Trustworthy Systems

Stop the leaks: Towards provable information security with seL4

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

Keynote at the International Summer School on Information Security and Protection (ISSISP)

Abstract

Preventing unauthorised information flow in computer systems is a problem that has been recognised at least since the 1970s, and is still not solved satisfactorily. With the move from time-shared central computers to personal computing platforms, interest in the topic waned, until the shared-platform model re-emerged in the form of public clouds, as well as mobile devices running a large number of apps from untrustworthy sources. This has put information-flow security, and especially covert information flows, back on the agenda.

The last decade saw significant progress in fundamental approaches to computer security, especially with the seL4 microkernel, the first operating system with a formal proof of implementation correctness. Subsequent work proved information-flow properties about seL4, including its ability to prevent information flow through covert storage channels. This leaves timing channels as the major security threat that must be resolved.

In this talk I will present an introduction to seL4 and its main concepts, and give an overview of its verification story and the information security challenges it does and does not address. I will explain some of the challenges presented by the present programming model of computer systems, with the instruction-set architecture (ISA) as the hardware-software contract. I will argue that the ISA abstracts too much for security, and show how it could be refined into a contract that makes it possible to reason about the absence of timing channels. I will also talk about work in progress on mechanisms that allow seL4 to prevent information leakage through timing channels, in a way that should be verifiable against a suitable hardware-software contract.

BibTeX Entry

  @misc{Heiser_18:issip,
    author           = {Gernot Heiser},
    howpublished     = {Keynote at the International Summer School on Information Security and Protection (ISSISP)},
    month            = jul,
    title            = {Stop the Leaks: Towards Provable Information Security with {seL4}},
    year             = {2018}
  }