The document discusses the importance of a trustworthy operating system kernel, specifically the seL4 microkernel, which is designed for military-grade security and provable correctness. It highlights the challenges of software vulnerabilities in automotive systems and emphasizes the need for isolation and strong access control to ensure system trustworthiness. The document also compares seL4 with other operating systems and explores its integration with existing systems for enhanced security.

1. h"ps://sel4.systems
The Open-Source seL4 Kernel
Military-Grade Security Through Mathema@cs
Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser
Trustworthy Systems | Data61
Linaro Connect SFO’17

2. Car Hacking – What’s Behind?
Linaro Connect SFO'17 2 |
Engine
Control
etc
Sensor
Networking for:
• Entertainment
• Connected car
• Safety (@re pressure…)
• Maintenance (OTA upgrades)
Infotainment
etc
No security
whatsoever
on CAN bus!

3. Challenge of Networking
Linaro Connect SFO'17 3 |
Networking creates remote a"ack opportuni@es
• from passengers (wifi, Bluetooth)
• from nearby cars (wifi, Bluetooth) –
drive-by shoo@ng, spread of viruses
• from anywhere (cellular)
A"ack vectors:
• Insecure protocols
• Reusing crypto keys
• Soaware vulnerabili@es

4. Soaware Vulnerabili@es
System Complexity
Dependabilty, Security
Complexity Drivers
• Features/func@onality
• Legacy reuse
Linaro Connect SFO'17 4 |
Soaware-engineering rule of thumb:
• 1–5 bugs per 1,000 lines of quality code
Bluetooth protocol stack:
Mul@ple 100,000 lines
Linux kernel:
Tens of millions lines

5. Linux “Security”
Linaro Connect SFO'17 5 |
Soaware will break
The enemy will be on the plahorm!

6. OK, So Let’s Patch Regularly
Linaro Connect SFO'17 6 |
10M LOC
10k bugs
1 known vulnerability
10M LOC
10k bugs
10M LOC
10k-1 bugs
Patch
Patch-and-Pray: A losing proposi@on

7. • Imposes overhead (SWaP) or
• Runs on vulnerable OS ⇒ worthless if OS compromised
• Even more code – may increase a"ack surface
• No help for valid messages that trigger bugs in soaware
So, Let’s Use Firewalls!
Linaro Connect SFO'17 7 |
Engine
Control
etc
Sensor
Infotainment
etc
Firewalls treat symptoms,
not causes of problems!

8. • Runs on vulnerable OS ⇒ worthless if OS compromised
• Even more code – may increase a"ack surface
• Can only detect that system is already compromised
Let’s Use AI to Detect Compromise!
Linaro Connect SFO'17 8 |
Engine
Control
etc
Sensor
Infotainment
etc
Intrusion detec@on:
admission of defeat

9. Fundamental Security Requirement: Isola@on
Enforced by
trustworthy
separa@on
kernel
Processor
Uncri@cal/
untrusted
Sensi@ve/
cri@cal/
trusted
Strong
Isola@on
Communica@on
subject to global
security policy
Linaro Connect SFO'17 9 |

10. Claim:
A system must be considered untrustworthy unless
proved otherwise!
Corollary [with apologies to Dijkstra]:
Tes@ng, code inspec@on, etc. can only show
lack of trustworthiness!
Linaro Connect SFO'17 10 |
Trustworthiness: Can We Rely on Isola@on?
A system is trustworthy if and only if:
• it behaves exactly as it is specified,
• in a timely manner,
• while ensuring secure execution

11. Provably Secure Opera@ng System
Linaro Connect SFO'17 11 |
Small,
fast,
capability-based,
operating system kernel
World’s fastest (5–10X faster)
operating system designed for
security and safety
➡
Suitable for real-world deployment
~10,000 lines of C and ASM code
➡
Small attack surface,
Amenable to full verification
Code that runs in privileged mode of
the hardware
➡︎
Most critical part
Non-kernel code can only access
resources and communication
channels if explicitly authorised
with a per-object access token
(capability)
➡︎
• Confined damage
• Least privilege
ThreadsIPCVM
seL4
access control
components
hardware
Privileged mode
Unprivileged mode

12. L3→L4 “X” Hazelnut Pistachio
L4/Alpha
L4/MIPS
OKL4-µKernel
OKL4-Microvisor
Codezero
P4 → PikeOS
Fiasco Fiasco.OC
L4-embed.
Nova
GMD/IBM/Karlsruhe
UNSW/NICTA
Dresden
Other (commercial)
OK Labs
L4Re
20+ Years of L4 Microkernel R&D
June'17 12 |
API Inheritance
Code Inheritance
93 94 95 96 97 98 99 00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15
seL4: The latest (and most advanced)
member of the L4 microkernel family
Qualcomm
modem chips
iOS security
processor

13. Integrity
Abstract
Model
C Imple-
menta@on
Confiden-
@ality
Availability
Binary code
Proof Proof Proof
Func@onal
correctness
[SOSP’09]
Isola@on proper@es
[ITP’11, S&P’13]
Transla@on
correctness
[PLDI’13]
Exclusions (at present):
§ Ini@alisa@on
§ Low-level MMU model
§ caches
§ Mul@core
§ Covert >ming channels
Worst-case
execu@on @me
[RTSS’11, RTAS’16]
Provably impossible:
§ buffer overflow
§ null-pointer dereference
§ code injec@on
§ memory leaks
§ kernel crash
§ undefined behaviour
§ privilege escala@on
Proving Trustworthiness of seL4
Linaro Connect SFO'17 13 |

14. How Does seL4 Compare?
Linaro Connect SFO'17 14 |
Feature seL4 Other hypervisors, RTOSes,
separation kernels
Performance Fastest 2–10 × slower
Functional
correctness
Proved No Guarantee
Isolation Proved No Guarantee
Worst-case
latency bounds
Sound &
complete
Estimates only
Storage channel
freedom
Proved No Guarantee
Timing channel
prevention
Low overhead None or High Overhead
Mixed-criticality
support
Fully supported,
high utilisation
Limited, resource-wastive

15. Virtualisa@on
COMP9242 S2/2017 W04
guest OS
Guest apps VMM
Syscall
Hypercall Excep@on IPC
VM
User
Kernel
Hyp
guest OS
Guest apps VMM
VM

16. Uncri@cal/
untrusted
Security by Architecture
Linaro Connect SFO'17 16 |
Cri@cal
control
Uncri@cal/
untrusted
Linux
Apps
Apps
Apps
Device
driver
Virtual
machine
for legacy
Extract
cri@cal bits,
run na@ve
NW
stack
Cyber-retrofit!
Incremental
process: migrate
in pieces

17. Real-World Example: DARPA HACMS
Boeing Unmanned Li"le Bird
US Army Autonomous Trucks
TARDEC GVR-Bot SMACCMcopter
Research Vehicle
Retrofit
exis@ng
system!
Retrofit
exis@ng
system!
Develop
technology
Linaro Connect SFO'17 17 |

18. Example: Communica@ng Processes
June'17 18 |
Thread-ObjectA
CNodeA1
EP
Thread-ObjectB
CNodeB1
CNodeA2
VSpace
VSpace
CSpace CSpace
Send
Receive
PD
APTA1
FRAME
FRAME
...
...
...
...
...
...
CONTEXT
CONTEXT
A B
Communica@on
endpoint (port)

19. Component Middleware: CAmkES
June'17 19 |

20. 3
(

21. 3 *$8(-
3 ()))
component
connector
interface
Higher-level abstrac@ons of
low-level seL4 constructs

22. Example: Simplified HACMS UAV
June'17 20 |
Radio
Driver
Crypto
CAN
Driver
Data
Link
Uncri@cal/
untrusted
Uncri@cal/untrusted,
contained
Linux
Camera
Wifi

23. Enforcing the Architecture
Linaro Connect SFO'17 21 |
Architecture
specifica@on
language
A
CNode EP CNode
CSpace CSpace
Send
Receive
...
...
CONTEXT
CONTEXT
VSpace
component
code
+
CAmkES
capDL
glue
code
+ proof
initialised system + proof
+ proof
Thread
Object
Thread
Object
VSpace
A B
B
Low-level access rights
init.c
driver.c VMM.c glue.c
Compiler/
Linker
binary
Radio
Driver
Crypto
CAN
Driver
Data
Link
Uncri@cal/
untrusted
Uncri@cal/
untrusted,
contained
Linux
Camer
a
Wi
fi

24. Binary
Analysis
Tools
Open-Source Architecture Analysis
LCA'16 Geelong 22 |
Generate Generate CAmkES
Component
Descrip@on .h, .c
Glue
Code
Eclipse-
based IDE
Design AADL
Architecture Analysis
Descrip@on Language
Safety ✔

25. Military-Grade Security
Linaro Connect SFO'17 23 |
Cross-Domain Desktop Compositor
Mul@-level secure terminal
• Successful defence trial in AU
• Evaluated in US, UK, CA
• Formal security evalua@on soon
Pen10.com.au crypto
communica@on device undergoing
formal security evalua@on in UK

26. Contribu@ons
Linaro Connect SFO'17 24 |
Review
Pull request or
patch on mailing list