lh-l4v/proof/infoflow
Joel Beeren 4601f2a1ab Genericise deletion actions that occur after empty_slot
This patch adds a generic "post_cap_deletion" step that is called by
finalise_slot. Previous to this, the only caps which had actions
required at this stage were IRQHandlerCaps -- it was required that the
IRQ bitmap be updated after the cap itself was removed (as the
invariants state that for any existing IRQHandlerCap, the corresponding
bit in the IRQ bitmap must be set).

By genericising this, we add the capacity for new, arch-specific post
cap deletion actions to occur in the future.
2018-02-23 09:12:55 +11:00
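As an added illustration of the ordering the commit message describes (a toy Python model, not code from l4v or seL4; the `State` shape, the dispatch table, the `bitmap_first` contrast function and the constructed sample state are all assumptions, and each IRQ is assumed to have at most one handler cap):

```python
from dataclasses import dataclass, field

# A cap is modelled as a (type, payload) tuple; an IRQHandlerCap carries its IRQ number.
IRQ_HANDLER = "IRQHandlerCap"

@dataclass
class State:
    slots: dict                                   # CSlot id -> cap tuple, or None when empty
    irq_bitmap: set = field(default_factory=set)  # IRQ numbers whose bitmap bit is set

def invariant(st: State) -> bool:
    """Invariant quoted in the commit message: every existing IRQHandlerCap has its IRQ bit set."""
    return all(cap is None or cap[0] != IRQ_HANDLER or cap[1] in st.irq_bitmap
               for cap in st.slots.values())

def clear_irq_bit(st: State, cap) -> None:
    st.irq_bitmap.discard(cap[1])

# Generic post-deletion dispatch: cap type -> action run after the slot has been emptied.
# Further (e.g. arch-specific) actions are added by registering another entry; other types do nothing.
POST_CAP_DELETION_ACTIONS = {IRQ_HANDLER: clear_irq_bit}

def empty_slot(st: State, slot: int):
    cap, st.slots[slot] = st.slots[slot], None
    return cap

def post_cap_deletion(st: State, cap) -> None:
    if cap is not None:
        POST_CAP_DELETION_ACTIONS.get(cap[0], lambda s, c: None)(st, cap)

def finalise_slot(st: State, slot: int):
    """Remove the cap first, then run the generic post-deletion step.
    Returns the invariant's value after each of the two steps."""
    cap = empty_slot(st, slot)
    after_empty = invariant(st)
    post_cap_deletion(st, cap)
    return after_empty, invariant(st)

def bitmap_first(st: State, slot: int):
    """The opposite order, for contrast: clearing the bit while the cap still exists breaks the invariant."""
    cap = st.slots[slot]
    post_cap_deletion(st, cap)
    after_bitmap = invariant(st)
    empty_slot(st, slot)
    return after_bitmap, invariant(st)

def fresh_state() -> State:
    # Constructed sample: one IRQHandlerCap for IRQ 5 (bit set) plus an unrelated endpoint cap.
    return State(slots={1: (IRQ_HANDLER, 5), 2: ("EndpointCap", 0x40)}, irq_bitmap={5})

if __name__ == "__main__":
    print(finalise_slot(fresh_state(), 1))  # (True, True)
    print(bitmap_first(fresh_state(), 1))   # (False, True)
```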
admin Import release snapshot. 2014-07-14 21:32:44 +02:00
figs Import release snapshot. 2014-07-14 21:32:44 +02:00
tools manually adjust non-obvious cases of tab to space replacement 2017-10-20 14:22:36 +11:00
ADT_IF.thy Genericise deletion actions that occur after empty_slot 2018-02-23 09:12:55 +11:00
ADT_IF_Refine.thy arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242) 2017-11-27 22:05:34 +11:00
ADT_IF_Refine_C.thy autocorres-crefine: update CRefine proofs for AutoCorres 2017-11-22 15:37:36 +11:00
Arch_IF.thy add constant definitions for bounds on untyped object sizes 2017-12-18 12:58:27 +11:00
CNode_IF.thy arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242) 2017-11-27 22:05:34 +11:00
Decode_IF.thy arm: update for simple_ko getter/setter 2017-12-14 18:02:48 +11:00
ExampleSystemPolicyFlows.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Example_Valid_State.thy arm : add AEndpoint and ANTFN a_type simplification 2017-12-14 07:17:27 +11:00
Example_Valid_StateH.thy update object and field widths for x64, and remove some magic numbers 2017-10-26 14:05:35 +11:00
FinalCaps.thy Genericise deletion actions that occur after empty_slot 2018-02-23 09:12:55 +11:00
Finalise_IF.thy Genericise deletion actions that occur after empty_slot 2018-02-23 09:12:55 +11:00
IRQMasks_IF.thy Genericise deletion actions that occur after empty_slot 2018-02-23 09:12:55 +11:00
Include_IF_C.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
InfoFlow.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
InfoFlow_Image_Toplevel.thy infoflow: add InfoFlow_Image_Toplevel 2017-11-27 21:00:14 +11:00
Interrupt_IF.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Ipc_IF.thy arm: update for simple_ko getter/setter 2017-12-14 18:02:48 +11:00
Noninterference.thy arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242) 2017-11-27 22:05:34 +11:00
Noninterference_Base.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Noninterference_Base_Alternatives.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Noninterference_Base_Enabledness_weak_asym.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Noninterference_Base_Refinement.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
Noninterference_Base_Refinement_Example.thy SELFOUR-421: infoflow and infoflow_c builds 2016-09-22 19:11:37 +10:00
Noninterference_Refinement.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
PasUpdates.thy arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242) 2017-11-27 22:05:34 +11:00
PolicyExample.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
PolicySystemSAC.thy Removes all trailing whitespaces 2017-07-12 15:13:51 +10:00
README.md infoflow: Move "EquivValid" out of "infoflow/", into "lib/". 2014-10-13 11:05:31 +11:00
Retype_IF.thy add constant definitions for bounds on untyped object sizes 2017-12-18 12:58:27 +11:00
Scheduler_IF.thy arm: revise scheduler / fastpath / scheduler bitmaps (SELFOUR-242) 2017-11-27 22:05:34 +11:00
Syscall_IF.thy arm: update for simple_ko getter/setter 2017-12-14 18:02:48 +11:00
Tcb_IF.thy Genericise deletion actions that occur after empty_slot 2018-02-23 09:12:55 +11:00
UserOp_IF.thy arm : add AEndpoint and ANTFN a_type simplification 2017-12-14 07:17:27 +11:00

README.md

Confidentiality Proof

This proof establishes that seL4 enforces information flow security, and hence the security property of confidentiality. Information flow security is defined in terms of (intransitive) noninterference, and implies confidentiality: data cannot be inferred without appropriate read authority. This proof is described in a 2013 IEEE Symposium on Security and Privacy paper. The proof first establishes noninterference for seL4's abstract specification, building on the Access Control Proof, and then transfers the noninterference result to the kernel's C implementation via the Design Spec Refinement Proof and the C Refinement Proof.

Building

To build from the l4v/ directory, run:

./isabelle/bin/isabelle build -d . -v -b InfoFlow

Important Theories

The top-level theory where noninterference is proved for the seL4 abstract specification is Noninterference; the result is transferred to the C implementation via refinement in the theory Noninterference_Refinement. The base theory where noninterference is (generically) defined is Noninterference_Base. The bottom-level theory where confidentiality is formalised over the seL4 abstract specification is InfoFlow. Confidentiality is a relational property; the theory EquivValid defines such relational properties generically for the nondeterministic state monad of the abstract specification.