The seL4® microkernel is a cost-effective, open source foundation for building products on a trusted software base. DornerWorks, an inaugural member of the seL4 Foundation, accelerates the integration of seL4 as that trusted software base for your product.
3. Is this actually secure?
Problem
The traditional approach combines a very detailed design with penetration testing.
• This often leads to a long development cycle: design, develop, penetration test, design fixes for the bugs and vulnerabilities found, develop, penetration test again, and so on.
• Even once the product is ready for release, security vulnerabilities and bugs are often still discovered.
• The result is long-term maintenance and frequent security patches for customers, leaving them to ask, "Is this actually secure?"
5. The Proof
What does the formal proof of the seL4 microkernel accomplish?
The binary code of the seL4 microkernel correctly implements the behavior described in its abstract specification and nothing more. This is important because it means that the following can't occur in the kernel:
• Undefined behavior
• Buffer overflows
• Null pointer dereferences (pointer errors)
• Arithmetic overflows and exceptions
• Memory leaks
The proof covers the kernel's own code; user-level components built on top of it (drivers, libraries, applications) are outside its scope and still need conventional scrutiny.
6. The Proof
Formally proven seL4 microkernel
The specification and the seL4 binary satisfy the classic security properties called
integrity and confidentiality.
• Integrity means that data cannot be changed without permission, and
confidentiality means that data cannot be read without permission.
• This is significant for any solution that requires extreme security and/or safety.
• These properties are the backbone for systems that rely on isolation.
• This makes seL4 an attractive solution for systems that may not have extreme security requirements, but
still want proven isolation between separate software components.
• There is no way you could make these claims without proof.
8. Verified Hardware
• The seL4 microkernel offers extreme security when deployed on a hardware platform that the verification covers.
• Data61 developed seL4 to “provide a reliable, secure, fast, and verified foundation for building trustworthy systems.”
• Verified extreme security (functional correctness plus the integrity and confidentiality proofs) on the i.MX6 SoC Sabre Lite platform.
• Functional correctness verified on the x64 PC99 (64-bit) and NVIDIA Tegra K1 TK1-SOM platforms.
• It also runs on other ARM and x86 platforms, but those ports may not be covered by the verification, so the proof guarantees do not automatically carry over.
DornerWorks has provided open source binary verification tools for the microkernel, and is expanding the seL4 ecosystem through key partnerships with organizations aligned with aerospace and defense.
10. Open Source
• Most solutions that already have a security certification carry expensive licensing costs.
• seL4 has no licensing costs and is free to use.
• The seL4 kernel is licensed under GPLv2.
• The seL4 libraries and tools are mostly licensed under BSD.
11. Open Source
• Open source software has many benefits.
• See “Open Source Software Can Enable These 9 Benefits in Your Technology Development” for more ideas: https://dornerworks.com/blog/open-source-benefits
13. seL4 Design
The proof of seL4 informs its design, so it is important to understand some of its less conventional design choices.
15. Kernel vs. User
• Kernel space and user space are well-known concepts in every operating system, but since seL4 is a microkernel it takes a specific approach.
• The kernel is kept as small as possible; components that would traditionally live in kernel space, such as device drivers, libraries, and stacks, are pushed out to user space, so a fault in one of them is confined to its own address space instead of compromising the kernel.
18. Capabilities
• Capabilities are the mechanism used to grant access to specific resources in the system.
• Capabilities form the basis of security in seL4 because the kernel tracks every capability in the capability derivation tree, and a capability is required for any operation on a kernel object.
• This prevents a malicious thread from gaining access to any resource of another thread that it has not explicitly been granted.
20. Untyped Memory
• When seL4 boots, all memory not used by the kernel itself is handed to the root thread as untyped memory.
• The application running as the root thread must “retype” this memory into other kernel objects, which can then be passed around to build up and architect the system.
• This is the building block for virtual memory spaces, capability spaces, thread control blocks, and the other kernel objects.
22. Endpoints
• Endpoints allow small amounts of data and capabilities to be transferred between two threads.
• They are invoked with seL4 system calls, in blocking and non-blocking variants.
• Both threads need a capability to the same endpoint.
23. Inter-Process Communication
• IPC is the mechanism for thread-to-thread and thread-to-kernel communication.
• Messages can be sent to an endpoint or to other kernel objects.
• It is controlled by the kernel, so data only goes where the system has been configured to send it.
• It is meant for control messages and small amounts of data. Larger data should be transferred through other means, such as shared memory.
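As an added illustration of the last four slides (capabilities, untyped memory, endpoints and IPC), here is a small C model written for this page. It is not seL4's own code: its functions (model_boot, untyped_retype, cap_mint, cap_revoke, ep_send, ep_recv) are invented stand-ins for the real seL4_Untyped_Retype, seL4_CNode_Mint, seL4_CNode_Revoke and seL4_Send/seL4_Recv calls, which need libsel4 and a running kernel. The model keeps the points that matter for security: a capability is the only handle to a kernel object, a minted copy can drop rights but never gain them, the badge on the sender's cap identifies the sender to the receiver, and revoking a cap takes back everything derived from it through the capability derivation tree.

```c
/* Added model, not seL4's own code or API: a flat CSpace, untyped memory retyped
 * into kernel objects, a CDT for revocation, and a badged endpoint. All names invented. */
#include <stdio.h>
#include <string.h>

enum { MAX_OBJECTS = 16, MAX_SLOTS = 32, MSG_LEN = 32 };
enum obj_type { OBJ_UNTYPED, OBJ_ENDPOINT, OBJ_TCB };
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_GRANT = 4 };

typedef struct {
    enum obj_type type;
    size_t size, used;           /* untyped: bytes already carved out */
    int pending; unsigned badge; /* endpoint: a queued message and its sender's badge */
    char msg[MSG_LEN];
} kobject;

typedef struct {
    int object;                  /* index into objects; -1 marks an empty slot */
    unsigned rights, badge;
    int parent;                  /* CDT parent slot; -1 for an original cap */
} cap_slot;

static kobject objects[MAX_OBJECTS];
static cap_slot cspace[MAX_SLOTS];
static int n_objects;
static int slot_ok(int s) { return s >= 0 && s < MAX_SLOTS && cspace[s].object >= 0; }
static int slot_alloc(int object, unsigned rights, unsigned badge, int parent) {
    for (int i = 0; i < MAX_SLOTS; i++)
        if (cspace[i].object < 0) { cspace[i] = (cap_slot){ object, rights, badge, parent }; return i; }
    return -1;
}

/* Boot: memory the kernel does not need becomes one untyped object; the root thread gets the only cap. */
int model_boot(size_t free_bytes) {
    n_objects = 0;
    for (int i = 0; i < MAX_SLOTS; i++) cspace[i].object = -1;
    objects[n_objects] = (kobject){ OBJ_UNTYPED, free_bytes, 0, 0, 0, "" };
    return slot_alloc(n_objects++, RIGHT_READ | RIGHT_WRITE | RIGHT_GRANT, 0, -1);
}

/* Carve a kernel object out of untyped memory. Its cap is a CDT child of the untyped cap. */
int untyped_retype(int ut_slot, enum obj_type type, size_t bytes) {
    if (!slot_ok(ut_slot) || n_objects >= MAX_OBJECTS) return -1;
    kobject *ut = &objects[cspace[ut_slot].object];
    if (ut->type != OBJ_UNTYPED || ut->used + bytes > ut->size) return -1;
    ut->used += bytes;
    objects[n_objects] = (kobject){ type, bytes, 0, 0, 0, "" };
    return slot_alloc(n_objects++, RIGHT_READ | RIGHT_WRITE | RIGHT_GRANT, 0, ut_slot);
}

/* Derive a cap with a subset of the source rights plus a badge. Rights can only be
 * dropped, never added, so a copy handed to a less trusted thread cannot widen its access. */
int cap_mint(int src, unsigned rights, unsigned badge) {
    if (!slot_ok(src) || (rights & ~cspace[src].rights)) return -1;
    return slot_alloc(cspace[src].object, rights, badge, src);
}

/* Delete the whole CDT subtree below `slot` (the cap itself stays); returns caps removed. */
int cap_revoke(int slot) {
    int removed = 0;
    for (int i = 0; i < MAX_SLOTS; i++)
        if (cspace[i].object >= 0 && cspace[i].parent == slot) {
            removed += cap_revoke(i) + 1;            /* children first, then this cap */
            cspace[i].object = cspace[i].parent = -1;
        }
    return removed;
}

/* Send on an endpoint. The kernel checks the cap, not who the caller is: no Write right
 * in the slot, no send. The cap's badge travels with the message. One message is queued. */
int ep_send(int slot, const char *msg) {
    if (!slot_ok(slot)) return -1;
    kobject *ep = &objects[cspace[slot].object];
    if (ep->type != OBJ_ENDPOINT || !(cspace[slot].rights & RIGHT_WRITE) || ep->pending) return -1;
    ep->pending = 1;
    ep->badge = cspace[slot].badge;
    snprintf(ep->msg, MSG_LEN, "%s", msg);
    return 0;
}

int ep_recv(int slot, char *out, size_t out_len, unsigned *badge) {
    if (!slot_ok(slot)) return -1;
    kobject *ep = &objects[cspace[slot].object];
    if (ep->type != OBJ_ENDPOINT || !(cspace[slot].rights & RIGHT_READ) || !ep->pending) return -1;
    ep->pending = 0;
    *badge = ep->badge;
    snprintf(out, out_len, "%s", ep->msg);
    return 0;
}

int main(void) {
    int ut = model_boot(1 << 20), ep = untyped_retype(ut, OBJ_ENDPOINT, 64);
    int client = cap_mint(ep, RIGHT_WRITE, 42);      /* send-only cap carrying badge 42 */
    char buf[MSG_LEN]; unsigned badge = 0;
    ep_send(client, "hello"); ep_recv(ep, buf, sizeof buf, &badge);
    printf("server got \"%s\" via badge %u\n", buf, badge);
    int removed = cap_revoke(ep);                    /* root takes the client's cap back */
    printf("revoked %d cap(s); client send now returns %d\n", removed, ep_send(client, "again"));
    return 0;
}
```

The scenario in main is the usual server/client pattern: the root thread retypes an endpoint out of its untyped memory, mints a write-only badged cap for a client, and later revokes it. Note what a client cannot do in this model: it cannot mint itself a cap with more rights than it holds, it cannot receive on a send-only cap, and once its cap is revoked its next send fails without the server having to do anything.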
25. seL4 Kernel API
• To take advantage of the isolation and security properties offered by seL4, a system designer must use the API correctly. To build a secure system:
• Use the primitives and mechanisms the seL4 kernel makes available.
• Develop applications that adhere to the seL4 system API.
• Circumventing the API negates the proof: the guarantees apply only to interactions that go through the kernel's mechanisms.
27. Architecting
• At this point you can create isolated environments and dole out access to seL4 resources and mechanisms directly, but there are also tools that let a system designer focus on higher-level concepts:
• Data61 has developed CAmkES (Componentized Architecture for microkernel Embedded Systems), which lets you think about your system as isolated components and the connections between them.
• DornerWorks can help you architect a system with either approach and has experience porting applications running on FreeRTOS to CAmkES.
29. Extreme Security
With mathematical proof
• Stay ahead of costly, brand-damaging cyber threats.
• DornerWorks will help you fill in the gaps to enhance your security story.
seL4 Center of Excellence
• Members: DornerWorks, Intelligent Automation, Inc. and US DARPA
• Mission: build up the seL4 ecosystem with an avenue for defense-focused product developers to
work with a US-based company on implementing seL4 into their system.
31. seL4 Communities
Join us and expand the seL4 ecosystem
LinkedIn
• seL4 Microkernel Development and Engineering
seL4 mailing list
• https://sel4.systems/lists/listinfo/
COMING SOON
• seL4 discourse group
• seL4 JIRA