seL4 Reference Manual and Comprehensive Formal Verification of an OS Microkernel, TOCS 2014
Discussion lead: Luke Nelson & Kaiyuan Zhang
Give an overview of the procedure for creating a new thread in seL4, including a list of objects that need to be created (and by whom).
The seL4_IA32_Page_Map system call (Sections 7.2 and 10.4.11 of the reference manual) takes the following parameters: the capability of a page, the capability of a page directory, the virtual address to map the page to, and the page access permissions and attributes. What checks do you think the seL4 kernel would have to perform to guarantee safety? For instance, how can the kernel make sure that the user space won't be able to abuse the system call to access an arbitrary page?
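To make the question concrete, here is a simplified model of the kinds of validation a capability-based kernel has to do before honouring a page-map request. This is an added example written for this discussion sheet, not seL4 source: the capability structure, the constants (page size, kernel window base), the result codes and the exact set of checks are assumptions chosen to illustrate the question, not a description of what seL4 actually does.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed constants for the model; not seL4's values. */
#define PAGE_SIZE   4096u
#define KERNEL_BASE 0xE0000000u   /* assumed start of the kernel's own window */

enum cap_type { CAP_NULL, CAP_FRAME, CAP_PAGE_DIR };
enum { RIGHT_READ = 1u, RIGHT_WRITE = 2u };

/* Hypothetical capability: what the holder may do with one kernel object. */
struct cap {
    enum cap_type type;
    unsigned rights;     /* access rights the holder has on a frame */
    bool is_mapped;      /* frames: already placed in some address space? */
    bool has_asid;       /* page directories: attached to a live address space? */
};

enum map_result { MAP_OK, MAP_INVALID_CAP, MAP_INVALID_ARG,
                  MAP_ALREADY_MAPPED, MAP_NO_ASID };

/* Validate a Page_Map request; only on success is the frame recorded as mapped. */
enum map_result check_page_map(struct cap *frame, const struct cap *pd,
                               uint32_t vaddr, unsigned rights)
{
    /* 1. The caller names objects only through capabilities it holds, and each
     *    must be of the expected kind; there is no way to pass a raw address. */
    if (frame->type != CAP_FRAME || pd->type != CAP_PAGE_DIR)
        return MAP_INVALID_CAP;
    /* 2. The page directory must belong to a live address space. */
    if (!pd->has_asid)
        return MAP_NO_ASID;
    /* 3. The mapping must be page aligned and stay below the kernel window,
     *    so user space can never alias kernel memory. */
    if (vaddr % PAGE_SIZE != 0 || vaddr >= KERNEL_BASE)
        return MAP_INVALID_ARG;
    /* 4. Requested rights may not exceed the rights the frame cap grants
     *    (this model rejects; silently masking them down is another design). */
    if ((rights & ~frame->rights) != 0)
        return MAP_INVALID_ARG;
    /* 5. A frame that is already mapped must be unmapped first, so the kernel's
     *    record of where every frame lives stays accurate for later revocation. */
    if (frame->is_mapped)
        return MAP_ALREADY_MAPPED;
    frame->is_mapped = true;
    return MAP_OK;
}
```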
How does seL4 guarantee the correctness of virtual memory operations even though the kernel itself runs under virtual memory? For example, how do they guarantee that a dereference of a pointer in the kernel does not cause a fault?
List any questions or comments you had when reading the paper.