Communications of the ACM

Figure 1. Isolation and controlled communication with seL4.

Figure 2. Kernel objects for an example seL4-based system with two threads communicating via an endpoint. seL4

Untrusted VM

Guest apps
Guest OS
Native apps Native apps
TrustedUntrusted

Hardware
Thread ObjectA
CNodeA1 EP

Thread Object B CNodeB1

CNodeA2

VSpace

CSpace CSpace

Se
n
d
Re
cei
ve

PDA

PTA1 FRAME FRAME

...

. . . CON
T
EX
T
CO
N T
EX
T

AB
other publicly available software in hu-
man history in terms not only of lines
of proof but strength of properties
proved. At the heart of this verification
story sits the proof of “functional cor-
rectness” of the kernel’s C implemen-
tation, 23 guaranteeing every behavior
of the kernel is predicted by its formal
abstract specification; see the online
appendix ( dl.acm.org/citation.cfm?
doid=3230627&picked=formats) for an
idea of how these proofs look. Following
this guarantee, we added further proofs
we explain after first introducing the
main kernel mechanisms.
seL4 API. The seL4 kernel provides a
minimal set of mechanisms for imple-
menting secure systems: threads, ca-
pability management, virtual address
spaces, inter-process communication
(IPC), signaling, and interrupt delivery.
The kernel maintains its state in
“kernel objects.” For example, for each
thread in a system there is a “thread
object” that stores information about
scheduling, execution, and access con-
trol. User-space programs can refer to
kernel objects only indirectly through
“capabilities” 10 that combine a refer-
ence to an object with a set of access
rights to this object. For example, a
thread cannot start or stop another
thread unless it has a capability to the
corresponding thread object.
Threads communicate and syn-
chronize by sending messages through
IPC “endpoint” objects. One thread
with a send capability to an appropri-
ate endpoint can message another
thread that has a receive capability to
that endpoint. “Notification” objects
provide synchronization through sets
of binary semaphores. Virtual address
translation is managed by kernel ob-
jects that represent page directories,
are toy systems. For instance, Comp-
Cert is a commercial product, the seL4
microkernel is used in aerospace, au-
tonomous aviation, and as an Internet
of Things platform, and the CoCon
system has been used in multiple full-
scale scientific conferences.

These verification projects required significant effort, and for verification to be practical for widespread use, the effort needs to decrease. Here, we demonstrate how strategically combining formal and informal techniques, partially automating the formal ones, and carefully architecting the software to maximize the benefits of isolated components, allowed us to dramatically increase the assurance of systems whose overall size and complexity is orders-of-magnitude greater than that of the systems mentioned earlier.

Note we primarily use formal veri-
fication to provide proofs about cor-
rectness of code that a system’s safety
or security relies on. But it has other
benefits as well. For example, code
correctness proofs make assumptions
about the context in which the code is
run (such as behavior of hardware and
configuration of software). Since for-
mal verification makes these assump-
tions explicit, developer effort can
focus on ensuring the assumptions
hold—through other means of verifi-
cation like testing. Moreover, in many
cases systems consist of a combina-
tion of verified and non-verified code,
and in them, formal verification acts
as a lens, focusing review, testing, and
debugging on the system’s critical non-
verified code.

seL4

We begin with the foundation for building provably trustworthy systems—the operating system (OS) kernel, the system’s most critical part and enabler of cost-effective trustworthiness of the entire system.

The seL4 microkernel provides a formally verified minimal set of mechanisms for implementing secure systems. Unlike standard separation kernels31 they are purposefully general and so can be combined for implementing a range of security policies for a range of system requirements.

One of the main design goals of seL4 (see the sidebar “Proof Effort”) is to enforce strong isolation between mutually distrusting components that may run on top of it. The mechanisms support its use as a hypervisor to, say, host entire Linux operating systems while keeping them isolated from se-curity-critical components that might run alongside, as outlined in Figure 1. In particular, this functionality allows system designers to deploy legacy components that may have latent vulnerabilities alongside highly trustworthy components.

The seL4 kernel is unique among general-purpose microkernels. Not only does it deliver the best performance in its class, 20 its 10,000 lines of C code have been subjected to more formal verification than any