Wish I had this years ago. Security kernels & their successors, separation kernels, were only OS kernels to ever survive pentesting by NSA & other TLA’s. That’s for both code injection & covert/side channels. They became de facto standard in high-assurance security for isolating apps or VM’s on untrustworthy CPU’s until get we get secure ones. This paper is packed with info on many (maybe all) implementations from FOSS to industry. It covers the different types of kernels, many examples, what formal methods were used for verification, tables for attribute comparisons, limitations, and areas for more work. Splendid survey.
Here’s a few papers showing how they’re often applied. One is academic typical of L4 traditions, FOSS implementation of similar one, another similar one became Turaya at Sirrix, and a different, commercial one with highest certification so far.
https://os.inf.tu-dresden.de/papers_ps/nizza.pdf
https://genode.org/
http://www.perseus-os.org/content/pages/Overview.htm
http://www.ghs.com/products/safety_critical/integrity-do-178b.html
Note: The two boxes at bottom of page give a nice view of all the analysis, testing, and configuration requirements of DO-178B Level A and EAL6+ certifications. The high-assurance requirements in certs or that brand of CompSci don’t just have formal methods. The entire lifecycle must be secured in a rigorous, thorough way.