Trustworthy Systems

seL4 enforces integrity

Authors

Thomas Sewell, Simon Winwood, Peter Gammie, Toby Murray, June Andronick and Gerwin Klein

NICTA

UNSW

Abstract

We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.

BibTeX Entry

  @inproceedings{Sewell_WGMAK_11,
    address          = {Nijmegen, The Netherlands},
    author           = {Sewell, Thomas and Winwood, Simon and Gammie, Peter and Murray, Toby and Andronick, June and Klein,
                        Gerwin},
    booktitle        = {International Conference on Interactive Theorem Proving},
    doi              = {10.1007/978-3-642-22863-6_24},
    editor           = {{Marko van Eekelen, Herman Geuvers, Julien Schmaltz, and Freek Wiedijk}},
    keywords         = {sel4, isabelle/hol, integrity, access control, security},
    month            = aug,
    pages            = {325--340},
    paperurl         = {https://trustworthy.systems/publications/nicta_full_text/4709.pdf},
    publisher        = {Springer},
    title            = {{seL4} Enforces Integrity},
    year             = {2011}
  }

Download