Trustworthy Systems

Towards a platform for secure systems


Gernot Heiser

    School of Computer Science and Engineering
    Sydney 2052, Australia


Keynote at SICS Workshop on Virtualization and Verification for Security


True security of software systems can only be achieved through mathematical proof of the relevant properties. However, real-world software systems are far too complex to make their formal verification tractable in the foreseeable future. Nevertheless, strong security guarantees can, in principle, be obtained by isolating the security-critical parts of the system from less-critical parts. This approach is based on three premises: (i) it is possible to structure the system to keep the critical part(s) small and isolated, (ii) the software that provides the isolation (a microkernel or hypervisor) can be shown to enforce the security requirements, and (iii) given the known properties of the critical parts (including the hypervisor/microkernel) it is possible to prove security properties of the overall system.

The Trustworthy Systems project at NICTA takes this approach. Specifically, we have mostly achieved (ii), by formally proving the functional correctness as well as other security-relevant properties of the seL4 microkernel, and are closing in on the remaining issues (especially enforcement of confidentiality). We have developed a framework to support (i) and are also working on (iii). This talk will provide an overview of the principles underlying seL4, and the approach taken in its design, implementation and formal verification. It will also discuss ongoing activities and our strategy for achieving the ultimate goal of system-wide security guarantees.

BibTeX Entry

    author           = {Gernot Heiser},
    howpublished     = {Keynote at SICS Workshop on Virtualization and Verification for Security, Stockholm, Sweden},
    month            = mar,
    title            = {Towards a Platform for Secure Systems},
    year             = {2012}