Enable Enhanced Security with the seL4 Microkernel
An introduction to seL4

Getting Started
Visit DornerWorks.com/sel4-microkernel
• Learn more about seL4
• Get the source code
Problem
Is this actually secure?
The traditional approach combines very detailed design with penetration testing.
• This often leads to a long development cycle: design, develop, pen test, design fixes for the
bugs and vulnerabilities found, develop, pen test again, and so on.
• Even after the product is ready for release, security vulnerabilities and bugs are still
discovered.
• The result is long-term maintenance and frequent security patches for customers, leaving
them to ask, "Is this actually secure?"
Solution
Formally proven seL4 microkernel
The Proof
What does the formal proof of the seL4 microkernel accomplish?
The binary code of the seL4 microkernel correctly implements the behavior described in its abstract
specification, and nothing more. This is important because it means the following cannot occur in
the kernel:
• Undefined behavior
• Buffer overflows
• Null pointer dereferences (pointer errors)
• Arithmetic overflows and exceptions
• Memory leaks
The guarantee covers the kernel itself. User-level components (drivers, stacks, applications) are
outside the proof and still have to be designed, reviewed, and tested in the usual way.
The specification and the seL4 binary also satisfy the classic security properties of
integrity and confidentiality.
• Integrity means that data cannot be changed without permission, and
confidentiality means that data cannot be read without permission.
• This is significant for any solution that requires extreme security and/or safety.
• These properties are the backbone for systems that rely on isolation.
• This also makes seL4 attractive for systems that may not have extreme security requirements but
still want proven isolation between separate software components.
• There is no way you could make these claims without proof.
Verified Hardware
Make the most of seL4
• The seL4 microkernel offers its strongest guarantees when deployed on a hardware platform that
its proofs cover. The proofs take the hardware as given: they assume it behaves according to its
model, so the platform is not itself verified.
• Data61 developed seL4 to "provide a reliable, secure, fast, and verified foundation for building
trustworthy systems."
• Full verification, including the integrity and confidentiality properties, on the i.MX6 SoC
Sabre Lite platform.
• Functional correctness proofs on the x64 PC99 (64-bit) and NVIDIA Tegra K1 TK1-SOM platforms.
• seL4 also builds and runs on other ARM and x86 platforms, but the proofs may not apply to those
configurations.
DornerWorks has provided open
source binary verification tools for
the microkernel, and is expanding
the seL4 ecosystem through key
partnerships with organizations
aligned with aerospace and defense.
Open Source
• Most solutions that already have a security certification carry expensive licensing costs.
• seL4 has no licensing costs and is free to use.
• The seL4 kernel is licensed under GPLv2.
• The seL4 libraries and tools are mostly licensed under BSD.
• Open source software has many benefits. See "Open Source Software Can Enable These 9 Benefits
in Your Technology Development" for more ideas:
https://dornerworks.com/blog/open-source-benefits
seL4 Design
The proof of seL4 informs its design, so it is important to understand some of its less
conventional design decisions.
Kernel vs. User
• Kernel space and user space are well-known concepts in every operating system, but seL4 takes
the microkernel approach.
• The kernel is kept as small as possible, and components that would traditionally live in kernel
space (device drivers, libraries, and protocol stacks) are pushed out to user space.
• Each of these components runs in its own address space with only the capabilities it was given,
so a bug or compromise in, say, a device driver cannot corrupt the kernel or reach components it
holds no capability to. The one hardware caveat is DMA: a DMA-capable device can bypass
address-space isolation unless an IOMMU/SMMU confines it.
Capabilities
• Capabilities are the mechanism used to grant access to specific resources in the system: an
unforgeable token, held in a thread's capability space, that names a kernel object and the rights
(such as read, write, grant) the holder has to it.
• Capabilities form the basis of security in seL4 because the kernel tracks every capability in
the capability derivation tree, and a capability is required for any operation on a kernel object.
• Rights can only be reduced when a capability is copied or minted, never added, and revoking a
capability also revokes everything derived from it.
• This prevents a malicious thread from gaining access to any resource it has not explicitly been
given a capability to.
Untyped Memory
• When seL4 boots, all memory not used by the kernel itself is handed to the root thread as
Untyped capabilities.
• The application running as the root thread must retype this memory into other kernel objects,
which can then be passed around to build up and architect the system.
• This is the building block for virtual memory spaces, capability spaces, thread control blocks,
endpoints, and all other kernel objects. The kernel never allocates memory on its own behalf, so
kernel memory use is decided entirely by the system designer, and one component cannot exhaust
kernel memory that another depends on.
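The capability derivation tree the Capabilities and Untyped Memory slides describe, as an added illustration that is not part of the original deck and not seL4 or libsel4 code: a small C model of the rules the kernel enforces. The object types, rights bits, flat slot table (standing in for a CSpace) and the functions boot_untyped, retype, mint, revoke and may_access are simplified stand-ins for the real Untyped_Retype, CNode_Mint and CNode_Revoke invocations; the scenario (one endpoint, a send-only client cap, a receive-only server cap, then revocation of the Untyped) is constructed for the example.

```c
/* Added model of seL4's capability derivation tree (CDT). NOT seL4/libsel4
 * code: types, rights bits and function names are simplified stand-ins for
 * Untyped_Retype, CNode_Mint and CNode_Revoke. What it preserves: every
 * access needs a cap, a derived cap never gains a right its parent lacks,
 * and revoking a cap invalidates everything derived from it. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum obj_type { OBJ_NONE, OBJ_UNTYPED, OBJ_ENDPOINT, OBJ_FRAME };

#define RIGHT_READ  0x1u   /* on an endpoint: receive */
#define RIGHT_WRITE 0x2u   /* on an endpoint: send    */
#define RIGHT_GRANT 0x4u   /* may transfer caps in a message */
#define RIGHTS_ALL  (RIGHT_READ | RIGHT_WRITE | RIGHT_GRANT)
#define MAX_CAPS 32
#define NO_CAP   (-1)

struct cap {
    enum obj_type type;   /* kind of kernel object the cap names      */
    unsigned      rights; /* subset of RIGHTS_ALL                      */
    int           parent; /* CDT parent slot, or NO_CAP for a root cap */
    bool          valid;  /* cleared when an ancestor is revoked       */
};

static struct cap cdt[MAX_CAPS];
static int next_slot;

static int alloc_slot(enum obj_type t, unsigned rights, int parent) {
    if (next_slot >= MAX_CAPS) return NO_CAP;
    cdt[next_slot] = (struct cap){ t, rights, parent, true };
    return next_slot++;
}

/* Boot: the root thread receives a cap to all memory the kernel does not use. */
static int boot_untyped(void) {
    memset(cdt, 0, sizeof cdt);
    next_slot = 0;
    return alloc_slot(OBJ_UNTYPED, RIGHTS_ALL, NO_CAP);
}

/* Retype: only a valid Untyped cap can create a new object; the new object's
 * cap becomes a CDT child of the Untyped it was carved from. */
static int retype(int untyped, enum obj_type t) {
    if (untyped < 0 || !cdt[untyped].valid || cdt[untyped].type != OBJ_UNTYPED) return NO_CAP;
    if (t == OBJ_NONE || t == OBJ_UNTYPED) return NO_CAP;
    return alloc_slot(t, RIGHTS_ALL, untyped);
}

/* Mint: derive a copy with a reduced rights mask. Requesting a right the
 * source lacks is refused, so rights can only shrink down the tree. */
static int mint(int src, unsigned rights) {
    if (src < 0 || !cdt[src].valid) return NO_CAP;
    if ((rights & ~cdt[src].rights) != 0u) return NO_CAP;
    return alloc_slot(cdt[src].type, rights, src);
}

/* Revoke: invalidate every descendant of `slot`; the slot itself is kept. */
static void revoke(int slot) {
    for (int i = 0; i < next_slot; i++) {
        if (cdt[i].valid && cdt[i].parent == slot) {
            revoke(i);
            cdt[i].valid = false;
        }
    }
}

/* The check the kernel makes on every invocation: a valid cap of the right
 * object type, carrying the right(s) the operation needs. */
static bool may_access(int slot, enum obj_type t, unsigned needed) {
    return slot >= 0 && slot < next_slot && cdt[slot].valid &&
           cdt[slot].type == t && (cdt[slot].rights & needed) == needed;
}

/* Constructed scenario; returns how many of the six expected outcomes held. */
static int scenario(void) {
    int ok = 0;
    int ut = boot_untyped();
    int ep = retype(ut, OBJ_ENDPOINT);
    int tx = mint(ep, RIGHT_WRITE);                   /* client: send only    */
    int rx = mint(ep, RIGHT_READ);                    /* server: receive only */
    ok += may_access(tx, OBJ_ENDPOINT, RIGHT_WRITE);  /* client may send        */
    ok += !may_access(tx, OBJ_ENDPOINT, RIGHT_READ);  /* ...but may not receive */
    ok += mint(tx, RIGHT_READ) == NO_CAP;             /* cannot regain Read     */
    ok += retype(ep, OBJ_FRAME) == NO_CAP;            /* only Untyped retypes   */
    revoke(ut);                                       /* tear down subsystem    */
    ok += !may_access(ep, OBJ_ENDPOINT, RIGHT_READ) && !may_access(rx, OBJ_ENDPOINT, RIGHT_READ);
    ok += may_access(ut, OBJ_UNTYPED, RIGHT_WRITE);   /* Untyped reusable       */
    return ok;
}

int main(void) {
    printf("%d/6 CDT invariants held\n", scenario());
    return 0;
}
```

Build with `cc -std=c99 cdt_model.c -o cdt_model && ./cdt_model`. The point of the revoke step is the one practitioners most often miss: because every object is carved from an Untyped and recorded as its CDT child, revoking the Untyped reclaims the whole subsystem at once, and the Untyped can then be retyped for something else with no leaked caps left behind.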
Endpoints & IPC
Endpoints
• Allow small amounts of data and capabilities to be transferred between two threads.
• Invoked with seL4 kernel system calls
  o Blocking (seL4_Send, seL4_Recv, seL4_Call) and non-blocking (seL4_NBSend, seL4_NBRecv) choices
• Require both threads to hold a capability to the same endpoint: the sender needs Write rights,
the receiver Read rights, and transferring capabilities inside a message additionally needs Grant.
A badge minted into the sender's capability lets the receiver identify who sent a message.
Inter-Process Communication
• The mechanism for thread-to-thread and thread-to-kernel communication.
• Every system call is a message: sent to an Endpoint it reaches another thread; sent to any other
kernel object it is an invocation of that object, serviced by the kernel.
• Controlled by the kernel, so data only goes where the capability layout allows it to go.
• Suited to small control messages. Bulk data should be moved through other means, such as a
shared memory frame mapped into both address spaces, with IPC used to signal that data is ready.
seL4 Kernel API
• To take advantage of the isolation and security properties offered by seL4, a system designer
must use the API correctly. In order to build a secure system:
• Use the primitives and mechanisms made available by the seL4 kernel
• Develop applications to adhere to the seL4 system call API
• Circumventing the API negates the proof. The guarantees hold for what the kernel does; they do
not hold for a system whose capability distribution hands a component more access than it should
have, and they say nothing about user-level code, hardware, or firmware, which lie outside the proof.
Architecting
• At this point you can create isolated environments and dole out access to seL4 resources and
mechanisms by hand, but there are other tools that help a system designer focus on high-level
concepts:
• Data61 has developed CAmkES (Component Architecture for microkernel-based Embedded Systems),
which lets you describe your system as isolated components and the connections between them and
generates the capability setup and IPC glue code from that description.
• DornerWorks can help you architect a system either way and has experience porting
applications running on FreeRTOS to CAmkES.
Extreme Security
With mathematical proof
• Stay ahead of costly, brand-damaging cyber threats
• DornerWorks will help you fill in the gaps to enhance your security story.
seL4 Center of Excellence
• Members: DornerWorks, Intelligent Automation, Inc. and US DARPA
• Mission: build up the seL4 ecosystem with an avenue for defense-focused product developers to
work with a US-based company on implementing seL4 into their system.
Keep it Going
Continue the conversation on seL4
seL4 Communities
Join us and expand the seL4 ecosystem
LinkedIn
• seL4 Microkernel Development and Engineering
seL4 mailing list
• https://sel4.systems/lists/listinfo/
COMING SOON
• seL4 discourse group
• seL4 JIRA
Thank You
616.245.8369
sales@dornerworks.com
https://dornerworks.com/
