seL4 Enforces Integrity

We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.
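As an added illustration that is not from the paper and is not its Isabelle/HOL formalisation, the Python sketch below models the two properties over a constructed capability state: `integrity_ok` checks that every object a step changed is one the acting subject may write under the static policy (the upper bound on writes), and `confinement_ok` checks that the authority held after the step, read off from the capabilities present, is still bounded above by that policy (the upper bound on how authority may change). The labels, objects, authorities and policy are all constructed for the example.

```python
from copy import deepcopy
from dataclasses import dataclass, field

# Constructed toy model, not the paper's Isabelle formalisation: the static policy
# is a set of (subject label, authority, object label) edges, each object carries
# a label, and a capability records the authority one object holds over another.
@dataclass
class Obj:
    label: str
    data: int = 0
    caps: set = field(default_factory=set)   # {(authority, target object name)}

def held_authority(state):
    # Authority graph induced by the capabilities in a state, lifted to labels.
    return {(o.label, auth, state[tgt].label)
            for o in state.values() for auth, tgt in o.caps}

def integrity_ok(policy, subject, before, after):
    # Integrity: any object that changed must carry the subject's own label
    # or be one the subject holds Write authority over in the policy.
    for name, old in before.items():
        new = after[name]
        changed = (old.data, old.caps) != (new.data, new.caps)
        if changed and new.label != subject and (subject, "Write", new.label) not in policy:
            return False
    return True

def confinement_ok(policy, after):
    # Authority confinement: authority held after the step stays within the policy.
    return held_authority(after) <= policy

def step(state, writes, grants):
    # One step of an untrusted component: writes = {target: value},
    # grants = {(authority, target, receiver)} copies a capability to receiver.
    new = deepcopy(state)
    for tgt, val in writes.items():
        new[tgt].data = val
    for auth, tgt, recv in grants:
        new[recv].caps.add((auth, tgt))
    return new

# Constructed policy: a driver may read and write a shared buffer, an app may only read it.
POLICY = frozenset({("driver", "Write", "buf"), ("driver", "Read", "buf"), ("app", "Read", "buf")})

def initial_state():
    return {"drv": Obj("driver", caps={("Write", "buf"), ("Read", "buf")}),
            "app": Obj("app", caps={("Read", "buf")}), "buf": Obj("buf")}

def demo():
    s0 = initial_state()
    fine = step(s0, {"buf": 42}, set())             # the driver writes the buffer
    bad = step(s0, {"buf": 7}, set())               # the same write, but by the app
    leak = step(s0, {}, {("Write", "buf", "app")})  # the app is handed a Write cap
    return (integrity_ok(POLICY, "driver", s0, fine) and confinement_ok(POLICY, fine),
            integrity_ok(POLICY, "app", s0, bad), confinement_ok(POLICY, leak))
```

In the real kernel the second and third steps would never be performed; here the checks play the role of the two theorems, flagging the write outside the policy and the authority that escaped its bound.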
