lh-l4v/proof/infoflow
Joel Beeren 81064fdb55 idle-thread-pd: run idle thread with the global PD all the time.
This avoids the multicore scenario of the idle thread running in the
address space that has been deleted by a thread running on another core.
2017-07-11 11:29:34 +10:00
admin Import release snapshot. 2014-07-14 21:32:44 +02:00
figs Import release snapshot. 2014-07-14 21:32:44 +02:00
tools Import release snapshot. 2014-07-14 21:32:44 +02:00
ADT_IF.thy idle-thread-pd: run idle thread with the global PD all the time. 2017-07-11 11:29:34 +10:00
ADT_IF_Refine.thy arm infoflowc: Updates for the new argument of getActiveIRQ 2017-06-19 14:32:45 +10:00
ADT_IF_Refine_C.thy update references from/to moved crefine, parametrise over L4V_ARCH 2017-03-31 16:13:41 +11:00
Arch_IF.thy SELFOUR-748: rename tlb invalidation functions 2017-06-20 14:05:45 +10:00
CNode_IF.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00
Decode_IF.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00
ExampleSystemPolicyFlows.thy infoflow: 2015 update (apart from C refinement) 2015-05-16 18:14:59 +10:00
Example_Valid_State.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00
Example_Valid_StateH.thy arm infoflowc: Refactors proofs for new definitions (pteBits, pdeBits, etc) 2017-06-19 14:32:45 +10:00
FinalCaps.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
Finalise_IF.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00
IRQMasks_IF.thy SELFOUR-748: rename tlb invalidation functions 2017-06-20 14:05:45 +10:00
Include_IF_C.thy l4v: Add intermediate image for InfoFlowC. 2016-11-16 09:12:18 +11:00
InfoFlow.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
Interrupt_IF.thy arch_split: requalify abstract theories 2016-04-27 18:46:16 +10:00
Ipc_IF.thy wp: update the proofs for the new wp/wpc/wpsimp 2017-03-16 19:39:11 +11:00
Noninterference.thy idle-thread-pd: run idle thread with the global PD all the time. 2017-07-11 11:29:34 +10:00
Noninterference_Base.thy infoflow: 2015 update (apart from C refinement) 2015-05-16 18:14:59 +10:00
Noninterference_Base_Alternatives.thy Isabelle2016-1: follow Isabelle's choice of meta-forall bindings 2017-01-05 14:25:18 +11:00
Noninterference_Base_Enabledness_weak_asym.thy regression: add test to check theory import paths 2016-05-27 16:17:13 +10:00
Noninterference_Base_Refinement.thy Isabelle2016: infoflow update (partial) 2016-02-11 11:15:59 +11:00
Noninterference_Base_Refinement_Example.thy SELFOUR-421: infoflow and infoflow_c builds 2016-09-22 19:11:37 +10:00
Noninterference_Refinement.thy arch_split: InfoFlowC checking 2016-05-06 13:15:37 +10:00
PasUpdates.thy wp_cleanup: update proofs for new wp behaviour 2017-01-13 14:04:15 +01:00
PolicyExample.thy infoflow examples: clean out unnecessary warnings 2017-01-13 14:04:15 +01:00
PolicySystemSAC.thy infoflow examples: clean out unnecessary warnings 2017-01-13 14:04:15 +01:00
README.md infoflow: Move "EquivValid" out of "infoflow/", into "lib/". 2014-10-13 11:05:31 +11:00
Retype_IF.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00
Scheduler_IF.thy idle-thread-pd: run idle thread with the global PD all the time. 2017-07-11 11:29:34 +10:00
Syscall_IF.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00
Tcb_IF.thy update proofs for SELFOUR-30/291 "Reschedule on self-modification" 2017-06-26 15:52:35 +10:00
UserOp_IF.thy arm InfoFlow: fixes for the backports from arm-hyp 2017-06-19 14:32:44 +10:00

README.md

Confidentiality Proof

This proof establishes that seL4 enforces information flow control, and so enforces the security property of confidentiality. Information flow security is defined in terms of (intransitive) noninterference, and implies confidentiality: data cannot be inferred without appropriate read authority. This proof is described in a 2013 IEEE Symposium on Security and Privacy paper. The proof first establishes noninterference for seL4's abstract specification, building on top of the Access Control Proof, before transferring the noninterference result to the kernel's C implementation via the Design Spec Refinement Proof and the C Refinement Proof.

Building

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b InfoFlow

Important Theories

The top-level theory where noninterference is proved for the seL4 abstract specification is Noninterference; the result is transferred to the C implementation via refinement in the theory Noninterference_Refinement. The base theory where noninterference is (generically) defined is Noninterference_Base. The bottom-level theory where confidentiality is formalised over the seL4 abstract specification is InfoFlow. Confidentiality is a relational property, and the theory EquivValid defines such relational properties generically for the nondeterministic state monad of the abstract specification.