Skip to main content


Towards proving security in the presence of large untrusted components


June Andronick, David Greenaway and Kevin Elphinstone




This paper proposes a generalized framework to build large, complex systems where security guarantees can be given for the overall system's implementation. The work builds on the formally proven correct seL4 microkernel and on its fine-grained mandatory access control. This access control mechanism allows large untrusted components to be isolated in a way that prevents them from violating a defined security property, leaving only the trusted components to be formally verified. The first steps of the approach are illustrated by the formalisation of a multilevel secure access device and a proof in Isabelle/HOL that information cannot flow from one back-end network to another.

BibTeX Entry

    publisher        = {USENIX},
    author           = {Andronick, June and Greenaway, David and Elphinstone, Kevin},
    month            = {oct},
    editor           = {{Ralf Huuck, Gerwin Klein, Bastian Schlich}},
    year             = {2010},
    title            = {Towards proving security in the presence of large untrusted components},
    booktitle        = {Systems Software Verification},
    pages            = {9},
    address          = {Vancouver, Canada }