT FCAopenTableExists~pSeid);585 EFFECTS586 'FCAopenTableExists(pSeid) - TRUE;587588 OFUN FCAdeleteOpenTable(seid pSeid); $CFCAdeleteOpenTable)589 $( Deletes the open table associated with a process; supports the release590 of a process)591 ASSERTIONS592 FCAopenTableExIsts~pSeId):593 EFFECTS594 'FCAopenTableExists(pSeid) - FALSE;595596 $(---------- utility operations-- - - - - - )

m~597598 OFUN FCAcloseAll~seld pSeid); $(FCAcloseAll)599 $C Closes all the open objects of an open object table; supports process600 release and Invocation. May cause unreferenced objects to be deleted)601 ASSERTIONS602 FCAopenTableExists~pSeid);603 EFFECTS

- 604 FORALL openDescriptor od I FCAopenEntry~pSeid, od) -- ?605 seid fSeid - FCAopenEntry~pSeid, od).openSeid606 'FCAopenEntry~pSeid, od) ?607 AND (openCount~fSeid) 1608 AND FCAlnfo~fSeid).linkCount - 0609 AND SENseidType(fSeId) - tFile)610 0> 'FCAinfo(fSeid) -?611 AND (FORALL INTEGER I : FCAfileData~fSeid. 1) ? )612 AND 'TIlinfo~fSeid) - ?:613 'FCAopenTableExIsts~pSeId) - FALSE;614615 OFUN FCAcopyOenTable~seid fromSeid, toSeid); $(FCAcopy~penTable)616 $(Copies the contents of one open table, 'fromSeid." to another, "toSeid."

fca-specs Page 12 Fri Mar 27 15:30:44 1981-

617 totoSeid" must be empty)618 ASSERTIONS-619 FCAopenTableExists(froiSeid):.620 FCAopenTableExists(toSeid);621 FORALL openDescriptor od :FCAopenEntry~toSeld. od) ?-622 EFFECTS623 FORALL openDescriptor od624 :'FCAopenEntry(toSeid, od) - FCAopenEntry(from~eid, od);625626 C-- - - - file status operations- -- - - - )

627628 VFUN FCAgetFileStatus(seid pSeid, fSeid) -> fileStatus fst;$(FCAgetFileStatus)629 $(returns the status of the file. The requesting process must have630 mandatory access to the object, and the object muist exist)631 DEFINITIONS632 seid f IS indir~fSeid);633 globalData gl IS FCAinfo(f);634 EXCEPTIONS635 KEfcaNoFile: FCAinfo~f) - ? OR NOT SMXflow(pSeid. f, {daRead});636 DERIVATION637 STRUCT(IF FCAfileSize~f) -? THEN 0 ELSE FCAfileSize(f),638 gl.linkCount, gl.timeLastMod, gl.subtype,639 gl.openAtCrash);640641 OFUN FCAsetFileStatus~seid pSeid. fSeid; fileStatus newfs);$(FCAsetFileStatus)642 $(only the subtype file of an openable object may be changed. The_643 requesting process must have mandatory access to the object, and the644 object must exist. Note the particular rule, explained below, relating645 to subtypes)646 DEFINITIONS647 seid f IS indir(fSeld).648 globalData oldfs IS FCAinfo(f);649 EXCEPTIONS650 KEfcaNoFile-651 FCAinfo(f) - ? OR NOT SMXflow(pSeid, f, {daRead, daWrite});

*652 KEfcaBadDa: NOT SMXdap(pSeId, f, {daRead., daWrite});653 KEfcaNoOwner: Tlinfo(pSeid).owner -- Tlinfo(f).owner;654 KEfcaBadPrIv: NOT SMXhasPriv(pSeid. privFileUpdateStatus):655 KEfcafladSubtype:656 newfs.subtype :oldfs-subtype657 AND Coldfs.subtype - millStSeld658 AND Tllinfo(oldfs.subtype).owner -- Tlinfo(pSeId).owner659 OR newfs.subtype -- nllStSeid660 AND TIlinfo~newfs-subtype).owner -- Tllinfo(pSeid).owner);661 $(the requesting process must be the owner of both the old and662 new subtypes, If non-null)663 KEfcaChangeLink: old f . linkCount - mewfs .11nkCount;664 ASSERTIONS665 FCAopenTableExI sts (pSeid);666 EFFECTS667 'FCAinfo(f) STRUCT(nefa.linkCount. newfs-timeLastMod,668 mewfs.subtype, newfs.openAtCrash);669670671 END MODULE

fmi-specs Page 1 Fri Mar 27 15.:31:25 1981

1 Wt" MODULE fmi.specs (version 2.10)- 2 CONTENTS: File Miscellaneous Operations

3 TYPE- SPECIAL specifications4 LAST CHANGED- 10/12/79, 13-58:055 )

- 678 MODULE fmIi91011t$ this module contains miscellaneous file operations that are not included

* 12 in the fca modul~e, because the SPECIAL checker at FACC cannot accomodate- 13 the combined file)

14*15 TYPES

* - 1617 $(FROM suuc)18 nonDisType: STRUCT OF(19 INTEGER securityLevel; SET _OF securityCat securityCatS*;

- 20 INTEGER IntegrityLevel; SET-OF integrityCat integrityCatS):,21 daType: SET -OF daMode;

*22 modeStru.ct: STRUCTOF(darype ownerMode, groupMode. allMode);w 23 tiiStruct: STRUCT OF(nonDisType nd: modeStruct da. INTEGER owner, group;

*24 SET OF privType priv);2526 $(from fca)

*27 globalData: STRUCT-OF(INTEGER linkCount, timeLast~od; seid subtype:*28 BOOLEAN openAtCrash);

29 ioStatus: STRUCT OF(INTEGER devlndep. devDep);- 30 asyncld: CHAPR;

31 fileBlock: VECTOR OF CHAR;32 openFileEntry: STRUCT -OF~seid openSeid; SETOF openModes openMode);33 readResult: STRUCT OF(VECTOR OF fileBlock data; ioStatus errst);34 deviceStructi STRUCTOFBOOLEA4 addressable;35 INTEGER minRequest, maxRequest, modSize, nisxBlockffo);36 mountTableEntry: STRUCTOF~seid leafSeld, rootSeid; BOOLEAN readOnly;37 tiiStruct devTii; globalData devGl);38 fileSystemEntry: STRUCTOF(seid fileSeid; globalData gl. tiiStruct tii;39 VECTOROF filefllock fileData);40 fileSystem: SET OF fileSysten~ntry;414243 DEFINITIONS

- 4445 $(these definitions are explained In the fca module)4647 INTEGER FCAfileSize(seid fSeid) IS48 CARDINALITY({INTECER I I FCAfileData(fSeid. i) --uM4950 INTEGER nOpenDescriptors~seld pSeid) IS

- 51 CARDINALITY({openDescriptor od I FCAopenEntry(pSeid, od) M;5253 INTEGER openCount(seld fSeid) IS

- 54 CARDINALITY({aeid pSeid55 1(EXISTS openDescriptor ad56 :FCAopenlntry(pSeld. od).openSeld *fSeid)1))

*fmi-specs Page 2 Fri Mar 27 15:31:25 1981

5758 deviceStruct deviceDataSeid(seld fSeid) IS59 FCAdeviceDataCFCAdeviceType(fSeid));6061 BOOLEAN isCurrentPath(seld tSeid) IS62 EXISTS terminaiGroup t - FCAcurrentPath(t) -tSeid;6364 seld indir~seld fSeid) IS65 LET seid devSefd I FCAmountTable~devSeid).leafSeid -fSeid66 IN IF devSeid - ? THEN f Seid ELSE FCAmountTable(devSeid).rootSeid;-6768 BOOLEAN isReadOnly(seid fSeid) IS69 EXISTS seid devSeid :SENseidNsp(FCAmountTable(devSeid).rootSeld)70 -SENseidNsp(fSeld)

71 AND FCAmountTable(devSeid).read~nly -TRUE;72

- 7374 EXTERNALREFS7576 FROM suuc:

*77 said: DESIGNATOR;78 secureEntityType: {tFile, tDevlce, tTerminal, tProcess. tSegment, tSubtype,79 tExtent, tNull);80 privType-81 privFileUpdateStatus. pri vLink, privLockSeg.82 privModifyPriv, privMount,83 prIvSetLevel, pri vSti ckySeg, privTerminalLock,84 privViolSimpSecurity, privViolStarSecurity,85 privViolSimplntegrity, privViolStarlntegrity,86 privViolDiscrAccess. privSignal, prlvWalkPTable,-87 privlialt, privKernelCall. privViolCompartments,88 prIvRealizeExecPermissions);89 securityCat: DESIGNATOR;90 integrityCat: DESIGNATOR;-91 daMode: {dalead, daWrite. daExecute};92 VFUN SENseidNsp(seid a) ->INTEGER nsp;93 VFUN SENseldType(seld a) ->secureEntltyType set;-94 VFUN TIlinfo(seld 9) -> tiiStruct tijat;95 VFUN TIlgetEntityLevel(seld pSeid, oSeid) -> tiiStruct otli;96 OFUN TIlsetEntityLevel(seld pSeid, oSeid; tiiStruct ntii);97 VFUN SMXhasPriv(seid pSeid; privType priv) - BOOLEAN b;98 VFUN SMXflo(seid pSeld, oSeid; dalype da) - BOOLEAN b;99 VFLJN SMXdap~seld pSeid, oSeid; daType da) ->BOOLEAN b;

100101 FROM fca:102 openDescriptor: DESIGNATOR:103 openModas: {om'iead. ovilrite, omExclusivel;104 IOfunction: (rewind, etc);105 deviceType: {RKO5, RWPO4, RWPO5. RWPO6. RSWO4, TWE16, TM11. TU56, PRI1.106 PCII. LPII. IMPlIB. LHDH);107 terminaiGroup: DESIGNATOR;108 said FCArootSeid;109 VFUN FCAdeviceType(seid f Said) -> deviceType d;110 VFUN FCAdeviceData(deviceType d) -> deviceStruct da;III VFIN FCAcurrentPath(terminalGroup t) -> said s;112 VFUN FCAterminalPathSet(toriinalGroup t) ->SETOF seld as;

fmi.specs Page 3 Fri Mar 27 15:31!25 1981

113 VFUN FCAmountTable(seld extentSeid) -> mountTableEntry mte:114 VFUN FCAextentToFileSys(VECTOROF fileBlock fb; seid rootSeid)

- 115 -> fileSystem fs;116 VFUN FCAinfo(seid fSeld) -> globalData gl:117 VFUN FCAfileData(seld fSeid; INTEGER blockNo) -> fileBlock fb;118 VFUN FCAinputStream(seld fSeld) -> VECTOR OF CHAR ye;

119 VFUN FCAoutputStream(seid fSeld) -> VECTOR OF CHAR vc;120 VFUN FCAopenTableExists(seld pSeid) -> BOOLEAN b;121 VFUN FCAopenEntry(seld pSeid; openDescriptor od) -> openFlleEntry oe;122123124 FUNCTIONS

- 125126 $(---------------process support operations --- ....- .)127

- 128 $(Note: the function FCAcreateOpenTable is sufficient to support PROspawn,129 and the function FCAcloseAll is sufficient to support PROinvoke.130 The other support operations are listed here.)131

- 132 OFUN FMlforkSupport(seid parent, child); $(FMlforkSupport)133 $(This function creates a new open table, "child." and copies all open134 from "parent" into it)135 EXCEPTIONS136 KEfudExclusiveFile:137 EXISTS openDescriptor od138 omExclusive INSET FCAopenEntry(parent, od).openMode;139 ASSERTIONS140 FCAopenTableExists(parent);141 NOT FCAopenTableExists(child);

- 142 EFFECTS143 'FCAopenTableExists(child) - TRUE-144 FORALL openDescriptor od145 'FCAopenEntry(child, od) - FCAopenEntry(parent, od);146147 OFUN FMIreleaseSupport(seid pSeld); $(FCAreleaseSupport)148 $( Closes all the open objects of an open object table and deletes the

- 149 table)150 ASSERTIONS151 FCAopenTableExists(pSeld);

- 152 EFFECTS153 FORALL openDescrlptor od I FCAopenEntry(pSeid. od) -- ?;154 seid fSeid - FCAopenEntry(pSeid, od).openSeld155 'FCAopenEntry(pSeid, od) -?156 AND (openCount(fSeid) - 1157 AND FCAinfo(fSeld).llnkCount - 0158 AND SENseldType(fSeld) - tFile)159 -=> 'FCAinfo(fSeid) - ?160 AND (FORALL INTEGER i *FCAfileData(fSeld. 1) ?)161 AND *TIIinfo(fSeld) ;162 'FCAopenTableExists(pSeld) - FALSE;

-- 163164 $(- ......... .. link and unlink operations ----

165166 OFUN FCAlink(seid pSetd, fSeld); $(FCAlink)167 $(increments the link count of an existing file. Mandatory access is168 required, and the process must have the privilege to link. The file

fmd.specs Page 4 Fri Mar 27 15:31-25 1981 -

169 system must not be mounted in read only mode)170 DEFINITIONS171 seid f IS Indir(fSeid);172 globalData fs IS FCAInfo(f):173 EXCEPTIONS174 KEfcaBadPriv: NOT SMXhasPriv(pSeId, privLink):175 KEfcaNotThere: fs - ? OR NOT SMXflow(pSeId. f, {daRead, daWrite});176 KEfcaNotFIle. SENseidType(f) " tFile;177 KEfcaReadOnly: IsReadOnly(f);178 ASSERTIONS179 FCAopenTableExists(pSeid);180 EFFECTS181 'FCAinfo(f)182 - STRUCT(fs.linkCount + 1. fs.timeLastMod, fs.subtype. fs.openAtCrash);183184 OFUN FCAunlink(seld pSeid, fSeid); $(FCAunlink)

185 $(decrements the reference count of an existing file. Mandatory access is186 required and the process must have the privilege to link. The file187 system that the file is on must not be mounted in read only mode. Note188 that unlinking can cause the file to be deleted if the link count goes189 to zero and the file is not open anywhere)190 DEFINITIONS191 seld f IS indir(fSeid):192 globalData fs IS FCAinfo(f):193 EXCEPTIONS194 KEfcaBadprIv: NOT SMXhasPriv(pSeid, prlvLink);-195 KEfcaNotThere: fs - ? OR NOT S1NXflow(pSeid, f, (daRead, daWrite}); -196 KEfcaNotFile: SENseidType(f) -- tFile;197 KEfcaReadOnly: isReadOnly(f);198 ASSERTIONS199 FCAopenTableExists(pSeid);200 EFFECTS201 IF fs.linkCount - I AND openCount(f) - 0202 THEN "FCAinfo(f) - ?203 AND (FORALL INTEGER i - 'FCAfileData(fSeid, i) - ?)204 AND 'TIlinfo(fSeid) - ?205 ELSE 'FCAinfo(f)206 - STRUCT(fs.iinkCount - 1. fs.timeLastMod, fs.subtype.207 fs.openAtCrash):208209 $(---basic I/O operations .. ---- -)210211 VFUN FCAvReadBlocks(seid pSeid; openDescriptor od; INTEGER blockNo, size.212 asyncld id) $(FCAvReadBlocks)213 -> readResult rr;214 $(the purpose of this function is to return the result that FCAreadBlocks215 would return if executed)216 $(returns blocks that are read from a given file, device, extent, or217 terminal, the object must be open for reading. the block number and218 size mst be within range for the kind of object specified. note219 that files, extents, and addressable devices are handled differently220 from terminals and nonaddressable devices, with respect to the data.)221 DEFINITIONS222 seid fSeld IS FCAopenEntry(pSeid, od).openSeld:223 deviceStruct d224 IS IF SENseidType(fSeid) - tDevice THEN deviceDataSeid(fSeid)

fmi.specs Page 5 Fri Mar 27 15i3l:25 1981

225 ELSE IF SENseidType(fSeid) INSET {tFile. tExtent)226 THEN STRUCT(TRUE. 512, 32768, 512. FCAfleSize(fSeid)-1)

- 227 ELSE STRUCT(FALSE, 1. 255, 1 0); $(tTerminal)228 EXCEPTIONS229 KEfcaBadOd: FCAopenEntry~pSeld, ad) - ?230 KEfci. adType: SENseidType(fSeid) - tSubtype;231 KEfcaNotReadable: NOT omRead INSET FCAopenEntry(pSeid, od).openMode;232 KEfcaTermLocked:

- 233 SENseidType(fSeid) - tTerminal AND NOT isCurrentPath(fSeid):234 KEfcafladSize:235 NOT size INSET {d.minRequest .. d-maxRequest)236 OR (size MOD d.modSize) -- 0:237 KEfcaBadBlockNo: NOT blockNo INSET {O .. d.naxBlockNo);238 KEfcaEndOfFile:239 d-addressable AND blockNo + size/d.mudSize > d.maxBlockNo;

-*240 ASSERTIONS*241 FCAopenTableExists(pSeid);

242 DERIVATION*243 LET INTEGER sl INSET {O .. size/d.modSize}

244 IN STRUCT(IF d.addressable245 THEN VECTORCFOR i FROM blockNo TO blockNo + si I246 :FCAfileData(fSeid, i))

.. 247 ELSE VECTORCFOR I FROM 1 TO si $(d.modSize - 1)248 VECTOR(FCAinputStream(fSeid)[i ]))249 SOME ioStatus ios I TRUE):250251 OVFUN FCAread~locks(seid pSeld; openDescriptor od; INTEGER blockNo, size;252 asyncld 1d)253 -> readResult rr; $ (FCAreadBlocks)

- 254 $(LR - needs semantics f or asynchronous I/O)255 $(returns blocks that are read from a given file, device, extent, or256 terminal, the object must be open f or reading. the block number and257 size must be within range for the kind of object specified, note

- 258 that files, extents, and addressable devices are handled differently259 from terminals and nonaddressable devices. with respect to the data.)260 DEFINITIONS

- 261 seid fSeid IS FCAopenEntry(pSeld, od).openSeid;262 deviceStruct d263 IS IF SENseidType(fSeid) - tDevice THEN deviceDataSeid(fSeid)

- 264 ELSE IF SENseidType(fSeid) INSET {tFile, tExtent)265 THEN STRUCT(TRUE. 512, 32768. 512, FCAfileSize(fSeid)-1)266 ELSE STRUCT(FALSE, 1, 255. 1 0); $(tTerminal)267 readResult rrl IS FCAvRead~locks(pSeld, od, blackNo, size, id);268 EXCEPTIONS269 EXCEPTIONSOF FCAvReadBlocks(pSeld, ad, blockNo, size, 1d);270 ASSERTIONS271 FCAopenTableExists(pSeld);272 EFFECTS273 rr - rrl;274 NOT d.addressable

- 275 0> 'FCAinputStream~fSeid)276 -VECTOR(FOR I FROM LENCTH(rrl.data) + 1277 TO LENGTH(FCAlnputStream(fSeld))278 :FCAInputStream(fSeld)(11);279280 OVFUN FCAwriteBlocks(seid pSeid; openDescriptor ad; INTEGER blockNo:

fmi.specs Page 6 Fri Mar 27 15.31:25 1981

281 VECTOR Or fileBlock vfb: asyncld Id)282 -> foStatus ios: $(FCAwriteBlocks)283 $(LR - needs asynchronous I/O)284 $(writes the contents of a vector of file blocks onto the object mentioned.285 the data must correspond to the parameters of the openable object.)286 DEFINITIONS287 seid fSeld IS FCAopenEntry(pSeid, od).openSeid;288 globalData fs IS FCAinfo(fSeid);289 secureEntityType type IS SENseldType(fSeid);290 deviceStruct d291 IS IF type - tDevice THEN deviceDataSeid(fSeid)292 ELSE IF type INSET {tFile, tExtent}293 THEN STRUCT(TRUE, 512, 32768. 512, FCAftleSize(fSeid))294 ELSE STRUCT(FALSE, 1. 255, 1 0):295 EXCEPTIONS296 KEfcaBadOd: FCAopenEntry(pSeid, od) - ?;297 KEfcaNotWritable: NOT oudrite INSET FCAopenEntry(pSeid, od).open~ode;298 KEfcaTermLocked: type - tTerminal AND NOT isCurrentPath(fSeid);299 KEfcaBadRequest:300 NOT LENGTH(vfb) INSET {d.minRequest .. d.maxRequest}301 OR (LENGTH(vfb) MOD d.modSize) -- 0;302 KEfcaBadBlockNo: NOT blockNo INSET {0 .. d.maxBlockNo};303 KEfcaOverflow: d.addressable AND type -= tFile304 AND blockNo + LENGTH(vfb) > d.maxBlockNo;305 EFFECTS306 ios - (SOME IoStatus Iosl I TRUE);307 EXISTS INTEGER sizel INSET {0 .. LENGTH(vtb)}308 : IF d.addressable309 THEN FORALL INTEGER I310 'FCAfileData(fSeld. I)311 - (IF NOT I INSET (blockNo .. blockNo + size! - 1)312 THEN FCAfileData(fSeId, I)313 ELSE vfb[i - blockNo + 11)314 ELSE 'FCAoutputStream(fSeld)315 - VECTOR(FOR I FROM I316 TO LENGTH(FCAoutputStream(fSeid ))+LENGTH(vfb)37 IF I <- LENGTH(vfb)318 THEN vfb[iJ[1]319 ELSE FCAoutputStream(fSeld)[i+LENGTH(vfb)]);320321 $(-..... general device manipulation322323 VFUN FCAvDeviceFunction(seid pSeid; openDescriptor od; IOfunction f;324 VECTOR OF INTEGER args; asyncld Id)325 -> ioStatus status; $(FCAvDeviceFunction)326 $(the purpose of this function is to return the value that FCAdeviceFunction327 would return if It were executed in a given state)328 $(the specification of this function is device-dependent, but may be329 filled in at a later time)330 DEFINITIONS331 seid dSeid IS FCAopenEntry(pSeid, od).openSeid;332 EXCEPTIONS333 KEfcaNotThere: FCAopenEntry(pSeid, od) - ?:334 KEfcaBadDevice: NOT SENseidType(dSeid) INSET (tDevice, tTerminal}:335 KEfcaNoOwner: TIIinfo(dSeid).owrer - TIIinfo(pSeld).owner;336 ASSERTIONS

fmi.specs Page 7 Fri Mar 27 15:31:25 1981

337 FCAopenTableExists(pSed):338 DERIVATION

- 339 SOME ioStatus ios I TRUE;340341 OVFUN FCAdeviceFunction(seid pSeid; openDescriptor od; IOfunction f;

- 342 VECTOR OF INTEGER args; asyncld Id)343 -> IoStatus status; $(FCAdeviceFunction)344 $(the specification of this function is device-dependent, but may be345 filled in at a later time)346 EXCEPTIONS347 EXCEPTIONS OF FCAvDeviceFunction(pSeid, od, f, args, Id);348 ASSERTIONS

- 349 FCAopenTableExists(pSeid);350 EFFECTS351 $(the state of the device somehow changes, and the result is returned via352 the Io status)353 status - FCAvDeviceFunction(pSeid, od, f, args, id);354 TRUE;355356 OFUN FCAterminalLock(seid pSeid, devSeid); $(FCAterminalLock)357 $(sets the current terminal in the group to be "devSeld". The requesting358 process must have the privilege to lock terminals)359 EXCEPTIONS360 KEfcaNotTerminal: SENseldType(devSeid) -- tTerminal;361 KEfcaNoPriv: NOT SMXhasPrIv(pSeid, privTerminalLock);362 KEfcaNotThere: FCAinfo(devSeid) - ?;

- 363 ASSERTIONS364 FCAopenTableExists(pSeid);365 EFFECTS366 LET terminalGroup t I devSeld INSET FCAterminalPathSet(c)367 IN *FCAcurrentPath(t) - devSeid;368369 $( - ------- mounting and unmounting operations

- 370371 OFUN FCAmount(seid pSeid, dev, leaf, root; BOOLEAN readOnly); $(FCAmount)372 $(performs the logical mounting of a file system from an extent. The

- 373 semantics are described in the general commentary in the FCA374 specification)375 DEFINITIONS376 fileSystem fileSys IS377 FCAextentToFIleSys(VECTOR(FOR i FROM 1 TO FCAfileSize(dev)378 FCAfileData(dev, i)),379 root);380 $(the file system produced by the data on the extent)381 fileSystemEntry fse(seid f) IS382 SOME fileSystelEntry fsel I fsel.fileSeld - f;

- 383 $(the entry in the file system with a given seld)384 EXCEPTIONS385 KEfcaBadPriv: NOT SMXhasPrIv(pSeId, privMount);386 KEfcaNoLeaf: FCAinfo(leaf) - ?387 OR NOT SXflow(pSeid, leaf. {daRead, daWrite}):388 KEfcaNoDev- FCAinfo(dev) a ?389 OR NOT SXflow(pSeId, dev, (daRead, daWrite}):

- 390 KEfcaBadDal: NOT SMXdap(pSeid, dev, {daWrite});391 KEfcaBadDa2: NOT SHXdap(pSeId, leaf, {daWrIte}):392 KEfcaNoFilel: SENseldType(leaf) "- tFile;

fmi.specs Page 8 Fri Mar 27 15-31:25 1981-

393 KEfcaNoFile2: SENseidType(root) -- tFile;,394 KEfcaNoExtent: SENseidType~leaf) -- tExtent;-395 KEfcalnUse:396 SENseldNsp( root) - SENseidNsp(FCArootSeid)397 OR (EXISTS seid devSeid398 SENseidNsp(FCAmountTable(devSed).rootSeid)399 - SFNseidNsp(root));400 KEfcaNoOwner: Tli nf o(pSei d). owner -- TIIInfo(dev).owner:401 KEfcaFileOpen: openCount(dev) > 0;402 KEfcaDevOpen: openCount(leaf) > 0!.403 RESOURCEERROR;404 ASSERTIONS405 FCAopenTableExists(pSeid);406 EFFECTS407 'FCAmountTable(dev)408 - STRUCT(leaf. root, readonly. Tllinfo(dev), FCAinfo(dev));409 'FCAinfo~dev) - ?410 FORALL INTEGER i: 'FCAfileData~dev, i) - ?411 'TIlinfo(dev) -412 FORALL seid f I fse(f) -- ?413 'FCAinfo(f) - fse~f).gl414 AND (FORALL INTEGER I INSET (I LENGTH~fsef).filelata)}415 :'FCAflleData(f. i - 1) -fse(f).fileData(J))

416 AND 'Tllinfo(f) - fse(f).tii;417418 OFUN FCAunmount~seld pSeid, devSeid); $(FCAunmount)419 $(performis logical unmounting of a file system. Restores the extent420 so that it can be accessed)421 DEFINITIONS422 mountTableEntry mte IS FCArnountTable(devSeid);-423 INTEGER fsNsp IS SENseidNsp(mte.rootSeid);424 fileSystem fs IS425 {fileSystemEntry fee426 1 LET said fSeid I SENseidNsp(fSeld) - fsNsp AND FCAinfo~fSeid) -?

427 IN fee - STRUCT(fSeid, FCAinfo(fSeid). Tllinfo(fSeid).428 VECTOR(FOR I FROM I TO FCAfileSize(fSeid)429 - FCAfileflata(fSeld, i - 1))430 $( the state of the file system to be unmounted)431 VECTOR OF fileBlock extData432 IS SOME VECTOR OF fileBlock vfb-433 1 FCAextentToFileSys(vfb,434 SOME said s435 1 EXISTS fileSystemEntry fee INSET fs436 a - fse.fileSeid)-437 -fs;

438 $(given the state of the file systez'. the extent that is equivalent to439 it)-440 EXCEPTIONS441 KEfcaBadPriv- NOT SMXhasPriv(pSeld, prlvMount);442 KEfcaNoDeviceT mte -?443 OR NOT SMXflow(pSeid, devSeid, {daRead, dawrite));444 KEfcaNoOwner: TIlinfo(pSeld).owner - TIIinfo(devSeld).owner;445 KEfcaBadfla: NOT SMXdap(pSeid, devSeid, fdaWrite));446 KEfca~penFiles:447 EXISTS seid fSeid I SENseidNsp(f Said) - fsNsp : openCount~fSeld) > 0;448 ASSERTIONS

- fmi-specs Page 9 Fri Mar 27 15731:25 1981

449 FCAopenTableExists (pSei d):- 450 EFFECTS

451 'FCAinfo(devSeid) - mte.devGL452 'TIIinfo(devSeid) - mte-devTii.453 FORALL INTEGER I INSET 0{. LENGTH~extData)}454 - 'FCAfileData~devSeld, i - 1) -extData~i];455 $(the device's state "comes back")456 FORALL seid fSeld I SENseidNsp(fSeid) - P sNsp457 'Tllinfo(fSeid) -=458 AND 'FCAirifo(fSeid) -?459 AND (FORALL INTEGER i 'FCAfileData(fSeid, 1)460 $(the state of all files on the file system "disappears")461462463 END-MODULE

ker.spereq Page I Fri Mar 27 15!31:55 198:

I S(' MQDULE- ker.specs (version 2.21)2 CONTENTrS: Kernel Calls3 TYPE- SPECIAL.specifications4 LAST CHA'NCED- 10/17/79, 18:56:315 )

678 MODULE ker91011 TYPES1213 $(fromi mac)14 vAddrType- (0 .. MACmaxVAddr),1516 $(from sm)17 nonDisType! STRUCT OF(18 INTEGER securityLevel; SET OF securityCat securityCatS;19 INTEGER integrityLevel:, SET-OF integrityCat integrityCatS);20 daType: SET _OF daMade;21 modeStruct: STRUCT OF~daType ownerMode, groupMode, allMode);22 tlStruct: STRUCT OF~nonDisType nd;23 modeftruct da, INTEGER owner, group: SET-OF privType priv);-2425 $(FROM pvm)26 virtualLocation:27 STRUCT OF(domainType domain; spaceType idSpace; vAddrTv~pe vAddr);28 globalData:29 STRUCT OF(BOOLEAN sharable, swappable, sticky, memAdvise, executable;30 direction growth);31 segStatus: STRUCT OF~globalData gl; INTEGER size);32 pBlock: STRUCTOF(virtualLocation vloc; INTEGER size);3334 $(FROM fca)35 fileStatus: STRUCT _OF(INTEGER nBlocks, linkCount, timeLastMod; seld subtype;36 BOOLEAN openForWrite, openAtCrash);37 asyncld: CHAR;-38 ioStatus: STRUCT OF(INTEGER devlndep, devDep):3940 $(from pro)41 piLevelType: (0 .. PROmaxPiLevel); $(pseudo interrupt level range)42 piEntryType: STRUCT OF(BOOLEAN pending;43 piLevelType oldPil:44 INTEGER oldPc;-45 INTEGER oldPs:46 INTEGER parameter;47 INTEGER newPc;48 INTEGER newPs);49 piVectorType! (VECTOR OF piEntryType piv I LENGTH(piv) -PROmaxPiLevel + I)-50 ipcqType- (VECTOR OF fpcMesaageType zz I LENGTH(zz) <- IPCmakxessageCount):51 ipcTaxtType- {VECTOR OF CHAR vc I LENGTH(vc) - IPCmax~essageLengthl:-52 Ipc-4essageType: STRUCT OF~seid sender; fpcTextType text);53 processStateType: STRUCT OF~seid self;54 seid parent;55 INTEGER family;56 INTEGER realUser:

ker-specs Page 2 Fri Mar 27 15!31:55 1981

57 INTEGER realGroup;58 INTEGER pc; $(programi counter)59 INTEGER ps; $(Processor status)60 piLevelType pil;61 piVectorType ply;

- 62 ipcqType ipcq;63 INTEGER advPrio; $(advisory priority)64 INTEGER timerAlari, $Cone-zero crossing ->pi)65 INTEGER supervisorTiming;66 INTEGER userTiming;67 BOOLEAN tiuTog): $(timer toggle TRUE Is ON)68

- 6970 EXTERNALREFS71

- 72 FROM mac:73 INTEGER MACmaxVAddr;7475 FROM4 smx:76 seid: DESIGNATOR;77 privType- (78 privFileUpdateStatus, privLink. privLockSeg.79 privModifyPriv. privflount,80 pri vSetLe vel. privStIckySeg. privTerminaiLock,81 privViolSimpSecurity, privViolStarSecurity,82 privViolSimplntegrity. privViolStarlntegrity,83 privViolDiscrAccess. privSignal, privWalkPTable,84 privHalt, privKernelCall, privViolCompartments,85 privRealizeExecPermissions)*:

- 86 daMode: (daRead, daWrIte, daExecute);87 securityCat: DESIGNATOR;88 integrityCat: DESIGNATOR;89 damainType: {userDomain, supervisorDomain}.

- 9091 FROM pvm:92 segDes: DESIGNATOR;

- 93 spaceType- {ISpace, dSpace};94 direction: {up. down):95 OVFUN PVMbuild(seld pSeld; segStatus ss; modeStruct mns; INTEGER size,96 virtualLocation vi)97 -> STRUCT 0F(seid segSeid; segDes segd) result;98 OVUN PVMdestroy(seld pSeid: segDes segd);99 VFUN PV~getSegmentStatus~seid pSeid, segSeld) -> segStatus st;

- 100 OFUN PVMsetSeginentStatus~seid pSeid, segSeid; segStatus at);101 OFUN PVMretmp(seid pSeid; segDes in; virtualLocation v1; daType da;102 BOOLEAN~ viFlg, daFlg; segDes out; INTEGER outSize;

- 103 BOOLEAN osFig);104 OVFUN PV.4rendezvous(seid pSefd, segSeid; virtualLocation vi: daType da)105 ->segDes segd;106107 FROM fca:108 openDescriptor: DESIGNATOR:109 openModes: {oinRead. om~rite, omExclusive);

- 110 10function: {rewind, etc};III OFUN FCAclose~seid pSeid; openflescriptor ad);112 OVFUN FCAcreate~seid pSeid, nspSeid; inodeStruct ma; openDescriptor atCap)

ker.specs Page 3 Fri Mar 27 15:31-55 1981

113 -> STRUCT OF(seid fSeld; openDescriptor ad) result:114 OVFUN FCAopen(seid pSeid, oSeid; SET OF openModes am: openDescriptor stCap)115 -> openDescriptor od;116 VFUN FCAgetFileStatus(seld pSeld, fSeid) -> fileStatus fat;117 OFUN FCAsetFileStatus(seid pSeid, fSeid; fileStatus nevfst);118-119 FROM fmi-120 OFUN FCAlink~seid pSeid. fSeid):121 OFUN FCAmount(seid pSeid, dev. leaf, root; BOOLEAN readOnly);122 OFUN FCAterzrlnalLock(seld pSeld. devSeid);123 OFUN FCAunlink(seid pSeid, fSeid);124 OFUN FCAunmount~seid pSeid, devSeid).125126127 FROM pro:128 INTEGER tPCmaxMessageCount;-129 INTEGER IPCmaxMessageLength;130 INTEGER PROmaxPiLevel;131 OVFUN PROfork(seid pSeid) -> seld childSeid;132 VFUN PROgetProcessStatus(seld pSeid, getSeld) ->procesaStateType pa:133 OFUN PROinterruptReturn~seid pSeid);134 OFUN PROInvoke(seid pSeid. immSeid; segDea arg);135 OFUN PROnap(seid pSeid; INTEGER timeOut);.136 OFUN PROpost~seid pSeid, receiver; BOOLEAN pseudolnt: IpcTextType msg)i137 OVFUN PROreceive~seid pSeid; INTEGER timeOut) -> ipcMeaaageType uiag;138 OFUN PROreleaseProc~seid pSeid. rSeid)t -

*139 OFUN PROserProcessStatus(seld pSeid, procSeid; procesaStateType pa);140 OFUN PROsignal~seid pSeld, procSeid; INTEGER sigVal);

*141 OVFUN PROspawn(seid pSeid, immSeid; aegfles arg) -> aid childSeid;,142 VFUN PROwalkProcesaTable(aeld pSeid; INTEGER n) ->seid rSeid:143144 FROM 1ev:145 VFUN LEVgetObjectLevel(seid pSeld, objSeid) -> tiiStruct level;

*146 OFUN LEVsetObjectLevel(seid pSeid, objSeid; tiiStruct level);147148 FROM spf:149 SPFfunctionType: {ayncSPF, lmmSegSPF, ayaHaltSPF, levelSetSPF};-

* 150*151 FROM pbl:

152 OFUN PBLdeviceFunction(seid pSeid; openDeacriptor od; lOfunction f;-153 pBlock arguments, statua; asyncld 1d);154 OVFUN PBLread~lock(aeld pSeid; openDescriptor ad: INTEGER blockNo:155 pBlock duFile; asyneld as)156 ->STRUCTOF(INTEGER byteaRead; IoStatua errat) reault:157 OFUN PBLpecalFunction(aeid pSeid; SPFfunctionType fn; pfllock parts);158 OFUN PBLwriteBlock~aeid pSeid; openDescriptor ad; INTEGER blockNo;159 p~iock duFtle; aayncld as):160161162 FUNCTIONS163-164 $(Visible Kernel Functiona in Alphabetical Order)165166 OVFUJ K bulld--.egment(segStatus as; modeStruct me;: INTEGER size;167 virtualLocation vl)168 (seid pSeidi -> STRUCT OF(seid segSeid: segDes aegd) result:

- ker.specs Page 4 Fri Mar 27 15:31:55 1981

169 S(K build segment)170 EXCEPTIONS

- 171 EXCEPTIONS OF PVMbuild(pSeid. as, ma, size, v1);172 EFFECTS173 result - EFFECTS-OF PVMbuild(pSeid, as, mis, size, vi):

- 174175 OFUN K close~openDescriptor od)[seid pSeid]; $(K close)176 EXCEPTIONS

- 177 EXCEPTIONS.OF FCAclose(pSeld, od);178 EFFECTS179 EFFECTS OF FCAcloae(pSeid, od);.180

- 181 OVFUN K create(seld nspSeid; modeStruct ma; openflescriptor stCap)(seid pSeidj182 -> STRUCT OF(seid fSeid: openDeacriptor ad) return; $CK -create)183 EXCEPTIONS

- 184 EXCEPTIONS-OF FCAcreate(pSeld. napSeid, ms, stCap):185 EFFECTS186 return - EFFECTS-OF FCAcreate(pSeid, nspSeid, ma. stCap);187

- 188 OFUN K _device _furction~openDescriptor od; IOfunction f;189 pBlock arguments, status; asyncld id)190 (seid pSeid]; $CK-device -function)191 EXCEPTIONS192 EXCEPTIONSOF PBLdeviceFunction~pSeid, ad. f, arguments, status, Id);193 EFFECTS194 EFFECTS OF PBLdeviceFunction(pSeid. ad, f, arguments, status, Id).

- 195196 OVFUN K forko~seid pSeid] -> acid childSeid; SOC-fork)197 EXCEPtIONS

- 198 EXCEPTIONS-OF PROfork(pSeid):199 EFFECTS200 childSeid - EFFECTSOF PROfork~pSeid);201 $("ChildSeld Is returned to the (original) process; pSeid (parent scid)

*202 Is returned to the newly created child")* 203

204 VFUN K get -file status~seid fSeid)[seid pSeid] -> fileStatus fat;- 205 $(X get f Ile _status)

206 EXCEPTIONS207 EXCEPTIONS OF FCAgetFileStatus(pSeid, fSeid);208 DERIVATION209 FCAgetFileStatus(pSeid, fSeid);210211 VFUN Kget _object-level(seid objeId)(seid pSeid] ->tiiStruct otii:

- 212 $CK_,get. object level)213 EXCEPTIONS214 EXCEPTIONS OF LEVgetObjectLevel(pSeid, objeid);

- 215 DERIVATION216 LEVgetObjectLevel(pSeid. objeid);217218 VFUN Kget _process-statua(seid getSeid)(seid pSeid] -> procesaStateType pa;219 $(K get-process status)220 EXCEPTIONS221 EXCEPTIONS -OF PROgetProceaStatue(pSaid. getSeid);,

- 222 DERIVATION223 PROgetProcessStatus(pSeid, getSeid);224

ker.specs Page 5 Fri Mar 27 15:31:55 1981

225 VFUN Kget segment status(seld segSeid)[seld pSeid] ->segStatus st;226 $(K get segment-status)227 EXCEPTIONS228 EXCEPTIONS -OF PVMgetSegmentStatus(pSeid, segSeld);229 DERIVATION230 PVMgetSegmentStatus(pSeld, segSeid);231232 OFUN K Interrupt returno~seid pSeid]; $(K Interrupt return)233 EXCEPTIONS234 EXCEPTIONS-_OF PROinterruptReturn~pSeid);235 EFFECTS236 EFFECTS OF PROinterruptReturn~pSeid);

* 237238 OFUN K invoke(seld immSeid; segDes arg)[seid pSeidi; $(K Invoke)239 EXCEPFTIONS

*240 EXCEPTIONS OF PROinvoke(pSeid, immSeid. arg);241 EFFECTS242 EFFECTS OF PROinvoke(pSeid. inunSeid, arg);243244 OFUN K link(seid fSeid)[seld pSeid]; $(K link)245 EXCEPTIONS246 EXCEPTIONS OF FCAlink(pSeid, fSeid);247 EFFECTS-248 EFFECTS OF FCAlink~pSeid. fSeid);249

*250 OFUN K-mount(aeid dcv, leaf, root; BOOLEAN readOnly)[seid pSeid]: $(K-mount)251 EXCEPTIONS252 EXCEPTIONSOF FCAmount(pSeid, dcv, leaf. root, readOnly);253 EFFECTS254 EFFECTS OF FCAmount(pSeld. dev, leaf, root, readOnly);255

.i256 OFUN K nap(INTEGER timOut)[seid pSeid]; $(K-nap)257 EXCEPTIONS258 EXCEPTIONS-OF PROnap(pSeid, timeOut);259 EFFECTS260 EFFECTS OF PROnap~pSeId, timeOut);261262 OVFUN Kopen(seid oSeid; SET 'OF openModes on; openDescriptor stCap)263 (acid pSeidi -> openDescriptor od; S(K-open)264 EXCEPTIONS-265 EXCEPTIONS-OF FCAopen(pSeid, oSeid, om, atCap);266 EFFECTS

*267 od - EFFECTS OF FCAopen(pSeId, oSeid, om, arCap);268 -269 OFUN Kpost(seid receiver; BOOLEAN pseudolnt; ipcTextType nsg)[seid pSeid];270 S(K post)271 EXCEPTIONS272 EXCEPTIONS-OF PROpost(pSeid, receiver, pseudolnt, mag);273 EFFECTS274 EFFECTS-OF PROpost(pSeid, receiver, pseudolnt, mug);275276 OVFUN K -read block(openDescriptor od; WNEGER blockNo; pBlock duFfle:277 asyncld as)[seid pSeid)278 -> STRUCT-_OF(INTEGER bytesRead; loStatus errat) result; $(K read-block)279 EXCEPTIONS280 EXCEPTIONS _OF PBLreadBlock(pSeid, od, blockNo, duFile, as);

- ker-specs Page 6 Fri Mar 27 15:31:55 1981

281 EFFECTS_ 282 result - EFFECTS-OF PBLreadBlock(pSeid, od. block~o, duFile, &a);

283284 OVFUN K receive(INTEGER timeOut)[seid pSeid] -> ipc~essagerype msg;285 $(K -receive)286 EXCEPTIONS287 EXCEPTIONS.-OF PROreceive(pSeid. timeOut).288 EFFECTS289 msg EFFECTS OF PROreceive(pSeid, time~ut);290291 OFUN K release process(seid rSeid)[seid pSeidi; $(K release process)292 EXCEPTIONS293 EXCEPTIONSOF PROreleaseProc(pSeid, r~eid);,294 EFFECTS295 EFFECTS OF PROreleaseProc(pSeid. rSeld);296297 OFUN K release segment(segDes segd)[seid pSeidi; $(Kirelease-segment)298 EXCEPTIONS299 EXCEPTIONS OF PVMdestroy(pSeId, segd):300 EFFECTS301 EFFECTS OF PVMdestroy(pSeld, segd);

33OFUN K -remap(segDes in: virtualLocation vi; daType da; BOOLEAN viFig, daFig;304 segDes out, INTEGER outSize; BOOLEAN osFlg)[seId pSeid];305 r(Kemap)306 EXCEPTIONS

- 307 EXCEPTIONSOF308 PVMremaP(pSeid, in, vi, da, viFig, daFig, out, outSize, osFig);309 EFFECTS

* ~ 3I EFFECTS OF311 PVMremap(pSeid. In, vi. da, viFlg, daFlg, out, outSize. osFig);

4; 312313 OVFUN K -rendezvous-segment(seld segSeid; virtualLocation vi: daType da)314 (seid pSeidi

*315 ->segfles segd: $(K-rendezvous-segment)316 EXCEPTIONS

S 317 EXCEPTIONS OF PVMrendezvous(pSeld. segSeid, vi, da);318 EFFECTS

*319 segd - EFFECTSOF PVMrendezvous(pSeid, segSeid, vi, da);__320

321 OFUN K-secure terminal _lock(seid devSeid)(seld pSeld];322 $(K secure terminal lock)323 EXCEPTIONS

- 324 EXCEPTIONS OF FCAtermina lLock(pSei d, devSeid);325 EFFECTS326 EFFECTS OF FCAterminalLock(pSeld, devSeid);

- 327328 OFIJN K set file -status~seid fSeid; fileStatus fat)[seid pSeld];329 $(K-set f Ile -status)330 EXCEPTIONS331 EXCEPTIONSOF FCAsetFileStatus(pSeld, fSeid, fat);

*332 EFFECTS333 EFFECTS-OF FCAsetFileStatus(pSeid. fSeid. fst);

- 334335 OFUN Kaet_ object -level(seid objeid; titStruct level)(seid pSeid!;336 $ (K-set _ob ject..level)

ker.specs Page 7 Fri Mar 27 15:31:55 1981

337 EXCEPTIONS338 EXCEPTIONS-OF LEVsetObjectLevel(pSeid, obiSeid. level):339 EFFECTS340 EFFECTS OF LEVsetObjectLevel(pSeid, objeid, level);341342 OFUN K _set process_ status(seid procSeld; processStateType ps)(seid pSeid];343 $(K set process-status)

344 EXCEPTIONS345 EXCEPTIONS-OF PROsetProcessStatus(pSeid, procSeid. pa):-346 EFFECTS347 EFFECTS-OF PROsetProcessStatus(pSeld, procSeid, ps);348349 OFUN K set segment status~seld segSeid; segStatus st)[seid pSeid];350 $(K set segment _status)351 EXCEPTIONS352 EXCEPTIONS OF PVMsetSegmentStatus(pSeid, segSeid, at);

-. 353 EFFECTS354 EFFECTS OF PVMsetSegmentStatus(pSeld, segSeid, at);355356 OFUN K signal~seid procSeid; INTEGER slgVal)[seid pSeid]; $(K signal)357 EXCEPTIONS358 EXCEPTIONS-OF PROsignal(pSeid, procSeid, sigVal);359 EFFECTS360 EFFECTS-OF PROsignal~pSeid, procSeid, sigVal):361362 OVFLJN K~ spawn(seid ImmrSeid; segDes arg)[seid pSeid] ->seid childSeld;363 $(K spawn)

*364 EXCEPTIONS365 EXCEPTIONS OF PROspawn(pSeid, immSeid. arg);366 EFFECTS367 childSeld - EFFECTSOF PROspawn(pSeid, inuSeid, arg);368369 OFUN K special .function(SPFfunctionType fn; p~lock parm)(seld pSeid]:370 $(K special function)371 EXCEPTIONS372 EXCEPTIONS--OF PBLspeclalFunction(pSeld, fn, parm);373 EFFECTS-

*374 EFFECTS-OF PBLapecialFunction(pSeid. fn, parm);375376 OFUN K unlink~seld fSeid)[seld pSeid]; $(K unlink)377 EXCEP TIONS378 EXCEPTIONS OF FCAunlink(pSeld, fSeid);379 EFFECTS380 EFFECTS-OF FCAunlink(pSeid, fSeid);381382 OFUN K unmount(seid devSeld)fseld pSeid]; $CK.unmount)383 EXCEPTIONS384 EXCEPTIONS OF FCAunmount(pSeid, devSeid);385 EFFECTS386 EFFECTS-OF FCAunmount(pSeid, devSeid);387388 VFUN K walk prcs table(INTEGER n)[seid pSeld] - seld rSeid;389 $(K walk process table)390 EXCEPTIONS391 EXCEPTIONS OF PROwalkProceseTable(pSeid,n);392 DERIVATION

ker-specs Page 8 Fri Mar 27 15-31!55 1981

393 PROwalkProcessTable(pSeid, n);394395 OFUN K write block~openDescriptor ad; INTEGER blockNo; pBlock duFile;

396 asyncld id)(seid pSeid]; $(K write block)397 EXCEPTIONS

-t 398 EXCEPTIONS-OF PBLwriteBlock(pSeid, ad, blockNo, duFile, id);399 EFFECTS400 EFFECTS OF PBLwriteBlock(pSeid. ad, blockNo. duFtle. id);401402403 END MODULE

lev.specs Page I Fri Mar 27 15"32"17 1981

1 $(" MODULE: lev.specs (version 2.3)2 CONTENTS- System Levels3 TYPE- SPECIAL specifications4 LAST CHANGED- 7/17/79 15-04:045 ")678 MODULE lev91011 $( This module enables the centralization of the get and set level operations12 for all modules. Each module maintains the type-independent operation13 of its own objects, and applies certain conditions to the getting and14 setting of this information. However, there is only one kernel operation15 for getting levels, and one for setting levels, of all objects. The16 operations are combined in this module)1718 TYPES1920 $(rom sm)

21 nonDisType: STRUCT OF(22 INTi.GER securityLevel ; SET OF securityCat securityCatS :

23 INTEGER IntegrItyLevel. SET OF integrityCat integrityCatS): .24 daType: SET OF daMode;25 modeStruct: STRUCT OF(daType ownerMode, groupMode, allMode);26 tiiStruct: STRUCT. OF(nonDisType nd; modeStruct da; INTEGER owner, group;27 SET OF prlvType priv);2829 $ (FROM pvm)30 globalData: No31 STRUCT OF(BOOLEAN sharable, swappable, sticky, memAdvise, executable;32 direction growth);3334 $(FROM fca)35 openFileEntry: STRUCT.OF(seid openSeld; SET-OF opern(odes openMode):363738 EXTERNALREFS3940 FROM sum:41 seid: DESIGNATOR:42 secureEntityType: {tFile, tDevice, tTerminal, tProcess, tSegment, tSubtype.43 tExtent, tNull);44 securityCat: DESIGNATOR; W

45 IntegrityCat: DESIGNATOR;46 daMode: (daRead, daWrite, daExecute);47 prtvType: (48 prtvFileUpdateStatus, privLink, pri vLockSeg,49 prlvModifyPriv. privMount,50 privSetLevel, privStlckySeg, privTerminalLock.51 privVIolSimpSecurity. privVlolStarSecurlty,52 privViolSi mplntegrity, pri vViolStarlntegrity,53 privVio.DiscrAccess, privSlgnal, privWalkPTable.54 privHalt, privKernelCall, prlvViolCompartments,55 privRealizeExecPermsatons};56 VFUN SENseidType(seid s) -> secureEntityType set:

lev-specs Page 2 Fri Mar 27 15:32:17 1981

57 VFUN TllgetEntityLevel(seid pSeld, oSeld) -> tiiStruct ntli:58 OFUN TIlsetEnitryLevel~seld pSeid. oSeid: tIlStruct ntii);5960 FROM pvm:61 direction- {up. downl:

- 62 VFUN SEGinstancelnfo(seid s) -> globalData gi;6364 FROM fca:65 openDescriptor: DESIGNATOR:66 openModes! {ornRead, omr~rite, omExclusivel;67 VFUN FCAopenEritry~seid pSeid; openDescriptor od) ->operiFileEntry oe:

- 686970 FUNCTIONS71

- 72 VFUN LEVgetObjectLevel(seid pSeid, oSeid) ->tllSrruct otil,73 EXCEPTIONS74 EXCEPTIONS _OF TIlgetEntityLevel(pSeld, oSeid);75 DERIVATION

*76 TIlgetEntltyLevel(pSeld. oSeld):7778 OFUN LEVsetObjectLevel(seid pSeici, oSeld; ttiStruct otiH);79 $(LEVsetObjec tLevel)30 DEFINITIONS81 secureEntltyType type IS SENseidType(oSeld):82 EXCEPTIONS

r83 EXCEPTIONS-OF TllsetEntityLevel(pSeld, oSeid, otfi):84 KElevSegEx: type -tSegment AND SEGinstancelnfo(oSeid).sharable -TRUE:85 KElevFilEx:86 type INSET {tFile, tDevice, tSubtype, tTerminal, tExtenci87 AND, (EXISTS seid pSedil: openDescrlptor od

*88 FCAopenEntry(pSeld. od).openSeld - oSeid);89 EFFECTS90 EFFECTS-OF TllsetEntityLevel(pSeid, oSeld, otii);91

* 9293 END MODULE

79

mac.specs Page I Fri Mar 27 15:32"38 1981

1 SW" MODULE: mac.specs (version 2.4)2 CONTENTS: Machine3 TYPE- SPECIAL.specifications4 LAST CHANGED* 6/24/79 19:31:125 ')678 MODULE mac9

10 PARAMETERS1112 INTEGER MACmaxVAddr, $( maximum virtual address, also maximum segment size13 2'16 - I on PDP-11/70)14 MACmaxOffset, $( maximum offset component of virtual address,15 2-13 - I on PDP-11/70)16 MACmaxReg; $( maximum memory mapping register address, seven on17 PDP-11/70)181920 ASSERTIONS21

22 MACmaxVAddr > 0; MACmaxOffset > 0: MACmaxReg > 0:23 MACmaxVAddr + I = (MACmaxOffset + 1) * (MACmaxReg + 1);24

2526 FUNCTIONS2728 VFUN MACclock() -> INTEGER time:29 $( integer that representr real time)30 INITIALLY TRUE-

,j. 3132 OFUN MACclocklncremento:33 $( invlked continuously by a separate abstract process - the system clock)34 EFFECTS35 'MACclock() " MACclock() + 1;363738 END MODULE

pbl.specs Page 1 Fri Mar 27 15"33:01 1981

I $(" MODULE. pbl.specs (version 2.7)2 CONTENTS- Parameter Block Functions3 TYPE- SPECIAL specifications4 LAST CHANGED: 10/12/79, 14:18:285 ")678 MODULE pbl910 $( This module specifies the action of getting arguments or putting results11 of operations into the virtual memory of a process. The part of

12 virtual memory so manipulated is called a parameter block. The need13 for parameter blocks comes about when the length of the data is not14 constant for all invocations of a given operation.1516 To make specifications more readable, all parameter block operations are17 specified in two parts. The basic functionality of an operation is18 specified in the module to whose object the operation refers. e.g.,19 the basic specification of readBlock comes from the fml module. The20 parameter block manipulation, along with appropriate data conversion,21 is specified here. This decomposition removes the issue of parameter22 blocks from the basic specification of already complicated operations.23 The parameter block manipulation becomes simple once Isolated here.)242526 TYPES2728 $(from mac)29 vAddrType: {0 .. MACmaxVAddr};3031 $(from pvm)32 virtualLocation-33 STRUCT OF(domainType domain; spaceType idSpace: vAddrType vAddr);

34 pBlock: STRUCT OF(virtualLocatlon vloc; INTEGER size);3536 $(from fca)37 asyncld CHAR;38 fileStatus: STRUCTOF(INTEGER nBlocks, linkCount, timeLastMod; seld subtype:39 BOOLEAN openAtCrash):40 ioStatus: STRUCT OF(INTEGER devDep, devlnd);41 fileBlock: VECTOR OF CHAR;42 readResult: STRUCTOF(VECTOROF fileBlock data; ioStatus errst);4344 $(from spf)45 SPFargs: VECTOR OF INTEGER;464748 EXTERNALREFS4950 FROM mac:

51 INTEGER MACmaxVAddr;5253 FROM ssx:54 seld: DESIGNATOR;55 domainType: (userDomain, supervlsorDomain};56

pbl.specs Page 2 Fri Mar 27 15!33:01 1981

57 FROM pvm:58 spaceType: fispace. dSpacej:59 OFUN PVMstore(seid pSeid: pBlock block: VEC71R_-OF INTEGER vec);60 VFUN PVMretrleve~seid pSeid; pBlack block) -> VECTOROF INTEGER vec;6162 FROM fca:-63 openDescriptar: DESIGNATOR:64 lOfunction. (rewind, etc);65

- 66 FROM Erni:67 VFUN FCAvDeviceFunction(seid pSeid. openflescriptor ad; IOfunction f;

- 68 sau; VECTOR-OF INTEGER args; asyncld 1d)69 iotts tts

70 OVFUN FCAdeviceFunction~seid pSeid; openflescriptor ad; l0function f;71 VECTOR OF INTEGER args; asyncld 1d)

-. 72 -> ioStatus status;73 VFUN FCAvReadBlocks(seid pSeid; openDescriptor ad; INTEGER blockNo, size,74 asyncld as) -> readResult rr;75 OVFUN FCAreadBlacks~seid pSeid; openDescriptor ad; INTEGER blockNa, size;76 asyncld as) -> readResult rr;77 OVFU N FCAwriteBlocks~seid pSeid; apenDescriptor ad; INTEGER blackNo;

*78 VECTOR-OF fileBlack vfb: asyncld id) -> ioStatus jas:.7980 FROM spf:81 SPFfunctlanType. {syncSPF. ImmSegSPF. sysHaltSPF, levelSetSPF};82 OFUN SPFspecialFunction(seid pSeid; SPFfunctianType fn, SPFargs args):.838485 ASSERTIONS8687 FORALL VECTOR OF fileBlock vfb88 : PBLwardsToBlacks(PBLblocksTaWards~vfb)) -vfb;

* 89* - 90

91 FUNCTIONS9293 $( - - - - - data conversion functions - -- -- -- )9495 VFLJN PBLIoStatTaVec CiaStatus los) -> VECTOROF INTEGER v1;96 HIDDEN:

- 97 INITIALLY vi -?

9899 VFUN PBLblocksToWordsCVECTOROF fileBlock vfb) -> VECTOR-OF INTEGER vi;

- 100 HIDDEN;101 INITIALLY vi -- ?102103 VFUN PBLwordsToBlocks (VECTOROF INTFGER vi) -> VECTOROF fileBlock vfb;104 HIDDEN:105 DERIVATION SOME VECTOR OF fileBlock vfbl I PBLblocksToWords(vfbl) - vi:106107 C-----------operations-- -- --

108109 OFUN PBLdeviceFunction(seid pSeid; openDescriptar ad: IOfunction f:

- 110 pBlack arguments, status. asyncId 1d);III $ (PELdeviceFunct ion)112 DEFINITIONS

pbl.specs Page 3 Fri Mar 27 15-33:01 1981-

113 VECTOR OP INTEGER Inargs IS PV~retrieve(pSeid, arguments);114 ioStatus st IS FCAvDeviceFunction(pSeid, ad. f. 1nargs, 1d),115 VECTOR OF INTEGER result IS PBLiaStatToVec(st):116 EXCEPTIONS117 EXCEPTIONS _OF PVMretrieve(pSeid, arguments);118 EXCEPTIONS OF FCAdeviceFunction~pSeld. ad, f. inargs, 1d);119 EXCEPTIONS-OF PVMstore(pSeid, status, result);120 EFFECTS121 EFFECTS OF PVMstore~pSeid, status, result);

*122 st -EFFECTS OF FCAdeviceFunction(PSeld, ad, f. Inargs, 1d):123124 OVFUN PBLreadBlock(seld pSeid; openDescriptor od; INTEGER blockNo;125 pBlack duFile; asyncld as)126 -> STRUCT OF(INTEGER bytesRead; ioStatus errst) result; $CPBLreadBlock)127 DEFINITIONS128 readResult rr IS FCAvReadBlocks~pSeid, ad, block,7o. duFile.size, as);129 VECTOR OF INTEGER intData IS PBLblocksToWords~rr.data);130 EXCEPTIONS131 EXCEPTIONS OF FCAreadBlocks(pSeid, ad, blockNa, duFile.size, as):132 EXCEPTIONS-OF PVMstore~pSeid, duFile, intData):133 EFFECTS134 result - STRUCT(LENGTlHintData), rr.errst):135 EFFECTS-_OF PVMstore(pSeid, duFile, IntData);

* 136137 OFUN PBLspecialFunction~seid pSeid; SPFfunctionType fin; pBlock parni).138 $ (PBLspecialFunction) _

*139 DEFINITIONS140 SPFargs args IS PVMretrleve(pSeid, parm);

*141 EXCEPTIONS*142 EXCEPTIONS OF PVMretrieve(pSeid. parm);

143 EXCEPTIONS OF SPFspecialFunction~pSeid, fn, arga);144 EFFECTS145 EFFECTS OF SPFspecialFunction~pSeld. fin, args);

* 146147 OVFUN PBLwrlteBlock(seld pSeid; apenDescriptor ad; INTEGER blockNo;148 pBlock duFile: asyncld 1d) -> ic~.tatus ias;149 DFNTOS$(PBLwriteBlock)

151 VECTOR OF file~lock vfb IS PBLwordsToBlocks(PVMretrleve(pSeid, duFlle));* 152 EXCEPTIONS-

153 EXCEPTIONS OF PVMretrlevie(pSeid, duFfle);154 EXCEPTIONS-OF FCAwriteBlocks~pSeid, ad, blackNo, vfb, id);155 EFFECTS156 las - EFFECTS-OF FCAwrlteBlocks~pSeid, ad, blackio, vfb, 1d);157158 END MODULE

pro.specs Page I Fri Mar 27 15"33"31 1981

I $(" MODULE pro.specs (version 2.11'

2 CONTENTS- Process Operators

3 TYPE SPECIAL.specificat ions4 LAST CHANGED- 7/17/79, 15-08:33

5 ")- 6

78 MODULE pro

_ 910 $( this module now contains the material which was formerly in

11 the pro. ipc and pst modules)12

- 13 TYPES14

15 $(types supporting pseudo interrupts)

16 piLevelType: IPROminPiLevel .. PROmaxPiLevell: $(pseudo Interrupt level range)

17 piEntryType" STRUCT OF(BOOLEAI pending:18 piLevelType oldPil;19 INTEGER oldPc;20 INTEGER oldPs:21 INTEGER parameter;22 INTEGER newPc;23 INTEGER newPs)*,24 piVectorType: {VECTOR OF piEntryType ply I25 LENGTH(piv) - PROmaxPiLevel-PROminPiLevel}:2627 $(types supporting ipc)

28 ipcqType" {VECTOR OF ipcMessageType zz I LENGTHi(zz) <- IPCmaxMessageCount};29 ipcMessageType: STRUCT OF(seld sender; IpcTextType text);

30 ipcTextType: (VECTOR OF CHAR vc I LENGTIH(vc) - IPCmaxMessageLength};31 pendingType: STRUCT OF(BOOLEAN flag; INTEGER time);3233 $(structure of process status information)34 processStateType: STRUCTOF(seid self;35 seid parent;36 INTEGER family;37 INTEGER realUser;38 INTEGER realGroup,39 INTEGER pc; $(program counter)40 INTEGER ps; $(processor status)

41 piLevelType pll

42 piVectorType piv:

43 ipcqType ipcq;

- 44 INTEGER advPrio; $(advisory priority)45 INTEGER timerAlarm: $(one-zero crossing m> pi)

46 INTEGER supervisorTiming:47 INTEGER userTiming;

48 BOOLEAN timTog)" $(timer toggle TRUE is ON)49

50 S(from smx)51 nonDisType: STRUCT OF(

52 INTEGER securityLevel. SET OF securityCat securityCatS:53 INTEGER IntegrityLevel; SET__OF IntegrityCat IntegrityCatS):

- 54 daType: SET OF daMode;55 mdeStruct: STRUCT OF(daType ownerMode. groupMode. allMode);56 tIiS,.ruct" STRUCT OF(nonDisType nd:

pro.specs Page 2 Fri Mar 27 15"33!31 1981

57 modeStruct da; INTEGER owner, group; SET.OF prIvType priv);585960 PARAMETERS6162 INTEGER PROmaxProcessCount:6364 INTEGER PROminPiLevel: $(most interruptable pseudo interrupt level)65 INTEGER PROmaxPILevel: $(least interruptable pseudo interrupt level)66 INTEGER piZero,piIPC,piTimerpiSignal,piHardwareFault;67 $(defined pseudo interrupt levels)6869 INTEGER IPCmaxMessageCount; $(maximum number of Ipc messages per process)70 INTEGER IPCmaxMessageLength; $(maximum number of characters per ipc message)71 IpcMessageType tlmeoutMessage; $(distinguished message returned when K. recelve72 is satisfied by its timeout)7374 INTEGER newPc, $(program counter for process invocation and spawning.75 probably 0)76 newPs: $(processor state for process invocation and spawning.77 probably 050000 octal)7879 seid processExampleSeid; $(any seid with the tProcess nsp)80 piVectorType emptyPiv; $(used for state initialization)81 ipcqType emptyIpcq; $( ... )828384 DEFINITIONS8586 BOOLEAN processExists(seid pSeid) IS PSTprocessState(pSeid) -?:

87 seid newProcessSeid IS $(the process seid generation algorithm)88 SENmakeSeld(processExampleSeid, SOME INTEGER i I EXISTS seld s89 SENseidType(s) - tProcess90 AND SENseidIndex(s) - i91 AND NOT processExists(s)),

92 INTEGER processCount IS93 CARDINALITY({INTEGER i I PSTprocessSlot(i) -- ?});94 INTEGER emprySlot IS SOME INTEGER i I I INSET { .. PROmaxProcessCount}95 AND PSTprocessSlot(i) - ?;969798 EXTERNALREFS99

100 FROM mac"101 VFLtN MACclock() -> INTEGER time;102103 FROM snu:104 seid: DESIGNATOR:105 secureEntityType: {tFile. tDevIce, tTerminal, tProcess, tSegment,106 tSubtype. tExtent, tNull};107 prIvType: {108 privFileUpdateStatus, privLink, privLockSeg.109 privModIfyPriv. privMount,110 prIvSetFi leLevel. prIvSetSegProcLevel,III prIvStickySeg, privTerminalLock,112 prlvViolSimpSecurity. privViolStarSecurity,

pro.specs Page 3 Fri Mar 27 15:33:31 1981

113 privViolSimplntegrity, privViolStarlntegrity,114 privViolDiscrAccess, privSignal. privWalkPTable.

- 115 privHalt. privKernelCall, prlvViolCompartments.116 privRealizeExecPermissions}:

*117 daMode- {daRead, daWrite. daExecutel,118 securityCat: DESIGNATOR;119 integrityCat: DESIGNATOR:120 VFUN SENseidlndex(seld s) ->INTEGER index;121 VFUN SENseidType~seid s) '>secureEntityType t;122 VFUN SENrnakeSeid(seld exampleSeld; INTEGER index) -> seid rSeid;123 VFUN SMXhasPriv(seid pSeid; privType priv) ->BOOLEAN b-,124 VFUN SMXflow~seid pSeid, oSeid; daType da) ->BOOLEAN b:

- 125 VFUN SMXdap~seld pSeid. oSeid: daType da) ->BOOLEAN b;126 VFUN TllgetEntityLevel(seid pSeid, oSeid) ->tIlStruct. otii;127 VFUN TlIInfo~seid s) -> tiiStruct ti;

4-- 128 OFUN TllsetEntityLevel(seld pSeld, oSled; tiiStruct ntii);129130 FROM pvm:

*131 segDes: DESIGNATOR.132133 FROM pvp:134 OFUN PVPforkSupport~seld parent, child);

* - 135 OFUN PVPinvokeSupport(seid pSeid. ininSeid; segfles arg);136 OFUN PVPspawnSupport~seid parent, child, In~eid: segDes arg):137 OFUN PVPreleaseProcessSupport(seid pSeid);138139 FROM fca:140 OFUN FCAcreateOpenTable(seid pSeid): $(spawn support)141 OFUN FCAcloseAll(seid pSeid): $(Invoke support)142

*143 FROM fmlP144 OFUN FMlforkSupport(seld parent, child);145 OFUN FMlreleaseSupport~seid pSeid);146147148 ASSERTIONS149 PROmiriPiLevel <- piZero: piZero < piIPC: piIPC < piTimer; piTimer < piSignal;150 piSignal < piHardwareFault; piHardwareFault (- PROmaxPiLevel1:151 $( ordering of defined pseudo interrupt levels)152 SENseidType~processExampleSeid) - tProcess:153 $CprocessExampleSeld Is an example of a process seid)154 FORALL INTEGER I INSET {PROminPiLevel .. PROmaxPiLevel}155 en'ptyPIv[i] - STRUCTCFALSE.1,..,O,O.O): $(definiition of empty piy)

- 156 LENGTH(emptylpcq) - 0; $(emptylpcq is in fact empty)157 processCount <- PROmaxProcesaCount; $(there are never too many processes)158159160 FUNCTIONS

* 161162 $(------------ -- ----process state functions)

- 163164 VFUN PSTprocessState~seid pSeid) -> processStateType. ps;165 HIDDEN;

- 166 INITIALLY pa - ?167168 VFUN PSTprocessSlot(INTEGER n) -> soid pa;


169 HIDDEN:170 INITIALLY ps =?:171172 $( ----------- support for K walk process table ........ )

173174 VFUN PROwalkProcessTable(seid pSeid; INTEGER n) -> seid rSeid:175 EXCEPTIONS176 KEproNoPriv: NOT privWalkPTable INSET TIIinfo(pSeid).priv:177 KEproBadSlot: NOT n+l INSET {I .. PROmaxProcessCount}:178 DERIVATION179 PSTprocessSlot(n);180181 $( support for K nap -- ...- )

182183 VFUN PSTtmeOfNap(seid pSeid) -> INTEGER time;184 HIDDEN;185 INITIALLY time = -186187 OFUN PROnap(seid pSeld; INTEGER tireout);188 DELAY WITH 'PSTtimeOfNap(pSeid) - MACclocko;189 UNTIL MACclock() >- PSTtimeOfNap(pSeid) + timeout;190191 $( ---- support for pseudo interrupts: K signal and K interruptReturn--)192193 OFUN PROsignal(seid sender, receiver: INTEGER signalName);194 DEFINITIONS195 piEntryType receiversSignalEntry()196 IS PSTprocessState(receiver).piv(piSignal];197 EXCEPTIONS198 KEproNoPriv: NOT SMXhasPriv(sender, privSignal): ,199 KEproNoAccess: NOT (processExists(receiver)200 AND SMXflow(sender, receiver. {daWrIte,daRead}));201 KEproUninterruptable: NOT PSTprocessState(receiver).pil > piSignal:202 $(If fails, try once again after a short timeout)203 ASSERTIONS204 processExists(sender):205 EFFECTS206 "receiversSignalEntryo.pending - TRUE;207 receiversSignalEntryo.parameter - signalName;208 $(PROBLEMS209 Design requires that Ksignal interrupt long kernel calls. How is this210 this to be done?)211212 OFUN PROinterruptReturn(seid pSeid);213 $(emulates rti instruction. Uses pseudo interrupt vector entry associated214 with current level and restores pc, ps, and pil to their "old" values)215 DEFINITIONS216 piEntryType currentInterruptEntry217 IS PSTprocessState(pSeld).piv(PSTprocessState(pSeid).pil];218 EFFECTS219 "PSTprocessState(pSeid).pc - currentlnterruptEntry.oldPc;220 'PSTprocessState(pSeid).ps - currentlnterruptEntry.oldPs;221 *PSTprocessState(pSeid).pil - currentlnterruptEntry.oldPil;222223 $( support for ipe: Kpost and K_recelve ....- )224


225 OFUN PROpost(seid senderreceiver; BOOLEAN postPseudolnterrupt;226 ipcTextType text);

- 227 $(Detects security violation and overflow. Appends message to the tail of228 the receivers ipcq. Posts pseudo interrupt in the receiver if requested229 and if receiver has no pending receive)

- 230 DEFINITIONS231 VECTOR OF ipcMessageType queue() IS PSTprocessState(receiver).ipcq;232 INTEGER qLength IS LENGTH(queueo):-33 EXCEPTIONS234 KEproNoReceiver: NOT (processExists(receiver)235 AND SMXflow(sender, receiver, {daWrite})):236 KEprolpcOverf low: (1+qLength) > IPCmaxMessageCount;

- 237 ASSERTIONS238 processExists(sender):239 LENGTH(text) <- IPCmaxMessageLength;240 EFFECTS241 $(append new message to receivers queue)242 "queueo)VECTOR (FOR I FROM 1 TO 1+qLength243 IF i <- qLength THEN queueo[i] ELSE STRUCT(sender,text));244 $(post ipc pseudo interrupt if required and if receiver has no pending245 read)246 postPseudoInterrupt AND NOT PSTreceivePending(receiver).flag

* _ 247 > 'PSTprocessState(receiver).piv[piIPC].pending - TRUE:248249 VFUN PSTreceivePending(seld pSeid) -> pendingType r;250 HIDDEN:251 INITIALLY r.flag - FALSE AND r.time - 0;252253 OVFUN PROreceive(seid pSeld; INTEGER timeout) -> ipcMessageType msg;

- 254 $(Returns the Ipc message at the head of the queue if one exists or arrives255 before the expiration of timeout. Otherwise returns a distinguished Ipc256 message signifying timeout)257 DEFINITIONS258 VECTOR OF ipcMessageType queue() IS PSTprocessState(pSeid).ipcq;259 INTEGER qLength IS LENGTH(queueo));260 pendingType pending() IS PSTreceivePending(pSeid);

- 261 DELAY WITH 'pendingo.flag - TRUE; "pendingo.tlme - MACclockC):262 UNTIL qLength > 0 OR MACclock() >- pendingc).time + timeout;263 EFFECTS

- 264 IF qLength > 0 THEN msg - queue)[Ol ELSE msg = timeoutMessage;265 queue() - VECTOR( FOR I FROM I TO qLength-1 queueo[1+1]);266 "pendingo).flag = FALSE;267

- 268 $( support for Kfork ......- )

269270 OVFUN PROfork(seld parent) -> seid child;271 DEFINITIONS272 processStateType p IS PSTprocessState(parent);273 seid c IS newProcessSeid;274 EXCEPTIONS275 KEproTooManyProcesses: processCount+l > PROmaxProcessCount;276 EXCEPTIONS OF FMIforkSupport(parent, c);277 EXCEPTIONS OF PVPforkSupport(parent, c);278 EFFECTS279 child - c;280 'PSTprocessSlot(emptySlot) = child;


281 'PSTprocessState(child) - STRUCT(child,parent.p.family,282 p.realUser, p.realGroup, p.pc. p.ps, PROmaxPiLevel.283 emptyPiv, emptylpcq. p.advPrio, 0, 0. 0. FALSE);284 $(this assertion specifies the initial tdi state of a forked child)285 "TIlinfo(child) - TIlinfo(parent):286 $(this assertion specifies the initial tii state of a forked child) -

287 EFFECTS _OF FMIforkSupport(parent, child); $(provide and copy pofv)288 EFFECTSOF PVPforkSupport(parent, child): $(provide virtual memory)289290 $( support for K invoke ..... )

291292 OFUN PROinvoke(seld pSeid, 1-Seid; segDes arg);293 DEFINITIONS294 processStateType p IS PSTprocessState(pSeid);295 tiiStruct pt IS TIItnfo(pSeid):296 EXCEPTIONS297 EXCEPTIONS OF PVPinvokeSupport(pSeld, immSeid, arg);298 ASSERTIONS299 processExists(pSeld):300 EFFECTS301 'PSTprocessState(pSeid) - STRUCT(p.self, p.parent. p.famlly,302 p.realUser, p.realGroup. newPc, newPs.303 p.pil, emptyPiv, emptyIpcq, p.advPrIo, 0, 0. 0, FALSE):304 $(assertion defines the initial process state of the invoked intermed.)305 'TIIinfo(pSeid) - STRUCT(pt.nd, pt.da, pt.owner, pt.group,306 TIlinfo(inmmSeid).priv),307 $(this is how the post-invoke process gets the Intermeds privileges)308 EFFECTS-OF PVPinvokeSupport(pSeid, immSetd, arg); $(redo virtual memory)309310 $( ----------- support for K-spawn --- - ) 311312 OVFUN PROspawn(seid parent, immSeid; segDes arg) -> seid child;313 DEFINITIONS314 processStateType p IS PSTprocessState(parent);315 tilStruct pt IS TIIInfo(parent);316 seid c IS newProcessSeid;317 EXCEPTIONS318 KEproTooManyProcesses: processCount+1 > PROmaxProcessCount:319 EXCEPTIONS OF PVPspawnSupport(parent, c, ImSeld. arg);320 EXCEPTIONSOF FCAcreateOpenTable(parent):321 ASSERTIONS322 processExists(parent);323 EFFECTS324 child - c;325 'PSTprocessSlot(emptySlot) - child;326 'PSTprocessState(child) - STRUCT(parent, child, p.family,327 p.realUser. p.realGroup. newPc, newPs. PROmaxPILevel,328 emptyPiv. emptylpcq, p.advPrio, 0, 0, 0, FALSE);329 $(the process state of the newly spawned intermediary)330 'Tllinfo(child) - STRUCT(pt.nd, pt.da, pt.owner, pt.group.331 TllInfo(ImmSeid).prIv);332 $(post-spawn child acquires intermediatarys privileges)333 EFFECTS OF PVPspawnSupport(parent, child, immSeid, arg): $(create vm)334 EFFECTS-OF FCAcreateOpenTable(child); $(create pofv) -

335336 $( -------- support for K release process ----- .)

*0 pro.specs Page 7 Fri Mar 27 15:33:31 1981

337338 OFUN PROreleaseProcess(seid PSeid, rSeid):

%V 339 $(Typically a process will release itself and pSeidurSeld. However this340 Is not treated as a special case.)341 EXCEPTIONS342 KEproNoRelease: NOT processExists(rSeid)343 OR NOT (Tllinfo~rSeld).owner - TIlinfo(pSeid).owner344 OR privSetSeg~rocLevel INSET Tllinfo(pSeld).priv):

__ 345 ASSERTIONS346 processExists(pSeld);347 EFFECTS348 'PSTprocessSlot(SOME INTEGER i I PSTprocessSlot(I) -rSeid) ?349 'PSTprocessState(rSeid)350 'TIIInfo(rSeId) -?,351 EFFECTS.OF M~releaseSupport(rSeid);352 EFFECTS.OF PVPreleaseProcessSupport(rSeid);353

354 $( status getting and setting-- -- -

356 VFUN PROgetProcessStatus(seid pSeid, oSeid) -> procesaStateType ps;357 EXCEPTIONS358 KEproNoProcess: NOT processExlsts(oSeid)

-w 359 OR NOT SMXflow(pSeId, oSeid, {daRead));360 ASSERTIONS

* 361 proc 'ssExists(pSeld):*362 DERIVATION*363 PSTprocessState(oSeid);

364365 OFUN PROsetProcessStatus(seid pSeld, oSeld: procesaStateType n):

S 366 DEFINITIONS367 procesaStateType o IS PSTprocess~tate(oSeid):368 EXCEPTIONS

_ 369 KEproNoProcess: NOT processExista~oSeid)370 OR NOT SMXflow(pSeid, oSeid, {daurite));371 ASSERTIONS372 processExists(pSeid):373 EFFECTS374 'PSTprocesaState(oSeid) - STRUCT(o-self, o-parent, nafamily,375 n-realUser. n-realGroup, n-pc, n.pe, n.pIl. n.pIv, n.ipcq,

S 376 n-advPrIo, n.timerAlarm. o.supervisorTIming, o-userTiming,377 n.tiuiTog);378379

S 380 ENDMODULE

mWI

pvm.specs Page 1 Fri Mar 27 15"34"01 1981

I $(t MODULE! pvm.specs (version 2.37)2 CONTENTS: Virtual Memory3 TYPE: SPECIAL.specifications4 LAST CHANGED- 10/12/79. 10-30.48

678 MODULE pvm9

10 $( this module now contains the contents of what was the seg and pvm modules)1112 TYPES1314 $(FROM mac)15 vAddrType- (0 .. MACusxVAddr};1617 $(FROM sm)18 daType: SET OF daMode;19 modeStruct: STRUCTOF(daType ownerMode. groupMode, allMode):20 nonDisType: STRUCT OF(21 INTEGER securityLevel; SET OF securityCat securityCatS:22 INTEGER integrityLevel: SETOF integrityCat integrityCatS);23 tiliStruct: STRUCT OF(nonDisType nd;24 modeStruct da; INTEGER owner, group: SET OF prIvType priv):2526 $(from pvm - exportable)27 segDes: DESIGNATOR:28 spaceType: (iSpace, dSpace):29 direction: {up, down);3031 $(from pvm - redeclarable)32 virtualLocatlon:33 STRUCT OF(domanType domain; spaceType idSpace; vAddrType vAddr);34 pBlock: STRUCT OF(virtualLocation vloc; INTEGER size):35 globalData:36 STRUCTOF(BOOLEAN sharable, swappable, sticky, memAdvise, executable;37 direction growth);38 statusStruct:39 STRUCTOF(globalData gl; INTEGER size);40 instanceStruct:41 STRUCT OF(globalData gl; INTEGER refCount; VECTOR OF INTEGER data):42 useStruct: STRUCTOF(seld Instance: virtualLocation vloc; daType da);434445 PARAMETERS4647 $(from seg)48 seid exampleSegmentSeld; $(used for segment creation)49 segDes SEGnullSeg; $( indicates null segment designator)50 INTEGER PVMmaxSegDes; $(maximum number of segment designators in an address51 space)525354 DEFINITIONS5556 $(from seg)

of

- pvm.specs Page 2 Fri Mar 27 15:34:01 1981

57 INTEGER SEGslze(seid segSeld) IS LENGTH(SEGinstancelnfo(segSeld).data):5859 $(from pvm)60 INTEGER nSegs(seid pSeld)61 IS CARDINALITY({segDes sd I SEGuselnfo(pSeid, sd) 7

• - 6263 BOOLEAN PVMvmExists(seid pSeid) IS PVMsegmentSet(pSeid) ?:6465 segDes PVMblockToSeg(seid pSeid; pBlock block) IS66 SOME segDes ad67 1 ad INSET PVMmappedSegmentSet(pSeid)68 AND (EXISTS useStruct use = SEGuselnfo(pSeld, ad)

- 69 use.vloc.domain - block.vloc.domain70 AND use.vlocidSpace - block.vloc.IdSpace71 AND use.vloc.vAddr <- block.vloc.vAddr72 AND block.vloc.vAddr + block.size73 <- use.vloc.vAddr + SEGsize(use.instance)):74 $( gives the segment designator, if any, that totally contains block in75 address space designated by pSeid; if there is none, returns ?; the76 segment must be mapped)7778 SET OF INTEGER addrRegRange(INTEGER vAddr, size! direction d) IS

, 79 IF d - up

80 THEN {vAddr / MACmaxOffset .. (vAddr + size - 1) / MACmaxOffset}81 ELSE {(vAddr - size + 1) / MACmaxOffset .. vAddr I MACmaxOffset}-82 $( gives the range of address registers used by a segment as a function of

- 83 Its start address, size, and growth direction)8485 SET OF INTEGER addrRegRangeSeg(seld pSeid; segDes a) IS86 LET useStruct use - SEGuseInfo(pSeid, a)87 IN addrRegRange(use. vloc. vAddr, SEGsize(use. instance),88 SEGinstancelnfo(use •instance) .gl. growth);89 $( gives the range of address registers used by a segment as a function of90 the process Id and the segment designator)9192 BOOLEAN nollole(seid pSeid; INTEGER size; virtualLocation vl; direction d:93 SET OF segDes ssd) IS94 NOT addrRegRange(vl.vAddr, size, d) SUBSET (0 .. MACmaxReg}95 OR (EXISTS segDes a I a INSET sad: useStruct use - SEGuselnfo(pSeid, s)96 use.vloc.idSpace - vl.idSpace

- 97 AND use.vloc.domain - vl.domain98 AND addrRegRangeSeg(pSeld, a)99 INTER addrRegRange(vl.vAddr, size, d) - {):

100 $(TRUE iff a segment described by size. vl, and direction will NOT fit into101 a hole in the address space designated by pSeid and sad; this includes102 testing for virtual memory underflow and overflow)103104 EXTERNALREFS105106 FROM mac:107 INTEGER MACmaxVAddr, MACmaxOffset, MACmaxReg.108109 FROM sm:

110 seid: DESIGNATOR;111 secureEntityType: {tFile, tDevice. tTerrrdnal. tProcess, tSegment, tSubtype,112 tExtent. tNull};

hto

pvm.specs Page 3 Fri Mar 27 15-34-01 1981-

113 privType- {prlvFlleUpdateStatus, privLink, prIvLockSeg,114 privModifyPriv privMount,115 privSetFileLevel. priv.SetSegProcLevel.116 privStickySeg. prlvTerminalLock,117 prIvViolSimpSecurity. privVIolStarSeciirity,118 privViolSimplntegrity. privViolStarlntegrity.119 privViolDiscrAccess, privSignal, privWalkPTable,120 privHalt, privKernelCall. privViolCompartments,121 privRealizeExecPermissions):122 daMode: {daRead, daWrite, daExecute},123 securityCat! DESIGNATOR;124 integrityCat: DESIGNATOR:125 domainType: {userDonalin. supervisorDomain};126 VFUN SENseldNsp~seid s) ->INTEGER nsp;127 VFUN SENseldType(seid s) ->secureEntityType set;128 VFUN TIIinfo(seid anySeid) -> tilStruct tiISt;129 VFUN TIlgetEntityLevel(seid pSeid. oSeid) -> tiiStruct otli;130 OFUN TIlsetEntityLevel(seid pSeid, oSeid; tiiStruct ntii);131 VFUN SMXhasPriv~seld pSeld;. privType priv) B> OOLEAN b:132 VFUN SMXflow(seid pSeid. aSeid; daType cia) ->BOOLEAN b;133 VFUN SMXdap,(seld pSeid. oSeid: daType da) ->BOOLEAN b;134135136 ASSERTIONS

K 137138 $(from seg)-139 PVMmaxSegDes >- 2;140 $( basic relations among the SEC parameters)F141 SENseldrype(exampleSegrnentSeld) -tSegment;142 $( basic property of exampleSegmentSeid and all segment seids)143 FORALL seid s I SEGinstancelnfo(s)-144 SENseidNsp(s) - SENseidNsp(exampleSegmentSeid);145 $(all seids for existing segments have a distinbuished nsp component)146 FORALL seid s I SEGinstancelnfo(s) -- ? :TIlinfo(s) -?147 $(all existing segments have an exiting TII entry)148 FORALL seid pSeid; segDes segd I SEGuserInfo(pSeld, segd) W ?149 SEGinstancelnfo(SEGuselnfo(pSeld, segd).instance) -- ?15O $(all valid segment uses have corresponding valid segment instances)151 PORALL seld a I SEGinstancelnfo(s) -- ?152 LET modeStruct ms - Tllinfo~s).da V153 IN CdaWrite INSET ms.ownerMode -> daRead INSET ms.ownerMode)154 AND CdaWrite INSET me-groupMode -> daRead INSET ms.groupMode)155 AND CdaWrIte INSET ms.allMode 0> daRead INSET me.allMode);156 $(write access Implies read access, because the hardware does not support157 write-only access for segments)158 FORALL seid pSeid; aegDes ad I SEcuselnfo(pSeId, ad) -- ?159 :daWrite INSET SEGuselnfo(pSeid, ad).da160 -> daRead IiWFET SEGuselnfo(pSeId. sd)-da;161 $(same constraint as above, for segment use Information)162163 $(from Pvm)-164 FORALL seid pSeid I PVMvmExists(pSeId): segDes ad165 (ad INSET PVMsegmentSet(pSeid)) a (SEGuselnfo(pSeId, ad) -

166 $(defines what It means for a segment to be in the segment set of a167 process)168 FORALL seid pSeid I PVMvmExists(pSeId)

pvm.specs Page 4 Fri Mar 27 15"34-01 1981

169 PVMmappedSegmentSet(pSeld) SUBSET PVMsegmentSet(pSeid):170 $(only existing segments can be mapped)171 FORALL seid pSeid I PVMvmExists(pSeid): segDes sl, s2172 LET useStruct usel - SEGuselnfo(pSeid. sl):173 useStruct use2 - SEGuselnfo(pSeid, s2)

- 174 IN sl -- s2 AND usel -- ? AND use2 -- ?175 AND {sl, s2) SUBSET PVMmappedSegmentSet(pSeld)176 AND usel.vloc.domain = use2.vlocdomain177 AND usel.vloc.idSpace = use2.vloc.IdSpace178 > addrRegRangeSeg(pSeld, sl) INTER addrRegRangeSeg(pSeld, s2) (;179 $(no two mapped segments in the same domain and idSpace may have180 overlapping memory address registers)

-- 181182183 FUNCTIONS184185 $(-- --------- state functions186187 VFUN SEGinstanceInfo(seid segSeid) -> InstanceStruct is; $(SECinstanceInfo)

-- 188 $( gives all the information pertaining to a segment's global data,189 referred to as segment instance data)

190 HIDDEN;191 INITIALLY is - ?;192193 VFUN SEGuselnfo(seid pSeId; segDes segd) -> useStruct us; $(SEGuselnfo)194 $( gives all the information pertaining to a segment's use in the address

- 195 space in a particular process; this is information local to a process)196 HIDDEN;197 INITIALLY us - ?;198199 VFUN PVMsegmentSet(seid pSeid) -> SET OF segDes segSet; $(PVMsegmentSet)200 $( gives the set of segments possessed by a given process)201 INITIALLY segSet - ?:

-- 202203 VFUN PVMmappedSegmentSet(seid pSeid) -> SETOF segDes mappedSet;204 $(PVMmappedSegmentSet)205 $( gives the set of mapped - or active segments - of a process; a206 segment cannot be addressed unless it is mapped)207 HIDDEN:208 INITIALLY mappedSet - ?;

-- 209210 Sc-----------virtual memory management ..... ..... )

211- 212 OFUN PVMcreateVM(seid pSeid); $(PVMcreateVM)

213 $( creates a new virtual memory to be identified by "pSeid"; this VM214 must not currently exist)215 ASSERTIONS

- 216 NOT PVMvmExists(pSeid);217 EFFECTS218 'PVMsegmentSet(pSeid) =

-- 219 'PVMmappedSegmentSet(pSeid) = {};220221 OFUN PVMdeleteVM(seid pSeid); $(PVMde/eteVM)

- 222 $( deletes the currently existing virtual memory "pSeld")223 ASSERTIONS224 PVMvmExists(PSeid);

4. ....

pvm. specs Page 5 Fri Mar 27 15:34-01 1981

225 EFFECTS226 'PVIsegmentSet(pSeld) ?;227 'PVymappedSegmentSet(pSeid) = ?;228229 $( --------.--- basic segment management .......-

230231 OFUN PVMstore(seid pSeid: pBlock block: VECTOR OF INTEGER vec); $(PVlstore)232 $(inserts contents of vec Into the mapped segment indicated by block)233 DEFINITIONS234 segDes targ IS PVMblockToSeg(pSeId. block):235 useStruct use IS SEGuselnfo(pSeld. targ);236 instanceStruct inst IS SEGinstancelnfo(use.instance):237 EXCEPTIONS238 KEpvmVecTooLong: LENGTH(vec) -- block.size;239 KEpvmNoSuchSeg: targ - ?:240 $(there is a single segment in the address space of "pSeid" in which241 "pBlock" fits, having the same domain and IdSpace of pBlock)242 KEpvNotWritable: NOT SMXdap(pSeld, use.instance, (daWrite}):243 ASSERTIONS244 PVMvmExists(pSeid);245 EFFECTS246 LET INTEGER relOffset - block.vloc.vAddr - use.vloc.vAddr247 IN 'SEGinstancelnfo(use.lnstance) =248 STRUCT(Inst.gl. inst.refCount,249 VECTOR(250 FOR i FROM I TO LENGTH(inst.data)251 IF I INSET {relOffset + I .. relOffset + LENGTH(vec)}252 THEN vec[i - relOffset]253 ELSE inst.dataji1))254255 VFUN PVWretrleve(seid pSeld: pBlock block) -> VECTOR OF INTEGER vec:256 $( retreives data from a mapped segment as specified by pBlock)257 DEFINITIONS258 segDes targ IS PVMblockToSeg(pSeid, block);259 useStruct use IS SEGuselnfo(pSeid, targ);260 InstanceStruct inst IS SEGinstancelnfo(use.instance);261 EXCEPTIONS262 KEpvmNoSuchSeg: targ =263 $(there is a single segment in the address space of "pSeid" in which264 "pBlock" fits, having the same domain and idSpace of pBlock)265 KEvvmNotReadable: NOT SMXflow(pSeld, use.instance, (daRead}))266 ASSERTIONS267 PVMvmExists(pSeid);268 DERIVATION269 VECTOR(FOR i FROM 1 TO block.size:270 Inst.data(block.vloc.vAddr - use.vloc.vAddr + i - 1]);271272 OVFUN PVMbuild(seld pSeid: statusStruct at; modeStruct ms; INTEGER size:273 virtualLocation vl)274 -> STRUCT OF(seld segSeid; segDes segd) result; $(PVMbuild)275 $( builds a new segment with the specified parameters:276 an entry in the til table is also created for the segment;277 the results are the -- previously unused -- seld for the new segment and278 the - previously unused - segment designator: the newly created279 segment is mapped, indicating that it can be addressed immediately;280 discretionary access that the process allows itself to the segment, "da"

- pvm.specs Page 6 Fri Mar 27 15734:01 1981

281 mrust be a subset of the owner access specified in the tii information282 "inms" the new segment must be within the size limitations and fit Into283 the mapped virtual memory space of the creating process)284 DEFINITIONS285 tiiStruct proTil IS TIlinf,..(pSeid);

- 286 tiiStruct segTli287 IS STRUCT(proTii.nd, mns, proTit-owner, proTii.group, pro~ii.prlv):288 seid newSegSeid289 IS SOME seid s I SENseidNsp(s) - SENseidNsp(exainpleSegmentSeid)290 AND SEGinstancelnfo(s) - ?

*291 EXCEPTIONS*292 KEsegSticky: st.gl.sticky AND NOT SMXhasPriv~pSeid, privStickySeg);

- 293 KEsegSwappable:294 NOT st.gl.swappable AND NOT SMXhasPriv(pSeId. privLockSeg);295 K~segBadNode!296 (daWrite INSET ms.ownerMode AND NOT daRead INSET is.ownerMode)297 OR (daWrite INSET is-groupMode AND NOT daRead INSET ns-groupMode)298 OR (daWrite INSET ms-allMode AND NOT daRead INSET ms-all~ode):

*299 KEsegBadSize! NOT size INSET {0 .. MACmaxVAddr -1)* 300 KEpvinNoHole:

301 noHole(pSeid. st.size, vl, st.gl.growth, PVMmappedSeginentSet(pSetd)):.302 KEpvinNoDes: nSegs~pSeId) >- PVMmaxSegDes;303 RESOURCE ERROR; $( ran out of table space or seid space)304 ASSERTIONS

*305 PVMvmExIsts(pSeId);306 EFFECTS307 'TIlinfo(newSegSeid) -segTii;308 'SEGinstancelnfo(newSegSeid)309 STRUCT(st.gl, 1,310 VECTOR(FOR I FROM I TO size :0));311 EXISTS segDes sd I SEGuselnfo~pSeid, sd).instance-?312 'SEcuselnfo(PSeid, sd) -STRUCT(newSegSeld, vi, ms-ownerMode)313 AND result - STRUCT(newSegSeid, sd)

- 314 AND 'PVMseginer.-Set(pSeid) - PVMsegmentSet(pSeid) UNION {sd}315 AND 'PVMiappedbegientSet(pSeid)316 -PVMmappedSegmentSet(pSeid) UNION {sd};

- 317318 OFUN PV'~destroy(seid pSeid; segDes segd); $(PVMdestroy)319 $(destroys the segment use Indicated by pSeid and segd; if the segment is320 unsticky and otherwise unreferenced, the segment Instance Information is

- 321 also deleted)322 DEFINITIONS323 useStruct use IS SECuselnfo(pSeld. segd);324 seid segSeid IS use-instance;325 1nstanceStruct inst IS SEGinstancelnfo(segSeid);326 EXCEPTIONS327 KEsegNotileld: NOT segd INSET PVMsegmentSet(pSeid):328 ASSERTIONS329 PV~vmExists(pSeid):330 EFFECTS331 'PV!4segmentSet(pSeid) - PVMsegmentSet(pSeid) DIFF {segd};332 'PVxmappedSegmentSet(pSeid) - PVMiappedSegmentSet(pSeld) DIFF {segd):333 'SE~uselnfo(pSeid. segd) - ?334 IF (inst.refCount -1 AND Inst-gl-sticky - FALSE)335 THEN 'SE~instancelnfo(segSeid) -7336 AND 'Ttlinfo(segSeid) -?

pvm.specs Page 7 Fri Mar 27 15"34.01 1981

337 ELSE 'SEGinstancelnfo(segSeid) -338 STRUCT(inst.gl. inst.refCount - 1, inst.data);339340 $( ....... -------- high level storage allocation -)341342 OFUN PVMremap(seid pSeid: segDes in: virtualLocation vl; daType da;343 BOOLEAN viFg. daFlg; segDes out; INTEGER newSize;344 BOOLEAN nsFlg ) ; $ (PV~remap)

345 $( this function takes the currently mapped segment "out" and maps it out,346 while simultaneously mapping in the currently unmapped segment "in";347 this function can be used for mapping in - without mapping out - by348 letting "out" be the distinguished value SEGnullSeg; similarly, mapping349 out alone can be done by letting "in" be SEGnullSeg; a mapped in segment350 can have a new virtual location and a discretionary access specified351 optionally; a mapped out segment can have Its size optionally changed;352 all these optional changes are specified by the values of BOOLEAN flags;353 the IdSpace of the mapped in segment may not be changed; the mapped in354 segment must occupy a hole in the virtual memory)355 DEFINITIONS356 SET OF segDes inSet IS IF in = SEGnullSeg THEN {} ELSE {in};357 SET OF segDes outSet IS IF out - SEGnullSeg THEN {} ELSE {out};358 useStruct inUse IS SEGuseinfo(pSeId, in);359 instanceStruct inlnst IS SEGinstancelnfo(inUse.instance);360 useStruct outUse IS SEGuselnfo(pSeid, out);361 seid outSeld IS outUse.instance;362 instanceStruct outlnst IS SEGinstancelnfo(outSeld);363 EXCEPTIONS364 KEpvmBadSeg: NOT IrnSet SUBSET PVMsegmentSet(pSeld);365 KEpvmRemapl: N': outse.- SUBSET PVMmappedSegmentSet(pSeid);366 KEpvmRemapZ o EXI.STS -f,.gDes sd INSET inSet -367 sd INSET PVmappcd. egmentSet(pSeid);368 KEpvmWriteOnlv; doFlg AND daWrIte INSET da AND NOT daRead INSET da;369 KEpvmSpace- vl'lg AND vl.IdSpace -- InUse.vloc.IdSpace:370 KEpvmShara~le.371 nsFlg AND newSize -= SEGsize(inUse.instance) AND inlnst.gl.sharable:372 KEpvmBadDa: daFlg AND NOT SMXdap(pSeId, outSeld, da):373 KEpvmNoHole:374 in -- SEGnullSeg375 AND noHole(pSeld. SEGsize(InUse.Instance),376 IF vlFlg THEN vl ELSE inUse.vloc, inlnst.-gl.growth,377 PVMmappedSegmentSet (pSei d) DIFF outSet)-378 ASSERTIONS379 PVMvmExlsts(pSeid);380 EFFECTS381 "PVMmappedSegmentSet(pSeid) = (PVMmappedSegmentSet(pSeid) DIFF outSet)382 UNION inSet;383 'SE~useInfo(pSeid. in)384 -STRUCT(InUse.instance. IF vlFlg THEN vl ELSE inUse.vloc,385 IF daFlg THEN da ELSE InUse.da):386 'SEGinstancelnfo(outSeld)387 - STRUCT(outInst.gl, outInst.refCount,388 VECTOR(FOR I FROM I389 TO (IF nsFlg THEN newSize ELSE SEGslze(outSeld))390 IF I <- SEGsize(outSeid)391 THEN outlnst.data(il ELSE 0)),392

6M pvm. specs Page 8 Fri Mar 27 15!34O01 1981

393 $( -- ---- -- -- ----- --- segment sharing - - - - - - - -

394%W 395 OVFUN PVMrendezvous(seid pSeid, segSeid; virtualLocation vi; daType da)

396 -> segDes sd; S (PVMrendezvous)397 S( creates a use for the segment named by segSeid; this segment appears

1- 398 Inaccessible If the multilevel security model would consider It a399 violation of Information flow)400 DEFINITIONS

*_w 401 instanceStruct inst IS SE~instancelnfo(segSeid);402 EXCEPTIONS403 KEpvmWriteOnly: daWrite INSET da AND NOT daRead INSET da:,404 KEseg~adName: inst - ? OR NOT SMXflow(pSeid, seggeid, da);

S 405 KEpvmNoDa: NOT SMXdap(pSeId, segSaid, da);*406 KEpvmDupSeg: EXISTS segDes sdl

407 SE~uselnfo(pSeid, sdl).instance -segSeid;408 KEpvrnNoHole: nollole~pSeld, SE~size(segSeid), vi, Inst.gl.growth,409 PVMmappedSegmentSet(pSeld));410 KEpvmNoDes: nSegs(pSeid) >- PVMmaxSegDes;411 ASSERTIONS412 PVMvmExIsts(pSeId);

*413 EFFECTS414 LET segDes segd I SEGuselnfo(pSeId, segd) -?

S 415 IN 'SEGuselnfo~pSeid, segd) - STRUCT(segSeid, vi, da)416 AND 'SEGinstancelnfo(segSeid)417 STRUCT(imat.gl, Inst-ref~ount + 1, inst-data)418 AND 'PVMaegmentSet~pSeid) - PVMsegmentSet(pSeid) UNION {segd)

- 419 AND 'PVMmappedSegmentSet(pSeId)420 - !v,4mappedSegmentSet(pSeid) UNION {segd}421 AND sd - degd;

S 422423 OFUN PVMcorSeg(seid from~eid, toSeid; segDes ad): $(PVxcopySeg)424 $( copies a segment from the virtual memory "fromSeid" to the virtual425 memory "toSeid". both virtual memories must exist; the segment426 designator sd mst exist In "fromSeid" but not in "toSeld"; used by427 the module that sets up virtual memories for new processes)428 DEFINITIONS

429 useStruct use IS SEGuselnfo(fromSeid, ad);430 said oldSeid IS use.instance;431 InstanceStruct inst IS SEGinstancelmfo(oldSeid):432 acid newSeld

- 433 IS SOME acid a I SENseidNap(s) - SENseidNsp(exampleSegmentSeid)434 AND SEGInstancelnfo(s) - ?435 tiiStruct atii IS TIlinfo(oldSeid);436 tilStruct ptii IS TIlInfo~toSeid);437 ASSERTIONS438 PVMvmExists(fromSeid);439 PVvmExists(toSeid);440 ad INSET PVMegmentSet~fromSeid),:441 NOT ad INSET PVMaegmentSet(toSeid);442 EFFECTS443 'SEGinstancelnfo~nevSeid) - STRUCT(int.gl, 1. inst.data);444 'SEGuselnfo~toSeid, ad) - STRUCT(neSld. uae.vioc, use.da):445 'Tllinfo(newSeid) - STRUCT(stii-nd, atii.da, ptii.ovner, ptii.group,446 aril-priv);447 'PVMeguentSet(toSeid) - PV.4aegmentSet(toSeid) UNION (ad);448 ad INSET PVMmappdSgmentSet(fromSeid) -

pval.specs Page 9 Fri Mar 27 15:34-01 1981

449 'PVMmappedSegmentSet(toSeid) - PVMmappedSegmentSet(toSeId) UNION {sd}:450451 $(-------------segment status manipulation------------)_452453 VFUN PVMgetSegmentStatus(seid pSeid, segSeid) -> statusStruct ss;454 $ (PVMgetSegmentStatus)455 $( returns the status information -which is much of the global456 information - for the segment; the segment must exist In the segment457 set of the requesting process)458 EXCEPTIONS459 KEnoSeg- SEGinstancelnfo~segSeid) -?

4460 OR NOT SMXflow(pSeid. segSeld, {daRead});461 ASSERTIONS462 PV,4vmExsts(pSeid);463 DERIVATION464 STRUCT(SEinstancelnfo(segSeid).gl. SEGsize(segSeId));465466 OFUN PV~setSegmentStatus(seid pSeid, segSeidi globalData glo);467 $(PVMsetSegmentStatus)468 $( changes the status Information for the segment; certain privileges469 are required;)470 DEFINITIONS471 InstanceStruct I IS SEcinstancelnfo(segSeid);472 EXCEPTIONS473 KEpvmNoSeg: I - ? OR NOT Sl4Xflow(pSeid. segSeid. {daRead. daWrite});474 KEpvmBadDa: NOT SMXdap(pSeid, segSeid, (daRead, daWrite));475 KEpvmExecute: i.gl.sharable;476 KEpvmBadGrowth: glo-growth - i.gl.growth;477 KEpvmNoSwap:

*478 glo.swappable AND NOT i-gl-svappable479 AND NOT SMXhasPriv(pSeId, privLockSeg);480 KEpvmNoStIck:481 glo.sticky AND NOT i-gl-sticky482 AND NOT SMXhasPriv(pSeid. privStickySeg);483 ASSERTIONS434 PV~vmExists(pSeid),485 EFFECTS486 'SEGinstancelnfo~segSeld) STRUCT(glo, i.refCount, i-data);487

* 488*489 END MODULE-

pvp.specs Page I Fri Mar 27 15:34.23 1981

1 S(" MODULE pvp.specs (version 2.7)2 CONTENTS: Virtual Memory - Process Support3 TYPE:4 LAST CHANGED: 7/17/79 15"09"515 ")

- 678 MODULE pvp9

10 $( this module contains operations that support the process module's use of11 the virtual memory mechanism. This is entirely a procedure abstraction.12 It is specified in terms of V-functions of other modules, but is13 implemented by a program in terms of operations of other modules.14 This sequence will be included in the comments for each of the operations.15 This module has no state of Its own except for parameters for immediate16 segments.)1718 TYPES1920 $(from mac)21 vAddrType' (0 .. MACmaxVAddr},2223 $(from smx)24 nonDisType" STRUCT OF(25 INTEGER securItyLevel; SET OF securityCat securityCatS.:26 INTEGER IntegrityLevel; SET_OF IntegrityCat IntegrityCatS):27 daType: SET OF daMode;28 modeStruct- STRUCTOF(daType ownerMode, groupMode, allMode);29 tiiStruct: STRUCTOF(nonDisType nd;30 modeStruct da; INTEGER owner, group; SET.OF privType priv);3132 $(from pvm)

_ 33 vIrtualLocation:34 STRUCT OF(domainType domain; spaceType idSpace; vAddrType vAddr):35 globalData:36 STRUCT OF(BOOLEAN sharable, swappable, sticky, memAdvise. executable;37 direction growth);38 instanceStruct:39 STRUCTOF(globalData gl: INTEGER refCount; VECTOR OF INTEGER data):40 useStruct: STRUCTOF(seld instance; vIrtualLocation vloc; daType da);414243 PARAMETERS4445 vIrtualLocation PVMimmVloc; $(location for immediate segment)46 segDes PVMimmDes; $(designator for immediate text segment)47 segDes PVMargDes; $(designator for argument segment)48 virtualLocation PVMargVloc; $(location for argument segment)495051 DEFINITIONS5253 $(from seg)54 INTEGER SEGsize(seid segSeid) IS LENGTH(SEGinstancelnfo(segSeld).data);5556 $(from pvm)

pvp-specs Page 2 Fri Mar 27 15-34:23 1981

57 INTEGER nSegs(seld pSeid)58 IS CARDINALITY',{segDes sd I SEGuselnfo~pSeid, sd) -9)

5960 BOOLEAN PVMvmExists(seid pSeid) IS PVMsegmentSet(pSeid) -- ?6162 SET OF INTEGER addrRegRange(INTEGER vAddr, size; direction d) IS-63 IF d -up64 THEN {vAddr IMACnwxOffset .. (vAddr + size - 1) /MACmaxOffset}65 ELSE {(vAddr -size + 1) / M1ACmaxOffset .. vAddr /MACmaxOffset)-66 $( gives the range of address registers used by a segment as a function of-67 its start address, size, and growth direction)6869 SET OF INTEGER addrRegRangeSeg(seid pSeid; segDes s) IS70 LET useStruct use - SEGuselnfo(pSeid, a)71 IN addrRegRange(use.vloc.vAddr, SEGsize(use-instance).72 SEcinstancelnfo(use.Instance).gl.grovth):73 $C gives the range of address registers used by a segment as a function of74 the process id and the segment designator)7576 BOOLEAN noHole(seid pSeid; INTEGER size-, virtualLocation vi:. direction d:77 SET.OF segDes ssd) IS78 NO0T addrRegRange~vl.vAddr, size, d) SUBSET {(0. MACmaxReg}79 OR (EXISTS segDes s I s INSET ssd; useStruct use - SEGuselnfo(pSeid, s)-80 - use.vloc.idSpace - vl.ldSpace81 AND use-vloc-doniain - vl.domain82 AND addrRegRangeSeg(pSeid, s)83 INTER addrRegRange(vl-vAddr, size, d) -{)

84 $(TRUE 1ff a segment described by size. vl. and direction will NOT fit into85 a hole in the address space designated by pSeid and ssd: this Includes

* 86 testing for virtual memory underf low and overflow)) 87

88 EXTERNALREFS8990 FROM mac:91 INTEGER MACmaxVAddr. MACmaxOffset. MACri~xReg;

* 9293 FROM suuc94 seid: DESIGNATOR;95 pr'vType- {prIvFIleUpdateStatus, prIvLInk. privLockSeg,96 privModifyPriv. privl~ount,97 prI vSetFI leLevel, pri vSetSegProcLevel,98 privStIckySeg, privTerminalLock.

95 privViolSimpSecurity. privViolStarSecurity.100 pri vViolSi mplntegrity, pri WiolStarlntegrity,101 privViolDiscrAccess. privSIgnal. privWalkPTable,102 privHalt, privKernelCall. privViolCompartments,103 pri vRealizeExecPermissions };104 da~lode: {daRead. daWrIte, daExecute}:105 securityCat: DESIGNATOR:106 integrityrat: DESIGNATOR:107 domainType: (userDoiraln. supervisorDomain);108 VFUN SENseidNsp~seid s) -> INTEGER nsp;109 VFUN TlIInfo~seid anySeid) -> tiiStru~ct tiiSt;110 VFUN SMXflow(seid pSeid, oSeid; daType da) ->BOOLEAN b;II1 VFUN SNXdap(seid pSeid, oSeid; daType da) ->BOOLEAN b;112

- pvp.specs Page 3 Fri Mar 27 15:34'23 1981

113 FROM pvm:114 segDes: DESIGNATOR;115 spaceType: {ISpace, dSpace}:116 direction: {up, down);117 seid exampleSegmentSeld; $(used for segment creation)

- 118 INTEGER PVMnaxSegDes;119 VFUN SEGInstancelnfo(seid segSeld) -> InstanceStruct Is;120 VFUN SEGuseInfo(seid pSeid; segDes segd) -> useStruct us:121 VFUN PVMsegmentSet(seid pSeid) -> SET OF segDes segSet;122 VFUN PVMmappedSegmentSet(seid pSeid) -> SETOF segDes mappedSet;123124

- 125 ASSERTIONS

126127 PVMimmVloc.domain - supervisorDomain:128 PVMlmmVloc.idSpace i iSpace;129 PVMargVloc.domaIn W supervIsorDomain;

130 PVMargVloc.ldSpace dSpace;131 $( constraints on parameters)132

134 FUNCTIONS-. 135

136 $( .------ - support for PSTreleaseProcess

137138 OFUN PVPreleaseProcessSupport(seld pSeld):

- 139 $( This function supports PSTreleaseProcess by deleting all segments in140 the virtual memory named by "pSeid" and then deleting the virtual memory141 itself)

- 142 ASSERTIONS143 PVMvmExists(pSeid):144 EFF7CTS145 FORALL segDes sd I SEGuselnfo(pSeid, sd) - ?146 'SEGuselnfo(pSeld. sd) - ?147 AND (LET seld segSeid - SEGuselnfo(pSeld, sd).instance:148 instanceStruct inst149 - SEGinstancelnfo(segSeid)150 IN IF inst.refCount - I AND Inst.gl.stIcky - FALSE151 THEN 'SEGinstancelnfo(segSeid) w ?152 AND 'TllInfo(segSeId) - ?153 ELSE 'SEGinstancelnfo(segSeid)154 - STRUCT(Inst.gl. Inst.refCount - 1. inst.data)):155 'PVMsegmentSet(pSeid) - ?;

- 156 'PV~mappedSegmentSet(pSeid) - ?;157158159 $( NOTE -- There are two special segments that are appropriate to the invoke160 and spawn operations! the argument segment "arg", already in the virtual161 memory, which contains the data to be used by the initialized process;162 and the immediate segment. "immSeld", which contains the code for the163 process - this code is also called the process bootstrapper)164165 $(--------------------support for PSTinvoke -...-.- )

166167 OFUN PVPInvokeSupport(seid pSeid, immSeid; segDes arg): $(PVPlnvokeSupport)168 $( This function sets up the virtual memory of a process for

pvp.specs Page 4 Fri Mar 27 15:34:23 1981

169 invocation; the new mapped set contains all previously mapped supervisor170 segments and the argument and Immediate segments; the argument segment171 Is mapped to a different virtual location, and a use is created for the172 the immediate segment)

173 DEFINITIONS174 InstanceStruct ImmIlnst IS SEGinstancelnfo(immSeld): -

175 useStruct argUse IS SEGuselnfo(pSeid, arg):176 seld argSeid IS argUse.instance:177 InstanceStruct arglnst IS SEGinstanceInfo(argSeld):178 EXCEPTIONS179 KEpvmNoArg: argUse =180 KEpvmArgSharable: arglnst.gl.sharable;181 KEpvmArgNotWritable: NOT daWrite INSET argUse.da:182 KEpvmBadSeg: immlnst - ?183 OR NOT SMXflow(pSeld. I mmSeid, {daRead));184 KEpvmBadDa- NOT SMXdap(pSeid, immSeid, {daExecute});185 KEpvmArgOverflow:186 NOT addrRegRange(PVMargVloc.vAddr, SEGsize(argSeld), arglnst.gl.growth)

187 SUBSET {O .. MACmaxReg}:188 KEpvrImmOverf low:189 NO' addrRegRange(PVMimmVloc.vAddr. SEGsize(immSeld), immInst.gl.growth)190 SUBSET {0 .. MACmaxReg};191 nSegs(pSeid) >- PVMmaxSegDes;

192 ASSERTIONS193 PVlvmExIsts(pSeId);

194 EFFECTS195 'SEGuseInfo(pSeid. PVMargDes)196 = STRUCT(argUse.instance, PVMargVloc, argUse.da):

* 197 $( create a reference to the immediate segment)* 198 'SEGuselnfo(pSeld, PVMimmDes)

199 - STRUCT(IumSeid. PVMiumVloc, (daRead, daExecute});

200 'SECinstanceInfo(immSeid)201 - STRUCT(immInst.gl, ImmInst.refCount + 1. Immlnst.data);"202 $( add the immediate segment to the address space)203 "PVMsegmentSet(pSeld) - PVMsegmentSet(pSeld) UNION {PVMimmDes};204 $( unmap all segments except supervisor segments, the argument segment,205 and the immediate segment)206 'PVMmappedSegmentSet(pSeid)

*207 ={PVargDes, PVMImmDes}208 UNION209 (segDes ad210 I ad INSET PVMmappedSegmentSet(pSeid)211 AND SEGuseInfo(pSeld, sd).vloc.domain - supervisorDomain}:212 $( remap the argument segment)

213214 S(-... ---- support for PSTspawn ....... ...... )215216 OFUN PVPspawnSupport(seid parent, child; seid immSeld; segDes arg);217 $(PVPspawnSupport)218 $(creates a new address spdce named by child and inserts into it two219 segment uses - the argument segment, arg, which is copied from the parent

220 address space, but occupies a different position - PVMargDes --

221 and the immediate segment, ImmSeld, which is shared)222 DEFINITIONS223 InstanceStruct immlnst IS SEGInstanceInfo(ImmSeid);

224 ' useStruct argUse IS SECuselnfo(parent, arg):

pvp.specs Page 5 Fri Mar 27 15:34"23 1981

225 seid argSeid IS argUse instance.226 InstanceStruct arglnst IS SEGinstancelnfo(argSeid);227 seid argCopy228 IS SOME seid a I SENseldNsp(s) - SENsetdNsp(exampleSegmentSeid229 AND SEGinstancelnfo(s) ?230 tiiStruct aTil IS TIIinfo(argSeid);231 tiiStruct pTti IS TIItnfo(parent):232 fiStruct nTIi IS STRUCT(aTiI.nd. aTi.da. pTii-owner. pTii-group,233 aTii.priv);234 EXCEPTIONS235 KEsegNotNull: argInst - ?;236 KEpvmBadSeg: immInst - ? OR NOT SMXflow(parent, immSeid. (daRead}):

- 237 KEpvmBadDa: NOT SMXdap(parent, immSeid, {daRead, daExecute}):238 KEpvmArgSharable" argInst.gl.sharable;239 KEpvmArgNotWritable: NOT daWrite INSET argUse.da;

S -- 240 KEpvmArgOverflow:241 NOT addrRegRange(PVMargVloc.vAddr, SEGsize(argSeid), argInst.gl.growth)242 SUBSET {0 .. MACmaxReg};243 KEpvmImmOverflow:244 NOT addrRegRange(PVMimmVloc.vAddr, SEGsize(iumSeid), ImmInst.gl.growth)245 SUBSET {0 .. MACmaxReg};246 RESOURCE ERROR;

- 247 ASSERTIONS248 PV~vmExists(parent);

* 249 NOT PVMvmExists(child);250 EFFECTS251 $( create a copy of the argument segment)252 'TIIInfo(argCopy) - nTli:253 "SEGinstanceInfo(argCopy) - STRUCT(argInst.gl. 1. argInst.data);

- 254 'SEGuseInfo(child. PVMargDes) - argUse;255 S( create a use for ImmSeid in child)256 'SEGuseInfo(child, PVMimmDes)257 - STRUCT(immSeid, PVMImmVloc, {daRead, daExecute});258 'SEGinstancelnfo(immSeid)259 = STRUCT(immInst.gl, i mmInst.refCount + I ImmInst.data);260 'PVMsegmentSet(child) a (PVMimmDes, PVMargDes};

, - 261 'PVMmppedSegmentSet(child) - (PVMinuDes, PVYargDes};262263 $(-......-support for PROfork ------- -)264265 OFUN PVPforkSupport(seld parent, child); $(PVPforkSupport)266 $(creates a new virtual memory, child, that is a copy of parent; some267 segments are copied and others are merely shared; if a segment is268 sharable in the parent process, it is not copied, but a use corresponding269 to the instance In parent is created instead; if the segment is not270 sharable, then a new instance of the segment Is created, requiring the271 allocation of an unused seld; in either case, corresponding segments have272 identical segment designators in both processes; ouch mechanism in this273 specification is devoted to describing the set of new seids created and274 the mapping of this set onto the set of new segment instances)275 DEFINITIONS276 INTEGER nCopies277 IS CARDINALITY

_ 278 ({segDes sd I SECinstancelnfo(SEGuselnfo(parent.279 ad).instance).gl.sharable280 = FALSE);

pvp.specs Page 6 Fri Mar 27 15734-23 1981

* 281 $(nujmber of nonsharable segments in parent process)282 SET OF seid copySet283 IS SOME SET OF seld 85

284 1CARDINALITY(ss) a Coples*285 AN4D (FORALL seid s INISET s

286 tSENseidNap(s) - SENseidNsp(exaroleSegmentSefd)* 287 AND SE~instancelnfo(s)-*288 $(actual set of new acids)

289 EXCEPTIONS _

*290 RESOURCE ERROR:291 ASSERTIONS292 PVMvmExists(parent).293 NOT PVMvmExists(child):294 EFFECTS295 'PVMsegment Set (child) - PVMsegmentSet (parent):

-296 'PVMvappedSegmentSet'(child) - PVMmapiedSegmentSet(parent):297 FORALL scgDes segd I SE~uselnfo(parent, segd).Instance -- ?

*298 LET useStruct use -SECuselnfo(parent, segd):299 acid segSeid -use-instance;300 InstanceStruct inst - SEGintancelnfo(segSeid)301 IN (IF inst.gl sharable302 THEN303 'SEGuselnfo~child, segd) - use304 AND 'SEGinstancelnfo(segSeid)305 STRUCT(Inst-gI, inst.refCount + 1, inat-data)

*306 ELSE307 (LET seid copy INSET copySet308 IN 'Tllinfo(copy) - 'TlIInfo(segSeid)309 AND 'SEGinstancelnfo(copy) -310 STRUCT(Inst.gl, 1, Inst.data.)311 AND 'SEGuselnfo(child. sexd) -312 STRUCT(copy, use.vloc. use.da)313 AND (FORALL segDcs segdl - segd314 'SEGuenfo(child. segdl). instance315 -'SEGuselnfo(child, segd).instance)));316317

*318 END MODULE

sum. specs Page I Fri Mar 27 15-34-47 1981

1 $C$ MODULE- s=ucspecs (version 2.29)2 CONTENTS Security Model3 TYPE: SPECIAL-specifications4 LAST CHANGED,- 10/12/79. 10!11:235 of)

678 MODULE soxc91011 $( This module now includes what used to be the contents of amx. pry. til.12 syl and sen modules)

Ww 1314 TYPES15

* - 16 $(from anm - exportable)17 seld.- DESIGNATOR;18 secureEntityType: {tFle, tDevice. tTerminal. tProcess, tSeguient. tSubtype,19 tExtent. tNulllh20 privType {21 privFileUpdateStatus, privLink, privLockSeg,22 privModifyPriv priv~ount,23 privSetFileLevel, privSetSegProcLevel.24 privStickySeg, privTerminalLock,25 pri vViolSinmpSecurity, prtvViolStarSecurity,26 privViolSimpltegrity, privViolStarlntegrity,27 privViolDiscrAccess, privSignal, privWalkPTable.28 privHalt. .priv~ernelCall. privViolCompartments,29 prIvRealizeExecPermissions);3031 daMode: {daRead, daWrite, daExecute);

*32 securityCat: DESIGNATOR;33 integrityCat: DESIGNATOR;34 domainType: {userDomaln. supervisorDomain);3536 $(from sam - redeclarable)

lw 37 nonDisType: STRUCT OF(38 INTEGER securityLevel;, SETOF securityCat securicyCatS,

*39 INTEGER integrityLevel, SETF OF integrityCat tntegrityCatS);40 S(integrityCat Is typically the null set)i41 daType: SET -OF daMode;42 modeStruct: STRUCT OF(daType ownerMode, groupMode, ailMode);43 tiiStruct: STRUCTOF(nonDisType nd;

44 modeStruct da; INTEGER owner, group; SET-OF privType priv);454647 PARAMETERS4849 INTEGER SENnaxlndex $(maximlum index component of a soid. 2^24 -1),

s0 SENmaxNsp $(maxium nsp component of a said, 2^8 - 1):51 INTEGER SENlowLevel, $(system low level)52 SENhighLevel; $(system high level)53

55 ASSERTIONS56

sx.specs Page 2 Fri Mar 27 15:34:47 1981

57 FORALL seld *1 s2" (.1 - s2) - (SENseidNsp(sl) SF.NseIdNsp(s2)58 AND SENseldlndex(ol) - SENseldIndex(s2)):59 $(this states that the nap and index are isomorphic with the meld, and60 thus uniquely Identify It)6162 SENlowLevel < SENhlghLevel ;63 $(defines the "greater than" relation for security In terms of the Integer64 relation ">")6566 SYLgetHIgh() INSET {SENlowLevel .. SENhighLevel);67 $(the current system high level is always within range)6869 FORALL seld a I TIlInfo(s) - ?70 LET nonDlsType nd n TIllnfo(s).nd71 IN nd.securityLevel INSET {SENlowLevel .. SENhighLevel}72 AND nd.integrityLevel INSET (SENlowLevel .. SENhighLevel}73 $(restricts the values of the security and integrity levels for any

. 74 existing objects)757677 FUNCTIONS

*- 7879 $(-....... . . sen - state functions ---... . . .- -- -)8081 VFUN SENseldNsp(seld anySeid) -> INTEGER nap; $(SENseldNsp)82 $( this is the nap table entry component of a aeid)83 INITIALLY84 nap INSET {0 .. SENmmxNsp); $(constrained by assertion above)8586 VFUN SENsetdlndex(seld anySeid) -> INTEGER Index; $(SENseldlndex)87 $( this is the index component for a sld)88 INITIALLY89 index INSET J0 .. SENmaxIndix);90 $(also characterized by assertion)9192 VFUN SENnpType(INTEGER nap) -> secureEntityType set; $(SENnspType)93 $( gives the type Informtion as a function of the nap component of94 a said)95 INITIALLY NOT nap INSET {0 .. SENmxNsp) > set -9697 m(.. en - said and nap mnipulation .... )9899 VFUN SENseldToInt(seid anySeld) -> INTEGER 1; $(SENseidToInt)

100 $(gives the integer corresponding to a given meld)101 DERIVATION102 SENseldlndex(anySeld) + 2^24 * SENseidNsp(anySeid):103104 VFUN SENseidType(seld a) -> secureEntityType set: $(SENseidType) -

105 $( returns the type information pertaining to a given said)106 DERIVATION107 LET secureEntityType setl a SENnspTpe(SNaeidNp(s))108 IN IF setl - ? THEN tNull ELSE setl:109110 VFUN SENmakeSeid(seld exampleSeid; INTEGER index) -> maid rSaid;111 $(SENmakeSeld)112 $( forms a sold with an nap the same as the example said and the given

- smc.specs Page 3 Fri Mar 27 15:34:47 1981

113 index; seld allocation is now done by the type managers for the114 objects in question, allowing seids to be reused in the case of115 objects that are dynamically allocated)116 ASSERTIONS117 index INSET {0 SENmaxlndex}:

S 118 DERIVATION119 SOME seid s I SENseldNsp(s) - SENseldNsp(exampleSeid)120 AND SENseldlndex(s) - index;121122 $ -........ --syl funtion123124 VFUN SYLgetHigh() -> INTEGER level; $(SYLgetHigh)125 $( represents the current highest security level for the system)126 HIDDEN:

. 127 INITIALLY- 128 level - SENhighLevel.

129130 OFUN SYLsetHigh(INTEGER level); $ (SYLsetHigh)131 $( sets the current highest security level for the system to the specified132 value)133 EXCEPTIONS

* 134 KEsylToolligh: NOT level INSET (SENlowLevel SENhighLevel};135 EFFECTS136 'SYLgetHigh() - level;137138 $(-- ......... tii state function )139140 VFUN TIIinfo(seid s) -> tIiStruct st; $(TIIinfo)141 $(returns the type-independent information for a system object; this

, 142 information includes discretionary, non-discretionary, and domain access143 controls, privileges, and the owner and group for the object)144 HIDDEN;145 INITIALLY st -

* 146147 $(---.... s functions .....- )148149 VFUN SMXhasPriv(seld pSeld; privType priv) -> BOOLEAN b, $(SMXhasPriv)150 $( tells whether a given object - usually a process - has a particular

* 151 privilege)152 DERIVATION153 IF TIItnfo(pSeid) - ? THEN priv INSET TIIlnfo(pSeid).priv ELSE FALSE:154155 VFUN SMXflow(seId pSeid, oSeid; daType da) -> BOOLEAN b; $(SMXflow)156 $( tells whether a given subject "pSeid" can access a given object "oSeid"157 with the information flow specified by "flow", according to the158 constraints of the military multilevel security model: these constraints159 do not apply if the subject has the proper privilege)160 DEFINITIONS161 titStruct pTii IS TIllInfo(pSeId):162 tiiStruct oTil IS Tllinfo(oSeid):163 DERIVATION164 IF pTii -- ? AND oTIt -- ?165 THEN (daWrIte INSET da166 > (NOT SMXhasPriv(pSeid, privViolStarSecurity)167 > pTii.nd.securityLevel <- oTii.nd-securityLevel)168 AND (NOT SMXhasPriv(pSeid, privViolCompartments)

6W

snuc.specs Page 4 Fri Mar 27 15:34:47 1981

169 -> pTii.nd.securityCatS SUBSET oTii.nd.securityCatS)170 AND (NOT SMXhasPrIv(pSeid, prlvViolSimplntegrity)171 0> pTii.nd.integrityLevel >- oTii.nd.integrityLevel)-172 AND (NOT SMXhasPriv(pSeid, privViolCompartments)173 -> oTII.nd.integrityCatS SUBSET pTii.nd.IntegrityCatS))174 AND (daRead INSET da175 W> (NOT SMXhasPriv(pSeid. prlvViolSimpSecurity)176 0> oTii.nd.securityLevel <- pTii.nd-securityLevel)177 AND (NOT SMXhasPriv(pSeid. privViolCompartments)178 0> oTii.nd.securityCatS179 SUBSET pTii .nd. securityCatS)180 AND (NOT SMXhasPriv(pSeid, privViolStarlntegrity)181 0> oTil.nd. integrityLevel182 >-m pTii-nd. integrityLevel)183 AND (NOT SMXhasPriv(pSeId, privViolCompartwents)184 0> pTii nd.integrItyCatS185 SUBSET oTti.nd-integrityCatS))186 ELSE FALSE:187188 VFUN SMXdap~seid pSeid. oSeid: daType da) -> BOOLEAN b: $(SMXdap)189 $( tells whether a given subject "pSeid" can access a particular object190 "oSeld" according to the discretionary access rules of the system-191 similar to those of UNIX)192 DEFINITIONS193 tiiStruct p IS TIlinfo(pSeld)z194 modeStruct mst IS TIlinfo(oSeid).da:195 tiiStruct o IS TlIInfo(oSeid);196 BOOLEAN access(daType requested, allowed)197 IS requested198 SUBSET allowed199 UNION (IF SMXhasPrIv(pSeid. privRealizeExecPermlssions)200 AND daExecute INSET allowed201 THEN (daRead)202 ELSE ()203 DERIVATION204 IFo --?205 THEN SMXhasPrIv(pSeid. privViolDiscrAccess)206 OR access(da. mst.allMode)207 OR (p.group - o.group AND access(da, mst.group~ode))208 OR (p.owner - o-owner AND access~da, mst-ownermode))209 ELSE FALSE;210211 $(-- -- tit -- extraction and Insertion functions ----212213 OFUN TllcreateEntityLevel(seld oSeid; tiiStruct ntIi):S(TllcreateEntityLevel)214 $( Initializes the til information for an object "oSeid". the object hust215 not have currently defined tii Information; this Is a service function _

216 required for the creation of all types of objects In KSOS)217 ASSERTIONS218 TlIInfo(oSeid)219 ntil.nd-securityLevel INSET {SENlowLevel SYLgetHIgh0):220 ntil-nd.integrityLevel INSET (SENlowLevel SENhighLevell;221 EFFECTS222 'Tllinfo(oSeid) - ntii;

223224 VFUN TtlgetEntityLevel(seid pSeid. oSeid) -> tIlStruct ntii:

simx.specs Page 5 Fri Mar 27 15"34:47 1981

225 $(TllgetEntityLevel)226 $(Retrieves the tii information of an object named by "oSeid", as227 directed by process "pSeid"; mandatory and discretionary checks are also

228 performed; this function Is used by229 functions of the object-maintaining modules, which provide status

- 230 information to the object that is concerned with getting and setting231 object levels)232 EXCEPTIONS233 KEtiiNoObj: Tllinfo(oSeid) - ? OR NOT SMXflow(pSeid, oSeid, {daRead});234 DERIVATION235 Tllinfo(oSeid);236237 OFUN TllsetEntityLevel(seld pSeid. oSeld: tilStruct ntii);238 $ (TIlsetEnt i tyLevel)239 $( sets the type-independent information for an existing object240 "oSeld" to the new value "ntii". as directed by process241 "pSeid", the privilege to set level is always required: if an242 object's privileges are to be modified. the privilege to modify243 privileges is required; because only privileged programs are allowed to244 invoke this function, no other security checks - either mandatory245 or discretionary - are made)246 DEFINITIONS247 tiiStruct otil IS TIIinfo(oSeld),248 EXCEPTIONS249 $(privilege checking occurs In lev module)250 KEtIiNoSetPriv:251 otii.priv - ntli.priv AND NOT SMXhasPriv(pSeid, privModifyPriv);252 KEtIINoObj: otii - ?;253 ASSERTIONS254 ntil.nd.securityLevel INSET {SENlowLevel SYLgetHigho)};255 ntili.nd.integrltyLevel INSET {SENlowLevel .. SENhIghLevel};256 EFFECTS257 "TIIinfo(oSeld) - ntii:258259 OFUN TIIclearEntityLevel(seld oSeid); $(TllclearEntityLevel)260 $( deletes the type-independent Information for an object "oSeld"; this261 function Is used for implementing functions that delete objects - and262 thus must also delete the tit info)263 EFFECTS264 'Tllinfo(oSeid) -?265266267 END MODULE


5. Appendix B -Sample Code Proof

ism

December 1980 -19 -WDL-TR9001

nR I? -)~~~LT.1. Tue j1-Ja-O 11:37PM Page I

~e r ?s t 04 uo our 3m t o i r ov e n

V-UUUL-4 S-X;

JJLTN Sxcomnare:

*mxcoriare : (tii.ni.szcuritylevel (? tii..lsacuritylevel) AND

u',ao(Ltii.r% -securitycats, Hti i-nd-securitycats) AND

2 4 M A xS F( S X . J1)UL A ;wrst, the "odu1.3 program~ is -arsedFarsinq startel ;with the function MPAP3-, in the IrANS.TEXE(P~arsing Dor'e) ;environ e nt.1 -P? k SV.Vei"hIILE ;iere's th up )er-ievel spc anterod with

;the E!nacs editor, usingj the Coyer-L.oore

; (5CKUUF>SMX.nflIB'LE.2 Tue 1-Jan-SO 11:37PN Page 1:1

tSIXC0MPARWEADULE ;Enmacs - LISP interface.(UvMS (3.XCO4PA2E (LTll 14T!)

(VALUF (AND (NOT (GREATERP (SELFCT LTTI(QUOTE (ND

SECURITYLEVEL))STATE)

(SELECT HTII(QUOTE (ND

SECURITYLEVEL))STATE)))

(SUBSET (SELECT LTII (QUOTE (NO SECURITYCATS.

STAT0)(SELECT HTII (QUOTE (NO SECURITYCATc

STATE)STATE)

(NOT (LESSP (SELECT LTII(QUOTE (ND

INTEGRITYLEVEL))STATE)

(SELECT hTII(QUOTE (ND

INTEGRITYLEVEL))t STATE))) -

(SUBSET (SELECT LTII (QUOTE (NDINTEGRITYCATS))

STATE)(SELECT HTII (QUOTE (ND

INTEGRITYCATS))STATE)

STATE))))))SMXMUUIILE2PPP PRIMITIVEMUDULC )ilere's the lower-level spec.

* (PRiMITIVEMODULE (OVFNS (SUBSETOP (X Y)(VALUE (SUBSET X Y STATE)))

(SELECT.RECORD (STRUCTURE FIELD)(VALUE (SELECT STRUCTURE FIELD STATE)4

)

(VF4S (SUBSET (X Y))(SELE:T (STRUCTURE FIELD))))

V(LMLTiVEMUDUL62"/.P VHS ;This variable PRS has been set to be the

;parsed Modula program Dy MPARSE.

<K(CPR'POFSMX.DRIBnLZ.2 Tue 1-Jar.-80 11:37P4 Page 1:2

(MUUIILt

- ~UEINE. Slyc3r"'are)(.USE Subsetop)(( (pXuCEt1URE

Smywcomnar e- ((CUNST (Ltil. Htii)

tiistruct))

- 0v IL(H4ECTN

(=Si1ccomoareCANDOP (AIDOP (ANDOP (LESSORT() JALOP

(SELECT-RECORD (SELECT.RECORDF. Ltii

(QUOTECP (rid)))- (QUGTEOP (securitylevel))

(SELECT-RECORD (SELECT.RECORJHtii(QUOiTEOP (rid)))

(QUOTEOP (securitylevel))

(subsetop (SELECr.RECORD* (. (SELECT. RECORD

Ltii(QU07EOP (nce)))

(QUOTEJP (zsecuritycats)))C SELECT. IE COPD(SELECT. RECORD

IHtiA(QOEOtP (rid)))

- (QUOTEOP (securitycats)))))(GREATERCREQLJALOP (SELECT-RECORD

C SELECT. REC DPDLtii(QUOTEOP (rid)))

(QrJQTEOP (integritylevel)))(SELECT.RECORD

- (SELECT.*RECOFRDittii(Q93TEOP (rid)))

- (QUOTEOP (integritylevel)))))(subsetop (SELECTRCOR (SELECT.RECOPD Ltli

(QUOTEOP

- (QUOTEflE (irtegritycats)))(SELECT-RECORD (SELECT.RECORD Htii

(QUOTEiJP- (nd)))

LQOTO NIL))))cat)))

NLL))

; (CjUFS,%X.DRI3"LF.2 Tue I-Jan-1O 11:37P4 Page 1:3

PHS2UA~(LI~l T!1SL2"E2~;Just checcing to see tzie ord~er of the

(eAKSV-POflAI _F~"D~L LOERIflLF) ;arginents to TPANSLATF.29-(TRANSLATE PRS q4X,,.'D'IL- PPIMITIVEFODU') ;Invoking TRAASLATE on the

Inarsea prograT~, the upper-level specs.. andADOut to unuo JETINiE lists ;the lower-level specs.

06iNF lists undoneAbout to disambiguate n~ame luolications

4enaming done ;This stuff iust messages from TRANSLATE.About to nike integer substitutions for Types ani Constants-

constants and Tv'n.as replaced by integersAbout to perform translation

Translating finishe'About to do somie oDti-nizatton

Uptinzinq liore* A3out to splice in 3vcentjon ftaniling lumps

Splicing done

(I'rocessirnq Coipt3~dGGGG-AA-^;GGGG3u..PV ;Lr-I0Ghis is the result or the TRANSLATE call. -

(V F 14 S)(UVVNS (SMXCJ9PARc ((ASSIGN 50001 (OUOTEiLP (ND)))-

(ASSI ~N 50002 (SELECT.RECOR) LTII SOC01))(ASSIGN S0003 (QIJOTEOP (SEC T JRITYLEVEL)))(ASSI^-, S3CO 04 (SELECT.RFCORD S O002 S0003))k. (S SI 57 0005 (QUDTEOP (N4D)))

(ASSION S0006 (SELECT.RFCORD dTII SOC05))(ASSIrN SOO007 (nJOTEOP (S *FCTURILY'VEL)))(ASSIGN SO 38 (SELLCT.RECORD SV'036 SOCO7))-(1SSI"'S S0009 (LESSORE2IiAL3P SQOO04 50008)(ASSIGN SMA10 (OrJTEcJP (ND)))(ASSIGN S0011 (SEL!ECT.REC0RD LTII S0010))(ASSIIS 50,012 (QUO0TT0P (SEZURITYCA S))(ASSIGN S0013 (SELEC-T.RF.CORD S0011 SCC12))

(ASSICN S0015 (SELE:T.RFCDRD P7II SOC14))-(ASSIGN 30016 (QU10TEOP (SECEJPIrYCATS)))(ASSIf;N S0017 (SELECT.RFCOm D 30015 SC016))(ASSIGN S0018 (SUBSETOP S0013 S0017))(ASSIGN S0019 (AN1)0P S0CO9 SO'118))(ASSIGN S032G C0)UOTFUi' (mn)))(ASSIGN 50021 (SELECT.RECORD LTII S0020))(ASSIGN 50022 (OJOTFOP (INTEGRITYLEV7L)))-(ASSIGN SO)23 '(SELECT.RECORD S0021 S0C22))(ASSIrN S0024 (QrJOTEIP (NID)))(ASSIGI S0 75 (SELLCT.PECOR) 4TII S0024))-(ASSIGN S0026 (OUflTEOP (INTEGRITYLEVFL)))(ASSIrN S0127 (SELECT.PFCJORD SJ)025 S0026))(ASSIGN S0028 (GREATEPOREQUALOP S0C23 S0027))

; ~ T u0p 1-Ja.-30 11:37PH Page 1:4

(ASSIGN S1029 (4100 S~il9 50026))

(A.SSIf'6 333 (SELECT.RCORPD LTII 03)

(ASSIGN SC033 (SELECT.RECO3R) S 031 S0 32))(ASSI'N SC034 ofufTZOP (ND)(ASSPIN SO'35 (SELLZ3T.RECGR) H7TL S0034))(kSSIGN SV36 (QUJOT.Cj (INTEGRITYCATS))(ASSlrX 300337 (SELECT-RECORkD S0035 S00'36))

-(ASSIC~J S0038 (SUSSETOP S1033 30337))(ASSIGN ACI (AN90P S0029 30033))

(S!'X NIL))(1NITIALiZATICN)

(U~ LN I A JFT)

- (GLIUAL.VARlAJLES))NJ N-F'lUC-J1..D WIHt0( ;I saved the specs and translation on a file

;for use in VC generation and proving. Recall;that the tools for these processes are in a;different environment: CIFVCC.EXE.

* ;Sot nOW I'm in the ndw environmflent. I've;loadeP the things I saved previously into

3~ ~ A:.cs .IN-FiRi SSK~I!')ULE PliIN[TIVER001JLE) ;this environment. I begin( ;by invoking MAKE.VCS on the iimplerentationt

* (Argume.-it (Nu) in (Q11OTEOP (ND)) hot a LITATO') ;and the specs.

;Ali or tne messa~ges anpearing here are warnings from the VCG. Looking; at the CIF (RJJi-PPJG,) you should be able to tell why they're here. Can;Yo Oi'?(neck 1,)ack to the Boyer-Moore formalization of liD!.)

-* - collecting lists4U22, 10166 free cells(Argument WSCURFITYL"VFL) in (OTrEOP (SECURTTYLEVEL)) not a LITATOM)(Argument (Nu) i, (V0TEOP (lsu)) not a LITATC4)

- (Argumient C CIRITYLFVEL) in (QIJITEOP (SECURITYLEVEL)) not a LITATOM3)(Argumpnt 00!) in (2;!VTEr!P (NO)) not a LITAMO'.(Argument (SECTIRITYCA"S) ir (QUOTEOP (SECURITCATS)) rn,.t a LITATO4)

- (Arqu1mp.1t (t,,U) i-rOTi , (Iro)) aot a LITATOW)(Argument (1'C CJiITYCATS) in MOUTEZOP (SECUPITYCATS)) inot a LITAT04)tArgument M'L) in (QUOTEOP (ND)) not a LITATO')(Argument (iNTEGRITiLEVEL) in OUL!TEOP (1NTErRITYLEVFL)) not a LITATOM)

- (Argument (NO) in (VIOTEGP (ND)) not a LTTATVA)(Argtiment (INTECRITYLEVEL) in (QUO)TEOP (IIJIEGRITYLEVEL)) not a LITATC')(Argument (rul) in (OJErIP (13J)) not a LTT&Tr)M)

- (Argument (iNTEG~i-ITV~rs) in (QJCUfTEOP (INTECRITYCATS)) not a LITATOM)(Argunrt (00) in ('UTEJP (o.D)) not a LITATVI0)(Argument (INTEGRITUCATS) in (QJCTEOP (INTEGRITYCATS)) not a LTTATOM)

<K(CVKjUF>SMXVI39L7.2 Tue 1-Jan-80 11:37PM Page 1:5

***CG*GCGAGGCG~CG~CGAG

ii' V1L.HES3jLT ;IAKE.VCS has stored the list of VCs tO;be proved nere, in V'.G.Rv'SULT

C~(&'~S.F*ri PETTAINC.YCMPPMDL.NPIMITIVE:YOCULE)-(JCL STATE NIL)(LJEL STATE* :JIL)(U(CL ULGI' NIL)-1J;L Nr4i.STATC. I'L)

(JCL NE~XT (ITAT )'(UCL SUCS6T (X V STATF))-(UCL SELECT (STRLUrTIUE FIFLO S-,AT!:))(uL TR'UEOP (ST.ATF))

*(JUL FALSECJP (.3TA-E))(UCL f1NVEFoP (STATiF))-(IJCL EQUALJP (X Y STATE))(UCL NEOUALUP (X v STATE))(JUL ZERUPOP (X STATE))(OLk t ;hATLSPUP (X v STATE))(IJCL LQ*SS!N2P (X Y STAT-7))(UCL AIJ01lP (X STAT'7))(JCL P0 160P (Y Y SrTEv))(UCL UFFKLh.NCEODP (X( Y STATE)(VUL NUV!P!kPOP (X STATE))(UCL GH6ATEROREnUALOP (X Y STATE))(JCL LESSfrtR.)(tAL1' (X Y STATE))(UCL UKL]P (X Y STAT1))(UCL AN'JUP (X Y STA T M)(UUCL MJU'iOP (X S;"AE))(JCL SUPSI TOP (X( Y STATE))(LJCL SkrLLCT.RFCJI'% (STRUJCTURE FIELD STATE)MUL S ,YCUM1PAPE (LTTI 1HUT STATE))

(CUMmk.NT CORU ,CTN' SS. JF.INITIALIZATIWJ.Q*FSXCO4PARE'400ULE)(.'UMNT INPUT.T3.OiTDJT)(t'HtJVL.LF'V4A CONC LUSION 4IL (TR TE))(0NV)O*8AL('.TtiH0UV? TNPUT.TO -OUTPUT)(cum4.N'r bTAT~eEjLrIVALE:iCE)

(A%0 (F'2"AL (SUB2SET X V (NE49SUTE))-(S'!8SET X Y (STATE)))

(EQUfAL (SELECT STRUCTURE FIELD (NEWSTATE))(SFLE:T STRUCTURE~ FIELD (STATE)))))-

(V1HUVte.LtL'4% C3JUCLUSION 3TL (TRUE))(UNUOedACK.rHqujrGi; STATTE7'JIVALM7IC)(U1UO.bAL(. Tiht~fY! CG-7Rr-CT4ESS.OF.INITIALIZATION.OF.Si!XCOIPAPF:",)ULE')(VL1M1SrT C RRJFT4rSS.OF.S!XC3MARS)

(MIL LT1L' RIL)

<KCVWUU )S?6.DRIRcLF.2 Tue 1-Jan-?O 11:37PM Page 1;6

( (LUMA MNT INPUT. TO.OUTPUT)

to CUNCLUSIJN NIL(EQUAL (AID (AND (AMD (NJT (G?EATE P (SoLECT (SEL-'.CT (LTII*)

(QUOTE (D))(STATE*))

(QUOTE (SECURITYLEVEL))(STATE-))

(SELECT (SELECT (HTII*)(QUOTE (NO))(STATE*))

(QUOTE (SECURITYLEVEL))(STATE*))))

(SURSET (SELECT (SELECT (LTII*)o (qlOTE (NO))

*(STATE*))

(QUOTE (SECUtITYCATS))(1TATE*))

(SELECT (SELECT (HTII*)b• (QUOTE (ND))

(STATE*))(QIJOT: (SECURITYCATS))(STATE*))

(STATE*)))(NOT (LESSP (SELECT (SELECT (LTII*)

* (QUOTZ (ND))(STATE*))

(QUOTE (INTEGRITYLEVEL))(STATE*))

(SELECT (SELECT (HTII*)* (QUOTE (NO))

(STATE'))(QUOTE (INTEGRITYLEVEL))(STATE*)))))

(SURSET (SELECT (SELECT (LTII*)(QUOTE (M))(STATE'))

%(QUOTE (INTEGRITYCATS))

(STATE*))(SELECT (SELECT (HTII*)

(QUOTE (N3))(STATE'))

(QUOTF (INTEGRITYCAT3))(STATE*))

- (STATE*)))

N-

; (KCPRU0F>SMX.)RIE LF.2 Tue 1-Jan-80 11:37PM Page 1:7

(AID (NOT (GREATFAP (SELECT (LTII")(QUOTE (ND SEC1RITYLEVFL))(STATE*))

(SELECT (HTII*)(QUOTE (ND SECURITYLEVEL))(STATE*))))

(SUPSET (SELECT (LTII*)M(OOTE (N SECURITYCATS))(STATE*))

(SELECT (HTTII*)(QUOTE (ND SECURITYCATS))(STATE*))

(NT (STATE*))(3T (LFS3P (SELECT (LTII*)

(QUOTE (ND INTEGRITYLEVEL))(STATE*))

(SELECT (HTII*)(QUOTE (ND INTEGRITYLEVFL))(STATE*))))

(SJ SET (SELEr (LTII*)(QUOTE (ND INTEGRITYCATS))(STATE*))

(SELECT (HTII*)(QUOTE (N) INTEGRITYCATS))(STATE*))

(STATE*)))))(U4UU.bkCK.Tk1ROUGH TNPUT.TO.OUTPUT)(UtmMENT STATE.FJIqALEN:E)

(ADU.AXIOM HYPOTAESIS (REWRITE)(AND (Q1fTAL (SUBSET X Y (NEWSTATF))

(SUBSET X Y (STATE)))(7QJAL (SELET STRUCTURE FIELD (NESTATE))

(SELECT STRUCTURE FIELD (STAT6)))))(FRUVE.LEMMA CONCLUSION NIL (AND (EIUAL (SURSET V1 V2 (NEISTATE))

(SUBSET V1 V2 (STATE)))(EQUAL (SELECT V1 V2 (NEWSTATE))

(SELECT Vi V2 (STAT!)))))(UNUO.UACK.THROUGH STATE.EQUIVALENCE)(JNUO. dACK .fTH3U~w RRE'TNESS.OF.SmXCO4PARE)(U0VO. BACK. THRO110CUKKMEC f NESS -OF , TH P .TMPL '4FXTATION. OF • SMXCOMPAREMODULE -ON.PRI MITI VE MODULE))

ViG.KESULT34-Pe AXIUY' AXIOM2 ;?art of the axiomatization of structures

;requires the following two axioms. They are(AUU.AXLUM IDENTIToY.rF.SPLFCT (REWRITE) ;added to the list of theorem'

(EQUAL (SELECT S NIL STATE) ;prover events.5))

A

ft

< KCPRluOF>SMX.VRI3aLT'.2 Tue !-Jan-80 11:3JPM Page 1:8

(AUU.A'"IUM ASSOC IATIY yuF oSELECT (REWRITE)(SQUAL (SELECT (SELECT S PI STATE)

P2 STATE)(SELECT S (APPEND P1 P2)

STATE))NIL)

S(AXJUM1 AXIO042)

)Hlere I.s the proif of SAXAM0LA on PRIMITIVE?400ULE

<LISP>LISP. EXE.132

<NGRE>COOE..4

<HIER>CODEI. .2

01MORaE))ATA. .4

<iIER>DAYAl.,2

Friday, November 16, 1979 B:25PM-PST

...ICL(SrATE UIL)STAT9

.. UCLdSTATkW '41L)SATC*

.. UCL(BEGIN NIL)ilXGIM

MENSTATE

6L jk

< KCPUUF>S!AX.DRBL-L.2 Tue !.-Jap-80 11:37PM Page 1:9

.. uL.(hr(.STATE))N6XT

-JLSujlST (X Y STA"LJ))

-UCL.bELCT (STRUCTURE FTELD STATE)SELECT

- ~UC L(fIUtLJP (STATTE))TkRUSUP

UCL(FALS60QP (S-TATE))

...uL(JNO't:FrlF' (STATE))

* -UCLL4bfALOP (X Y STATE))* EQUAL.U"

UL(NEIWALiUP (X Y STAT~E))NUQUALUP

.UCL(ZtRWUP (X STATL9) a

-.JCL(GRATERPQ' (X Y STATE))-UKLATLHPOP

.UCLLEdSSPUP (X Y STATE))

,,.LCL(AU01UP (X STATE))AL? IlUP

... CLCPLtISLP (X V STAT'E))PUS LW

; ?UU>iX.3l L. Tue I-Jan-0 11:37?M Page 1:10

..UCLFr.EiC'2CP' (K Y STATE))

NUMbEFF'iP

.. UCL(AT rh'UALJn (X Y STATE))

.JCL(LVS0Hl-rJALOJ2 Y~ STATt ))

.. uiCLdUeLI (X Y STATEz))

- ULL(ANDiJ' V Y STAT7))At4VUP

UL( lUOTkA) (X SI'A14))QUOV

-JC(SSLSTOP (X Y STATE))SUBS&Tfl?

-VCL(StLLtT~iqTC0RD (STRUCTURE FIFLD STATE))- ELEYUT .RCOP)

SMKCUMdPARE

-- AUU.AXIU.'-( IDE1TV.~jW.SLECT(REW4RITE)(EQUAL (SELECT 3 NIL STATE) S))

IJ ENTITY. OF*SELECT

AUUA~~iA( S~lCATIIY.OF.SELECT- ~(REw4 PI 'E)

(EOJAL (SELECT (SELECT S Pl STATE) P2 STATE)(SELECT 3 (APPEV4D PI P2) STATE))

NIL)~ASUiArtvITV.)?.SELT

<KCUtUF>S%.lI~~. Tu.3 I-Jan-10 11:37?14 Page 1: 11

~LJM~NT( 'I~C NrS **I N ITA 17 ATI! N. JF.* Si XCn-A? RE'Ji

t.uKhC*[NS.'.F V4~1 1 LZA

LuMMtNT'( I:4PIT.TO.J OU 1'UT)INPJT.TJ-. JITPJT

ePUVE.L6;N1UA A(c tmL 73 IO0 11.I1L 7)Tnis Co),-iErture simplifies, clearly, to:

Load average d'.rin; Proof: 1.1344'4-Etapsadl UMCn: 1.t#F3 secondsCPU ~Ire (rli'oted to theore n proving): .124 secondsGu time: 0 secanlsUJ timie: .096 seconrisCUNses co)nsun-d: 5)

4 I'KOVE.Lr_'fA CuNCLUS2Lr)N *NIL (TRUJE)) (COV'f7NTINPUTeTOOUTPUT))

* ;UMMNr(sAT.E ;JIVALF!JIC;-)5rATE.E9U IVAL.NCE

(zREA4ITF)(M~ (CSIUAL (SUJRSS" X Y (NEWSTATE))

(SCJPSET X Y (STATE)))(E'UAL (SELE7T ST.RJCTURE FIELD (NEW'3 ATM)

(SELECT STRjUCTURE FIELD (STATE)))H Y OTH ES IS

<w(CP-Jv>h') X ' BL'7.2 Tue 1-Jin-80 11 :37PM ?age 1:12

'rnis tormula simniiLles, clteqrij, to:

(iUUE)

Q. E.U.

LoaU averag;e during proof: 1.202444Elapsed time: .225 secon.1sCv'U tire (devoted to t'~eorem proving): .107 seconds(;C timq? 0.0 secnfl-1i timne: . G1s econ 4sCUNSes consu'"s1: 50

V R ov E.L

,1JNV]. 4 Af,,'i( Ti. JH (S 'ATLE.*E'UVAL ICE)(FWlV~oLEM.4A CtUNCL!JF1nN NI, (TRT--)) (OD.AXIO"' EHYPOTATSIS(

mtwRivri) (Alt) (E(Q AL (SUPSET X Y (NEWSTATE)) (SUBSET A iSTATK))) (L.'IAL (ZTST.RJCTJ.RE FIELD (f*%FSTATE)) (SFLECTs'rxuCvt Vl' Lf (STAT))))) (CY. s*ENT STIATE.Z"IJTALENC-1))

.J No jL. H A(;K . 1rHfDijr:;H

. uL)MMFN 'r) rFlckC','ES S.IF *IN IT IALIZ AT"ION OF. .S*XCOIP ARE' tJLE)

LTr11w

I.UM~E N F LNP'I' .71 uuJP!J )u

AD-AIII 563 FORD AEROSPACE AND COMMUNICATIONS CORP PALO ALTO CA W-ETC FIG 17/2(KSOS) KERNEL VERIFICATION RESULTS. KERNELIZED SECURE OPERATING-(TC(U)

UN4CLASSIFIED WDL-TR900L NL,

, -82

lQ 13Z8ji

H~11111_L25 L1

MICROCOPY RESOLUTION TEST CHART

<CP.RUOp>S1rX.DRlSTLr.2 Tlue 1-jan-80 11:31P'A Page 1:.13

eRUV.LwY%(CulJCLU.3lX" N'IL

(AND

(GRE ATER~P

(SELECT (LTII*) (Q 1OTi (40D)) (STATE*))(ollTE~ (SECURITYLEVEL)(STATE*)

(SELECT (![TIT*) (QtJW?"E (~D)(57ATF*))-(0UOTE (SEC'JRITYLEVEL)(STATE*))))

(SE~LEC T(SELECT (LTIT*) (QFJOT3 (ND)) (STATE*))(QUOTj (SECJRITYCATS))(STATE~*))

(SvLrCT(SELECT (EiIT*) (QUOTE (ND)) (STATE*))('VIJOTE (5ECJRiLTVlATS))(STA!E*))

(3'ATE*))

(SF'LECT(S7%'LTCT (LTIT*) (QUOTE (0O)) (STATE*))(QUOTE (rITEGRITYLEVEL))( STATE*) )

(S F.L CT(SELECT GII)(QUUTE (ND)) (SrATE*))(QUOTE (INTEGRITYLEVEL))

(SUqSiT(SP!LrC'!

(SELECT (L~Trr) (QUOTE (M)) (STATE*))(VJOTE (TIECkRTTYCATSyl(STATE*))

(3FL7CT-(SELTCT (UTIT*) (QUOTE (NO)) (S'lkTE*))("VOTE (I.ITECRITYCATS))(STATE*))

(STA'"E*)))(AND

RJ T(GREATFRP (SELFCT (L.TII*)

(Q!IDTE (NO SFCURITYV.FWEL))(S~LET(STATE))

(QUOTE (NO SECURITYLEVEL)(STATE))))

. <vCPXUL>SX.DRT3nLT.2 Tue I-Jan-80 11:37PM Page 1;14

(SU33ST (SELCrT (LTTI*)(QUOTE (NO SECURITYCATS))(STATE*))

(SELECT (4TII*)(QUOTE (ND SECURITYCATS))(STATE*))

b(STATE*))

(OT(LSSP (SELECT (LTII*)

(QUOTE (N3 TNTEGRITY6EVEL))(STATE*))

(SELECT (HTII*)- (QUOTE (ND INTEGRITYLEVEL))

(STATE*))))(SUPSET (SELECT (LTII')

(OUOTF (ND INTEGRITYCATS))(STATE*))

(SELE:T (HITI*)(QUOTE (ND IhTEGRITYCATS))(STATE*))

(STATE*)))))TniS simplifies, ex 3nling the definitions of GREATERP, NOTeand AND, to 13 new goals:

Case 1. (IMPLIES( (OAND

(LESSP (SELECT (SELECT (,iTI*)(CONS (0UO'E NO) NIL)(STATE*))

(CONS (JOTE SECURITYLEVEL) NIL)(STATE*))

(SELECT (SELECT (LTII*)(C'.NS (QUOTE NO) NIL)(STATE*))

(CONS (QUOTE SECURITYLEVEL) NIL)(STATS*)))

(LESSP (SELECT (SELECT (LTII*)(CONS (QUOTE NO) NIL)(STATE*))

(CONS (QUOTE TNTEGRITYLEVEL) n1L)(STATE*))

(SELE:T (SELECT (HTII*)(CONS (QUOTF NO) NIL)(STATE*))

(CONS (QUOTE INTEGRITYLEVEL) NIL)(STATE*)))

(NOT(LESSP(SELECT (HTII*)

(.'NS (4JOTE 93)(CCNS ( UOTL SFCURITYLEVEL) NIL))

(STATE*))

<5C0P)>SXX.DRI3BLF.2 Tue 1-Jan-80 11:31/PM Page 1:15

(.SONS (133TE 143)(Cr'NS (4UDTE SECLIRITYLEVEL) NIL))

(NCT (STAT'))))

(LESSP(SEL ECT

(LTTII)(CONS (QUOTE NO)

(CDNS (OJOTE INEIRITYLEYEL) NIL))(STATE*))

(SE~LECT- (ITTI')

(CORS (OJOTE N))* (CONS ('lUOTE INTE.CRITYLEVEL) 'ILL))

CTATE*))(SUJBSET

(CONS (QUOTE ND)(CONS (atUOE INTEGIZITYCATS) NIL))

(ST ATE')(SELECT (FiIl')

(CONS (QUJOTE ND)(CONS (JUOTE INTEGRITYCATS) NIL))

(STATE*))(S*ATE*)))

* (SUBRSET(SELECT (LTII')

('.DNS (QJOTE 4D)(CONS (QUOTE SECURITYCATS) NIL))_

MSATE*))(SELECT (I{ 'It*)

(7ONS (rJOTE P40)(CONS (QUOTE SECCJRITYCATS) NIL))

(STATE'))(STATE*)))).

Tnis alain simpiies, rew4riting withASSUCIATLVITY.OF.SFLECTO CAR-CONS, and CDR.CONS, andexpanding tlhe function APPEND, to: gs

(TRUE).

/6

< (KCPHUUF>SMX.DRI9?LF.? Tue 1-Jan-80 11:37PM Fage 1:16

("Case 2. (IMPLIES(AND

_. (LESSP (SELECT (SELECT (HTII*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS (nUOTE SECURITYLEVEL) :IL)b- (STATE*))

(SELE.T (SELE:r (LTII*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS (QUOTE SECURITYLEVEL) NIL)(STATE*)))

(NT(LESSP (SELECT (SFLECT (LTII*)

* (CONS (QUOTE ND) NIL)(STATE*))

(CONS (QUOTE INTEGFITYLEVEL) NIL)(STATE*))

(SELECT (SFLECT (HTII*)(CONS (QJOTE ND) NIL)%W '(STATE'))

(CONS (JUOTE INTEGRITYLEVEL) NIL)(STATE*))))

(NOT(LESSP,k.(SELECT (HTII*)

(CONS (QUOTE NO)('ONS (JUOTE SECJRITYLE'EL) NIL))

(STATE*))(SELECT (LTII*)

(CONS (QUOTE NO)(CONS (QUOTE SECJRITYLEVEL) NIL))

(STATE'))))6,0 (NOT

(LESSP(SELE:T

(LTII*)ko (rONS (QWOT ND)

(CONS (QUOTE INTEGRITYLEVEL) NIL))(cTATE*))

(SELECT('T11')(CONS (QUOTE NO)

(CONS (mJOTE INTEGRITYLEVEL) NIL))~(STATE'))))(SUBSET

(SELECT (LTII*)(C'NS (QUOTE NO)

(CONS (4UOTE INTEGRITYCATS) NIL))(STATE*))

h.,

; <KCVROF>SlX.DRI99LZ.2 Tue 1-Jan-80 11:3'PM Page 1:17

C. (SELECT (11TII')(.'ONS ("JJTE 143)

(CONS (jUOTE INTEGRITYCATS) lIL))(STATE*))

(STATE')))- ( NOT

(SURSET(SELFCT (LTII*)

(CONS (QUOTE ND)(CONS (QJDOTE SEZJRITYCATS) NIL))

(ITATE*))(SELECT (RTrI*)

(CC3S (QUOTE ND)(CONS (QUOTE SE:JRITYCATS) VIL))

(STATE*))(STATF*)))),

which we again simnlify, applying the leMMasASSCtATIVITY.0F.SFLE7', CAR.CONS, and CDR.CONS, anduntolding the function APPEND, to:

(TRUE).

Case 3. (IMPLIES* (NOT

k. (LESSP (SELECT (SELECT (HTII*)(CONS (QUOTE N3) NIL)(STATE'))

(CONS (QUOTE SECUqITYLEVEL) AIL)(STATE'))

(SELECT (SELECr (LTII*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS (QUOTE SECURITYLEVEL) NIL)(STATE*))))

(S"BSET (SELECT (SELECT (LTII*)(CONS (QUOTE NO) NIL)(STATE*))

(CINS (JUOTE SECIRITYCATS) NIL)(STATE'))

(S-LECT (SELECT (HTII*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS (QUOTE SECURITYCATS) NIL)(STATE'))

(STATE'))

Cw

<KCFRU F>.!,+X.DRI3SLF'.2 Tue 1-Jan-10 11:31PM Page 1:18

( (LESSP (SELE:T (SELE'T (LTII-)(CONS (QUOTE ND) NIL)

, (STATE*))(CONS (OUOTE TNTEGRITYLEVZL) NIL)(STATE*))

(SELECT (SELECT (HTII')(CONS (qUOTE NO) NIL)(STATE*))

(CONS (OJOTE INTEGRITYLEVEL) NIL)(STATE*)))W T

(LESS?(SELECT (HTII*)

(CONS (QUOTE 8D)(CONS (OUOTE SECURITYLEVEL) NIL))

.(STATE*))-, (SELECT (L ,TII*)

(CONS (QUOTE 3D)(CONS (UOTE SECUIRITYLEVEL) NIL))

(STATE*))))(NIT(LiFSSP

(SELECT(LTTI')(."ONS (OJOTE N))

(CONS (QUOTE INTEGRITYLEVEL) NIL))* ,j (STATE*))(SELECT( ITI'*)

(CONS (QUOTE ND)(CONS (OLIOTE INTEGRITYLEVEL) NIL))

(STATE*))))(SI'SET

(SELECT (LTII*)(CONS (QUOTE NO)

(CONS (qUOTE INTEGRITYCATS) NIL))(STA'E*))

(SELECT (HTII*)(CONS (QUOTE NO)

(CONS (QUOTE INTEGRITYCArS) NIL))(STATE*))

(STATE*)))(NOT(SUBSET

(SELECT (r.TII*)(CONS (QUOTE ND)

(CONS (QUOTE SECUPITYCATS) NIL))(STATE*))

(SELECT (ITII*)(CONS (QUOTE NO)

(CONS (QUOT+ SECURITYCATS) NIL))(STATE*))

(STATE*)))).

hi

) <KCPRUUF>SMX.iRIBFLE.2 Tue 1-Jan-80 11:37PP Page 1:19

out tnis simplifies- a~ain, appljing

AbUCi%'I'T1TV°OF.S'L.CT, CA.CfJS, and COnRCONS, aniexpanalfiq the function APPFND, to:

(TRUE).

Case 4. (I'APLIES(AND

(NOT(LESSP (SELECT (SELECT (HTII')

(CONS (IUOTFE ND) !lIL)(STATE*))

(ZONS (QUOTE SECURITYLEVEL) NIL)(STATE*))

(SELECT (SELECT (LTII*)(CONS (OUCTE ND) 'IL)(STATE*))

(CONS (QUOTE SECUPITYLEVEL) NIL)(STATE*))))

(SUBSE-T (SELECT (SELECT (LTII*)(CO.NS (GIOTE NO) NIL)(STATE'))

(CONS (M)tJOTE SECURITYCATS) diL)(STATE'))

(SC.LFCT (SELECT (HTII*)

(CONS (QTOTE ND) NIL)(STATE*))

(CONS (QUOTE SECURITYCATS) NIL)(STATE*))

(STATE'))WiT(LESSP (SELECT (SELECT (LTII*)

(CONS (QJOTE ND) NIL)(STATE*))

(CIINS (V.OTE INTEGRITYLEVEL) NIL)(STATE*))

(SPLEC? (SEL ZT (PITIT')(CONS (QUJOTE NO) NIL)(STATE*))

(CONS (QUOTE INTEGRITYLEVEL) NIL)(STATE*))))

(S!7BSLT (SFLFCT (SELECT (LTZI')(CONS (QUOTE NO) NIL)(STATE*))

(ONS (QUOTE INTEGRITYCATS) NIL)(STATE'))

(SFLECT (SELECT (HTII*)(CONS (QUOTE ND) NIL) W

(STATE*))(CONS (QUOTE INTEGRITYCATS) NIL)(STATE'))

(STATE'))

; <KCFWJUF>S.(.J.IB"L.o2 Tue 1-Jan-80 11:37PM Page 1:20

( (LJ.SSP

(C9ES ('UOTE ND)(CnalS (IJUTE SCURITYLFVEL) NIL))

(STATE'))(SELrm (L7TII*)

(CINS (,UOTE ND)(CONS (JUOTE SECURITYLEVEL) NIL))

(STATE*))))(NCT

(LESSF(SELECT (LTII*)

(CONS (WUOTE 10)(C NS (IJOTE INTEGRITYLEVEL) IIL))

(SELECT ('-TTI*

(COS (qUOTE ND)(CJNS (QJOTE INTEGRITYLEVEL) NIL))

Hut tnls aqain silirlifies, rewriting withAbUClATlVlTV.£o S.S-LCT, CAR°ZONS, ani C3R.CrNS, andexparcling the function APPE:ND, to:

case 5. (IMPLIES

(NOT(Lr4SSP (SELECT (SELECT (hiTII*)

- (CONS (QUOTE N3) NIL)(STATE*))

(CONS (0 UOTE SECUPITYLEVEL) NIL)(STATE*))

(SELECT (SELECI (LTII*)(CONS (QUnTE ND) NIL)(STATE*))


(SUBSzET (STLFCT (SELECT (LTII*)-- (CONS (QUOTE ND) NIL)

(STATE*))(OZNS (LJOTE SECJRITYCATS) NI16,)(STATE*))

(SMLECT (SvLFCT (HTII*)(CONS (QUOTE ND) NIL)(STATE*))

ow (CONS (QUOTE SECURITYCATS) NIL)(STATE*))

(STATE*))

"W

•I-

; ,C tU0>SlX*VRInLro2 Tue 1-Jan-9O 11:37PM Page 1:21

(NCT(LESSF (SSLE:T (SELE:T (LTII*)

(CONS (QUOTE Nn) NIL)(STATE*))

(CONS (QUOTE INTEGRITYLEVEL) 4JIL)(STATE*))

(SFLFCT (SELECT (HTII*)(CONS (QUOTE ND) NIL)(STATE*))

(:ONS (10QTE INTEGRITYLEVEL) NIL)(STATE*))))

(SUBSET (SFLvCT (S7ELECT (LTII*)(CONS (QUOTE ND) NIL)(STATE*)) "l

(CONS (QUOTE INTEGRITYCATS) NIL)(STATE*))

(SELECT (SELECT (HTII*)(CONS (QJOTE ND) NI)(STATE*))

(CONS (JUOTE INTEGRITYCATS) NIL)(STATE*))

(STATE*))(LESSP

(SFLFCT (H II*)

(CONS (QUOTE !ID)(CONS (LJOTE SECIRITYLEVEL) NIL))

(STATE*))(SELECT (LTII*)

(CONS (QUOTE ND)(NS (QUOTE SECJRITYLEVEL) NIL))

(STATE*)))(NIT(LESSP(SELE:T

(LTII*)(CONS (QUOTE ND)

(CONS (QUOTE INTEGRITYLEVEL) NIL))(.TATE*))

(S ELECT('TTI*)(CONS (QUOTE NO)

(CONS (QJOTE TNTEGRITYLEVEL) NIL))(STATE*))))

(W'I8SET(SELECT (LTIT*)

(.,NS (QUOTE NO)(CONS (QUOTE INTEGRITYCATS) NIL))

(STATE*))(SELECT (HTII*)

(CINS (QJOTE NID)(CONS (QUOTE INTEGPITYCATS) NIL))

(STAT,*))(STATE*)))

<KCFHU6MMX.9I BL'. 2 Tue 1-Jan-RD 11:17P?4 Page 1:22

(NUT

(CNS (-u--%- AmD)(CONS (QUOTE SECUFITYCATS) '1L))

(STATE*))- (SELECT V~TII*)

(CONS (QuO71Z -D)(CONS (QUOTE SECURITYCATS) :3IL))

(qTATE*))(STATE*)))),r

wnicn w~e al~ain simplify, applying ASSOCIATTVITY.OF.SELECT,CAIR.CONS, an-3 C)R.704Sp and expanding the functior, APPEND,

* to:

*ca se b. 1PIS

(NOT(LESSP (SELECT (SELECT (k{TII*)

* (CONS (WOTE F)) NIL)(STATE*))

(CWNS M~LOTE SECURITYLEVEL) AIL)(STATE*))

* ((SELE:T (SELECr (LTII*)(CONS (~JOTE XD) N4IL)(STATE*))

(CONS (QUOTE SECURITYLEVEL) NIL)- (STATE*))))

(STIRSkT (Sr~L!CY (SELFCT (LTII*)(CONS (QUJTE NOS) NIL)(STAT E*))

(.'DNS (VUOTE SECJRITYCATS) NIL)

(SFLECT (SELF.CT (1TI*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS (QUOTE SFCVTRITYCATS) NIL)WMP (ST ATE*))

(STAT'E*))(NIT?(LESS' (S'-:LEC? (SFLECT (LTII*)

(cflNs (QTIOTE ND) NtL)(STATE*))

(:ONS (VJOTE INTEGRI'YLEVEL) NIL)- (STATE'*))

(SrLFCA (SrLFCT (HTII*)(CONS (QUOTE ND) NIL)(STATE*))

-, (CONS (QUOTE IgTEGPITYLEVEL) NIL)(STAATE')))

<C i?3GjFSX3I3%LT.2 Tue 1-Jan-63O 11:37P~4 Page 1:23

(S'IMSE~T (S-LrCT (S:,L7Cr (LTII*)(CONS (41DOT2 IJD) ~I.(STATE*))

(CMlIS (QUGTE INTFEG'ITYCATS) N4IL)(STAE)

(St"LcVT (SELEZ? (4!iTIT*)(CONS (QrUUTE VD) NI-)(STATE*))

(CONS (QUOTE INTEGRITYCATS) NIL)(STATE*))

(SZLECT (HTII*)(Z.7NS (Q-JOTE %,D)

(CONS (QUOTE SECUIRITYLEVEL) NIL))(ST ATE*))

("%JOS (O)',I E NO)(CONS (QUOTE SECtJRITYLEVEL) 41L))

(STATE*)))(NCT

(LESSP(SE~LECT LI*

(CO4S, (OUOTE MID)(C3NS (QJCTE INTEGRITYLEVEL) NIL))

( (STATE*))(SE:LECT

(H4T~T*)(Os((100TE N))

(CONS (qqOTE INTEGRITYLEVEL) NIL)(STATE*))))

(SUB SET(SZLF' r (LTIT*)-

(C3NS (QUJOTE NO)(CONS (QUTOTE INTEGRITYCATS) NIL))

(STATE*))(SELECT (ITII*)

(C3NS (QUOTE NO)(CONS (11UOTE INTTGRITYCATS) NIL))

(STATE*W))(STATE*))

(SU9SET(SELECT (L.TII*)

(CONS (QUOTE ND)(CONS (QUOTE SE:JRITYCATS) NiL))

(rTATIE*))(SELECT ("TTI*)

(CONS (QUOTE NO)(CONS (QUOTE SE.CJRITYCATS) NIlL))

( STA TE*) )

CSTATS* Mo

; (KCY UUF)S,-'X.DRIl'LF.2 Tue 1-Jan-90 11:31PM Page 1%24

wnlncn 3gain silpilies, spplying ASSOCIATIVITY.0F.SWLLCT,CARi.CCA1S, In! C)R.'OaS, ane opening up the definition ofAPPE.ND, to:

(TPtJE).

Case '1. (I'-,PLYES(AND)(NOT

_ (LESSP (SELECT (SELECT (fITII*)(CONS (MJ TE N)) NIL)(STATE*))

(CONS (QUOTE SECURITYLEVEL) .iIL)b. "(STATE*))

(SFLE"T (SELECr (LTTI*)(CONS (QUOTE ND) NIL)(STATE*))


(SrJBStT (SELECT (SELECT (LTII*)qw (CONS (QUOTE ND) NIL)

(STATE*))(CONS (QUOTE SECJRITYCATS) NIl.)

" ,(STATE*))(SFLFCT (SELECT (HTIIT*)

(CONS (QUOTE ND) NIL)(STATE*))

taw (CONS (QUOTE SECLRITYCATS) NIL)(STATE*))

(STATE*)), (NnT

(LESSP (S7LECT (SELFCT (LTII*)(CONS (QUOTE ND) NIL)(STATE*))

- (CONS (QUOTE INTEGRITYLEVEL) A IL)(STATE*))

(S'LPCT (SPLECT (HTII*)(CONS (QUOTE NO) NIL)(STATE*))

(CONS ('1JGTE INTEGRITYLEVEL) NIL)(STATE*))))

(SUbSET (SELECT (SELECT (LTII*)(CONS (QJOTE 4D) NIL.)(STATE*))

(CflNS (QUO)TE INTEGRITYCATS) NIL)(STATE*))

(S7LF:T (SFLE:T (HTII*)-, (CONS (QUOTE ND) NIL)

(STATE*))(CONS (QUOTE INTEGRITYCATS) IL)(STATE*))

(STATE*))

<KCtUF>SMX.DI3'-LE,? Tul 1-Jar-60 11:1/PFM Page 1:25

(LESSP(SELFCT (riTIT*)

(CONS ('IUJTF. 34)(CONS (VJOTE SECJRUTYLEVEL) *11L)

(STAT~E*))

(CONS (QUOTE IDO)"3NS (VLOTE SEC'IkTTYLEVEL) NIL))

(STATE*w))

(LESSP(S EL F:

(LTII*)(CON4S (QJOTt 111)) -

(CONS (QUOTE INTEGRrTYLEVEL) NIL))

(SELECT

(CONS (QUOTE ND)(CJNS (PJflTE TXTEGRITYLEVEL) NIL))

(SUR ~S6~T(SEL&CT (L-TII*)

(CONS (VIOTE INTEGRITYCkTS) NIL))(STATE*))

( (SLECT CHTII*)(CNS (VJOTE N'))

(CONS COtOTE INTEGRITYCATS) 114IL))(S T ATE*))

(S'rATE*)))f

wfltcn a~jain simplifies, applyin~g ASSOCIATIVITY.DF.SELa.CT,CA1?*COiS,* and CbQ.COVNSo and unfolding APPE"'Of to:

(TRUE).

.fCtjFS$XD '7o2 Tue 1-Jan-PO 11%37? Page 1:25

Case d. (1'LA'LFS

(LFSS? (-zEF.E-CT (SELECr (LITTI*)(CONS (JU'-TF NO) N~IL)(STATE*))

(CONS (OUCTE SZCURiITYLEVEL) AiIL)(STATE*))

(SELECT (SELECT (LTTI*)(CNS (7UflTI NO) NIL)(STATE*))

(CONS (lIOTr SE:JF.ITYt.SVEL) NIL)(STATE*))))

(SUB8SET (S'-L7CT (SFL72CT (LTII*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS ( UOE SFCURITYCATS) ilL)(STJA'z*))

(SELE:CT (SELECT (IITII*)(CONS (QJOTS NO) Mt.)(STATE*))

(CMUS (V~OTE SEC!1RITYCATS) :,'L)(STATE))

(LE~SS? (SrLTCT (STLECT (lTII*)- (CONS (QUGTT- ND) NIL)

(STATE*))(CONS (111QTE INTFGPITYLEVEt.) 1IL)(STATE'))

*(SMLC7 (SELECT (HTII*)(CONS (QJGTF. 1O) Nt~(STATe.'))

(CONS (ITJUTE INTEGIYTLEVEL) MI)(STATE))))

(CONS (QUOTE ND) NIL)- (STATE))

(CONS (QUOTZ lNTEGPITYCATS) NIL)(STATE*))

-(SELECT (SFLECT (!]Tll')(CINS M~OVE NO) NIL)(ST ATE*))

- (0GNS MQOTE INTEGqlI"YCATS) 1lL)(3TATE))

(S rATE*))

- (LESS'(SELECT (!fTII')

(CONS (I)UUTE Rn)(CONS (QUIOTE SECrWITYLEVEL) ILL))

(STATE*))

3 CF)X. "1L',*2 lue I-Jar.-80 11:37cm Page 1:27

(CONS (QUTOTE SZCU -ATYLEL) '411)

(NL.I'

(S2L C'r ([TIT*)-

(CJNS (tZJOTE IIWTEGRITYLF.VZL) '11L))( TATr*))

(CON3 (?TJOTE INTEGRITYLFEVL) :.'L))( TAT*))))). -

However- this a~ai sippifles, rewriting wit!AbJCAIVTY.'1F.3FLZTi CAR-i.CNS1 and CDR.CONSp an"oPeniryg uip APPF"'. to:

(TRUE).

- -Case 9. (IMPLI.,3

(CONS (,)UnTE NO) NIL)(STATF*))

(C03S (QUOJTS SE~CURITYLEVEL) i~IL)* (STATE*))

(SELECT (SELECT (LTTI*)(CONS (IU.q-TE ND) 111L)(STATE*))

(CONS (# JOTE SEcURITYLEVEL) NiIL)(STATE*))))

(S"BSi.T (STL7CT (SELFCT (LTII*)(CONS (QUOTE 1W) NIL)(STATE*))

(CONS (QUOTE SECURITYCATS) NIL)(STAT7*))

(SELE7CT (SFLECT (HTII*)(ClNS (Q,10TE NLI) NIL)(STATE*))

(CCNS (QUOTE SECURITYCATS) I.)(ST ATE*))

(STATE*))(NOT

<) ( FRJUF>SY .J ?I iLc. Ts 1-Jan-80 11:1'0P4 Page 1:26

(L~S~P (~YC CS~~CT(LTII*)(CONS (QUJOT',. D) NIL)

- (STAE'*))(CONS (-.0UTE INTEGRITYLE.VEL) NIL)(ST ATE~*))

- (CONS (QJOTE NO) NIL)(STATE*))

(CONS VTlOTE INTFG'ITYLEVEL) J1IL)- (STATE*)

*(StliSLA (57LF:T (SELF:T (LTII*)(CONS (wUGTE NO) NIL)

- (STATZ*))(CONS (QUOTE INTEGRIrYCATS) NJIL)(STAT .*) )

(SFLFCT (SELECT (liTlI*)- (CONS (QUOTE NrO) NIL)

(STATE*))(CONS (CiJOTE. INTEGIRITYCATS) '41L)(STATE*))

(STATE*))

(LESS'(SELECT (14T1I*)

(CINS (gTYOTE Nnf)(CONS (QUOTE SECURITLEVEL) NIL))

(CONS (QUOTE SECURITYLEVEL) NIL))(STATE*))))

WI~T(LESSP(SELECT

((.TTI*)(Co'~S (QUOTE. 111)

(CONS (OUOTE INTSTIRITYLEVEL) NIL))- (S1TATE*)

(SFLE'. 7(HTTII')

- (f!ONS (IUtOTT 'I0)(CONS (QUOTE INTECRTTYLEVEL) NI1L))

(lTATE*))))(SUBSET

(CONS (QUOTE ND)(:ONS (QUOTE INTEGRITYCATS) N4IL))

- (STATE*))

(CONS (QUOTE ND)aw (CONS (QUOTE INTECPITYCATS) NIL))

(STATE'*))(STATE*)))

(SU'EST(SELECT (LT,!I*)

(CI-S (0OJOTF MD)(COJNS ('WCTE SECU:ZIYCATS) '71L))

S(-z*LlCT (',TI* )(77CS (frJ."E 143)-

(CONS (QUOTE SECURITYCATS) NIL))MSATT~*))

4~nicn 3gi±ln sipiliejs, rewrittnq withAbUCLAfiVITY.-F3 'L'CT, CAR.C2PJS, and CDR.COVS, andopening up APP!E1D, to:

* (TRUso

* Case 19.(IMPLIES(AND 1

(NCT 0(LESS? (SELE.CT (SELECT CiTTTI*)

(CONS (W)U!TE ND) NIL)(STATE*))

(CONS (QUOTE SECURZITYLEVEL) 11IL)(FTATE*))

* ( ~~(MELCT (SELECT (LTII*) J)IL-(CONS (ICF4)VL(STATE*))

(CONS (0JOTE SECJRITYLEVEL) NIL)(STATF*))))

(SUPSc.T (S7LFCT (SFLTCT (LTII*)(CONS (QU6iTE NO) NIL)(STATE*))

(CICJS (JUCTx. SECURITYCATS) AIIL)

(STATE*))(SELECT (SELECT (HTiI')

(CONS (f1JOTE NO) NIL)(STATE*))

(CONS (VtOTE SECr!RITYCATS) NIL)(STTATE*))

(NlOT(LZSSP (St-LFCT (S!FLECT (LTII*)

(CONS (QUOTE NC) NIL)(STAT'E*))

(CONS (QUOTE INTECF.ITYLEVEL) J~IL)(STATE*))

(SELECT (SELECT (HTII')(CONS (QJJTE 40) NV.L)(STATE*))

.(CCNS Q~UOTE INTEGFITYLEVEL) NIL)(STATE*))))

; ~~ ~~'ue 1-Jan-10 11:37PMPae13

(~'fS ST (S'LECT (SELFECT (LTII*)(CtnNS (QUOT!E X'D) NIL)(STATE*))

(CONS (QUOTE INTEGRITYCAS) NIL)(STAZ)

(S!.hLCT (SELECT (HTIT')(CONS (QUOTE NO) NIL)(STATE*))

(:ONS (Q'1OTE INTE4.,ITYCkTS) 14iL)(STATZ*))

(STATE"~)(NCT(LESSP

- -(SELFCT (HII*)(CINS (1VTOTE NO)

* (COSIS (QUOTE SECURITYLZVEL) NIL))- (STATE*))

(CONS (QUO3TE NO)(CONS (QUOTE SECURITYLEVEL) 1,IL))

- (STAE*)(NIT(LES3!7

* (SELECT(t.TII*)

( (~~~~CONS (QUJOTE 1 10)TTLVE)NI)(C9J4S ('VJGTEZTG?!LVL I)

(STATE*))SS FLPC"

(4TII*)(C"ONS (aJQTr NO)

(CONS (QUOTE INTEGRITYLEVEL) NIL)(STATE*)))))

(SLYRSET(SELECT (LTiI')

(CONS (QUJOTE 4))(;ONS (2LJOTE INTEGRITYCATS) 4IL))

(STATE*))

(CONS (QUOTE NU)(ZOlNS (VJOTE INTEGPITYCATS) N!IL))

(STATE*))(STATE*)).

but this again siollfiesf rewriting with the lemmnasA5UC1AT1VITYeOF.SFLvZT, CAR.COMS, and CDR.CONS, andopening up APPF.OM, ti':

(TRUE).

<(~clJuFSX.DRIatLF'.? Tue I-Jan-80 11:37PM Page 1:31

Case I I.LiiL! ES(A NO)

(LE.SSP (57LECT (SELTECr (HTri')(CONJS ('nJfTF N)) 'NIL)(STATE*))

(CONS (lUOTT SECUFITYLZ7VEL) 'J1L) o(STATE'))

CEFCT (SELi Cr (LTTI*)(CONS (lUOTE PIO) '41L)(STATE*))

(CONS (QUOTE SECURITYLEVEL) NIL)(STATE')

- -(SIPSiTl (SFLFCT (SELECT (LTIT*)(CONS (QGJOTF ND) NIL)(STATE*))

(INS (VLOTE SFCJRTTYCATS) NIL)(STATE*))

(CONS (QUOTE ND0) NIL)(STATE*)) o

(CONS (41OTE SECITRITYCATS) NIL)(3TATE*))

(S"ATE*)) N(WMT

(CONS (qUlOTE ltD) NIL)(STATE*)) u

(:ONS (aJ0TE IITEGRITYLEVEL) N4IL)(ST AT.7*))

(SL!CT (SI,:LTCT (HTIT*)(CONS (QUOTE ND) NIL)(STATE*))

(CONS (,,UCTE INTEGPITYLEVEL) MJIL)(STATE*))))

(NUT(SJtiSwT (SF.ECT (SELECT (LTII*)

(CONS (QUOTE ND) NIL)-(STATE*))

(C6NS (QUOTE INTEGRITYCATS) NIL)(STATE*))

(SELECT (S .LECT (HrIll)(CONS (JUTE ND) NIL)(STATE*))

(CONS (QUJOTE INTECkRITYCATS) NIL)(STATF*))

(.T ATF'))(NOT(LE SS?

<KC1'WKUUV)5XsDRTBEL.-.2 Tue 1-Jarn-80 11:31Pw Page 1:32

(5LCT (W]TII*)(CrINS (PILfTTE NOD)

(CP'qS (QUOTE SECUIRITYLEVEL) 1IL))(STATE*))

(CONS (QUOTE SECURITYLEVEL) !41L))(S?kTL*)1))

(WIT* - (LESSP

(S6LECT(r.TII*)

-' - (CONS (QUOTE 1JO)(CONS MQOTE INTEGRITYf2VEL) NJIL))

(SL^T(STATE*))

- (ITII* )(CONS MQOTE ND)

(CONS (QUOTE INTEGRITYLEVEL) NIL)- (STATE)

(511? SET

(CONS (QUOTE 11D)(I-NS (QUJOTE 14TEGRITYCATS) qIlL))

(S"ArE*))

- (CONS MQOTE '40)(CONS (V~OTE INTEGRITYCATS) NIL)

(ST AT%*))(STATE)))

- (NOT

(SELECT (LTII)(CONS (QUOTE NO)

(CONS (QUOTE SECURITYCATS) NIL))(STATE*))

(CONS (001TE ND)(CONS (MOTE SECURITYCATS) 11L)

(STATE*))- (STATZ'))))

wnicti we again simtplifyt applying ASSOCIATIVITY.OF.SELECTI(;AR.LOM, and COR.7ONSI and expanding the definition ofAPI'ER'fD to:

(TRCU 5Z)o

t KCV'i~t3F>3VX *OR I B ILE2 Tue 1-Jan-aO l1:3IPM Page 1:33

Case 12.(iNPLIL-S

(N3T(LhSSP (SELECT (SELECT C!TTI')

(CONS (QU3TE 40) NIL)(STATE*))

(CONS (QUJOTE STECURITYLEVEL) NIL)(!TATE*))

(SELFCT (SELECT (LTII')(CONS (QJIE ND) NIL)(STTE*))

(CJNS MQOTEj SECURITYLEVEL) NIL)(STATE*))))

(S11BS-T (SF'LF.CT (SE.LFCT (LTII*)(CCINS (QUJOTE ND) NIL)(STATE*))

(ONS (QUOTJE SECUITYZATS) NIL)

((STATE'))

(Ci~4S(ONS S(CUOTECAN) NIL)((STATE*))

(S(STATE*))

( (LF!SSP (9cFLE-T (SEL7.77 (LTIT*)(CONS (QUOTE ND) UlIL)(STATE*))

(CONJS (QUOTE INTECSRITYLEVEL) NIL)(STATE*))

(SELECT (SELECT (HTII*)(CONS (OUOTE ND) NIL)(STATE'))

(CONS (V)OTE IN'!EGRITYLEVEL) NIL)(STATE*)))

(Nn?(LESSP(SELEZT (iV11*)

(CONS (QUOTE N))(CONS (JUOTE SFCURITYLEVEL) NIL))

(STATE*))

(CONS (QUOTE ND)(CONS (QUOTE SEcIJRITYLEVEL) NIL))

VT (STATE))))

(LESSP

(Lri* I)(:O"1S (qJOTE N))

(CONS M OTE ISTEGRITYLEVEL) 41WL)( TATF*))

KL; ( ,UOF>SA4XORI 3L .2 Tue 1-Jan-80 11:37PM Page 1:34

(S --L C T

(CONS (QUOTE INTEGRITYLVEL) NIL))(nTATF*))))

( SELECT ( LTII*)

(CONS (QOTE ND))(CONS (VUOTE INTEGPITYCATS) N'ILL))

(STATEW))(SELFZT fiTII*)

(CONS (0TTOTE MD)(CONS (QrTOTE I EGPITYCATS) NIL))

(STATE*))(STATE*)))

(NOT(SIJBSET

(SELZCT (LTII*)(:DqS (OJOTE ND)

(CONS (QUOTE SLCURITYCATS) NIL))(STAT*))

(SELECT (HTII*)(NS (TJ IE NO)

(CONS (QUOTE SECUPITYCATS) NiL))(STATE*))

(STATE*)))),

whlch we agaln sinplify, re#riting withA35UCiATiVTv.F.SFL7CT, CAR.CONS, and CDR.CONS, anduntod lng the function APPEND, to:

(TRUE).

..

:. a .-

; K~ffFSX!R3L 'r~ue I-Jarn-eO 1 :17PM4 Page 1:35

(A ND(WiT

(LESS-', (SELE.CT (SELECT (ViTTI*)(COJNS OUITF ND) NI11.)(STATE*))-

(CJ)NS (QU'OTE SECUR ITYLEVEL) NIL)(STATE*))

(SELECT (SELFC1T (LTTI*)(CONS (13UfTE ND) :4IL)(STATE-))

(CONS (QUOTE SECUP.ITYLEVFL) NIL)

(NOT(S~bSET (SFLECT (S'FV:T (LTII*)

(C-INS (QUOTE ND) :JIL)

(ST ATE*))(CONS (QUOTE SECUJRITYCATS) NIL)

(STATE*))

(LESP(SLFT (SE.ET (TI')(CNS (QOTE ND) NIL)(STATE*))

(CNS (QUOTE SNECIRTYLCATL) NIL)(STATE *))

(LSP(SFECT (Sg LEC? (LITI)(CONS (QUJOTE~ ND) NIL.)(STATE'))

(CONS (QUOTE INTEGRITYLEVEL) NIL)

(N UT (STAE*)))

(CONS (QUOTE NnND)1L

(S(STATE*))

(C"NS (V!OTE SNEURITYLEVEL) NIL)((TATAT)))))

(NOT(LESSP

(SEL-,T H TlI I*

KCtS(jOT O

<N CF9 POF >S,X .0R 3-:L':2 Tue I-Jan-80 11:1IPM Paj-e 1:36

(LTT*)

- ~(CO~NS (^X!j0Tw INTLIRIT~vEVEL) ~t)

(SELECT

CONS~ (0Q'IOTE N~O)(CONIS (OUOVE T3TEGRITYLEVEL) NIL))

(STAE*)))

* (S~LEC~(LTII*)(COlNS 013TrT ND)

(CONS (QUOTE INTEGPITYCATS) :41L))(STATE*))

(SFLEC"I (MTTI*)(CS (PjrYTT ND)

(CONS (QUOTE SNEGRrTYChTS) AIL))(SATE*))

('ONS (TJ0TF NOD)

(C) NS (nUOT7 1ECfPIYCATS) NIL))

(ST ATE*))

Ruat tnis stj.-1jfies againr applyingASSU1AiAI'1TYUFS7L'CTf CAR.CCONS, and CDR.CONS, andopeninq up the definition o~f APPEND, to:

(TRUJE).

- Load averaqe during; nrrnef: 2.O5' 366I AaPgel tlr'e: I'l1X577 seconds1t'U tine (levoteli to theorem proving): 43.741 seconds(W tlmla: 9.887 secondsto tirme: 7.20 secondsCUN~as consui'iel: 99301

PI(OVKL1

<A Ci'xdF3':!7.0. I BL2 Tue 1-Jar.-80 11:37??' Page 13

_JNOJj. t~;. T41,U ';.I( I i, JT .T.J'r~ i r

~JUT (NI)) ~TA".; ) ) r;':T. -C S'PI LFVL )A' (AN sA E.j) ))SU8t CfF ( LrT (SELF", CL":TI*) Cf'rIT" M?1)) (SAT*)) (!j'

(uI~CAh) (3T,!FTTYi;.)) (sELT--*) (SELCT (EL7C) (QJTI*CP4JU)) (!TT)) (.SJA.1') (sE';rT.: s) STTE )) (SAT*)))CNUBT" (SP(S:Lt.C (LC LTII*) (0r)TP On) ((AT)) OC'T

(~U~f~(v~ :~7'i.73) (STA..) )-L~ CSEL.':CT ("'LETI* (NII) (* (,INU)) (ST'3)(T)) (,!rl - (STATTLE E*)) (STAT"*)))

* ~ ur~:(ii~L;FTYC~S))(STAT:E*)) (S;7.ECT (SLECT (HTII*)(QJUTL. k*N)) (T)(UT (NERTCT (STAT7,*)) ((SU9rT*) (., !'3 (ST]--C rGLETII* C3Ej1.EZF (1T40') (;TATE-) (P hQCU~r L)!) .TA) (SATE*)) (HTIT*) (ELET~ (NO1

* SUH1VYLk.V00)) (3TA-E )) OTE (11TE LETCATS (TAE*))~F* NJ STAt*.U) ir) aj ('~ (SEaT (LTT*) (QUOCTE(N

Se~CUiTYC~3)) Cr1-3*)) (S"LAT) (NT* (ESSPT (1L4DLTIN (U"~ :.l 7 SVCiE) (59tE) (LCT C'TI

SLIUTYC (NU (S~G~TT-vE)) CSTTATE*))))T (LSiSE (SELC

LT!I1) (1j!1v'w (NO TIIT?%!ITY:ATS)) (STATE*)) (SFLECT (iT!II*)(,jUUT. (10L 1'JTLGQT~yCATS)) C3TAr7*)) (5TATT*)))) (C.JAV IIT

( UM'AtiNT( .STAT .EJ-IIVALFINC6)

(AND (r"UIL (SJPSET X Y (r4EWSTATE))(S UPSET X V (STATE)))

CE-;JAL (MEET STRICTURE FIELu %NEWSTATE))(SELECT STRUCTUPL FIELD (STATS)))

_kPO V t Li (NCL 341D ! I L(AMD (E:,UAL (SUPSET V! V-1 (NE.WSTATE))

(5URSZT VI V2 (STATS))(EQUAL. (SELECT V1 V2 (NE'.SrATE))

(SELECT Vi 112 (STATEM))This conliect'jre c3fl be propositiona1ly si.liified to twc,new rorvirlais:

Case 1. (EPUAL IllSE '1F12 (L4'tSTATE))(3'JIS T V1 Y12 (FIATF)).

This sliplifieS, irpiying t , 1lrmna HYPOTHESIS, to:

(TPUE).

13 L7 .2 ue 1-Ja'-6O 11:31_'PM Page 1:30

Case 2. (iLr)UAL (S71L7-T V1 '.,2 (Nx-3rAT'))(SFLE7T Vi V2 (ST'rE))),

wfllCf w silipify, rldritinj iith IiYOTiIE_1tS, to:

- Loaa i%-raaje J~jrlrvT7 oroof: 2 . 05 3b6El~apse!i tinel QR secondsCiFU tirme (.devotedc to theoro-m urovin'g): .342 secondsU;C timp: 0. secon!5-iU time: .JO3 seconijsCuNs'qj cornsu'red: 261

_U 09 t AC T1idUM (STATE.E~ I VALE ICE)Uk~tVr.Lt9VM. CUiNC LJZr) 'T L (AND (EEOUAL (SU.ESET V1 V2(

NE4'SrATL)) (SJ~iSZ~r V1 VZ (STAT~F)) (E(JAL (S--LF'CT V1 V2CNbWrATI.)) (SL?:CT V-1 12 (STATEM))) (ADnD.AXTJ',, yPUTiF312S(l~.R~wiTr (AM ( QIJAL (St'OSET X Y (NEWSTATE)) (SJESET A Y1STATt.)I) (EV~AL (SF.'FCT STRJCTJ:tRE FIELD (t'xSTATE)) (SELECT

_kSEIKUCTWJh FIELD (STA-E)))) (C4'Z T STATE.E'nr!IVALEUC2E))

- (Ot.LT?!L) (9CL 471II") (COMMFNT CORRE-CTNESS.OF.SA4Xc;]3'PAt-.)

*LUK C fNtS SF THE 9 I'-,PCF"l N rA TI.3.OF- SMXCO'-4PAREM'.ODUL . 3N .PR UUITliL!'0DULE'

((AUU. AX1U.'. ASOCIATIVITY.O'. SELECT (REWRITE) (EQUAL (SELZCT(S~uUT ' P1 STATF) P2 STATE) (SFLECT S (APPEND PC P2)

NTATlt))) (Ai'). AY~r'4 ID:IVa.~?T(RE-YR1E) (--n t JAL(5,kLE(;f b NIL STAT'.) S)) (VOCr. SIAXCONMPARE (L'rIT hT1T ST.-T2-))CUCL Sk LL:TetRFnR (S RJZ TURE FIEL) STATE)) OCL 'USsETc- (XY STATtI)) (UCL QUOTE-OP (X STATF.) (DCL ANDO.? X Y STATZ.))CUUL IUi" (X V STATF)) (DCL 1A'Ss3RE(MAL'1P (X Y STATE)) ( )Cl.UKhATt.FU~rLOUALQP (X Y STATF)) (DCL %,tPrERFP3P (Y STArE)) (PCL

J1~Y~xr~EU 0 (X V 3-A'E)) (IZL P6-.USOP (Y Y STATE)) (-'CLAUDIut' (x STATf.)) ()-L LES3POP (X Y STATE)) (JCL GREAMF0U'PtX V STAr)) (Q)CL 7E1POPOP (X STATE)) (DCL NE' UALOP (X YSTAVE)) (UCL E'JUALOP (Y Y STATF)) (DCL UNDEFFP (STATE)) ([CCLtVALSEUPk (.STkTS)) ()7L TRUEOP (STrATE)) (DCL SELFCT (

STNUI'TW(E F'iELD ST4A&.')) (DCL SU95ET (X Y STATE)) (DCL '1--X7:STATE) (DCL, f.EkSTAT~) (r)C FErIN) Q)CL STATE-) (OCL STATF)(~t'fmLNTCUKV CVNSS. r1L.-THE .I 1"PtrE NTATI)N.C F. SvXC IPARE O)tJLE. ),N. PiI "ITI VEMOIDULE

ad-all& ford aerospace and.connunications corp palo … · jecting the kernel specification to...

Documents