seL4: From General Purpose to a Proof of Information Flow Enforcement

In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present what is, to our knowledge, the first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel, namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8,830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of the compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general-purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof.
