IEEE Transactions on Software Engineering - Special issue on formal methods in software practice
Programming semantics for multiprogrammed computations
Communications of the ACM
Verified Protection Model of the seL4 Microkernel
VSTTE '08 Proceedings of the 2nd international conference on Verified Software: Theories, Tools, Experiments
seL4: formal verification of an OS kernel
Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles
A Verified Shared Capability Model
Electronic Notes in Theoretical Computer Science (ENTCS)
capDL: a language for describing capability-based systems
Proceedings of the first ACM asia-pacific workshop on Workshop on systems
The road to trustworthy systems
Proceedings of the fifth ACM workshop on Scalable trusted computing
From a verified kernel towards verified systems
APLAS'10 Proceedings of the 8th Asian conference on Programming languages and systems
From a proven correct microkernel to trustworthy large systems
FoVeOOS'10 Proceedings of the 2010 international conference on Formal verification of object-oriented software
What if you could actually trust your kernel?
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
Provable Security: how feasible is it?
HotOS'13 Proceedings of the 13th USENIX conference on Hot topics in operating systems
ITP'11 Proceedings of the Second international conference on Interactive theorem proving
Verifying system integrity by proxy
TRUST'12 Proceedings of the 5th international conference on Trust and Trustworthy Computing
Towards a verified component platform
Proceedings of the Seventh Workshop on Programming Languages and Operating Systems
Comprehensive formal verification of an OS microkernel
ACM Transactions on Computer Systems (TOCS)
Hi-index | 0.00 |
This paper proposes a generalized framework to build large, complex systems where security guarantees can be given for the overall system's implementation. The work builds on the formally proven correct seL4 micro-kernel and on its fine-grained access control. This access control mechanism allows large untrusted components to be isolated in a way that prevents them from violating a defined security property, leaving only the trusted components to be formally verified. The first steps of the approach are illustrated by the formalisation of a multi-level secure access device and a proof in Isabelle/HOL that information cannot flow from one back-end network to another.