For context, the Apple Secure Enclave chips run an NICTA L4-based microkernel, albeit not SeL4 specifically as far as I know (given the Secure Enclave launched in 2006 and NICTA released SeL4 in 2014). I wonder if this indicates plans to adopt SeL4?
SeL4 is extremely cool technology. It has been formally proven to be bug-free against its specification, which massively simplifies the development of high-security high-reliability systems. I feel like there’s a lot more development to be seen in this space.
What product from 2006 did it come with? My understanding was that the Secure Enclave came out with the iPhone 5s in 2013 (still before 2014, so your point stands, I’m just curious).
Maybe I'm naive but why do these small single-purpose chips need kernels? Ease of development? Their use-cases sometimes seem trivial enough for a simple finite state machine.
It depends on how much code runs on it. After a certain scale you want better tolerance for failures by isolating those failures. Team structure can also play a role.
The binary code of the ARM and RISCV64 versions of the seL4 microkernel correctly implement the behaviour described in its abstract specification and nothing more. Furthermore, the specification and the seL4 binary satisfy the classic security properties called *integrity* and *confidentiality*.
[...]
Previously, in 2009, we had only proved functional correctness between the C code of the kernel and its specification. Now we have additionally shown binary correctness, that is, the compiler and linker need not be trusted, and we have shown that the specification indeed implies strong security properties as intended.
So the specification has indeed been proven to be free of certain security bugs.
"Secure" is ambiguous, so of course they wouldn't claim X, whatever that is, is "secure". For instance, a microkernel does not provide cryptographic confidentiality, but some readers include such properties under the umbrella of "secure", so using that term would be dumb. When talking about proofs you describe the specific properties proven in a way that leaves no ambiguity.
I’m not sure If you are really convinced that’s true or it’s supposed to be understood as an exaggeration.
It is subjective, and I’ll grant it’s not the most intuitive thing to look at, but I don’t agree it’s worse than assembly. Besides the readability of the specification is not some priori limitation.
I'm not sure you should expect much development for a microkernel that has been proven to meet its specification and to be free of bugs. Microkernels are supposed to have a very small API, so there's not much development needed there unless it doesn't the specification or has other kinds of bugs, which is obviously not the case here.
By it's nature at this state (after the full proving effort is complete), any changes to the main/master branch are inherently "stable" and PRs are only accepted once they reach that state.
Hopefully they won’t be the absolute waste of time as a company that they have been on the web standards working groups. Hard to trust them at this point in any collaborative sense.
Interesting if unsurprising this is shortly after the AArch64 verification was completed.
And credit where it’s due, I know we love dumping on the national security apparatus, but the UK NCSC actually funded that work, which is a clear net win.
SeL4 is extremely cool technology. It has been formally proven to be bug-free against its specification, which massively simplifies the development of high-security high-reliability systems. I feel like there’s a lot more development to be seen in this space.