{"id":19608666,"url":"https://github.com/sel4/l4v","last_synced_at":"2026-01-26T22:55:00.932Z","repository":{"id":18738800,"uuid":"21950486","full_name":"seL4/l4v","owner":"seL4","description":"seL4 specification and proofs ","archived":false,"fork":false,"pushed_at":"2024-04-13T10:53:20.000Z","size":87490,"stargazers_count":488,"open_issues_count":47,"forks_count":103,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-04-13T13:07:44.605Z","etag":null,"topics":["formalisation","isabelle","proof","sel4-microkernel","sel4-proofs"],"latest_commit_sha":null,"homepage":"https://sel4.systems","language":"Isabelle","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/seL4.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2014-07-17T17:08:39.000Z","updated_at":"2024-04-15T02:27:02.148Z","dependencies_parsed_at":"2024-02-09T00:01:57.577Z","dependency_job_id":"397d4baa-a1f2-46e0-bb72-8a98cb264bb2","html_url":"https://github.com/seL4/l4v","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seL4%2Fl4v","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seL4%2Fl4v/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seL4%2Fl4v/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/seL4%2Fl4v/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/seL4","download_url":"https://codeload.github.com/seL4/l4v/tar.gz
/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240898274,"owners_count":19875151,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["formalisation","isabelle","proof","sel4-microkernel","sel4-proofs"],"created_at":"2024-11-11T10:16:19.745Z","updated_at":"2026-01-26T22:54:55.889Z","avatar_url":"https://github.com/seL4.png","language":"Isabelle","readme":"\u003c!--\n     Copyright 2020, Data61, CSIRO (ABN 41 687 119 230)\n\n     SPDX-License-Identifier: CC-BY-SA-4.0\n--\u003e\n\n[![DOI][0]](http://dx.doi.org/10.5281/zenodo.591732)\n[![CI](https://github.com/seL4/l4v/actions/workflows/push.yml/badge.svg)](https://github.com/seL4/l4v/actions/workflows/push.yml)\n[![Proofs](https://github.com/seL4/l4v/actions/workflows/proof-deploy.yml/badge.svg?branch=master)](https://github.com/seL4/l4v/actions/workflows/proof-deploy.yml?query=branch%3Amaster)\n[![Weekly Clean](https://github.com/seL4/l4v/actions/workflows/weekly-clean.yml/badge.svg)](https://github.com/seL4/l4v/actions/workflows/weekly-clean.yml)\n[![External](https://github.com/seL4/l4v/actions/workflows/external.yml/badge.svg)](https://github.com/seL4/l4v/actions/workflows/external.yml)\n\nMCS:\\\n[![CI](https://github.com/seL4/l4v/actions/workflows/push.yml/badge.svg?branch=rt)](https://github.com/seL4/l4v/actions/workflows/push.yml)\n[![MCS Proofs](https://github.com/seL4/l4v/actions/workflows/proof-deploy.yml/badge.svg?branch=rt)](https://github.com/seL4/l4v/actions/workflows/proof-deploy.yml?query=branch%3Art)\n\n  [0]: 
https://zenodo.org/badge/doi/10.5281/zenodo.591732.svg\n\n\n[The L4.verified Proofs][1]\n===========================\n\nThis is the L4.verified git repository with formal specifications and\nproofs for the seL4 microkernel.\n\nMost proofs in this repository are conducted in the interactive proof\nassistant [Isabelle/HOL][2]. For an introduction to Isabelle, see its\n[official website][2] and [documentation][3].\n\n  [1]: https://github.com/seL4/l4v                   \"L4.verified Repository\"\n  [2]: https://isabelle.in.tum.de                    \"Isabelle Website\"\n  [3]: https://isabelle.in.tum.de/documentation.html \"Isabelle Documentation\"\n\n\u003ca name=\"setup\"\u003e\u003c/a\u003e\nSetup\n-----\n\nThis repository is meant to be used as part of a Google [repo][5] setup. Instead\nof cloning it directly, please follow the directions for software dependencies\nand Isabelle installation in the [setup.md](docs/setup.md) file in the `docs`\ndirectory.\n\n[5]: https://gerrit.googlesource.com/git-repo/+/HEAD/README.md\n\nContributing\n------------\n\nContributions to this repository are welcome.\nPlease read [`CONTRIBUTING.md`](CONTRIBUTING.md) for details.\n\nOverview\n--------\n\nThe repository is organised as follows.\n\n * [`docs`](docs/): documentation on conventions, style, etc.\n\n * [`spec`](spec/): a number of different formal specifications of seL4\n    * [`abstract`](spec/abstract/): the functional abstract specification of seL4\n    * [`sep-abstract`](spec/sep-abstract/): an abstract specification for a reduced\n      version of seL4 that is configured as a separation kernel\n    * [`haskell`](spec/haskell/): Haskell model of the seL4 kernel, kept in sync\n      with the C code\n    * [`machine`](spec/machine/): the machine interface of these two specifications\n    * [`cspec`](spec/cspec/): the entry point for automatically translating the seL4 C code\n      into Isabelle\n    * [`capDL`](spec/capDL/): a specification of seL4 that abstracts from 
memory content and\n      concrete execution behaviour, modelling the protection state of the\n      system in terms of capabilities. This specification corresponds to the\n      capability distribution language *capDL* that can be used to initialise\n      user-level systems on top of seL4.\n    * [`take-grant`](spec/take-grant/): a formalisation of the classical take-grant security\n    model, applied to seL4, but not connected to the code of seL4.\n\n    * There are additional specifications that are not tracked in this repository,\n      but are generated from other files:\n      * [`design`](spec/design/): the design-level specification of seL4,\n        generated from the Haskell model.\n      * [`c`](spec/cspec/c/): the C code of the seL4 kernel, preprocessed into a form that\n        can be read into Isabelle. This is generated from the [seL4 repository](https://github.com/seL4/seL4).\n\n * [`proof`](proof/): the seL4 proofs\n    * [`invariant-abstract`](proof/invariant-abstract/): invariants of the seL4 abstract specification\n    * [`refine`](proof/refine/): refinement between abstract and design specifications\n    * [`crefine`](proof/crefine/): refinement between design specification and C semantics\n    * [`access-control`](proof/access-control/): integrity and authority confinement proofs\n    * [`infoflow`](proof/infoflow/): confidentiality and intransitive non-interference proofs\n    * [`asmrefine`](proof/asmrefine/): Isabelle/HOL part of the seL4 binary verification\n    * [`drefine`](proof/drefine/): refinement between capDL and abstract specification\n    * [`sep-capDL`](proof/sep-capDL/): a separation logic instance on capDL\n    * [`capDL-api`](proof/capDL-api/): separation logic specifications of selected seL4 APIs\n\n * [`lib`](lib/): generic proof libraries, proof methods and tools. 
Among these,\n   further libraries for fixed-size machine words, a formalisation of state\n   monads with nondeterminism and exceptions, a generic verification condition\n   generator for monads, a recursive invariant prover for these (`crunch`), an\n   abstract separation logic formalisation, a prototype of the [Eisbach][6] proof\n   method language, a prototype `levity` refactoring tool, and others.\n\n * [`tools`](tools/): larger, self-contained proof tools\n    * [`asmrefine`](tools/asmrefine/): the generic Isabelle/HOL part of the binary\n      verification tool\n    * [`c-parser`](tools/c-parser/): a parser from C into the Simpl language in Isabelle/HOL.\n       Includes a C memory model.\n    * [`autocorres`](tools/autocorres/): an automated, proof-producing abstraction tool from\n      C into higher-level Isabelle/HOL functions, based on the C parser above\n    * [`haskell-translator`](tools/haskell-translator/): a basic python script for converting the Haskell\n      prototype of seL4 into the executable design specification in\n      Isabelle/HOL.\n\n * [`misc`](misc/): miscellaneous scripts and build tools\n\n * [`camkes`](camkes/): an initial formalisation of the CAmkES component platform\n    on seL4. Work in progress.\n\n * [`sys-init`](sys-init/): specification of a capDL-based, user-level system initialiser\n    for seL4, with proof that the specification leads to correctly initialised\n    systems.\n\n\n  [6]: https://trustworthy.systems/publications/nictaabstracts/Matichuk_WM_14.abstract \"An Isabelle Proof Method Language\"\n\n\nHardware requirements\n---------------------\n\nAlmost all proofs in this repository should work within 4GB of RAM. 
Proofs\ninvolving the C refinement will usually need the 64-bit mode of polyml and\nabout 16GB of RAM.\n\nThe proofs distribute reasonably well over multiple cores; up to about 8\ncores are useful.\n\nRunning the Proofs\n------------------\n\nIf Isabelle is set up correctly, a full test for the proofs in this repository\nfor seL4 on the `ARM` architecture can be run with the command\n\n    L4V_ARCH=ARM ./run_tests\n\nfrom the directory `l4v/`.\n\nSet the environment variable `L4V_ARCH` to one of `ARM`, `ARM_HYP`, `X64`,\n`RISCV64`, or `AARCH64` to get the proofs for the respective architecture. `ARM`\nhas the most complete set of proofs; the other architectures tend to support\nonly a subset of the proof sessions defined for `ARM`.\n\nNot all of the proof sessions can be built directly with the `isabelle build`\ncommand. The seL4 proofs depend on Isabelle specifications that are generated\nfrom the C source code and Haskell model. Therefore, it is recommended to always\nbuild using the `run_tests` command or the supplied Makefiles, which will ensure\nthat these generated specs are up to date.\n\nTo do this, enter one level under the `l4v/` directory and run `make \u003csession-name\u003e`.\nFor example, to build the abstract specification, do\n\n    export L4V_ARCH=ARM\n    cd l4v/spec\n    make ASpec\n\nSee the `HEAPS` variable in the corresponding `Makefile` for available targets.\nThe sessions that directly depend on generated sources are `ASpec`, `ExecSpec`,\nand `CKernel`. These, and all sessions that depend on them, need to be run using\n`run_tests` or `make`.\n\nProof sessions that do not depend on generated inputs can be built directly with\n\n    ./isabelle/bin/isabelle build -d . -v -b \u003csession name\u003e\n\nfrom the directory `l4v/`. For available sessions and their dependencies, see\nthe corresponding `ROOT` files in this repository. 
There is roughly one session\ncorresponding to each major directory in the repository.\n\nFor interactively exploring, say, the invariant proof of the abstract\nspecification on `ARM`, note that in `proof/ROOT` the parent session for\n`AInvs` is `ASpec` and therefore run:\n\n    export L4V_ARCH=ARM\n    ./run_tests ASpec\n    ./isabelle/bin/isabelle jedit -d . -R AInvs\n\nor, if you prefer `make`:\n\n    export L4V_ARCH=ARM\n    cd spec; make ASpec\n    ../isabelle/bin/isabelle jedit -d . -R AInvs\n\nin `l4v/` and open one of the files in `proof/invariant-abstract`.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsel4%2Fl4v","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsel4%2Fl4v","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsel4%2Fl4v/lists"}