Skip to main content
SpringerLink
Log in
Book cover

International Conference on Interactive Theorem Proving

ITP 2011: Interactive Theorem Proving pp 325–340Cite as

seL4 Enforces Integrity

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNTCS,volume 6898))

Abstract

We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.

NICTA is funded by the Australian Government as represented by the Department of Broadband, Communications and the Digital Economy and the Australian Research Council through the ICT Centre of Excellence program

This is a preview of subscription content, log in via an institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Andronick, J., Bourke, T., Derrin, P., Elphinstone, K., Greenaway, D., Klein, G., Kolanski, R., Sewell, T., Winwood, S.: Abstract formal specification of the seL4/ARMv6 API (January 2011), http://ertos.nicta.com.au/software/seL4/

  2. Andronick, J., Greenaway, D., Elphinstone, K.: Towards proving security in the presence of large untrusted components. In: Klein, G., Huuck, R., Schlich, B. (eds.) 5th SSV. USENIX, Vancouver (2010)

    Google Scholar 

  3. Bell, D., LaPadula, L.: Secure computer system: Unified exposition and Multics interpretation. Technical Report MTR-2997, MITRE Corp (March 1976)

    Google Scholar 

  4. Boyton, A.: A verified shared capability model. In: Klein, G., Huuck, R., Schlich, B. (eds.) 4th SSV. ENTCS, vol. 254, pp. 25–44. Elsevier, Amsterdam (2009)

    Google Scholar 

  5. Cock, D., Klein, G., Sewell, T.: Secure microkernels, state monads and scalable refinement. In: Mohamed, O.A., Muñoz, C., Tahar, S. (eds.) TPHOLs 2008. LNCS, vol. 5170, pp. 167–182. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  6. Dennis, J.B., Van Horn, E.C.: Programming semantics for multiprogrammed computations. CACM 9, 143–155 (1966)

    Article  MATH  Google Scholar 

  7. Elkaduwe, D., Klein, G., Elphinstone, K.: Verified protection model of the seL4 microkernel. In: Shankar, N., Woodcock, J. (eds.) VSTTE 2008. LNCS, vol. 5295, pp. 99–114. Springer, Heidelberg (2008)

    Chapter  Google Scholar 

  8. Feiertag, R.J., Neumann, P.G.: The foundations of a provably secure operating system (PSOS). In: AFIPS Conf. Proc., 1979 National Comp. Conf., New York, NY, USA, pp. 329–334 (June 1979)

    Google Scholar 

  9. Guttman, J., Herzog, A., Ramsdell, J., Skorupka, C.: Verifying information flow goals in security-enhanced linux. J. Comp. Security 13, 115–134 (2005)

    Article  Google Scholar 

  10. Jaeger, T.: Operating System Security. Morgan & Claypool Publishers, San Francisco (2008)

    Google Scholar 

  11. Klein, G.: Operating system verification—an overview. Sādhanā 34(1), 27–69 (2009)

    MathSciNet  MATH  Google Scholar 

  12. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: 22nd SOSP, pp. 207–220. ACM, Big Sky (2009)

    Google Scholar 

  13. Krohn, M., Tromer, E.: Noninterference for a practical DIFC-based operating system. In: IEEE Symp. Security & Privacy, pp. 61–76 (2009)

    Google Scholar 

  14. Lampson, B.W.: Protection. In: 5th Princeton Symposium on Information Sciences and Systems, pp. 437–443. Princeton University, Princeton (1971); Reprinted in Operat. Syst. Rev. 8(1), 18–24 (1974)

    Google Scholar 

  15. Lipton, R.J., Snyder, L.: A linear time algorithm for deciding subject security. J. ACM 24(3), 455–464 (1977)

    Article  MathSciNet  MATH  Google Scholar 

  16. Murray, T., Lowe, G.: Analysing the information flow properties of object-capability patterns. In: Degano, P., Guttman, J.D. (eds.) FAST 2009. LNCS, vol. 5983, pp. 81–95. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  17. Richards, R.J.: Modeling and security analysis of a commercial real-time operating system kernel. In: Hardin, D.S. (ed.) Design and Verification of Microprocessor Systems for High-Assurance Applications, pp. 301–322. Springer, Heidelberg (2010)

    Chapter  Google Scholar 

  18. Shapiro, J.S., Weber, S.: Verifying the EROS confinement mechanism. In: IEEE Symp. Security & Privacy, Washington, DC, USA, pp. 166–181 (May 2000)

    Google Scholar 

  19. Walker, B.J., Kemmerer, R.A., Popek, G.J.: Specification and verification of the UCLA Unix security kernel. CACM 23(2), 118–131 (1980)

    Article  MATH  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. NICTA, Sydney, Australia

    Thomas Sewell, Simon Winwood, Peter Gammie, Toby Murray, June Andronick & Gerwin Klein

  2. School of Computer Science and Engineering, UNSW, Sydney, Australia

    Simon Winwood, Toby Murray, June Andronick & Gerwin Klein

Authors
  1. Thomas Sewell
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Simon Winwood
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Peter Gammie
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Toby Murray
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. June Andronick
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Gerwin Klein
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Faculteit Informatica, Open Universiteit, Postbus 2960, Heerlen, 6401 DL, The Netherlands

    Marko van Eekelen

  2. FNWI/ICIS/IS, Radboud Universiteit Nijmegen, Postbus 9010, 6500 GL, Nijmegen, The Netherlands

    Herman Geuvers  & Freek Wiedijk  & 

  3. Faculteit Informatica, Open Universiteit, Postbus 2960, 6401 DL, Heerlen, The Netherlands

    Julien Schmaltz

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sewell, T., Winwood, S., Gammie, P., Murray, T., Andronick, J., Klein, G. (2011). seL4 Enforces Integrity. In: van Eekelen, M., Geuvers, H., Schmaltz, J., Wiedijk, F. (eds) Interactive Theorem Proving. ITP 2011. Lecture Notes in Computer Science, vol 6898. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22863-6_24

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-22863-6_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-22862-9

  • Online ISBN: 978-3-642-22863-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation