A verified shared capability model


Andrew Boyton

NICTA, Sydney, Australia
UNSW, Australia


This paper presents a high-level access control model of the seL4 microkernel. We extend an earlier formalisation by Elkaduwe et al with non-determinism, explicit sharing of capability storage, and a delete-operation for entities. We formally prove that this new model can enforce system-global security policies as well as authority confinement. By treating sharing explicitly in the abstract access control model we simplify considerably the refinement proof towards the seL4 implementation. To our knowledge this is the first machine-checked access control model with explicit sharing of authority.

BibTeX Entry

    author           = {Boyton, Andrew},
    month            = {October},
    year             = {2009},
    title            = {A Verified Shared Capability Model},
    booktitle        = {4th International Workshop on Systems Software Verification},
    pages            = {25-44},
    address          = {Aachen, Germany}


Served by Apache on Linux on seL4