Skip to main content


A verified shared capability model


Andrew Boyton




This paper presents a high-level access control model of the seL4 microkernel. We extend an earlier formalisation by Elkaduwe et al with non-determinism, explicit sharing of capability storage, and a delete-operation for entities. We formally prove that this new model can enforce system-global security policies as well as authority confinement. The motivation for dealing with sharing explicitly in the high-level, abstract access control model is to simplify the refinement proof towards the seL4 implementation considerably. To our knowledge this is the first formal, machine-checked access control model with explicit sharing of authority.

BibTeX Entry

    author           = {Boyton, Andrew},
    month            = oct,
    year             = {2009},
    keywords         = {shared capabilities, interactive theorem proving},
    title            = {A Verified Shared Capability Model},
    booktitle        = {Systems Software Verification},
    pages            = {25--44},
    address          = {Aachen, Germany}


Served by Apache on Linux on seL4.