From: Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP>
Subject: Re: seL4 as base of an AdaOS with some Spark proofing?
Date: Thu, 31 Jul 2014 00:31:11 +0000 (UTC)
Date: 2014-07-31T00:31:11+00:00 [thread overview]
Message-ID: <lrc2of$36l$1@dont-email.me> (raw)
In-Reply-To: NcaCv.85303$qR1.74779@fx02.iad
On 2014-07-30, Shark8 <OneWingedShark@gmail.com> wrote:
> On 30-Jul-14 02:22, kug1977@web.de wrote:
>> NICTA and General Dynamics C4 Systems have made seL4 Open Source (GPLv2/ BSD).
>> seL4 is the world's first operating-system kernel with an end-to-end proof of
>> implementation correctness and security enforcement and claims to be the
>> world's most highly-assured OS.
>
> From their FAQ:
>> *What are the proof assumptions?*
>>
>> The brief version is: we assume that in-kernel assembly code is correct,
>> hardware behaves correctly, in-kernel hardware management (TLB and caches) is
>> correct, and boot code is correct. The hardware model assumes DMA to be off
>> or to be trusted. The security proofs additionally give a list of conditions
>> how the system is configured.
>
> Note what they're assuming are correct:
> (1) In-Kernel HW resource management,
TLB and cache management can be a _real_ pain on current processors.
I don't know how much you know about this, but a good example to examine
is the Cortex-A8 series. A specific example is the AM3359 MCU used in
the Beaglebone Black.
> (2) In-kernel ASM functions,
It's not clear if they mean some assembly language kernel functions or
if they are talking about the generated code from the compiler.
> (3) Boot[-loader?] is correct.
>
You forgot:
(4) "hardware behaves correctly" - IOW there's no nasty surprises waiting
for you in the MCU specific errata list.
> That's not very reasonably an end-to-end proof; though #3 is arguable,
> I'll grant the DMA assumption is. -- With Ada/Spark we *can* do better.
>
> Moreover, given Ada's (a) natural spec/body divide, (b) better
> numeric/enumeration model, and (c) generic facilities we can write it in
> a more portable manner than is possible w/ C.
It's true that Ada gives you more tools than C does here, but none of
that helps you get the TLB and cache management correct. :-)
It also doesn't help you with any security issues within the hardware
itself. For example, do you trust any hardware specific RNGs ?
Are there any hardware specific security issues such as the SMM on x86
processors ?
Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world
next prev parent reply other threads:[~2014-07-31 0:31 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-30 8:22 seL4 as base of an AdaOS with some Spark proofing? kug1977
2014-07-30 9:06 ` Georg Bauhaus
2014-07-30 10:41 ` Peter Chapin
2014-07-30 11:55 ` G.B.
2014-07-30 17:47 ` Shark8
2014-07-30 22:40 ` Peter Chapin
2014-07-30 22:53 ` Shark8
2014-07-31 0:31 ` Simon Clubley [this message]
2014-07-31 6:23 ` Georg Bauhaus
2014-07-30 17:58 ` anon
2014-07-31 22:03 ` gvdschoot
2014-08-01 7:42 ` kug1977
2014-08-01 8:27 ` gvdschoot
2014-08-01 9:04 ` gvdschoot
2014-08-01 19:32 ` Randy Brukardt
2014-08-01 19:17 ` anon
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox