lh-l4v/proof/infoflow
Michael McInerney 356e91c9fa access-control, capDL-api, drefine, infoflow, sep-capDL, capDL: update for Isabelle2019 2019-06-13 16:22:33 +10:00
figs Import release snapshot. 2014-07-14 21:32:44 +02:00
tools manually adjust non-obvious cases of tab to space replacement 2017-10-20 14:22:36 +11:00
ADT_IF.thy access-control, capDL-api, drefine, infoflow, sep-capDL, capDL: update for Isabelle2019 2019-06-13 16:22:33 +10:00
ADT_IF_Refine.thy Isabelle2018: InfoFlowC 2018-08-20 09:06:37 +10:00
ADT_IF_Refine_C.thy Isabelle2018: InfoFlowC 2018-08-20 09:06:37 +10:00
Arch_IF.thy SELFOUR-1198: update proofs for correct restart PC 2019-06-13 11:43:50 +10:00
CNode_IF.thy infoflow: update for new definition of set_object 2019-04-18 14:32:08 +10:00
Decode_IF.thy infoflow: proof style cleanup (for GrantReply patch) 2018-12-10 20:01:38 +11:00
ExampleSystemPolicyFlows.thy infoflow: Fix for GrantReply (SELFOUR-6) 2018-12-10 20:01:38 +11:00
Example_Valid_State.thy AInvs: cleaner way to express ARM page table alignment 2019-02-01 14:11:37 +11:00
Example_Valid_StateH.thy InfoflowC: fix for GrantReply (SELFOUR-6) 2018-12-10 20:01:38 +11:00
FinalCaps.thy SELFOUR-1198: update proofs for correct restart PC 2019-06-13 11:43:50 +10:00
Finalise_IF.thy SELFOUR-1198: update proofs for correct restart PC 2019-06-13 11:43:50 +10:00
IRQMasks_IF.thy Updated specs and proofs for SELFOUR-1491: control IRQ triggering on ARM. 2018-09-19 16:18:09 +10:00
Include_IF_C.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
InfoFlow.thy infoflow: update for new definition of set_object 2019-04-18 14:32:08 +10:00
InfoFlow_Image_Toplevel.thy infoflow: add InfoFlow_Image_Toplevel 2017-11-27 21:00:14 +11:00
Interrupt_IF.thy infoflow: Fix for GrantReply (SELFOUR-6) 2018-12-10 20:01:38 +11:00
Ipc_IF.thy infoflow: update for new definition of set_object 2019-04-18 14:32:08 +10:00
Noninterference.thy infoflow: update for new definition of set_object 2019-04-18 14:32:08 +10:00
Noninterference_Base.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
Noninterference_Base_Alternatives.thy globally use session-qualified imports; add Lib session 2018-08-20 09:06:34 +10:00
Noninterference_Base_Refinement.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Noninterference_Refinement.thy Isabelle2018: InfoFlowC 2018-08-20 09:06:37 +10:00
PasUpdates.thy infoflow: proof style cleanup (for GrantReply patch) 2018-12-10 20:01:38 +11:00
PolicyExample.thy infoflow: proof style cleanup (for GrantReply patch) 2018-12-10 20:01:38 +11:00
PolicySystemSAC.thy infoflow: Fix for GrantReply (SELFOUR-6) 2018-12-10 20:01:38 +11:00
README.md infoflow: Move "EquivValid" out of "infoflow/", into "lib/". 2014-10-13 11:05:31 +11:00
Retype_IF.thy access-control, capDL-api, drefine, infoflow, sep-capDL, capDL: update for Isabelle2019 2019-06-13 16:22:33 +10:00
Scheduler_IF.thy cleanup 2019-04-18 14:32:08 +10:00
Syscall_IF.thy infoflow: update for new definition of set_object 2019-04-18 14:32:08 +10:00
Tcb_IF.thy SELFOUR-1198: update proofs for correct restart PC 2019-06-13 11:43:50 +10:00
UserOp_IF.thy access-control, capDL-api, drefine, infoflow, sep-capDL, capDL: update for Isabelle2019 2019-06-13 16:22:33 +10:00

README.md

Confidentiality Proof

This proof establishes that seL4 enforces information flow, and so enforces the security property of confidentiality. Information flow security is defined in terms of (intransitive) noninterference, and implies confidentiality: data cannot be inferred without appropriate read authority. This proof is described in a 2013 IEEE Symposium on Security and Privacy paper. The proof first establishes noninterference for seL4's abstract specification, building on top of the Access Control Proof, and then transfers the noninterference result to the kernel's C implementation via the Design Spec Refinement Proof and the C Refinement Proof.

Building

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b InfoFlow

Important Theories

The top-level theory where noninterference is proved for the seL4 abstract specification is Noninterference; the result is transferred to the C implementation via refinement in the theory Noninterference_Refinement. The base theory where noninterference is (generically) defined is Noninterference_Base. The bottom-level theory where confidentiality is formalised over the seL4 abstract specification is InfoFlow. Confidentiality is a relational property, and the theory EquivValid defines such relational properties generically for the nondeterministic state monad of the abstract specification.