{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,3]],"date-time":"2026-01-03T06:52:26Z","timestamp":1767423146950,"version":"3.41.0"},"reference-count":52,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"1","license":[{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2019,1,1]],"date-time":"2019-01-01T00:00:00Z","timestamp":1546300800000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100001381","name":"National Research Foundation Singapore","doi-asserted-by":"publisher","award":["NRF2014NCR-NCR001-30"],"award-info":[{"award-number":["NRF2014NCR-NCR001-30"]}],"id":[{"id":"10.13039\/501100001381","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Cybersecurity R&D Directorate"},{"name":"National Cybersecurity R&D Directorate"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Trans. Dependable and Secure Comput."],"published-print":{"date-parts":[[2019,1,1]]},"DOI":"10.1109\/tdsc.2017.2672983","type":"journal-article","created":{"date-parts":[[2017,2,22]],"date-time":"2017-02-22T19:12:26Z","timestamp":1487790746000},"page":"127-141","source":"Crossref","is-referenced-by-count":19,"title":["Refinement-Based Specification and Security Analysis of Separation Kernels"],"prefix":"10.1109","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2284-1383","authenticated-orcid":false,"given":"Yongwang","family":"Zhao","sequence":"first","affiliation":[]},{"given":"David","family":"Sanan","sequence":"additional","affiliation":[]},{"given":"Fuyuan","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Yang","family":"Liu","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"doi-asserted-by":"publisher","key":"ref39","DOI":"10.1007\/978-3-540-30477-7_9"},{"doi-asserted-by":"publisher","key":"ref38","DOI":"10.1109\/SP.1982.10014"},{"year":"2002","author":"nipkow","journal-title":"Isabelle\/HOL A Proof Assistant for Higher-Order Logic","key":"ref33"},{"doi-asserted-by":"publisher","key":"ref32","DOI":"10.1002\/stvr.422"},{"key":"ref31","first-page":"1","article-title":"Modeling and validation of ARINC653 architectures","author":"delange","year":"2010","journal-title":"Proc Embedded Real-Time Software"},{"year":"2012","author":"gomes","article-title":"Formal specification of the ARINC 653 architecture using circus","key":"ref30"},{"doi-asserted-by":"publisher","key":"ref37","DOI":"10.1007\/978-3-662-49674-9_50"},{"doi-asserted-by":"publisher","key":"ref36","DOI":"10.1109\/SECPRI.1999.766906"},{"key":"ref35","first-page":"1","article-title":"POK, an ARINC 653-compliant operating system released under the BSD license","author":"delange","year":"2011","journal-title":"Proc Real Time Linux Workshop"},{"doi-asserted-by":"publisher","key":"ref34","DOI":"10.1109\/EDCC.2010.18"},{"doi-asserted-by":"publisher","key":"ref28","DOI":"10.1145\/2560537"},{"key":"ref27","first-page":"1","article-title":"Refinement, decomposition, and instantiation of discrete models: Application to event-B","volume":"77","author":"abrial","year":"2007","journal-title":"Fundamenta Informaticae"},{"doi-asserted-by":"publisher","key":"ref29","DOI":"10.1109\/ISSRE.2015.7381821"},{"year":"2015","journal-title":"AUTOSAR Specifications (Release 4 2)","key":"ref2"},{"doi-asserted-by":"publisher","key":"ref1","DOI":"10.1016\/S1290-0958(99)80018-5"},{"year":"1992","author":"rushby","article-title":"Noninterference, transitivity, and channel-control security policies","key":"ref20"},{"doi-asserted-by":"publisher","key":"ref22","DOI":"10.1007\/978-3-540-30108-0_14"},{"doi-asserted-by":"publisher","key":"ref21","DOI":"10.1109\/JSAC.2002.806121"},{"doi-asserted-by":"publisher","key":"ref24","DOI":"10.1007\/3-540-51305-1_7"},{"doi-asserted-by":"publisher","key":"ref23","DOI":"10.1007\/978-3-642-35308-6_12"},{"doi-asserted-by":"publisher","key":"ref26","DOI":"10.1007\/BF01214918"},{"doi-asserted-by":"publisher","key":"ref25","DOI":"10.1145\/362575.362577"},{"doi-asserted-by":"publisher","key":"ref50","DOI":"10.1109\/SECPRI.1988.8110"},{"year":"2004","author":"richards","article-title":"The common criteria, formal methods and ACL2","key":"ref51"},{"doi-asserted-by":"publisher","key":"ref52","DOI":"10.1007\/978-3-662-54577-5_28"},{"key":"ref10","article-title":"Formal specification of a generic separation kernel","author":"verbeek","year":"2014","journal-title":"The Archive of Formal Proofs"},{"doi-asserted-by":"publisher","key":"ref11","DOI":"10.1007\/978-3-319-17524-9_26"},{"doi-asserted-by":"publisher","key":"ref40","DOI":"10.1109\/SP.2009.23"},{"doi-asserted-by":"publisher","key":"ref12","DOI":"10.1109\/TSE.2007.70772"},{"doi-asserted-by":"publisher","key":"ref13","DOI":"10.1007\/978-1-4419-1539-9_10"},{"doi-asserted-by":"publisher","key":"ref14","DOI":"10.1007\/978-1-4419-1539-9_6"},{"doi-asserted-by":"publisher","key":"ref15","DOI":"10.1007\/s10009-011-0195-9"},{"doi-asserted-by":"publisher","key":"ref16","DOI":"10.1109\/SP.2013.35"},{"doi-asserted-by":"publisher","key":"ref17","DOI":"10.1145\/2508859.2516702"},{"key":"ref18","doi-asserted-by":"crossref","first-page":"133","DOI":"10.1007\/978-3-319-12154-3_9","article-title":"Separation kernel verification: The Xtratum case study","author":"san\u00e1n","year":"2014","journal-title":"Verified Software Theories Tools and Experiments"},{"doi-asserted-by":"publisher","key":"ref19","DOI":"10.3233\/JCS-2009-0393"},{"year":"2000","author":"rushby","article-title":"Partitioning in avionics architectures: Requirements, mechanisms, and assurance","key":"ref4"},{"doi-asserted-by":"publisher","key":"ref3","DOI":"10.1145\/1067627.806586"},{"year":"2012","journal-title":"Common Criteria for Information Technology Security Evaluation","key":"ref6"},{"year":"2010","journal-title":"ARINC Specification 653 Avionics Application Software Standard Interface Part 1-Required Services","key":"ref5"},{"year":"2007","author":"craig","journal-title":"Formal Refinement for Operating System Kernels","key":"ref8"},{"year":"2007","journal-title":"U S Government Protection Profile for Separation Kernels in Environments Requiring High Robustness","key":"ref7"},{"doi-asserted-by":"publisher","key":"ref49","DOI":"10.1007\/s00165-012-0256-1"},{"doi-asserted-by":"publisher","key":"ref9","DOI":"10.1007\/978-3-642-14808-8_16"},{"doi-asserted-by":"publisher","key":"ref46","DOI":"10.1007\/s12046-009-0002-4"},{"key":"ref45","first-page":"304","article-title":"Feature-based decomposition of inductive proofs applied to real-time avionics software: An experience report","author":"ha","year":"2004","journal-title":"Proc 26th Int l Conf Software Eng"},{"key":"ref48","article-title":"Used formal methods","author":"blasum","year":"2015","journal-title":"White Paper EURO-MILS"},{"doi-asserted-by":"publisher","key":"ref47","DOI":"10.1109\/ICSE.2012.6227120"},{"doi-asserted-by":"publisher","key":"ref42","DOI":"10.1145\/1314466.1314473"},{"doi-asserted-by":"publisher","key":"ref41","DOI":"10.1007\/978-3-319-10506-2_17"},{"doi-asserted-by":"publisher","key":"ref44","DOI":"10.1109\/SP.2011.30"},{"doi-asserted-by":"publisher","key":"ref43","DOI":"10.1007\/978-3-642-54792-8_15"}],"container-title":["IEEE Transactions on Dependable and Secure Computing"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/8858\/8613030\/07862167.pdf?arnumber=7862167","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,15]],"date-time":"2025-06-15T15:50:45Z","timestamp":1750002645000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/7862167\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,1,1]]},"references-count":52,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.1109\/tdsc.2017.2672983","relation":{},"ISSN":["1545-5971","1941-0018","2160-9209"],"issn-type":[{"type":"print","value":"1545-5971"},{"type":"electronic","value":"1941-0018"},{"type":"electronic","value":"2160-9209"}],"subject":[],"published":{"date-parts":[[2019,1,1]]}}}