Reasoning About Information Flow Security of Separation Kernels with Channel-based Communication
Yongwang Zhao, David Sanán, Fuyuan Zhang, Yang Liu

TL;DR
This paper formally specifies and verifies the security of separation kernels with ARINC 653 channel-based communication, identifying and fixing security flaws to enhance information flow security assurance.
Contribution
It introduces the first formal specification and security verification of ARINC 653 separation kernels, revealing and correcting security flaws in the standard.
Findings
Identified security flaws in ARINC 653 standard causing information leakage
Provided formal security proofs for separation kernels in Isabelle/HOL
Validated security flaws in open-source ARINC 653 kernels
Abstract
Assurance of information flow security by formal methods is mandated in the security certification of separation kernels. ARINC 653 is the industrial standard for separation kernels, and mainstream separation kernels comply with it. The security of the functionalities defined in ARINC 653 is therefore very important for the development and certification of separation kernels. This paper presents the first effort to formally specify and verify separation kernels with ARINC 653 channel-based communication. We provide a reusable formal specification and security proofs for separation kernels in Isabelle/HOL. While reasoning about information flow security, we find security flaws in the ARINC 653 standard that can cause information leakage, and we fix them in our specification. We also validate the existence of these security flaws in two open-source ARINC 653 compliant separation kernels.
Taxonomy
Topics: Security and Verification in Computing · Cloud Data Security Solutions · Advanced Malware Detection Techniques
