Research
Software Systems

A verified shared capability model

Authors

Andrew Boyton

NICTA

UNSW

Abstract

This paper presents a high-level access control model of the seL4 microkernel. We extend an earlier formalisation by Elkaduwe et al with non-determinism, explicit sharing of capability storage, and a delete-operation for entities. We formally prove that this new model can enforce system-global security policies as well as authority confinement. By treating sharing explicitly in the abstract access control model we simplify considerably the refinement proof towards the seL4 implementation. To our knowledge this is the first machine-checked access control model with explicit sharing of authority.

BibTeX Entry

  @inproceedings{Boyton_09,
    author           = {Boyton, Andrew},
    month            = {oct},
    year             = {2009},
    keywords         = {shared capabilities, interactive theorem proving},
    title            = {A Verified Shared Capability Model},
    booktitle        = {Systems Software Verification},
    pages            = {25-44},
    address          = {Aachen, Germany}
  }

Download