Trustworthy Systems

The formally verified seL4 microkernel – a high-assurance foundation for MCS


Gernot Heiser

CSIRO's Data61, Australia
UNSW, Australia


Keynote at IEEE Conference on Embedded and Real-Time Computing and Applications


This talk covers the seL4 microkernel and its assurance story. I explain the kernel's spatial isolation guarantees. I also cover the worst-case execution-time (WCET) analysis and how it integrates with the functional correctness proof artefacts through the translation validation toolchain to establish provable loop bounds and infeasible path refutations. I explain how a verified mapping to a higher-level component framework allows reasoning about isolation properties of a system at the architecture level. I finally discuss seL4's new model of scheduling contexts, which introduces capabilities for time, making time a first-class resource just as space. This is specifically designed to support the needs of mixed-criticality systems. The model allows less critical tasks to preempt critical ones while ensuring the critical tasks will meet their deadlines; the model also supports resource sharing across criticalities. The new scheduling model is presently undergoing formal verification.

BibTeX Entry

    author           = {Gernot Heiser},
    howpublished     = {Keynote at IEEE Conference on Embedded and Real-Time Computing and Applications},
    month            = aug,
    title            = {The Formally Verified {seL4} Microkernel -- A High-Assurance Foundation for {MCS}},
    video            = {},
    year             = {2020}