seL4 Enforces Integrity

Sewell, Thomas; Winwood, Simon; Gammie, Peter; Murray, Toby; Andronick, June; Klein, Gerwin

doi:10.1007/978-3-642-22863-6_24

Cited by 54 publications

(18 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…As an example, the absence of dataflow between two components and the absence of data modification are two distinct security properties with different techniques for verifying them. Verification of dataflow [5] be achieved using SPIN, whereas mathematical proof in Hoare Logic that is verified by a theorem prover, Isabelle, may be used to verify unauthorized data modification [22]. Formal verification techniques provide a high level of assurance about the security properties of our designs.…”

Section: Security Property Analysismentioning

confidence: 99%

Building high assurance secure applications using security patterns for capability-based platforms

Rimba

2013

2013 35th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Building high assurance secure applications requires the proper use of security mechanisms and assurances provided by the underlying secure platform. However, applications are often built using security patterns and best practices that are agnostic with respect to the intricate specifics of the different underlying platforms. This independence from the underlying platform leaves a gap between security patterns and underlying secure platforms. In this PhD research abstract, we propose a novel approach to bridge this gap. Specifically, we propose reusable capability-specific design fragments for security patterns, which are specialization for patterns in a capabilitybased system. The focus is on systems that adhere to a capabilitybased security model, which we consider as the underlying platforms, to provide desired application-wide security properties. We also discuss assumptions and levels of assurance for these reusable designs and their use in the verification of application designs.

show abstract

Section: Security Property Analysismentioning

confidence: 99%

Building high assurance secure applications using security patterns for capability-based platforms

Rimba

2013

2013 35th International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…One recent breakthrough is the machine-checked refinement proof of an implementation of the seL4 microkernel [33]. Subsequent machine-checked developments prove that seL4 enforces integrity, authority confinement [43] and intransitive non-interference [39]. The formalization does not model cache nor side-channel attacks.…”

Section: Related Workmentioning

confidence: 99%

System-level Non-interference for Constant-time Cryptography

Barthe

Betarte

Campo

et al. 2014

Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security

123

View full text Add to dashboard Cite

Abstract. Cache-based attacks are a class of side-channel attacks that are particularly effective in virtualized or cloud-based environments, where they have been used to recover secret keys from cryptographic implementations. One common approach to thwart cache-based attacks is to use constant-time implementations, i.e. which do not branch on secrets and do not perform memory accesses that depend on secrets. However, there is no rigorous proof that constant-time implementations are protected against concurrent cache-attacks in virtualization platforms with shared cache; moreover, many prominent implementations are not constant-time. An alternative approach is to rely on system-level mechanisms. One recent such mechanism is stealth memory, which provisions a small amount of private cache for programs to carry potentially leaking computations securely. Stealth memory induces a weak form of constant-time, called S-constant-time, which encompasses some widely used cryptographic implementations. However, there is no rigorous analysis of stealth memory and S-constant-time, and no tool support for checking if applications are S-constant-time. We propose a new information-flow analysis that checks if an x86 application executes in constant-time, or in S-constant-time. Moreover, we prove that constant-time (resp. S-constant-time) programs do not leak confidential information through the cache to other operating systems executing concurrently on virtualization platforms (resp. platforms supporting stealth memory). The soundness proofs are based on new theorems of independent interest, including isolation theorems for virtualization platforms (resp. platforms supporting stealth memory), and proofs that constant-time implementations (resp. S-constant-time implementations) are non-interfering with respect to a strict information flow policy which disallows that control flow and memory accesses depend on secrets. We formalize our results using the Coq proof assistant and we demonstrate the effectiveness of our analyses on cryptographic implementations, including PolarSSL AES, DES and RC4, SHA256 and Salsa20.

show abstract

“…All that matters is that compiler and prover semantics match and thereby transport high-level properties that have been proved on the C code down to the binary level. For seL4, this includes functional correctness, integrity, authority confinement, and non-interference [11,15,28].…”

Section: Introductionmentioning

confidence: 99%

Translation validation for a verified OS kernel

Sewell

Myreen

Klein

2013

Proceedings of the 34th ACM SIGPLAN Conference on Programming Language Design and Implementation

Self Cite

103

View full text Add to dashboard Cite

We extend the existing formal verification of the seL4 operating system microkernel from 9 500 lines of C source code to the binary level. We handle all functions that were part of the previous verification. Like the original verification, we currently omit the assembly routines and volatile accesses used to control system hardware.More generally, we present an approach for proving refinement between the formal semantics of a program on the C source level and its formal semantics on the binary level, thus checking the validity of compilation, including some optimisations, and linking, and extending static properties proved of the source code to the executable. We make use of recent improvements in SMT solvers to almost fully automate this process.We handle binaries generated by unmodified gcc 4.5.1 at optimisation level 1, and can handle most of seL4 even at optimisation level 2.

show abstract

seL4 Enforces Integrity

Cited by 54 publications

References 14 publications

Building high assurance secure applications using security patterns for capability-based platforms

Building high assurance secure applications using security patterns for capability-based platforms

System-level Non-interference for Constant-time Cryptography

Translation validation for a verified OS kernel

Contact Info

Product

Resources

About