Advertisement

Formally Verified System Initialisation

  • Andrew Boyton
  • June Andronick
  • Callum Bannister
  • Matthew Fernandez
  • Xin Gao
  • David Greenaway
  • Gerwin Klein
  • Corey Lewis
  • Thomas Sewell
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8144)

Abstract

The safety and security of software systems depends on how they are initially configured. Manually writing program code that establishes such an initial configuration is a tedious and error-prone engineering process. In this paper we present an automatic and formally verified initialiser for component-based systems built on the general-purpose microkernel seL4. The construction principles of this tool apply to capability systems in general and the proof ideas are not specific to seL4. The initialiser takes a declarative formal description of the desired initialised state and uses seL4-provided services to create all necessary components, setup their communication channels, and distribute the required access rights. We provide a formal model of the initialiser and prove, in the theorem prover Isabelle/HOL, that the resulting state is the desired one. Our proof formally connects to the existing functional correctness proof of the seL4 microkernel. This tool does not only provide automation, but also unprecedented assurance for reaching a desired system state. In addition to the engineering advantages, this result is a key prerequisite for reasoning about system-wide security and safety properties.

Keywords

System Initialisation seL4 Isabelle 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Alves-Foss, J., Oman, P.W., Taylor, C., Harrison, S.: The MILS architecture for high-assurance embedded systems. Int. J. Emb. Syst. 2, 239–247 (2006)CrossRefGoogle Scholar
  2. 2.
    Hicks, B., Rueda, S., Clair, L.S., Jaeger, T., McDaniel, P.D.: A logical specification and analysis for SELinux MLS policy. In: Lotz, V., Thuraisingham, B.M. (eds.) SACMAT, pp. 91–100. ACM Press, New York (2007)CrossRefGoogle Scholar
  3. 3.
    Klein, G.: From a verified kernel towards verified systems. In: Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 21–33. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: seL4: Formal verification of an OS kernel. In: 22nd SOSP, pp. 207–220. ACM (2009)Google Scholar
  5. 5.
    Klein, G., Kolanski, R., Boyton, A.: Mechanised separation algebra. In: Beringer, L., Felty, A. (eds.) ITP 2012. LNCS, vol. 7406, pp. 332–337. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  6. 6.
    Kuz, I., Klein, G., Lewis, C., Walker, A.: capDL: A language for describing capability-based systems. In: 1st APSys, New Delhi, India, pp. 31–36 (August 2010)Google Scholar
  7. 7.
    Murray, T., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., Klein, G.: seL4: from general purpose to a proof of information flow enforcement. In: IEEE Symp. Security & Privacy, Oakland, CA (May 2013)Google Scholar
  8. 8.
    National Security Agency. U.S. government protection profile for separation kernels in environments requiring high robustness, version 1.3 (June 2007)Google Scholar
  9. 9.
    Open Kernel Labs. OKL4 microkernel, reference manual (September 2008), http://wiki.ok-labs.com/downloads/release-3.0/okl4-ref-manual-3.0.pdf
  10. 10.
    Reynolds, J.C.: Separation logic: A logic for shared mutable data structures. In: Proc. 17th IEEE Symposium on Logic in Computer Science, pp. 55–74 (2002)Google Scholar
  11. 11.
    Sewell, T., Myreen, M., Klein, G.: Translation validation for a verified OS kernel. In: Proc. 34th PLDI, pp. 471–481. ACM (June 2013)Google Scholar
  12. 12.
    Sewell, T., Winwood, S., Gammie, P., Murray, T., Andronick, J., Klein, G.: seL4 enforces integrity. In: van Eekelen, M., Geuvers, H., Schmaltz, J., Wiedijk, F. (eds.) ITP 2011. LNCS, vol. 6898, pp. 325–340. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  13. 13.
    Shapiro, J.S., Weber, S.: Verifying the EROS confinement mechanism. In: IEEE Symposium on Security and Privacy, pp. 166–176. IEEE Computer Society (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Andrew Boyton
    • 1
    • 2
  • June Andronick
    • 1
    • 2
  • Callum Bannister
    • 1
    • 2
  • Matthew Fernandez
    • 1
    • 2
  • Xin Gao
    • 1
  • David Greenaway
    • 1
    • 2
  • Gerwin Klein
    • 1
    • 2
  • Corey Lewis
    • 1
  • Thomas Sewell
    • 1
    • 2
  1. 1.NICTASydneyAustralia
  2. 2.School of Computer Science and EngineeringUNSWSydneyAustralia

Personalised recommendations