seL4 enforces integrity


Thomas Sewell, Simon Winwood, Peter Gammie, Toby Murray, June Andronick and Gerwin Klein


School of Computer Science and Engineering


We prove that the seL4 microkernel enforces two high-level access control properties: integrity and authority confinement. Integrity provides an upper bound on write operations. Authority confinement provides an upper bound on how authority may change. Apart from being a desirable security property in its own right, integrity can be used as a general framing property for the verification of user-level system composition. The proof is machine checked in Isabelle/HOL and the results hold via refinement for the C implementation of the kernel.

BibTeX Entry

    publisher        = {Springer},
    doi              = {10.1007/978-3-642-22863-6_24},
    series           = {Lecture Notes in Computer Science},
    author           = {Thomas Sewell and Simon Winwood and Peter Gammie and Toby Murray and June Andronick and Gerwin Klein},
    month            = {August},
    volume           = {6898},
    editor           = {Marko C. J. D. van Eekelen and Herman Geuvers and Julien Schmaltz and Freek Wiedijk},
    year             = {2011},
    title            = {{seL4} Enforces Integrity},
    booktitle        = {Proceedings of the 2nd International Conference on Interactive Theorem Proving},
    pages            = {325--340},
    address          = {Nijmegen, The Netherlands}


Served by Apache on Linux on seL4