seL4 Formally Verified Microkernel

sel4.systems

About this website

seL4 is a high-assurance operating system microkernel with a complete mathematical proof of functional correctness, the world's first OS kernel verified at this level. It was developed by Gerwin Klein, Kevin Elphinstone, Gernot Heiser and their team at NICTA (now Data61, CSIRO) together with UNSW Sydney and Open Kernel Labs; the formal verification was completed in July 2009 after 11 person-years of proof effort using the Isabelle/HOL theorem prover.

The kernel is 8,700 lines of C and 600 lines of assembly; the Isabelle proof script contains 200,000+ lines and proves 8,700+ lemmas. Properties proven: functional correctness (the C implements the Haskell specification), security enforcement (capability-based access control cannot be bypassed by unprivileged code), and binary correctness (the ARM binary compiled with gcc 4.5.2 matches the C source).

Performance: IPC round-trip latency of 660 nanoseconds on a 1.6 GHz ARM Cortex-A9 (OMAP4), comparable to OKL4 2.1 (622 ns) and faster than L4/Fiasco (1500 ns). Capability-based security: all kernel resources are accessed via capabilities stored in CNodes (2^5 to 2^27 slots). The MCS (Mixed Criticality Systems) API was verified in 2020, providing provable temporal isolation between components.

Hardware: ARM Cortex-A53 (HiKey 620), A57 (HiKey 960), A72 (Raspberry Pi 4), RISC-V (SiFive HiFive), x86-64. Funded by DARPA, AFRL and the Australian DoD. Deployed in the Boeing AH-6 Little Bird helicopter (DARPA HACMS), autonomous vehicles and medical devices. Managed by the seL4 Foundation (Linux Foundation, established 2020). Version 13.0 (2024). Licensed under GPL-2.0.
