From imagination to impact

Transcription

1 From imagination to impact

2 Kernel Design for Isolation an Assurance of Physical Memory Dhammika Elkauwe Philip Derrin Kevin Elphinstone

3 Embee Systems Increasing functionality Increasing software complexity Millions of lines of coe Mutually untruste SW venors Consoliate functionality Connectivity Attacks from outsie No longer close systems Downloa SW IIES08/seL4 1

4 Embee Systems Diverse applications Real-time Vs. best effort Tight resource bugets Mission/life- critical applications Sensitive information Reliability is paramount IIES08/seL4 2

5 Small Kernel Approach Smaller, more trustworthy founation Hypervisor, microkernel, isolation kernel,.. Facilitate controlle integration an isolation Isolate: fault isolation, iversity Untruste Sensitive Sensitive Sensitive Sensitive Integrate: performance Linux Server Device Driver Device Driver Device Driver Supervisor Small kernel (e.g. Microkernel) Harware IIES08/seL4 3A

6 Small Kernel Approach Smaller, more trustworthy founation Hypervisor, microkernel, isolation kernel,.. Facilitate controlle integration an isolation Isolate: fault isolation, iversity Untruste Sensitive Sensitive Sensitive Sensitive Integrate: performance Linux Server Device Driver Device Driver Device Driver Microkernel shoul: Provie sufficient API Correct realisation of API Ahere to isolation/integration requirements of the system Supervisor Small kernel (e.g. Microkernel) Harware IIES08/seL4 3

7 Issue Kernel consumes resources Machine cycles Physical memory (kernel metaata) Example: threas threa control block, Untruste Sensitive Sensitive Sensitive Sensitive aress space page-tables bookkeeping to reclaim memory Linux Server Device Driver Device Driver Device Driver Supervisor P T Microkernel P T IIES08/seL4 4

8 Possible Approaches How o we manage kernel metaata? Cache like behaviour [ER,Cache kernel, HiStart..] No preictability, limite RT applicability Static allocations Works for static systems Dynamic systems: overcommit or fail uner heavy loa Domain specific kernel moifications? Linux Server Untruste Device Driver Supervisor Sensitive Sensitive Sensitive Sensitive Device Driver Device Driver P T Microkernel P T IIES08/seL4 5

9 Moifie Verifie L4.Verifie project: Formally verify the implementation correctness of the kernel Properties: Isolation, information flow... Formal refinement Formally connect the properties with the kernel implementation Mathematically proven properties Abstract Moel Property preserving refinement C Coe HW IIES08/seL4 6A

10 Moifie Verifie L4.Verifie project: Formally verify the implementation correctness of the kernel Properties: Isolation, information flow... Formal refinement Formally connect the properties with the kernel implementation Mathematically proven properties Abstract Moel Property preserving refinement C Coe HW IIES08/seL4 6

11 Moifie Verifie L4.Verifie project: Formally verify the implementation correctness of the kernel Properties: Isolation, information flow... Formal refinement Formally connect the properties with the kernel implementation Moifications invaliate refinement Verification is labour intensive 10K C-lines = 100K proof lines (1 st refinement) Memory management is core functionality Mathematically proven properties Abstract Moel C Coe Property preserving refinement HW IIES08/seL4 6C

12 Approach in a nutshell Truste Kernel heap... supervisory sel4 Microkernel No implicit allocations within the kernel No heap, no slab allocation etc.. All abstractions are provie by first-class kernel objects Threas object Aress space Page table objects All objects are create upon explicit user request IIES08/seL4 7

13 Memory Management Moel Truste... No implicit allocations within the kernel Physical memory is ivie into untype objects Authority conferre via capabilities supervisory Untype capability is sufficient authority to allocate kernel objects Kernel Coe sel4 Microkernel untype object1 untype object2.. untype object n All abstractions are provie via first class kernel objects Allocate on explicit user request Creator gets the full authority Distribute capabilities to allow other access the service IIES08/seL4 8A

14 Memory Management Moel Truste Kernel Coe... supervisory sel4 Microkernel Kernel objects Untype untype object2 (Threa Control locks) Capability tables (CT) Comm. ports..... untype object n No implicit allocations within the kernel Physical memory is ivie into untype objects Authority conferre via capabilities Untype capability is sufficient authority to allocate kernel objects All abstractions are provie via first class kernel objects Allocate on explicit user request Creator gets the full authority Distribute capabilities to allow other access the service IIES08/seL4 8

15 Memory Management Moel Truste Kernel Coe... supervisory sel4 Microkernel Kernel objects Untype PT PT (Threa Control locks) Capability tables (CT) Comm. ports... Objects are manage by user-level.. untype object n No implicit allocations within the kernel Physical memory is ivie into untype objects Authority conferre via capabilities Untype capability is sufficient authority to allocate kernel objects All abstractions are provie via first class kernel objects Allocate on explicit user request Creator gets the full authority Distribute capabilities to allow other access the service IIES08/seL4 8C

16 Memory Management Moel... Truste... Delegate authority Allow others to obtain services Delegate resource management Kernel Coe supervisory Microkernel untype object2.. untype object n Memory management policy is completely in user-space Isolation of physical memory = Isolation of authority (capabilities) Capability issemination is controlle by a Take-Grant like protection moel IIES08/seL4 8D

17 Memory Management Moel... Truste... De-allocation upon explicit user request Call revoke on the Untype capability Memory can be reuse supervisory Kernel tracks capability erivations Kernel Coe sel4 Microkernel unty pe cap 1 untype object2 CDT.. untype object n Recore in capability erivation tree (CDT) Nee bookkeeping Doubly-linke list through capabilities Space allocate with capability tables T C T C copy T C IIES08/seL4 9

18 Capability Derivation Tree Truste Kernel Coe... supervisory sel4 Microkernel unty pe cap 1 untype object2 CDT.. untpe object n For allocation: The untype capability shoul not have any CDT chilren Guarantees that there are no previously allocate objects Size of the object(s) must be small or equal to untype object T C T C copy T C IIES08/seL4 10

19 Evaluation Formal properties: Formalise the protection moel in Isabelle/HOL Machine checke, abstract moel of the kernel Formal, machine checke proof that mechanisms are sufficient for enforcing spatial partitioning Proof also ientify the invariants the supervisory nees to enforce for isolation to hol... supervisory sel4 Microkernel IIES08/seL4 11A

20 Evaluation Formal properties: Formalise the protection moel in Isabelle/HOL Machine checke, abstract moel of the kernel Formal, machine checke proof that mechanisms are sufficient for enforcing spatial partitioning Proof also ientify the invariants the supervisory nees to enforce for isolation to hol Can not share moifiable page/capability tables Can not share threa control blocks Can not have communication channels that allow capability propagation... supervisory sel4 Microkernel IIES08/seL4 11

21 Evaluation... Performance Use paravirtualise Linux as an example Compare with L4/Wombat (Linux) for running LMench Linux Driv ers... supervisory sel4 Microkernel ench mark L4 ( s) sel4( s) Gain(%) fork exec shell page faults Null Syscall ctx Proxy via Iguana Linux Driv (Wom ers bat)... Iguana L4 Microkernel IIES08/seL4 12

22 Status Empirical work Runs on ARM11 Investigate performance as a virtualisation platform Mathematically proven properties Formal work Information flow properties Abstract Moel (example: Clark-Wilson) Formal refinement work in progress Property preserving refinement C Coe HW Performance IIES08/seL4 13

23 Conclusion No implicit allocations within the kernel Users explicitly allocate kernel objects No heap, slab.. (no hien bookkeeping) Authority confinement guarantees control of kernel memory All kernel memory management policy is outsie the kernel Different isolation/integration configurations Support iverse, co-existing policies No moification to the kernel (remains verifie) Har guarantees on kernel memory consumption Facilitate formal reasoning of physical memory consumption Improve performance by controlle elegation Similar performance in other case IIES08/seL4 14

24 Questions?

25 From imagination to impact