Noninterference for Operating System Kernels

  • Toby Murray
  • Daniel Matichuk
  • Matthew Brassil
  • Peter Gammie
  • Gerwin Klein
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7679)


While intransitive noninterference is a natural property for any secure OS kernel to enforce, proving that the implementation of any particular general-purpose kernel enforces this property is yet to be achieved. In this paper we take a significant step towards this vision by presenting a machine-checked formulation of intransitive noninterference for OS kernels, and its associated sound and complete unwinding conditions, as well as a scalable proof calculus over nondeterministic state monads for discharging these unwinding conditions across a kernel’s implementation. Our ongoing experience applying this noninterference framework and proof calculus to the seL4 microkernel validates their utility and real-world applicability.


Keywords: Information flow, refinement, scheduling, state monads





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Toby Murray (1, 2)
  • Daniel Matichuk (1)
  • Matthew Brassil (1)
  • Peter Gammie (1)
  • Gerwin Klein (1, 2)

  1. NICTA, Sydney, Australia
  2. School of Computer Science and Engineering, UNSW, Sydney, Australia
