Towards Proving Security in the Presence of Large Untrusted Components
This paper proposes a generalized framework to build large, complex systems where security guarantees can be given for the overall systems implementation. The paper builds on the formally proven correct seL4 microkernel and on its fine-grained access control. This access control mechanism allows large untrusted components to be isolated in a way that prevents them from violating a defined security property, leaving only the trusted components to be formally verified. The first steps of the approach are illustrated by the formalisation of a multilevel secure access device and a proof in Isabelle/HOL that information cannot flow from one back-end network to another.