lh-l4v/proof/infoflow
Corey Lewis 02116815be proof+autocorres: update for select_wp and alternative_wp
Signed-off-by: Corey Lewis <corey.lewis@proofcraft.systems>
2023-08-09 16:42:01 +10:00
ARM proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
RISCV64 proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
figs Import release snapshot. 2014-07-14 21:32:44 +02:00
refine proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
tools licenses: convert license tags to SPDX 2020-03-13 14:38:24 +08:00
ADT_IF.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
Arch_IF.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
CNode_IF.thy proofs: updates for monad refactor 2023-02-09 11:46:55 +11:00
Decode_IF.thy various: resolve some new fixmes 2021-11-12 09:39:16 +11:00
ExampleSystemPolicyFlows.thy infoflow: general cleanup 2021-10-05 08:46:11 +11:00
FinalCaps.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
Finalise_IF.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
IRQMasks_IF.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
InfoFlow.thy infoflow: InfoFlow arch split 2021-10-05 08:46:11 +11:00
InfoFlow_IF.thy lib+proofs+sys-init+tools: proof updates for Fun_Pred_Syntax 2023-01-09 14:54:11 +11:00
InfoFlow_Image_Toplevel.thy infoflow: general cleanup 2021-10-05 08:46:11 +11:00
Interrupt_IF.thy infoflow: replace valid_ko_at_arch with valid_arch_state 2021-10-05 08:46:11 +11:00
Ipc_IF.thy infoflow: update for monadic rewrite changes 2023-06-16 13:51:36 +10:00
Noninterference.thy proofs: updates for monad refactor 2023-02-09 11:46:55 +11:00
Noninterference_Base.thy infoflow: general cleanup 2021-10-05 08:46:11 +11:00
Noninterference_Base_Alternatives.thy spec+proofs+autocorres: theory import fixes 2023-01-24 11:30:06 +11:00
Noninterference_Base_Refinement.thy licenses: convert license tags to SPDX 2020-03-13 14:38:24 +08:00
PasUpdates.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
PolicyExample.thy infoflow: general cleanup 2021-10-05 08:46:11 +11:00
PolicySystemSAC.thy infoflow: general cleanup 2021-10-05 08:46:11 +11:00
README.md READMEs: use run_tests consistently in READMEs (#622) 2023-03-30 13:59:18 +11:00
Retype_IF.thy riscv infoflow: add Retype proofs 2021-11-12 09:39:16 +11:00
Scheduler_IF.thy proofs: hoare_pre_cont variable renamed 2023-02-09 11:46:51 +11:00
Syscall_IF.thy proof+autocorres: update for select_wp and alternative_wp 2023-08-09 16:42:01 +10:00
Tcb_IF.thy proofs: updates for monad refactor 2023-02-09 11:46:55 +11:00
UserOp_IF.thy infoflow: UserOp arch split 2021-10-05 08:46:11 +11:00

README.md

Confidentiality Proof

This proof establishes that seL4 enforces information flow, and so enforces the security property of confidentiality. Information flow security is defined in terms of (intransitive) noninterference, and implies confidentiality: data cannot be inferred without appropriate read authority. This proof is described in a 2013 IEEE Symposium on Security and Privacy paper. The proof first establishes noninterference for seL4's abstract specification, building on top of the Access Control Proof, and then transfers the noninterference result to the kernel's C implementation via the Design Spec Refinement Proof and the C Refinement Proof.

Building

To build for the ARM architecture from the l4v/ directory, run:

L4V_ARCH=ARM ./run_tests InfoFlow

Important Theories

The top-level theory where noninterference is proved for the seL4 abstract specification is Noninterference; it is transferred to the C implementation via refinement in the theory Noninterference_Refinement. The base theory where noninterference is (generically) defined is Noninterference_Base. The bottom-level theory where confidentiality is formalised over the seL4 abstract specification is InfoFlow. Confidentiality is a relational property, and the theory EquivValid defines such relational properties generically for the nondeterministic state monad of the abstract specification.