lh-l4v/proof/infoflow
Thomas Sewell 77d86cfc5f GraphRefine + CRefine: handle slightly more cases.
New testfile for graph-refine export with new handling code. Also
some slight tweaks to some CRefine proofs that will be needed to
remove DONT_TRANSLATE markers from certain key places in the seL4
code. These proofs are also compatible with previous seL4.
2016-12-08 16:12:17 +11:00
admin Import release snapshot. 2014-07-14 21:32:44 +02:00
figs Import release snapshot. 2014-07-14 21:32:44 +02:00
tools Import release snapshot. 2014-07-14 21:32:44 +02:00
ADT_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
ADT_IF_Refine.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
ADT_IF_Refine_C.thy GraphRefine + CRefine: handle slightly more cases. 2016-12-08 16:12:17 +11:00
Arch_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
CNode_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Decode_IF.thy SELFOUR-444: Finished InfoFlow and DRefine. 2016-11-02 11:19:09 +11:00
ExampleSystemPolicyFlows.thy infoflow: 2015 update (apart from C refinement) 2015-05-16 18:14:59 +10:00
Example_Valid_State.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Example_Valid_StateH.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
FinalCaps.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Finalise_IF.thy SELFOUR-553: update rpidrurw in TCBConfigure for simpler Infoflow proofs. 2016-11-18 16:27:26 +11:00
IRQMasks_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Include_IF_C.thy l4v: Add intermediate image for InfoFlowC. 2016-11-16 09:12:18 +11:00
InfoFlow.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Interrupt_IF.thy arch_split: requalify abstract theories 2016-04-27 18:46:16 +10:00
Ipc_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Noninterference.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Noninterference_Base.thy infoflow: 2015 update (apart from C refinement) 2015-05-16 18:14:59 +10:00
Noninterference_Base_Alternatives.thy infoflow: minor cleanup 2015-05-16 21:49:01 +10:00
Noninterference_Base_Enabledness_weak_asym.thy regression: add test to check theory import paths 2016-05-27 16:17:13 +10:00
Noninterference_Base_Refinement.thy Isabelle2016: infoflow update (partial) 2016-02-11 11:15:59 +11:00
Noninterference_Base_Refinement_Example.thy SELFOUR-421: infoflow and infoflow_c builds 2016-09-22 19:11:37 +10:00
Noninterference_Refinement.thy arch_split: InfoFlowC checking 2016-05-06 13:15:37 +10:00
PasUpdates.thy SELFOUR-64: Remove general Recycle operation 2016-11-18 14:11:12 +11:00
PolicyExample.thy terminology in comments: async ep -> notifications 2015-11-24 16:58:22 +13:00
PolicySystemSAC.thy add arch_tcb object to C, rename aep -> ntfn 2015-11-20 16:02:13 +11:00
README.md infoflow: Move "EquivValid" out of "infoflow/", into "lib/". 2014-10-13 11:05:31 +11:00
Retype_IF.thy SELFOUR-553: rebase and fix styles and comments 2016-11-21 20:47:15 +11:00
Scheduler_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Syscall_IF.thy Updating remaining proofs for tcb_arch reserved_irq and arch_fault changes 2016-11-25 13:51:07 +11:00
Tcb_IF.thy SELFOUR-553: rebase and fix styles and comments 2016-11-21 20:47:15 +11:00
UserOp_IF.thy SELFOUR-553: update rpidrurw in TCBConfigure for simpler Infoflow proofs. 2016-11-18 16:27:26 +11:00

README.md

Confidentiality Proof

This proof establishes that seL4 enforces information flow, and so enforces the security property of confidentiality. Information flow security is defined in terms of (intransitive) noninterference, and implies confidentiality: data cannot be inferred without appropriate read authority. This proof is described in a 2013 IEEE Symposium on Security and Privacy paper. The proof first establishes noninterference for seL4's abstract specification, building on top of the Access Control Proof, before transferring the noninterference result to the kernel's C implementation via the Design Spec Refinement Proof and the C Refinement Proof.

Building

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b InfoFlow

Important Theories

The top-level theory where noninterference is proved for the seL4 abstract specification is Noninterference; the result is transferred to the C implementation via refinement in the theory Noninterference_Refinement. The base theory where noninterference is (generically) defined is Noninterference_Base. The bottom-level theory where confidentiality is formalised over the seL4 abstract specification is InfoFlow. Confidentiality is a relational property, and the theory EquivValid defines such relational properties generically for the nondeterministic state monad of the abstract specification.