seL4: From General Purpose to a Proof of Information Flow Enforcement

Murray, Toby; Matichuk, Daniel; Brassil, Matthew; Gammie, Peter; Bourke, Timothy; Seefried, Sean; Lewis, Corey; Gao, Xin; Klein, Gerwin

doi:10.1109/sp.2013.35

Cited by 152 publications

(110 citation statements)

References 34 publications

Supporting

Mentioning

110

Contrasting

Order By: Relevance

“…As is the case with most re nement/simulation-based approaches, this work does not address information ow. In recent work on seL4 veri cation, Murray et al [14,15] present an unwinding-style characterization of intransitive noninterference. They introduce a proof calculus on nondeterministic state monads that is similar to that of this work.…”

Section: Related Workmentioning

confidence: 99%

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Dam

2013

Certified Programs and Proofs

View full text Add to dashboard Cite

Abstract. In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions. To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner. This work establishes a main requirement for operating system and hypervisor veri cation, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis. To this end, a proof tool has been developed, which assists the veri cation of relational state predicates semi-automatically.

show abstract

Section: Related Workmentioning

confidence: 99%

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Dam

2013

Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…CoSMeDis belongs to a small, but expanding club of running systems proved to be secure using proof assistants, which includes an aircraft microprocessor [34] (in ACL2), a hardware architecture with information flow primitives [22] (in Coq), a separation kernel [21] (in HOL4), a noninterferent operating system kernel [51] (in Isabelle/HOL), a secure browser [36] (in Coq), and an e-voting system [39] (using the KeY theorem prover jointly with the Joana information flow analyzer).…”

Section: Related Workmentioning

confidence: 99%

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

BauereiB

Gritti²,

Popescu

et al. 2017

2017 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

Abstract-We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate access control over the posts. The system's kernel has been verified in the proof assistant Isabelle/HOL and automatically extracted as Scala code. We formalized a framework for composing a class of information flow security guarantees in a distributed system, applicable to input/output automata. We instantiated this framework to confidentiality properties for CoSMeDis's sources of information: posts, friendship requests, and friendship status.

show abstract

“…On the other hand, the hypervisor should be unable to affect guest state even indirectly: The only desired effects of hypervisor actions should be to allocate/deallocate, map, remap, and unmap virtual memory resources, leaving any observation a guest may make unaffected. This is essentially a second-order information flow property, needed to break guest-to-guest (or guest-to-service) information channels in much the same way as intransitive noninterference is used in [19] to break guest-to-guest channels passing through the scheduler in seL4.…”

Section: Tls Consistency Propertiesmentioning

confidence: 99%

Trustworthy Memory Isolation of Linux on Embedded Devices

Nemati

Dam

Guanciale

et al. 2015

Trust and Trustworthy Computing

View full text Add to dashboard Cite

Abstract. The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself, for instance by run-time monitoring. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a virtualization platform for the ARMv7-A processor family. Our design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen for the x86 architecture, and used later with minor variants by the Secure Virtual Architecture, SVA. We show that the direct paging mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the ARMv7-A ISA, including the MMU. We prove memory isolation of the hosted components along with information flow security for an abstract top level model of the virtualization mechanism. The abstract model is refined down to a HOL4 transition system closely resembling a C implementation. The virtualization mechanism is demonstrated on real hardware via a hypervisor capable of hosting Linux as an untrusted guest. 1

show abstract

seL4: From General Purpose to a Proof of Information Flow Enforcement

Cited by 152 publications

References 34 publications

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

CoSMeDis: A Distributed Social Media Platform with Formally Verified Confidentiality Guarantees

Trustworthy Memory Isolation of Linux on Embedded Devices

Contact Info

Product

Resources

About