seL4/l4v seL4/l4v

  • Stars
    star
    510
  • Rank 86,627 (Top 2 %)
  • Language Isabelle
  • License
    Other
  • Created over 10 years ago
  • Updated 17 days ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
seL4/l4v
github

seL4

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

seL4 specification and proofs

DOI CI Proofs Weekly Clean External

MCS:
CI RT Proofs

The L4.verified Proofs

This is the L4.verified git repository with formal specifications and proofs for the seL4 microkernel.

Most proofs in this repository are conducted in the interactive proof assistant Isabelle/HOL. For an introduction to Isabelle, see its official website and documentation.

Setup

This repository is meant to be used as part of a Google repo setup. Instead of cloning it directly, please follow the directions for software dependencies and Isabelle installation in the setup.md file in the docs directory.

Contributing

Contributions to this repository are welcome. Please read CONTRIBUTING.md for details.

Overview

The repository is organised as follows.

  • docs: documentation on conventions, style, etc.

  • spec: a number of different formal specifications of seL4

    • abstract: the functional abstract specification of seL4

    • sep-abstract: an abstract specification for a reduced version of seL4 that is configured as a separation kernel

    • haskell: Haskell model of the seL4 kernel, kept in sync with the C code

    • machine: the machine interface of these two specifications

    • cspec: the entry point for automatically translating the seL4 C code into Isabelle

    • capDL: a specification of seL4 that abstracts from memory content and concrete execution behaviour, modelling the protection state of the system in terms of capabilities. This specification corresponds to the capability distribution language capDL that can be used to initialise user-level systems on top of seL4.

    • take-grant: a formalisation of the classical take-grant security model, applied to seL4, but not connected to the code of seL4.

    • There are additional specifications that are not tracked in this repository, but are generated from other files:

      • design: the design-level specification of seL4, generated from the Haskell model.
      • c: the C code of the seL4 kernel, preprocessed into a form that can be read into Isabelle. This is generated from the seL4 repository.

  • proof: the seL4 proofs

    • invariant-abstract: invariants of the seL4 abstract specification
    • refine: refinement between abstract and design specifications
    • crefine: refinement between design specification and C semantics
    • access-control: integrity and authority confinement proofs
    • infoflow: confidentiality and intransitive non-interference proofs
    • asmrefine: Isabelle/HOL part of the seL4 binary verification
    • drefine: refinement between capDL and abstract specification
    • sep-capDL: a separation logic instance on capDL
    • capDL-api: separation logic specifications of selected seL4 APIs

  • lib: generic proof libraries, proof methods and tools. Among these, further libraries for fixed-size machine words, a formalisation of state monads with nondeterminism and exceptions, a generic verification condition generator for monads, a recursive invariant prover for these (crunch), an abstract separation logic formalisation, a prototype of the Eisbach proof method language, a prototype levity refactoring tool, and others.

  • tools: larger, self-contained proof tools

    • asmrefine: the generic Isabelle/HOL part of the binary verification tool
    • c-parser: a parser from C into the Simpl language in Isabelle/HOL. Includes a C memory model.
    • autocorres: an automated, proof-producing abstraction tool from C into higher-level Isabelle/HOL functions, based on the C parser above
    • haskell-translator: a basic python script for converting the Haskell prototype of seL4 into the executable design specification in Isabelle/HOL.

  • misc: miscellaneous scripts and build tools

  • camkes: an initial formalisation of the CAmkES component platform on seL4. Work in progress.

  • sys-init: specification of a capDL-based, user-level system initialiser for seL4, with proof that the specification leads to correctly initialised systems.

Hardware requirements

Almost all proofs in this repository should work within 4GB of RAM. Proofs involving the C refinement, will usually need the 64bit mode of polyml and about 16GB of RAM.

The proofs distribute reasonably well over multiple cores, up to about 8 cores are useful.

Running the Proofs

If Isabelle is set up correctly, a full test for the proofs in this repository for seL4 on the ARM architecture can be run with the command

L4V_ARCH=ARM ./run_tests

from the directory l4v/.

Set the environment variable L4V_ARCH to one of ARM, ARM_HYP, X64, RISCV64, or AARCH64 to get the proofs for the respective architecture. ARM has the most complete set of proofs, the other architectures tend to support only a subset of the proof sessions defined for ARM.

Not all of the proof sessions can be built directly with the isabelle build command. The seL4 proofs depend on Isabelle specifications that are generated from the C source code and Haskell model. Therefore, it is recommended to always build using the run_tests command or the supplied Makefiles, which will ensure that these generated specs are up to date.

To do this, enter one level under the l4v/ directory and run make <session-name>. For example, to build the abstract specification, do

export L4V_ARCH=ARM
cd l4v/spec
make ASpec

See the HEAPS variable in the corresponding Makefile for available targets. The sessions that directly depend on generated sources are ASpec, ExecSpec, and CKernel. These, and all sessions that depend on them, need to be run using run_tests or make.

Proof sessions that do not depend on generated inputs can be built directly with

./isabelle/bin/isabelle build -d . -v -b <session name>

from the directory l4v/. For available sessions and their dependencies, see the corresponding ROOT files in this repository. There is roughly one session corresponding to each major directory in the repository.

For interactively exploring, say the invariant proof of the abstract specification on ARM, note that in proof/ROOT the parent session for AInvs is ASpec and therefore run:

export L4V_ARCH=ARM
./run_tests ASpec
./isabelle/bin/isabelle jedit -d . -R AInvs

or, if you prefer make:

export L4V_ARCH=ARM
cd spec; make ASpec
../isabelle/bin/isabelle jedit -d . -R AInvs

in l4v/ and open one of the files in proof/invariant-abstract.

More Repositories

1

seL4

The seL4 microkernel
C
4,718
star
2

rust-sel4

Rust support for seL4 userspace
Rust
117
star
3

isabelle

git mirror of the Munich isabelle hg repository
Isabelle
114
star
4

microkit

Microkit - A simple operating system framework for the seL4 microkernel
Rust
82
star
5

util_libs

C
55
star
6

seL4_libs

No-assurance libraries for rapid-prototyping of seL4 apps.
C
52
star
7

sel4-tutorials

Tutorials for working with seL4 and/or CAmkES.
Python
52
star
8

refos

Prototype no-assurance reference OS personality built on seL4
C
49
star
9

seL4_tools

Basic tools for building seL4 projects
C
43
star
10

capdl

Capability Distribution Language tools for seL4
Haskell
34
star
11

rumprun-sel4-demoapps

Apps for running with the rumprun unikernel on seL4.
C
29
star
12

camkes-tool

The main CAmkES tool
Python
29
star
13

camkes

Component Architecture test suite and example apps.
C
27
star
14

musllibc

C
25
star
15

sel4test

Test suite for seL4.
C
25
star
16

camkes-vm

Virtual Machine built as a CAmkES component.
C
24
star
17

refos-manifest

Reference Operating system based on seL4 --- example code
21
star
18

camkes-manifest

Top level project for CAmkES, a component platform that provides support for developing and building static seL4 systems as a collection of interacting components.
20
star
19

seL4_projects_libs

C
19
star
20

sel4bench

sel4 benchmarking applications and support library.
C
18
star
21

camkes-vm-examples

C
16
star
22

docs

This is the source of the seL4 docs.
C
16
star
23

verification-manifest

Manifests for the collection of verification repositories
15
star
24

sel4test-manifest

Project to build and test seL4 for many different platforms
14
star
25

seL4-CAmkES-L4v-dockerfiles

Dockerfiles defining the dependencies required to build seL4, CAmkES, and L4v.
Shell
13
star
26

sel4runtime

A minimal runtime for seL4 applications.
C
12
star
27

camkes-arm-vm

C
11
star
28

graph-refine

Python
10
star
29

sel4-tutorials-manifest

8
star
30

camkes-arm-vm-manifest

Manifest for building a virtual machine on seL4 on ARM.
7
star
31

sel4webserver

An seL4 reference webserver application
CMake
7
star
32

sel4bench-manifest

Manifest of the seL4bench project, which contains microbenchmarks for seL4.
6
star
33

camkes-vm-examples-manifest

6
star
34

camkes-vm-manifest

CAmkES code and examples
6
star
35

projects_libs

C++
6
star
36

camkes-vm-linux

CMake
4
star
37

global-components

C
4
star
38

rust-microkit-http-server-demo

Demonstrates the use of the seL4 crates with the seL4 Microkit
Rust
4
star
39

machine_queue

Machine Queue scripts for remote access to our CI system
Shell
4
star
40

website

The seL4.systems website
HTML
3
star
41

ci-actions

CI GitHub actions for the seL4 repositories
Python
3
star
42

rust-microkit-demo

Demonstrates the use of the seL4 crates with the seL4 Microkit
Rust
2
star
43

camkes-vm-images

Precompiled kernels etc. for use with camkes VMs.
CMake
2
star
44

sel4webserver-manifest

2
star
45

pruner

Tool for trimming functions from a C source file
C
2
star
46

rust-root-task-demo

Demonstrates the use of the seL4 crates to construct a simple system
Dockerfile
1
star
47

mcs-examples

Native seL4 and CAmkES examples of mixed criticality mechanisms.
C
1
star
48

cakeml_libs

A collection of libraries and utilities to be used with CakeML applications.
Standard ML
1
star