From: Shark8 <OneWingedShark@gmail.com>
Subject: Re: seL4 as base of an AdaOS with some Spark proofing?
Date: Wed, 30 Jul 2014 11:47:23 -0600
Date: 2014-07-30T11:47:23-06:00 [thread overview]
Message-ID: <NcaCv.85303$qR1.74779@fx02.iad> (raw)
In-Reply-To: <791c07d0-575d-42be-ad5c-219aa3cf7734@googlegroups.com>
On 30-Jul-14 02:22, kug1977@web.de wrote:
> NICTA and General Dynamics C4 Systems have made seL4 Open Source (GPLv2/ BSD).
> seL4 is the world's first operating-system kernel with an end-to-end proof of
> implementation correctness and security enforcement and claims to be the
> world's most highly-assured OS.
From their FAQ:
> *What are the proof assumptions?*
>
> The brief version is: we assume that in-kernel assembly code is correct,
> hardware behaves correctly, in-kernel hardware management (TLB and caches) is
> correct, and boot code is correct. The hardware model assumes DMA to be off
> or to be trusted. The security proofs additionally give a list of conditions
> how the system is configured.
Note what they're assuming are correct:
(1) In-Kernel HW resource management,
(2) In-kernel ASM functions,
(3) Boot[-loader?] is correct.
That's not very reasonably an end-to-end proof; though #3 is arguable,
I'll grant the DMA assumption is. -- With Ada/Spark we *can* do better.
Moreover, given Ada's (a) natural spec/body divide, (b) better
numeric/enumeration model, and (c) generic facilities we can write it in
a more portable manner than is possible w/ C.
next prev parent reply other threads:[~2014-07-30 17:47 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-30 8:22 seL4 as base of an AdaOS with some Spark proofing? kug1977
2014-07-30 9:06 ` Georg Bauhaus
2014-07-30 10:41 ` Peter Chapin
2014-07-30 11:55 ` G.B.
2014-07-30 17:47 ` Shark8 [this message]
2014-07-30 22:40 ` Peter Chapin
2014-07-30 22:53 ` Shark8
2014-07-31 0:31 ` Simon Clubley
2014-07-31 6:23 ` Georg Bauhaus
2014-07-30 17:58 ` anon
2014-07-31 22:03 ` gvdschoot
2014-08-01 7:42 ` kug1977
2014-08-01 8:27 ` gvdschoot
2014-08-01 9:04 ` gvdschoot
2014-08-01 19:32 ` Randy Brukardt
2014-08-01 19:17 ` anon
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox