seL4: From general purpose to a proof of information flow enforcement

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2013, Pages 415-429

  Murray, Toby ^a,b   Matichuk, Daniel ^a   Brassil, Matthew ^a   Gammie, Peter ^a   Bourke, Timothy ^a   Seefried, Sean ^a   Lewis, Corey ^a   Gao, Xin ^a   Klein, Gerwin ^a,b  

^a CSIRO   (Australia)

^b UNIVERSITY OF NEW SOUTH WALES   (Australia)

Author keywords

formal verification; information flow control

Indexed keywords

FORMAL VERIFICATIONS; IMPLEMENTATION ERROR; INFORMATION FLOW CONTROL; INFORMATION FLOW SECURITY; INTRANSITIVE NON-INTERFERENCE; MATHEMATICAL REASONING; OPERATING SYSTEM KERNEL; SECURITY VULNERABILITIES;

FLOW CONTROL;

NETWORK SECURITY;

EID: 84881233720     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2013.35     Document Type: Conference Paper

References (54)

1. M. Abadi and L. Lamport, "The existence of refinement mappings," Theor. Comput. Sci., vol. 82, pp. 253-284, 1991.
2. E. Alkassar, W. Paul, A. Starostin, and A. Tsyban, "Pervasive verification of an OS microkernel," in VSTTE 2010, ser. LNCS, vol. 6217. Springer, Aug 2010, pp. 71-85.
3. AMD I/O Virtualization Technology (IOMMU) Specification, AMD, 2009, rev 1.26. http://support.amd.com/us/Processor-TechDocs/34434-IOMMU-Rev-1.26-2-11-09. pdf.
4. T. Amtoft and A. Banerjee, "Information flow analysis in logical form," in SAS '04, ser. LNCS, vol. 3148. Springer, 2004, pp. 33-36.
5. -, "Verification condition generation for conditional information flow," in FMSE '07. ACM, 2007, pp. 2-11.
6. J. Andronick, G. Klein, and A. Boyton, "Formal system verification - extension, AOARD 114070," NICTA, Sydney, Australia, Tech. Rep. 1833-9646-5926, May 2012.
7. P. Barham, B. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, and A. Warfield, "Xen and the art of virtualization," in 19th SOSP, Oct 2003, pp. 164-177.
8. G. Barthe, G. Betarte, J. D. Campo, and C. Luna, "Formally verifying isolation and availability in an idealized model of virtualization," in 17th FM, ser. LNCS, vol. 6664. Springer, 2011, pp. 231-245.
9. -, "Cache-leakage resilient OS isolation in an idealized model of virtualization," in 25th CSF, 2012, pp. 186-197.
10. N. Benton, "Simple relational correctness proofs for static analyses and program transformations," in POPL 2004. ACM, 2004, pp. 14-25.
11. W. R. Bevier, "Kit: A study in operating system verification," Trans. Softw. Engin., vol. 15, no. 11, pp. 1382-1396, 1989.
12. B. Blackham, Y. Shi, S. Chattopadhyay, A. Roychoudhury, and G. Heiser, "Timing analysis of a protected operating system kernel," in 32nd RTSS, Nov 2011, pp. 339-348.
13. S. Blazy, Z. Dargaye, and X. Leroy, "Formal verification of a C compiler front-end," in 14th FM, ser. LNCS, vol. 4085. Springer, 2006, pp. 460-475.
14. D. Cock, G. Klein, and T. Sewell, "Secure microkernels, state monads and scalable refinement," in 21st TPHOLs, ser. LNCS, vol. 5170. Springer, Aug 2008, pp. 167-182.
15. W.-P. de Roever and K. Engelhardt, Data Refinement: Model-Oriented Proof Methods and their Comparison. Cambridge University Press, 1998.
16. J. B. Dennis and E. C. Van Horn, "Programming semantics for multiprogrammed computations," CACM, vol. 9, pp. 143-155, 1966.
17. R. J. Feiertag and P. G. Neumann, "The foundations of a provably secure operating system (PSOS)," in AFIPS Conf. Proc., 1979 National Comp. Conf., Jun 1979, pp. 329-334.
18. D. A. Greve, "Information security modeling and analysis," in Design and Verification of Microprocessor Systems for High-Assurance Applications, D. S. Hardin, Ed. Springer, 2010, pp. 249-300.
19. J. T. Haigh and W. D. Young, "Extending the noninterference version of MLS for SAT," Trans. Softw. Engin., vol. 13, pp. 141-150, Feb 1987.
20. D. S. Hardin, E. W. Smith, and W. D. Young, "A robust machine code proof framework for highly secure applications," in ACL2 '06. ACM, 2006, pp. 11-20.
21. G. Heiser, T. Murray, and G. Klein, "It's time for trustworthy systems," IEEE: Security & Privacy, vol. 2012, no. 2, pp. 67-70, Mar 2012.
22. C. L. Heitmeyer, M. Archer, E. I. Leonard, and J. McLean, "Formal specification and verification of data separation in a separation kernel for an embedded system," in 13th CCS. ACM, 2006, pp. 346-355.
23. -, "Applying formal methods to a certifiably secure software system," IEEE Transactions on Software Engineering, vol. 34, no. 1, pp. 82-98, 2008.
24. C. A. R. Hoare, Communicating Sequential Processes. Prentice Hall, 1985.
25. U.S. Government Protection Profile for Separation Kernels in Environments Requiring High Robustness, Information Assurance Directorate, Jun 2007, version 1.03. http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm/id/pp-skpp-hr-v1.03/.
26. G. Klein, "Operating system verification - an overview," Sādhanā, vol. 34, no. 1, pp. 27-69, Feb 2009.
27. G. Klein, K. Elphinstone, G. Heiser, J. Andronick, D. Cock, P. Derrin, D. Elkaduwe, K. Engelhardt, R. Kolanski, M. Norrish, T. Sewell, H. Tuch, and S. Winwood, "seL4: Formal verification of an OS kernel," in 22nd SOSP. Big Sky, MT, USA: ACM, Oct 2009, pp. 207-220.
28. M. Krohn and E. Tromer, "Noninterference for a practical DIFC-based operating system," in IEEE Symp. Security & Privacy, 2009, pp. 61-76.
29. B. Leslie, C. van Schaik, and G. Heiser, "Wombat: A portable user-mode Linux for embedded systems," in 6th Linux.conf.au, Canberra, Apr 2005.
30. R. J. Lipton and L. Snyder, "A linear time algorithm for deciding subject security," J. ACM, vol. 24, no. 3, pp. 455-464, 1977. (Pubitemid 8549592)
31. W. B. Martin, P. White, F. Taylor, and A. Goldberg, "Formal construction of the mathematically analyzed separation kernel," in 15th ASE, 2000, pp. 133-141.
32. W. B. Martin, P. D. White, and F. S. Taylor, "Creating high confidence in a separation kernel," Automated Softw. Engin., vol. 9, no. 3, pp. 263-284, 2002.
33. D. Matichuk and T. Murray, "Extensible specifications for automatic re-use of specifications and proofs," in 10th SEFM, ser. LNCS, vol. 7504, Oct 2012, pp. 333-341.
34. van der Meyden, Ron, "What, indeed, is intransitive noninterference?" in 12th ESORICS, ser. LNCS, vol. 4734. Springer, 2007, pp. 235-250.
35. T. Murray and G. Lowe, "On refinement-closed security properties and nondeterministic compositions," in 8th AVoCS, ser. ENTCS, vol. 250, Glasgow, UK, 2009, pp. 49-68.
36. T. Murray, D. Matichuk, M. Brassil, P. Gammie, and G. Klein, "Noninterference for operating system kernels," in 2nd CPP, ser. LNCS, vol. 7679. Springer, Dec 2012, pp. 126-142.
37. Z. Ni, D. Yu, and Z. Shao, "Using XCAP to certify realistic system code: Machine context management," in 20th TPHOLs, ser. LNCS, vol. 4732, Sep 2007, pp. 189-206.
38. T. Nipkow, L. Paulson, and M. Wenzel, Isabelle/HOL - A Proof Assistant for Higher-Order Logic, ser. LNCS. Springer, 2002, vol. 2283.
39. NIST, "National vulnerability database," http://nvd.nist.gov, 2012.
40. von Oheimb, David, "Information flow control revisited: Noninfluence = noninterference + nonleakage," in 9th ESORICS, ser. LNCS, vol. 3193, 2004, pp. 225-243.
41. Open Kernel Labs, "seL4 research and evaluation download," http://ertos.nicta.com.au/software/seL4/, 2011.
42. P. Parkinson and A. Baker, "High assurance systems development using the MILS architecture," http://www.windriver.com/whitepapers/, Wind River Systems Inc., 2010.
43. T. Perrine, J. Codd, and B. Hardy, "An overview of the kernelized secure operating system (KSOS)," in Proceedings of the Seventh DoD/NBS Computer Security Initiative Conference, Sep 1984, pp. 146-160.
44. R. J. Richards, "Modeling and security analysis of a commercial real-time operating system kernel," in Design and Verification of Microprocessor Systems for High-Assurance Applications, D. S. Hardin, Ed. Springer, 2010, pp. 301-322.
45. Rockwell Collins, Inc., AAMP7r1 Reference Manual, 2003.
46. J. Rushby, "Noninterference, transitivity, and channel-control security policies," SRI International, Tech. Rep. CSL-92-02, Dec 1992.
47. J. M. Rushby, "Design and verification of secure systems," in 8th SOSP, Pacific Grove, CA, USA, Dec 1981, pp. 12-21.
48. A. Sabelfeld and A. Myers, "Language-based information-flow security," J. Selected Areas Comm., vol. 21, no. 1, pp. 5-19, Jan 2003.
49. O. Saydjari, J. Beckman, and J. Leaman, "Locking computers securely," in 10th National Computer Security Conference, Sep 1987, pp. 129-141.
50. T. Sewell, M. Myreen, and G. Klein, "Translation validation for a verified OS kernel," in PLDI 2013. ACM, 2013, to appear.
51. T. Sewell, S. Winwood, P. Gammie, T. Murray, J. Andronick, and G. Klein, "seL4 enforces integrity," in 2nd ITP, ser. LNCS, vol. 6898. Springer, Aug 2011, pp. 325-340.
52. H. Tuch, G. Klein, and M. Norrish, "Types, bytes, and separation logic," in 34th POPL. ACM, 2007, pp. 97-108.
53. B. J. Walker, R. A. Kemmerer, and G. J. Popek, "Specification and verification of the UCLA Unix security kernel," CACM, vol. 23, no. 2, pp. 118-131, 1980.
54. N. Zeldovich, S. Boyd-Wickizer, E. Kohler, and D. Mazières, "Making information flow explicit in HiStar," CACM, vol. 54, no. 11, pp. 93-101, Nov 2011.