Introduction to the Guardol Programming Language and Verification System

Guardol is a high-level programming language intended to facilitate the construction of correct network guards. The Guardol system generates Ada code from Guardol programs. It also provides specification and automated verification support: guard specifications are formally translated to SMT format and passed to a new decision procedure dealing with functions over tree-structured data. The result is that difficult properties of Guardol programs can be proved fully automatically. Guardol is a programming language and support environment being developed by the Trusted Systems group in the Advanced Technology Center of Rockwell Collins. Guardol is aimed at making the process of specifying, implementing, and certifying high assurance guards more efficient, flexible, and retargetable. The motivation for developing Guardol comes from experience Rockwell Collins has in developing guard implementations. Although execution aspects of programs (e.g., speed and size) are undoubtedly important, we have focused on a number of other significant aspects as well: the ability to target a wide variety of guard platforms; the ability to glue together existing or mandated functionality; the generation of both implementations and formal analysis artifacts; and sound and highly automated formal analysis. What is a guard? A guard mediates information sharing between security domains according to a specified policy. Some typical guard operations on a packet stream are the following: read field values in a packet; change fields in a packet; transform a packet by adding new fields; drop fields from a packet; construct audit messages; and remove an entire packet from stream. ∗Rockwell Collins Advanced Technology Center †University of Minnesota