A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2009; you can also visit the original URL.
We present our experience in performing the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. ...
Complete formal verification is the only known way to guarantee that a system is free of programming errors. ...
We also would like to acknowledge the contribution of the former team members on this verification project: Jeremy Dawson, Jia Meng, Catherine Menon, and David Tsai. ...
doi:10.1145/1629575.1629596
dblp:conf/sosp/KleinEHACDEEKNSTW09
fatcat:cidf7z4awnhyfljpznijerhee4
seL4
2010
Communications of the ACM
We report on the formal, machine-checked verification of the seL4 microkernel from an abstract specification down to its C implementation. ...
We assume correctness of compiler, assembly code, hardware, and boot code. seL4 is a third-generation microkernel of L4 provenance, comprising 8,700 lines of C and 600 lines of assembler. ...
Acknowledgements We would like to acknowledge the contribution of the former team members on this verification project: Timothy Bourke, Jeremy Dawson, Jia Meng, Catherine Menon, and David Tsai. ...
doi:10.1145/1743546.1743574
fatcat:cuqv3av3ojfm3os7u2mv5cf2oi
seL4 Enforces Integrity
[chapter]
2011
Lecture Notes in Computer Science
The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel. ...
We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. ...
Acknowledgements We thank Magnus Myreen for commenting on a draft of this paper. ...
doi:10.1007/978-3-642-22863-6_24
fatcat:onkuh7qo4raxrmucoeki6wvb3a
Refinement in the Formal Verification of the seL4 Microkernel
[chapter]
2010
Design and Verification of Microprocessor Systems for High-Assurance Applications
We present an overview of the different refinement frameworks used in the L4.verified project to formally prove the functional correctness of the seL4 microkernel. ...
The verified version of the seL4 kernel runs on the ARMv6 architecture and the Freescale i.MX31 platform. ...
Acknowledgements We thank the other current and former members of the L4.verified and seL4 teams: ...
doi:10.1007/978-1-4419-1539-9_11
fatcat:2ytrxjfjf5f7hfez7pk2653rei
seL4: From General Purpose to a Proof of Information Flow Enforcement
2013
2013 IEEE Symposium on Security and Privacy
We present the, to our knowledge, first complete, formal, machine-checked verification of information flow security for the implementation of a general-purpose microkernel; namely seL4. ...
In contrast to testing, mathematical reasoning and formal verification can show the absence of whole classes of security vulnerabilities. ...
Citation of manufacturers or trade names does not constitute an official endorsement or approval of the use thereof. ...
doi:10.1109/sp.2013.35
dblp:conf/sp/MurrayMBGBSLGK13
fatcat:ixjwu5pzzncsjczh5rhptkwytu
Towards a user-mode approach to partitioned scheduling in the seL4 microkernel
2013
ACM SIGBED Review
This microkernel is the first operating system kernel ever to be formally proven for its functional correctness. ...
The seL4 kernel implements isolation of components in terms of the memory resource and security. However, there is still a missing part when it comes to isolation and that is time partitioning. ...
Still, the verification process of the seL4 kernel took 20 person years to perform and it revealed 144 software defects [2]. ...
doi:10.1145/2544350.2544352
fatcat:tfkde662gjcebbrbqiy76loxbm
A Performance Evaluation of Rump Kernels as a Multi-server OS Building Block on seL4
2017
Proceedings of the 8th Asia-Pacific Workshop on Systems - APSys '17
We present our initial efforts with a promising performance evaluation of a rump kernel running on seL4. ...
We argue that recent formal verification of microkernels provides a compelling platform for constructing general purpose systems, and that existing systems are not appropriate to take advantage of a formally ...
Verification The successful application of formal verification to the seL4 microkernel [Klein et al. 2009 ] has established a clear value proposition for basing a system on a microkernel. seL4 provides ...
doi:10.1145/3124680.3124727
dblp:conf/apsys/ElphinstoneZMH17
fatcat:reqzohc45rhmvkyd4ig3cq5wzu
OS Verification - A Survey as a Source of Future Challenges
2015
International Journal of Computer Science & Engineering Survey
Formal verification of an operating system kernel manifests absence of errors in the kernel and establishes trust in it. ...
This paper evaluates various projects on operating system kernel verification and presents an in-depth survey of them. ...
Formal verification of an operating system kernel produces mathematical proofs of correctness of an operating system. ...
doi:10.5121/ijcses.2015.6401
fatcat:kmf3kdtarja7fduluaq5qxx4we
From a Verified Kernel towards Verified Systems
[chapter]
2010
Lecture Notes in Computer Science
The L4.verified project has produced a formal, machine-checked Isabelle/HOL proof that the C code of the seL4 OS microkernel correctly implements its abstract implementation. ...
verified kernel may be used for gaining formal, code-level assurance about safety and security properties of systems on the order of a million lines of code. ...
of Excellence program. ...
doi:10.1007/978-3-642-17164-2_3
fatcat:askysutvofghzk2ajojawwmmgu
A Formally Verified OS Kernel. Now What?
[chapter]
2010
Lecture Notes in Computer Science
Last year, the L4.verified project produced a formal, machine-checked Isabelle/HOL proof that the C code of the seL4 OS microkernel correctly implements its abstract implementation. ...
on overall system security, and I will explore further future research directions that open up with a formally verified OS kernel. ...
A Formally Verified OS Kernel Last year, we reported on the full formal verification of the seL4 microkernel from a high-level model down to very low-level C code [5]. ...
doi:10.1007/978-3-642-14052-5_1
fatcat:gb72mkwnnrd2hp3hiz3y2nukxq
Reasoning About Concurrency in High-Assurance, High-Performance Software Systems
[chapter]
2017
Lecture Notes in Computer Science
This shift was possible thanks to highly successful verified artifacts, such as the CompCert compiler [16] and the seL4 operating system (OS) kernel [14, 15]. ...
Formal verification - mentality shift Recent years have seen a shift in the perception of formal software verification in the academic community and, to some more emerging extent, in the industrial community ...
It has been used for the verification of seL4: the C-level formal specification of seL4 is in SIMPL, inside Isabelle/HOL. ...
doi:10.1007/978-3-319-63046-5_1
fatcat:etyhrw4auradbptcsixj6zeq4y
Proof Engineering Considered Essential
[chapter]
2014
Lecture Notes in Computer Science
In this talk, I will give an overview of the various formal verification projects around the evolving seL4 microkernel, and discuss our experience in large-scale proof engineering and maintenance. ...
Among these are a number of firsts: the first code-level functional correctness proof of a general-purpose OS kernel, the first non-interference proof for such a kernel at the code-level, the first binary-level ...
For instance, it can be found for simpler separation kernels in the MILS setting [2] . For modern systems, some of the untrusted components will be an entire monolithic guest OS such as Linux. ...
doi:10.1007/978-3-319-06410-9_2
fatcat:fs4qvxrgmzhh5g4qnn2z6fcqpa
Comprehensive formal verification of an OS microkernel
2014
ACM Transactions on Computer Systems
We present an in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel. ...
We then describe the functional correctness proof of the kernel's C implementation and we cover further steps that transform this result into a comprehensive formal verification of the kernel: a formally ...
ACKNOWLEDGMENTS We would like to acknowledge the contribution of the following people in the different parts of this work, spanning multiple years and projects. ...
doi:10.1145/2560537
fatcat:wgaqjtqacfen3nd2apj4z4eldm
From a Proven Correct Microkernel to Trustworthy Large Systems
[chapter]
2011
Lecture Notes in Computer Science
The seL4 microkernel was the world's first general-purpose operating system kernel with a formal, machine-checked proof of correctness. ...
This paper first gives an overview of seL4's correctness proof, together with its main implications and assumptions, and then describes our approach to provide formal security guarantees for large, complex ...
Acknowledgments The proof of the SAC mentioned above was conducted almost entirely by David Greenaway with minor contributions from Xin Gao, Gerwin ...
doi:10.1007/978-3-642-18070-5_1
fatcat:yeoqx3v4tnf5pakxffeucoslfe
The L4.verified Project — Next Steps
[chapter]
2010
Lecture Notes in Computer Science
Last year, the NICTA L4.verified project produced a formal machine-checked Isabelle/HOL proof that the C code of the seL4 OS microkernel correctly implements its abstract implementation. ...
This paper gives a brief overview of the proof together with its main implications and assumptions, and paints a vision on how this verified kernel can be used for gaining assurance of overall system ...
Acknowledgements The formal security model of the SAC was mostly created by June Andronick. ...
doi:10.1007/978-3-642-15057-9_6
fatcat:aablfaxfo5ct7lafrv5w74bbvy