A security kernel is that part of operating system software responsible for controlling access to files and other resources. This report gives a paradigm for showing that a kernel can protect itself from destruction or tampering by user software, on the basis of the hardware and kernel software properties. An illustrative proof is carried out for DEC PDP-11 /70 hardware, with kernel properties that would be typical for this machine.