Capabilities in Sel4

Capabilities in seL4

David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Capabilities in seL4 Resource Management Implementation Model Representation David Cock Operations Usage & Results The seL4 Proofs Applications May 13, 2015 Questions

1 / 32 • Threads • Address spaces • IPC

Microkernels Capabilities in seL4 David Cock

Background App App Microkernel Systems _g KS seL4 & Barrelﬁsh write recv Authorisation and Delegation ' Types of Authority FS IO Net Resource Management Implementation Kernel AS Model Representation Operations

Usage & Results The seL4 Proofs Applications

Questions • Partition an OS into servers. • Small, trusted kernel. • Core primitives:

2 / 32 • Address spaces • IPC

Microkernels Capabilities in seL4 David Cock

Usage & Results The seL4 Proofs Applications

Questions • Partition an OS into servers. • Small, trusted kernel. • Core primitives: • Threads

2 / 32 • IPC

Microkernels Capabilities in seL4 David Cock

Usage & Results The seL4 Proofs Applications

Questions • Partition an OS into servers. • Small, trusted kernel. • Core primitives: • Threads • Address spaces

2 / 32 Microkernels Capabilities in seL4 David Cock

Usage & Results The seL4 Proofs Applications

Questions • Partition an OS into servers. • Small, trusted kernel. • Core primitives: • Threads • Address spaces • IPC

2 / 32 seL4 & Barrelﬁsh Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation • Classical µkernel. • Multikernel. Model Representation • 1 CPU performance. • Scalability. Operations • • Usage & Results Embedded systems. Large systems. The seL4 Proofs • High assurance/veriﬁed. Applications Questions

• The seL4 capability system was adapted to Barrelﬁsh. • Concurrency means real challenges.

3 / 32 Systems on a Microkernel Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelfish An seL4/Barrelfish system is a set of processes, built from: Authorisation and Delegation Types of Authority Kernel Objects Resource Management Implementation • Execution contexts (Barrelfish) / Threads (seL4). Model Representation • Communication endpoints. Operations Usage & Results The seL4 Proofs Hardware Objects Applications Questions • Memory regions (frames). • Address translations (page tables). • Interrupt routing tables.

4 / 32 Access Control in seL4/Barrelﬁsh Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Subjects are user-level processes. Object access is kernel Delegation Types of Authority (seL4) / CPU driver (BF) -enforced. Resource Management Kernel Objects are only accessed during system calls, Implementation Model where the kernel checks permissions. Representation Operations

Hardware Objects are accessed through hardware security Usage & Results The seL4 Proofs mechanisms (e.g. MMU), which are Applications conﬁgured by the kernel via system calls. Questions

The kernel and MMU form a reference monitor.

5 / 32 Capabilities Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation subject Types of Authority Resource Management invokes Implementation Model Representation Capability / Object Operations Usage & Results The seL4 Proofs Authority is granted by capabilities (caps): Applications Questions • Unforgeable (kernel/CPU driver checked). • Transferrable. • Extensible.

6 / 32 The Capability System Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management Framecap Page Tablecap VSpacecap Implementation Model Representation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Operations Usage & Results Frame Page Table VSpace The seL4 Proofs Applications

Questions • All objects referred to by caps. • All system calls are cap invocations. • Hardware structures mirrored in cap structure. • Kernel ops are (mostly) atomic, also local on Barrelﬁsh.

7 / 32 The Capability System Capabilities in seL4 David Cock

Background Microkernel Systems map seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority Resource Management Framecap Page Tablecap VSpacecap Implementation Model Representation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Operations Usage & Results The seL4 Proofs Frame Page Table VSpace Applications

7 / 32 The Capability System Capabilities in seL4 David Cock

Background Microkernel Systems map seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority Resource Management Framecap / Page Tablecap VSpacecap Implementation Model Representation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Operations Usage & Results The seL4 Proofs Frame o Page Table VSpace Applications

7 / 32 The Capability System Capabilities in seL4 David Cock

Background Microkernel Systems map seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority Resource Management Framecap / Page Tablecap / VSpacecap Implementation Model Representation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Operations Usage & Results The seL4 Proofs Frame o Page Table o VSpace Applications

7 / 32 The Capability System Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management Framecap / Page Tablecap / VSpacecap Implementation Model Representation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Operations Usage & Results Frame o Page Table o VSpace The seL4 Proofs Applications

7 / 32 • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

Implementation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Model Representation Operations Frame o Page Table o VSpace Usage & Results The seL4 Proofs Applications

Questions thread2

• CSpaces hold caps: explicit authority.

8 / 32 • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

Questions thread2

• CSpaces hold caps: explicit authority.

8 / 32 • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

KOP KOP KOP Implementation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Model Representation Operations Frame o Page Table o VSpace Usage & Results The seL4 Proofs Applications

Questions thread2

• CSpaces hold caps: explicit authority.

8 / 32 • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

KOP KOP KOP Implementation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Model Representation Operations Frame o Page Table o VSpace Usage & Results 1 1 1 The seL4 Proofs Applications

Questions thread2

• CSpaces hold caps: explicit authority.

8 / 32 • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

KOP KOP KOP Implementation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Model Representation Operations Frame o Page Table o VSpace 6 Usage & Results 1 1 1 The seL4 Proofs VSpace Applications

Questions thread2

• CSpaces hold caps: explicit authority.

8 / 32 • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

KOP KOP KOP Implementation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Model Representation o HW o HW Operations Frame o Page Table o VSpace 6 Usage & Results 1 1 1 The seL4 Proofs VSpace Applications

Questions thread2

• CSpaces hold caps: explicit authority.

8 / 32 • implicit authority 9 explicit authority.

CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

KOP KOP KOP Implementation −−−−−−−−−−−−−−−−−−−−−−−−−−−−−− Model Representation o HW o HW Operations Frame o Page Table o VSpace h 6 Usage & Results 1 ,2 1 1 The seL4 Proofs R/W VSpace Applications

Questions thread2

• CSpaces hold caps: explicit authority. • HW gives implicit authority e.g. read/write.

8 / 32 CSpaces and Authority Capabilities in seL4 David Cock

thread1 Background Microkernel Systems seL4 & Barrelﬁsh CSpace CSpace CSpace Authorisation and w ' Delegation Framecap / Page Table / VSpacecap Types of Authority cap Resource Management

Questions thread2

• CSpaces hold caps: explicit authority. • HW gives implicit authority e.g. read/write. • implicit authority 9 explicit authority. 8 / 32 • Threads compete for shared resources. • Hard to account to threads. • Allocation policy in the kernel.

Kernel Resource Allocation Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results Traditional kernels, including L4, allocate resources for The seL4 Proofs Applications

clients: Scheduling queues, IPC queues, . . . . Questions

9 / 32 Kernel Resource Allocation Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results Traditional kernels, including L4, allocate resources for The seL4 Proofs Applications

clients: Scheduling queues, IPC queues, . . . . Questions • Threads compete for shared resources. • Hard to account to threads. • Allocation policy in the kernel.

9 / 32 • A grants new caps to mutually untrusting B & C. • B & C now have partioned resources. • They can perform further retyping themselves. • All kernel & user resources are allocated thusly.

Retyping Capabilities in seL4 David Cock

Background Microkernel Systems A seL4 & Barrelﬁsh RAM0–127 Authorisation and Delegation grant B grant C Types of Authority Resource Management B C Implementation RAM0–63 RAM64–127 Model Representation Operations B B C Usage & Results Frame EP Thread The seL4 Proofs Applications

Questions • Resource manager A retypes (splits) a RAM object.

10 / 32 • B & C now have partioned resources. • They can perform further retyping themselves. • All kernel & user resources are allocated thusly.

Retyping Capabilities in seL4 David Cock

Questions • Resource manager A retypes (splits) a RAM object. • A grants new caps to mutually untrusting B & C.

10 / 32 • They can perform further retyping themselves. • All kernel & user resources are allocated thusly.

Retyping Capabilities in seL4 David Cock

Questions • Resource manager A retypes (splits) a RAM object. • A grants new caps to mutually untrusting B & C. • B & C now have partioned resources.

10 / 32 • All kernel & user resources are allocated thusly.

Retyping Capabilities in seL4 David Cock

Questions • Resource manager A retypes (splits) a RAM object. • A grants new caps to mutually untrusting B & C. • B & C now have partioned resources. • They can perform further retyping themselves.

10 / 32 Retyping Capabilities in seL4 David Cock

10 / 32 The Authority Database Model Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and The kernel maintains a database of valid capabilities, with Delegation requirements: Types of Authority Resource Management Atomicity Users (subjects) always see a consistent state. Implementation Model Representation Performance Cap lookup is on the critical path. Operations No Allocation Bookkeeping must be stored somewhere. Usage & Results The seL4 Proofs Applications

Questions

I will describe the seL4/sequential case. Simon will discuss the Barrelﬁsh/concurrent case.

11 / 32 An endpoint.

• A CSpace is all caps reachable from a CRoot. • CNodes are themselves managed with caps. • What’s at 1000? • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model . Representation Operations

Usage & Results The seL4 Proofs Applications

• CNodes objects store caps and bookkeeping. Questions

12 / 32 An endpoint.

• CNodes are themselves managed with caps. • What’s at 1000? • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation . Operations

Usage & Results The seL4 Proofs Applications • CNodes objects store caps and bookkeeping. Questions • A CSpace is all caps reachable from a CRoot.

12 / 32 An endpoint.

• CNodes are themselves managed with caps. • What’s at 1000? • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh RAM Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation . Operations

Usage & Results The seL4 Proofs Applications • CNodes objects store caps and bookkeeping. Questions • A CSpace is all caps reachable from a CRoot.

12 / 32 An endpoint.

• What’s at 1000? • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh CNode RAM CNode Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation . Operations

Usage & Results The seL4 Proofs Applications • CNodes objects store caps and bookkeeping. Questions • A CSpace is all caps reachable from a CRoot. • CNodes are themselves managed with caps.

12 / 32 An endpoint.

• What’s at 1000? • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh CNode RAM CNode Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation . Operations

Usage & Results The seL4 Proofs Applications • CNodes objects store caps and bookkeeping. Questions • A CSpace is all caps reachable from a CRoot. • CNodes are themselves managed with caps.

12 / 32 An endpoint.

• What’s at 1000? • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh CNode RAM CNode Authorisation and Delegation Types of Authority EP RAM Resource Management Implementation Model Frame Thread Representation . Operations

Usage & Results The seL4 Proofs Applications • CNodes objects store caps and bookkeeping. Questions • A CSpace is all caps reachable from a CRoot. • CNodes are themselves managed with caps.

12 / 32 An endpoint. • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background 00 01 10 Microkernel Systems seL4 & Barrelﬁsh CNode RAM CNode Authorisation and 00 01 Delegation Types of Authority EP RAM Resource Management 00 10 Implementation Model Frame Thread Representation . Operations

12 / 32 An endpoint. • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

12 / 32 • CSpaces may have cycles, but ﬁnite eﬀective depth. • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

12 / 32 • Every invocation is an authority DB query.

CNodes Capabilities in seL4 David Cock

CRoot Background 00 01 10 Microkernel Systems seL4 & Barrelﬁsh CNode RAM CNode Authorisation and 00 01 11 Delegation Types of Authority EP RAM CNode Resource Management 00 10 Implementation Model Frame Thread Representation . Operations

Usage & Results The seL4 Proofs Applications • CNodes objects store caps and bookkeeping. Questions • A CSpace is all caps reachable from a CRoot. • CNodes are themselves managed with caps. • What’s at 1000? An endpoint. • CSpaces may have cycles, but ﬁnite eﬀective depth.

12 / 32 CNodes Capabilities in seL4 David Cock

12 / 32 Mint/Retype Derive new sub-objects, and caps to them. Copy Create a new cap to an object. The old and new caps are (mostly) indistinguishable. Move Move caps within or between CNodes. Delete Remove the cap. Destroy the object once the last cap is gone. Revoke Destroy all objects derived (via retype) from this one.

Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

Background These mutate the authority DB: Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results The seL4 Proofs Applications

Questions

13 / 32 Copy Create a new cap to an object. The old and new caps are (mostly) indistinguishable. Move Move caps within or between CNodes. Delete Remove the cap. Destroy the object once the last cap is gone. Revoke Destroy all objects derived (via retype) from this one.

Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

Background These mutate the authority DB: Microkernel Systems seL4 & Barrelﬁsh Mint/Retype Derive new sub-objects, and caps to them. Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results The seL4 Proofs Applications

Questions

13 / 32 Move Move caps within or between CNodes. Delete Remove the cap. Destroy the object once the last cap is gone. Revoke Destroy all objects derived (via retype) from this one.

Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

Usage & Results The seL4 Proofs Applications

Questions

13 / 32 Delete Remove the cap. Destroy the object once the last cap is gone. Revoke Destroy all objects derived (via retype) from this one.

Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

Usage & Results The seL4 Proofs Applications

Questions

13 / 32 Revoke Destroy all objects derived (via retype) from this one.

Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

Background These mutate the authority DB: Microkernel Systems seL4 & Barrelﬁsh Mint/Retype Derive new sub-objects, and caps to them. Authorisation and Delegation Copy Create a new cap to an object. The old and Types of Authority new caps are (mostly) indistinguishable. Resource Management Implementation Move Move caps within or between CNodes. Model Representation Delete Remove the cap. Destroy the object once the Operations Usage & Results last cap is gone. The seL4 Proofs Applications

Questions

13 / 32 Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

13 / 32 The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

Cap Operations Capabilities in seL4 David Cock

Delete and Revoke call each other, and are long-running.

13 / 32 Cap Operations Capabilities in seL4 David Cock

Delete and Revoke call each other, and are long-running. The recursion is not atomic — Preemptible on seL4, done in a user-level monitor on Barrelﬁsh.

13 / 32 Retype Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

RAM1 Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results CRoot RAM1 . The seL4 Proofs Applications RAM1 Questions

14 / 32 Retype Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

RAM1 RAM2 RAM3 Authorisation and L H Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results CRoot RAM1 . The seL4 Proofs Applications & + x & RAM1 RAM2 RAM3 RAM2 RAM3 Questions

RAM caps may be split.

14 / 32 Retype Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and L H Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results CRoot RAM1 . The seL4 Proofs Applications x & + x & CNode1 RAM1 RAM2 RAM3 RAM2 RAM3 Questions CNode1

CNodes are created like other objects.

14 / 32 Retype Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and L H Delegation Types of Authority Resource Management

Implementation Model Frame1 Frame2 Representation Operations

Usage & Results CRoot RAM1 . The seL4 Proofs Applications x & + x & CNode1 RAM1 RAM2 RAM3 RAM2 RAM3 Questions & x Frame1 Frame2 CNode1 Frame1 Frame2

RAM must become Frames before being mapped.

14 / 32 Move Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and L H Delegation Types of Authority Resource Management

Implementation Model Frame1 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x & + x & CNode1 RAM1 RAM2 RAM3 RAM2 RAM3 Questions & x Frame1 Frame2 CNode1 Frame1 Frame2

15 / 32 Move Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and L H Delegation Types of Authority Resource Management

Moving within CNode doesn’t aﬀect trees.

15 / 32 Move Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

CNode1 RAM1 RAM3 Authorisation and X H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame1 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions x & x RAM2 Frame1 Frame2 CNode1 Frame1 Frame2

Moving between aﬀects CSpace but not ancestry.

15 / 32 Copy Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

CNode1 RAM1 RAM3 Authorisation and X H Delegation Types of Authority Resource Management

16 / 32 Copy Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame1 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x & x RAM2 Frame1 Frame2 CNode1 Frame1 Frame2

16 / 32 Copy Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame1 Frame2 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x 2 "* x RAM2 Frame1 Frame2 CNode1 Frame1 Frame2

Copies make the CSpace a proper DAG.

16 / 32 Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

17 / 32 Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Deleting non-ﬁnal leaf caps is easy.

17 / 32 Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Deleting non-ﬁnal leaf caps is easy.

17 / 32 Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Deleting the last cap deletes the object.

17 / 32 Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x & RAM2 Frame2 CNode1 Frame2

Deleting the last cap deletes the object.

17 / 32 Revoke Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x & RAM2 Frame2 CNode1 Frame2

Revoke walks the ancestry tree.

18 / 32 Revoke Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x & RAM2 Frame2 CNode1 Frame2

Mark RAM3 for revocation.

18 / 32 Revoke Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Frame2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x & RAM2 Frame2 CNode1 Frame2

Mark its descendents for deletion.

18 / 32 Revoke Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x RAM2 CNode1

Delete them.

18 / 32 Revoke Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 RAM3 Authorisation and X L H Delegation Types of Authority Resource Management

Implementation Model RAM2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x + x & CNode1 RAM1 RAM3 RAM2 RAM3 Questions Ù x RAM2 CNode1

The root can now be deleted, if required.

18 / 32 Revoke Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 Authorisation and X L Delegation Types of Authority Resource Management

Implementation Model RAM2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM1 RAM2 Questions Ù x RAM2 CNode1

18 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM1 RAM2 Authorisation and X L Delegation Types of Authority Resource Management

Implementation Model RAM2 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM1 RAM2 Questions Ù x RAM2 CNode1

Move RAM1.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and X K Delegation Types of Authority Resource Management

Implementation Model RAM2 RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù x & RAM2 RAM1 CNode1

There’s now a loop, with links in both trees.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and X K Delegation Types of Authority Resource Management

Implementation Model RAM2 RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù x & RAM2 RAM1 CNode1

Let’s revoke RAM2, a child.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and X K Delegation Types of Authority Resource Management

Implementation Model RAM2 RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù x & RAM2 RAM1 CNode1

Mark its descendents for deletion.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and X K Delegation Types of Authority Resource Management

Implementation Model RAM2 RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù x & RAM2 RAM1 CNode1

Deleting a CNode ﬁrst deletes (revokes) its contents.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and X K Delegation Types of Authority Resource Management

Implementation Model RAM2 RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù x & RAM2 RAM1 CNode1

Revoking RAM2 deletes RAM1.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and K Delegation Types of Authority Resource Management

Implementation Model RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù & RAM2 RAM1 CNode1

Delete starts bottom up. This RAM2 cap is safe to delete.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems × seL4 & Barrelﬁsh CNode1 RAM2 Authorisation and ? Delegation Types of Authority Resource Management

Implementation Model RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x x CNode1 RAM2 Questions Ù & RAM2 RAM1 CNode1

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

CNode1 Authorisation and i Delegation Types of Authority Resource Management

Implementation Model RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x CNode1 Questions } & CNode1 RAM1

When RAM2 is destroyed, RAM1 adopts children. Now we’ve got an irreducible cycle.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

CNode1 Authorisation and i Delegation Types of Authority Resource Management

Implementation Model RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x CNode1 Questions } & CNode1 RAM1

RAM1’s revoke is ﬁnished, now delete it, but how?

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh CNode1 i Authorisation and T\ Delegation Types of Authority swap Resource Management Implementation Model RAM1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x CNode1 Questions } & CNode1 RAM1

In seL4, we swap the last two caps.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

RAM1 Authorisation and Delegation Types of Authority Resource Management

Implementation Model CNode1 Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x RAM1 Questions } & CNode1 CNode1

CNode1 can now safely be deleted.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

RAM1 Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation . Operations Usage & Results CRoot RAM1 The seL4 Proofs Applications x RAM1 Questions

Finally, RAM1 goes too.

19 / 32 Recursive Revoke & Delete Capabilities in seL4 David Cock

CRoot Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation . Operations Usage & Results CRoot The seL4 Proofs Applications

Questions

This process accidentally destroyed its whole world.

19 / 32 We’re not sure exactly how yet. We’d really like to.

• Ancestry is a tree (forest). • ∃Object → ∃Cap. • Barrelﬁsh is not identical.

Invariants Capabilities in seL4 David Cock In seL4 Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and CRoot RAM1 Delegation v ( v ( Types of Authority CNode1 RAM1 RAM3 RAM2 RAM3 Resource Management Implementation Ö v 2 $, v RAM2 Frame1 Frame2 CNode1 Frame1 Frame2 Model Representation Operations

Usage & Results The seL4 Proofs Applications

Questions

20 / 32 We’re not sure exactly how yet. We’d really like to.

• ∃Object → ∃Cap. • Barrelﬁsh is not identical.

Invariants Capabilities in seL4 David Cock In seL4 Background Microkernel Systems seL4 & Barrelﬁsh

Usage & Results The seL4 Proofs • Ancestry is a tree (forest). Applications Questions

20 / 32 We’re not sure exactly how yet. We’d really like to.

• Barrelﬁsh is not identical.

Invariants Capabilities in seL4 David Cock In seL4 Background Microkernel Systems seL4 & Barrelﬁsh

Usage & Results The seL4 Proofs • Ancestry is a tree (forest). Applications Questions • ∃Object → ∃Cap.

20 / 32 We’re not sure exactly how yet. We’d really like to.

Invariants Capabilities in seL4 David Cock In seL4 Background Microkernel Systems seL4 & Barrelﬁsh

Usage & Results The seL4 Proofs • Ancestry is a tree (forest). Applications Questions • ∃Object → ∃Cap. • Barrelﬁsh is not identical.

20 / 32 We’d really like to.

Invariants Capabilities in seL4 David Cock In seL4 Background Microkernel Systems seL4 & Barrelﬁsh

Usage & Results The seL4 Proofs • Ancestry is a tree (forest). Applications Questions • ∃Object → ∃Cap. • Barrelﬁsh is not identical. We’re not sure exactly how yet.

20 / 32 Invariants Capabilities in seL4 David Cock In seL4 Background Microkernel Systems seL4 & Barrelﬁsh

Usage & Results The seL4 Proofs • Ancestry is a tree (forest). Applications Questions • ∃Object → ∃Cap. • Barrelﬁsh is not identical. We’re not sure exactly how yet. We’d really like to.

20 / 32 Results Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation We know quite a bit already (in the Types of Authority Resource Management context of seL4). Implementation Model • Implementation proof. Representation • Integrity proof. Operations Usage & Results • The seL4 Proofs Conﬁdentiality proof. Applications • Applications of user-level Questions allocation.

21 / 32 The System is Correctly Implemented Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh Access Control Spec Confinement Authorisation and Delegation Types of Authority Resource Management

Implementation Specification Model Representation Operations

Usage & Results The seL4 Proofs Applications Haskell Design Questions Prototype

C Code

22 / 32 The System is Correctly Implemented Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation The abstract spec is all that matters now! Operations Usage & Results The seL4 Proofs Applications

Questions

23 / 32 Confinement Authority (caps) only flows along edges. Integrity Objects only modified via (transient) authority.

Authority Conﬁnement Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh T A B Send Send Send Authorisation and UNIV UNIV Delegation AEP AEP AEP Types of Authority 1 2 3 Read, Resource Management Write Recv Recv Recv Implementation Send Recv UNIV CTR EP RM R Model Representation Read, Read, UNIV Operations Write Write Usage & Results C D The seL4 Proofs Applications

Questions Figure: The Secure Access Controller

seL4 implements the take-grant model:

24 / 32 Integrity Objects only modiﬁed via (transient) authority.

Authority Conﬁnement Capabilities in seL4 David Cock

Questions Figure: The Secure Access Controller

seL4 implements the take-grant model: Conﬁnement Authority (caps) only ﬂows along edges.

24 / 32 Authority Conﬁnement Capabilities in seL4 David Cock

Questions Figure: The Secure Access Controller

seL4 implements the take-grant model: Confinement Authority (caps) only flows along edges. Integrity Objects only modified via (transient) authority.

24 / 32 • Builds on integrity proof. • No ﬂow via kernel mechanisms e.g. scheduler. • No IPC back channel (data diode).

Information Flow Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Page PD Thread Delegation Thread PD PT Types of Authority

R Resource Management SPage PT RW Thread CNode Implementation Model AsyncSend AEP CNode Recv Representation Partition 1 Partition 2 Operations

Usage & Results The seL4 Proofs Applications

Questions seL4 enforces information ﬂow policy:

25 / 32 • No ﬂow via kernel mechanisms e.g. scheduler. • No IPC back channel (data diode).

Information Flow Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Page PD Thread Delegation Thread PD PT Types of Authority

R Resource Management SPage PT RW Thread CNode Implementation Model AsyncSend AEP CNode Recv Representation Partition 1 Partition 2 Operations

Usage & Results The seL4 Proofs Applications

Questions seL4 enforces information ﬂow policy: • Builds on integrity proof.

25 / 32 • No IPC back channel (data diode).

Information Flow Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Page PD Thread Delegation Thread PD PT Types of Authority

R Resource Management SPage PT RW Thread CNode Implementation Model AsyncSend AEP CNode Recv Representation Partition 1 Partition 2 Operations

Usage & Results The seL4 Proofs Applications

Questions seL4 enforces information ﬂow policy: • Builds on integrity proof. • No ﬂow via kernel mechanisms e.g. scheduler.

25 / 32 Information Flow Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Page PD Thread Delegation Thread PD PT Types of Authority

R Resource Management SPage PT RW Thread CNode Implementation Model AsyncSend AEP CNode Recv Representation Partition 1 Partition 2 Operations

Usage & Results The seL4 Proofs Applications

Questions seL4 enforces information ﬂow policy: • Builds on integrity proof. • No ﬂow via kernel mechanisms e.g. scheduler. • No IPC back channel (data diode).

25 / 32 Lessons Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results The seL4 Proofs Applications

Questions

• Caps aren’t slow. • Strong security results are possible. • Interposability has seldom been used.

26 / 32 Capabilities in seL4

David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Questions? Representation Operations

Usage & Results The seL4 Proofs Applications

Questions

27 / 32 + Allowed user paging & delegation. − Only exposed virtual addresses. − Kernel memory not covered.

Address Spaces in L4 Capabilities in seL4 David Cock

Background L4 used hierarchical virtual address spaces, and regions Microkernel Systems were granted to descendents. seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority σ0 Resource Management Implementation Model } ! Representation σ1 σ3 Operations Usage & Results The seL4 Proofs Applications σ3 Questions

28 / 32 + Allowed user paging & delegation. − Only exposed virtual addresses. − Kernel memory not covered.

Address Spaces in L4 Capabilities in seL4 David Cock

Background L4 used hierarchical virtual address spaces, and regions Microkernel Systems were granted to descendents. seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority grant X,Y σ0 Resource Management Implementation Model } ! Representation σ1 σ3 Operations Usage & Results The seL4 Proofs Applications σ3 Questions

28 / 32 + Allowed user paging & delegation. − Only exposed virtual addresses. − Kernel memory not covered.

Address Spaces in L4 Capabilities in seL4 David Cock

Background L4 used hierarchical virtual address spaces, and regions Microkernel Systems were granted to descendents. seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority grant X,Y σ0 Resource Management Implementation Model } ! Representation σ1 σ3 Operations Usage & Results grant X The seL4 Proofs Ñ Applications σ3 Questions

28 / 32 − Only exposed virtual addresses. − Kernel memory not covered.

Address Spaces in L4 Capabilities in seL4 David Cock

Background L4 used hierarchical virtual address spaces, and regions Microkernel Systems were granted to descendents. seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority grant X,Y σ0 Resource Management Implementation Model } ! Representation σ1 σ3 Operations Usage & Results grant X The seL4 Proofs Ñ Applications σ3 Questions

+ Allowed user paging & delegation.

28 / 32 Address Spaces in L4 Capabilities in seL4 David Cock

Background L4 used hierarchical virtual address spaces, and regions Microkernel Systems were granted to descendents. seL4 & Barrelﬁsh Authorisation and Delegation Types of Authority grant X,Y σ0 Resource Management Implementation Model } ! Representation σ1 σ3 Operations Usage & Results grant X The seL4 Proofs Ñ Applications σ3 Questions

+ Allowed user paging & delegation. − Only exposed virtual addresses. − Kernel memory not covered.

28 / 32 + Allows communication control. − Static and inﬂexible. − Introduces latency. − Addresses still global.

Clans and Chiefs Capabilities in seL4 David Cock clans Threads belong to . Messages between clans go via Background chiefs. Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation chief0 Types of Authority Resource Management

Implementation z % Model chief thread0 Representation 1 Operations

Usage & Results The seL4 Proofs z % Applications thread1 thread2 Questions

29 / 32 + Allows communication control. − Static and inﬂexible. − Introduces latency. − Addresses still global.

Clans and Chiefs Capabilities in seL4 David Cock clans Threads belong to . Messages between clans go via Background chiefs. Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation chief0 Types of Authority Resource Management

Implementation z % Model chief thread0 Representation 1 k Operations

Usage & Results The seL4 Proofs z % Applications thread1 thread2 Questions

29 / 32 + Allows communication control. − Static and inﬂexible. − Introduces latency. − Addresses still global.

Clans and Chiefs Capabilities in seL4 David Cock clans Threads belong to . Messages between clans go via Background chiefs. Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation chief0 Types of Authority Resource Management

Implementation z + % Model chief thread0 Representation 1 k Operations

Usage & Results The seL4 Proofs z % Applications thread1 thread2 Questions

29 / 32 − Static and inﬂexible. − Introduces latency. − Addresses still global.

Clans and Chiefs Capabilities in seL4 David Cock clans Threads belong to . Messages between clans go via Background chiefs. Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation chief0 Types of Authority Resource Management

Implementation z + % Model chief thread0 Representation 1 k Operations

Usage & Results The seL4 Proofs z % Applications thread1 thread2 Questions

+ Allows communication control.

29 / 32 Clans and Chiefs Capabilities in seL4 David Cock clans Threads belong to . Messages between clans go via Background chiefs. Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation chief0 Types of Authority Resource Management

Implementation z + % Model chief thread0 Representation 1 k Operations

Usage & Results The seL4 Proofs z % Applications thread1 thread2 Questions

+ Allows communication control. − Static and inﬂexible. − Introduces latency. − Addresses still global.

29 / 32 • Transparently replace object cap with endpoint cap. • Server implements object semantics.

Interposability Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh client / TCB invoke c Authorisation and Delegation Types of Authority Resource Management

Implementation Model EP server Representation Operations

Usage & Results The seL4 Proofs Applications Extend system w/o modifying kernel: Questions • Syscalls are messages to objects. • Send messages by invoking caps.

30 / 32 • Server implements object semantics.

Interposability Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

client TCB Authorisation and Delegation Types of Authority Resource Management

Implementation invoke c Model . EP server Representation Operations

Usage & Results The seL4 Proofs Applications Extend system w/o modifying kernel: Questions • Syscalls are messages to objects. • Send messages by invoking caps. • Transparently replace object cap with endpoint cap.

30 / 32 Interposability Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

client TCB Authorisation and Delegation Types of Authority Resource Management

Implementation invoke c Model . EP recv / server Representation Operations

30 / 32 Design for Veriﬁcation Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

The cost of veriﬁcation is high, so Authorisation and avoid kernel changes. Delegation Types of Authority • Mechanisms as general as Resource Management Implementation possible. Model Representation • Only one primitive to reason Operations about: cap invocation. Usage & Results The seL4 Proofs • Amenable to analysis: Applications take-grant model. Questions • Highly ﬂexible resolution/sharing model: GPT.

31 / 32 Cache Colouring Capabilities in seL4 David Cock

Background Microkernel Systems seL4 & Barrelﬁsh

Authorisation and Delegation Types of Authority Resource Management

Implementation Model Representation Operations

Usage & Results The seL4 Proofs Applications Example of delegated allocation: Questions • Isolate subsystems in cache for performance or security. • Requires control of physical allocation. • Also partitions kernel memory, with no kernel changes!

32 / 32