
SeL4 Design Principles - snvzz
https://microkerneldude.wordpress.com/2020/03/11/sel4-design-principles/
======
oldgradstudent
Has anyone attempted attacking SeL4 seriously? What were the results?

Having some experience with formal verification, I have a deep mistrust of the
proofs.

It is so easy to mistake a proof of the property you want for a proof of a
property you've written, or even one with a minor misstatement of the environment.

~~~
panpanna
What the sel4 people have achieved is to separate a very small part of the OS
and verify it (supposedly - there are some arguments over this).

But is the entire _system_ secure if you use sel4?

Not necessarily. In fact it may be less secure than vanilla Linux because (1)
you need to implement more yourself, (2) the distributed approach makes your
system more susceptible to certain classes of vulnerabilities (e.g. higher
risk of race conditions), and (3) the sel4 security proofs apply to a very
specific environment and usage, and you could unknowingly break any one of
them.

~~~
snvzz
seL4 does very little, but it provides the fundamental pieces that a secure
system can be built on. The capability model maps very well to this problem
space.

Trying to build a secure system on a kernel that is not secure is a hopeless
effort. An example of such a kernel is Linux, with over a million LoC running in
supervisor mode. There's no use trying to make that secure. It only takes a
single bug in Linux's code to compromise the whole.

~~~
panpanna
Linux is not running millions of lines of code; this is a very dishonest
statement!

The Linux core is very small. The millions of lines are mainly drivers and
support for different architectures.

You can compile a minimal Linux kernel (there is even a kernel configuration
for that) and put certain drivers in user-space. Still not as small as sel4,
but quite close to its commercial siblings.

~~~
indolering
> Linux is not running millions of lines of code ... the millions of lines are
> mainly drivers and support for different architectures.

But it's pretty easy to reach into the kernel and access buggy drivers and
plenty of other non-essential kernel code (file systems, networking, SMB,
etc).

> You can compile a minimal Linux kernel (there is even a kernel configuration
> for that) and put certain drivers in user-space. Still not as small as sel4,
> but quite close to its commercial siblings.

But it still means that any exploit in driver code == total system compromise.

------
akavel
For "higher level abstraction layers" improving the "ease of use" mentioned in
the article, see e.g. [https://genode.org/](https://genode.org/) (not
affiliated, just a fan)

~~~
snvzz
And if you want to try it, it's a good time to, as they have just released a
new version of Sculpt, a general-purpose system built on Genode.

