A verified shared capability model

Authors

Andrew Boyton

NICTA, Sydney, Australia
UNSW, Australia

Abstract

This paper presents a high-level access control model of the seL4 microkernel. We extend an earlier formalisation by Elkaduwe et al with non-determinism, explicit sharing of capability storage, and a delete-operation for entities. We formally prove that this new model can enforce system-global security policies as well as authority confinement. By treating sharing explicitly in the abstract access control model we simplify considerably the refinement proof towards the seL4 implementation. To our knowledge this is the first machine-checked access control model with explicit sharing of authority.

BibTeX Entry

  @inproceedings{Boyton_09,
    author           = {Boyton, Andrew},
    month            = {October},
    year             = {2009},
    title            = {A Verified Shared Capability Model},
    booktitle        = {4th International Workshop on Systems Software Verification},
    pages            = {25-44},
    address          = {Aachen, Germany}
  }

Download

Served by Apache on Linux on seL4