Skip to main content


A verified shared capability model


Andrew Boyton




This paper presents a high-level access control model of the seL4 microkernel. We extend an earlier formalisation by Elkaduwe et al with non-determinism, explicit sharing of capability storage, and a delete-operation for entities. We formally prove that this new model can enforce system-global security policies as well as authority confinement. By treating sharing explicitly in the abstract access control model we simplify considerably the refinement proof towards the seL4 implementation. To our knowledge this is the first machine-checked access control model with explicit sharing of authority.

BibTeX Entry

    author           = {Boyton, Andrew},
    month            = oct,
    year             = {2009},
    keywords         = {shared capabilities, interactive theorem proving},
    title            = {A Verified Shared Capability Model},
    booktitle        = {Systems Software Verification},
    pages            = {25--44},
    address          = {Aachen, Germany}


Served by Apache on Linux on seL4.