Book Chapter, DOI: 10.1007/978-3-642-35308-6_12
Noninterference for operating system kernels
Toby Murray, Daniel Matichuk, M. Brassil, Peter Gammie, Gerwin Klein, +4 more
- 13 Dec 2012
- pp 126-142
TL;DR: This paper presents a machine-checked formulation of intransitive noninterference for OS kernels, its associated sound and complete unwinding conditions, and a scalable proof calculus over nondeterministic state monads for discharging these unwinding conditions across a kernel's implementation.
Abstract: While intransitive noninterference is a natural property for any secure OS kernel to enforce, proving that the implementation of any particular general-purpose kernel enforces this property is yet to be achieved. In this paper we take a significant step towards this vision by presenting a machine-checked formulation of intransitive noninterference for OS kernels, and its associated sound and complete unwinding conditions, as well as a scalable proof calculus over nondeterministic state monads for discharging these unwinding conditions across a kernel's implementation. Our ongoing experience applying this noninterference framework and proof calculus to the seL4 microkernel validates their utility and real-world applicability.
Citations
Comprehensive formal verification of an OS microkernel
Gerwin Klein, June Andronick, Kevin Elphinstone, Toby Murray, Thomas Sewell, Rafal Kolanski, Gernot Heiser, +6 more
TL;DR: An in-depth coverage of the comprehensive machine-checked formal verification of seL4, a general-purpose operating system microkernel, and the experience in maintaining this evolving formally verified code base.
Formal verification of information flow security for a simple arm-based separation kernel
Mads Dam, Roberto Guanciale, Narges Khakpour, Hamed Nemati, Oliver Schwarz, +4 more
- 04 Nov 2013
TL;DR: Limiting the kernel functionality as much as meaningfully possible, this work accomplishes a detailed analysis and verification of the system, proving its correctness at the level of the ARMv7 assembly.
End-to-end verification of information-flow security for C and assembly programs
David Costanzo, Zhong Shao, Ronghui Gu, +2 more
- 02 Jun 2016
TL;DR: A novel methodology for formally verifying end-to-end security of a software system consisting of both C and assembly programs is presented, and a general definition of observation function is introduced that unifies the concepts of policy specification, state indistinguishability, and whole-execution behaviors.
Journal Article
seL4 Enforces Integrity
TL;DR: The seL4 microkernel enforces integrity and authority confinement, which can be used as a general framing property for the verification of user-level system composition; the proof is machine checked in Isabelle/HOL and holds for the C implementation of the kernel.
Compositional Verification and Refinement of Concurrent Value-Dependent Noninterference
Toby Murray, Robert Sison, Edward Pierzchalski, Christine Rizkallah, +3 more
- 01 Jun 2016
TL;DR: This paper presents a flow-sensitive dependent type system for enforcing timing-sensitive value-dependent noninterference for shared memory concurrent programs, comprising a collection of sequential components, as well as a compositional refinement theory for preserving this property under componentwise refinement.
References
Book
Isabelle/HOL: A Proof Assistant for Higher-Order Logic
Tobias Nipkow, Markus Wenzel, Lawrence C. Paulson, +2 more
- 01 Jan 2002
TL;DR: This presentation discusses Functional Programming in HOL, which aims to provide students with an understanding of the programming language through the lens of Haskell.
Security Policies and Security Models
Joseph A. Goguen, José Meseguer, +1 more
- 26 Apr 1982
TL;DR: The reader is familiar with the ubiquity of information in the modern world and is sympathetic with the need for restricting rights to read, add, modify, or delete information in specific contexts.
seL4: formal verification of an OS kernel
Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, Simon Winwood, +12 more
- 11 Oct 2009
TL;DR: To the authors' knowledge, this is the first formal proof of functional correctness of a complete, general-purpose operating-system kernel.
Noninterference, Transitivity, and Channel-Control Security Policies
John Rushby
- 01 Jan 2005
TL;DR: It is shown that transitive policies are precisely the "multilevel security" (MLS) policies, and that any MLS secure system satisfies the conditions of the unwinding theorem.
Secure information flow as a safety problem
Tachio Terauchi, Alex Aiken, +1 more
- 07 Sep 2005
TL;DR: The termination-insensitive secure information flow problem can be reduced to a safety problem via a simple program transformation; this paper generalizes the self-compositional approach with a form of information downgrading recently proposed by Li and Zdancewic.