The binary code of the ARM and RISCV64 versions of the seL4 microkernel correctly implement the behaviour described in its abstract specification and nothing more. Furthermore, the specification and the seL4 binary satisfy the classic security properties called *integrity* and *confidentiality*.
[...]
Previously, in 2009, we had only proved functional correctness between the C code of the kernel and its specification. Now we have additionally shown binary correctness, that is, the compiler and linker need not be trusted, and we have shown that the specification indeed implies strong security properties as intended.
So the specification has indeed been proven to be free of certain security bugs.
"Secure" is ambiguous, so of course they wouldn't claim X, whatever that is, is "secure". For instance, a microkernel does not provide cryptographic confidentiality, but some readers include such properties under the umbrella of "secure", so using that term would be dumb. When talking about proofs you describe the specific properties proven in a way that leaves no ambiguity.
I’m not sure If you are really convinced that’s true or it’s supposed to be understood as an exaggeration.
It is subjective, and I’ll grant it’s not the most intuitive thing to look at, but I don’t agree it’s worse than assembly. Besides the readability of the specification is not some priori limitation.
Which itself is not know to be bugfree.
(And is 10x the size of the source code and in a language that is less readable than x64 assembler)