Trustworthy Systems

Can we prove time protection?


Gernot Heiser, Gerwin Klein and Toby Murray


UNSW Sydney

University of Melbourne


Timing channels are a significant and growing security threat in computer systems, with no established solution. We have recently argued that the OS must provide time protection, in analogy to the established memory protection, to protect applications from information leakage through timing channels. Based on a recently-proposed implementation of time protection in the seL4 microkernel, we investigate how such an implementation could be formally proved to prevent timing channels. We postulate that this should be possible by reasoning about a highly abstracted representation of the shared hardware resources that cause timing channels.

BibTeX Entry

    address          = {Bertinoro, Italy},
    author           = {Heiser, Gernot and Klein, Gerwin and Murray, Toby},
    booktitle        = {Workshop on Hot Topics in Operating Systems (HotOS)},
    date             = {2019-5-12},
    doi              = {},
    month            = may,
    pages            = {23-29},
    paperurl         = {},
    publisher        = {ACM},
    title            = {Can We Prove Time Protection?},
    year             = {2019}