seL4 enforces integrity
Authors
NICTA
UNSW
Abstract
We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.
BibTeX Entry
@inproceedings{Sewell_WGMAK_11,
    address   = {Nijmegen, The Netherlands},
    author    = {Sewell, Thomas and Winwood, Simon and Gammie, Peter and Murray, Toby and Andronick, June and Klein, Gerwin},
    booktitle = {International Conference on Interactive Theorem Proving},
    doi       = {10.1007/978-3-642-22863-6_24},
    editor    = {{Marko van Eekelen, Herman Geuvers, Julien Schmaltz, and Freek Wiedijk}},
    keywords  = {sel4, isabelle/hol, integrity, access control, security},
    month     = aug,
    pages     = {325--340},
    paperurl  = {https://trustworthy.systems/publications/nicta_full_text/4709.pdf},
    publisher = {Springer},
    title     = {{seL4} Enforces Integrity},
    year      = {2011}
}