Trustworthy Systems

It's time for truly secure operating systems

Authors

Gernot Heiser

    School of Computer Science and Engineering
    UNSW,
    Sydney 2052, Australia

Published:

CASA Distinguished Lecture

Abstract

Half a century after PSOS, the first attempt to prove an operating system (OS) secure, OS faults remain a major threat to computer systems security. A major step forward was the verification of the seL4 microkernel, the first proof of implementation correctness of a complete OS kernel. Over the following 4 years this proof was extended to the binary code, proofs of security enforcement, and sound and complete worst-case execution-time analysis. The proofs now cover 4 ISAs.

Yet, 15 years later, there is still no provably secure OS. While seL4 has been successfully deployed in defence and civilian security- and safety-critical systems, it is a microkernel that mostly guarantees process isolation without providing the application-oriented services expected from an OS. This not only makes seL4 difficult to deploy, but also means that there is no guarantee that a system built on top is secure in any real sense.

We had to realise that seL4 is too hard to use for people without a deep understanding of the kernel model and its philosophy, and that seL4 must be developed into a complete OS that provides the high-level services expected by developers, such as processes and I/O. We have therefore started to develop LionsOS, a highly modular design of an seL4-based OS for use in embedded/cyberphysical systems. We aim to achieve end-to-end proofs of security enforcement for LionsOS, including the provable confinement of untrusted code with a threat model that includes microarchitectural timing channels.

Our experience to date shows that a clean, lean and principled design not only makes it possible to develop an OS from scratch with the limited resources of a university group, but that such an OS can actually be highly performant, debunking some old (but apparently never-dying) myths about the performance of microkernel-based systems.

The talk will also touch on more speculative, early-stage work towards a provably secure, general-purpose OS.

BibTeX Entry

  @misc{Heiser_25:casa,
    author           = {Gernot Heiser},
    howpublished     = {CASA Distinguished Lecture},
    month            = may,
    slides           = {https://trustworthy.systems/publications/papers/Heiser_25:casa.pdf},
    title            = {It's Time for Truly Secure Operating Systems},
    url              = {https://casa.rub.de/veranstaltungen/distinguished-lectures/infos/casa-distinguished-lecture-mit-gernot-heiser},
    video            = {https://youtu.be/vuPyAbTycNU},
    year             = {2025}
  }
