seL4: From general purpose to a proof of information flow enforcement

Toby Murray; Daniel Matichuk; Matthew Brassil; Peter Gammie; Timothy Bourke; Sean Seefried; Corey Lewis; Xin Gao; Gerwin Klein

doi:10.1109/SP.2013.35

seL4: From general purpose to a proof of information flow enforcement

Toby Murray
, Daniel Matichuk
, Matthew Brassil
, Peter Gammie
, Timothy Bourke
, Sean Seefried
, Corey Lewis
, Xin Gao
, Gerwin Klein

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8, 830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof.

Original language	English
Title of host publication	Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013
Pages	415-429
Number of pages	15
DOIs	https://doi.org/10.1109/SP.2013.35
Publication status	Published - 13 Aug 2013
Externally published	Yes
Event	34th IEEE Symposium on Security and Privacy, SP 2013 - San Francisco, CA, United States Duration: 19 May 2013 → 22 May 2013

Publication series

Name	Proceedings - IEEE Symposium on Security and Privacy
ISSN (Print)	1081-6011

Conference

Conference	34th IEEE Symposium on Security and Privacy, SP 2013
Country/Territory	United States
City	San Francisco, CA
Period	19/05/13 → 22/05/13

Keywords

formal verification
information flow control

Access to Document

10.1109/SP.2013.35

Cite this

Murray, T., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., & Klein, G. (2013). seL4: From general purpose to a proof of information flow enforcement. In Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013 (pp. 415-429). Article 6547124 (Proceedings - IEEE Symposium on Security and Privacy). https://doi.org/10.1109/SP.2013.35

@inproceedings{b15cf824b2184fa48bd87c40813b5d2b,

title = "seL4: From general purpose to a proof of information flow enforcement",

abstract = "In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8, 830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof.",

keywords = "formal verification, information flow control",

author = "Toby Murray and Daniel Matichuk and Matthew Brassil and Peter Gammie and Timothy Bourke and Sean Seefried and Corey Lewis and Xin Gao and Gerwin Klein",

year = "2013",

month = aug,

day = "13",

doi = "10.1109/SP.2013.35",

language = "English",

isbn = "9780769549774",

series = "Proceedings - IEEE Symposium on Security and Privacy",

pages = "415--429",

booktitle = "Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013",

note = "34th IEEE Symposium on Security and Privacy, SP 2013 ; Conference date: 19-05-2013 Through 22-05-2013",

}

Murray, T, Matichuk, D, Brassil, M, Gammie, P, Bourke, T, Seefried, S, Lewis, C, Gao, X & Klein, G 2013, seL4: From general purpose to a proof of information flow enforcement. in Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013., 6547124, Proceedings - IEEE Symposium on Security and Privacy, pp. 415-429, 34th IEEE Symposium on Security and Privacy, SP 2013, San Francisco, CA, United States, 19/05/13. https://doi.org/10.1109/SP.2013.35

seL4: From general purpose to a proof of information flow enforcement. / Murray, Toby; Matichuk, Daniel; Brassil, Matthew et al.
Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013. 2013. p. 415-429 6547124 (Proceedings - IEEE Symposium on Security and Privacy).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - seL4

T2 - 34th IEEE Symposium on Security and Privacy, SP 2013

AU - Murray, Toby

AU - Matichuk, Daniel

AU - Brassil, Matthew

AU - Gammie, Peter

AU - Bourke, Timothy

AU - Seefried, Sean

AU - Lewis, Corey

AU - Gao, Xin

AU - Klein, Gerwin

PY - 2013/8/13

Y1 - 2013/8/13

N2 - In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8, 830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof.

AB - In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. Unlike previous proofs of information flow security for operating system kernels, ours applies to the actual 8, 830 lines of C code that implement seL4, and so rules out the possibility of invalidation by implementation errors in this code. We assume correctness of compiler, assembly code, hardware, and boot code. We prove everything else. This proof is strong evidence of seL4's utility as a separation kernel, and describes precisely how the general purpose kernel should be configured to enforce isolation and mandatory information flow control. We describe the information flow security statement we proved (a variant of intransitive noninterference), including the assumptions on which it rests, as well as the modifications that had to be made to seL4 to ensure it was enforced. We discuss the practical limitations and implications of this result, including covert channels not covered by the formal proof.

KW - formal verification

KW - information flow control

UR - https://www.scopus.com/pages/publications/84881233720

U2 - 10.1109/SP.2013.35

DO - 10.1109/SP.2013.35

M3 - Conference contribution

AN - SCOPUS:84881233720

SN - 9780769549774

T3 - Proceedings - IEEE Symposium on Security and Privacy

SP - 415

EP - 429

BT - Proceedings - 2013 IEEE Symposium on Security and Privacy, SP 2013

Y2 - 19 May 2013 through 22 May 2013

ER -

seL4: From general purpose to a proof of information flow enforcement

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this