Trustworthy Systems

seL4 enforces integrity


Thomas Sewell, Simon Winwood, Peter Gammie, Toby Murray, June Andronick and Gerwin Klein




We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.

BibTeX Entry

    address          = {Nijmegen, The Netherlands},
    author           = {Sewell, Thomas and Winwood, Simon and Gammie, Peter and Murray, Toby and Andronick, June and Klein,
    booktitle        = {International Conference on Interactive Theorem Proving},
    doi              = {10.1007/978-3-642-22863-6_24},
    editor           = {{Marko van Eekelen, Herman Geuvers, Julien Schmaltz, and Freek Wiedijk}},
    keywords         = {sel4, isabelle/hol, integrity, access control, security},
    month            = aug,
    pages            = {325--340},
    paperurl         = {},
    publisher        = {Springer},
    title            = {{seL4} Enforces Integrity},
    year             = {2011}