Towards a Practical, Verified Kernel

Similar documents
Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish

From imagination to impact

Translation Validation for a Verified OS Kernel

sel4: Formal Verification of an OS Kernel

Improving Interrupt Response Time in a Verifiable Protected Microkernel

Comprehensive Formal Verification of an OS Microkernel

Microkernel Design A walk through selected aspects of

Mechanised Separation Algebra

Turning proof assistants into programming assistants

sel4: Formal Verification of an Operating-System Kernel

Getting Started with AutoCorres

Software Security: Vulnerability Analysis

LYREBIRD David Cock

A Simpl Shortest Path Checker Verification

OS Verification Now!

Formal methods for software security

SAFE HASKELL. David Terei David Mazières. Simon Marlow Simon Peyton Jones

Bitfields and Tagged Unions in C Verification through Automatic Generation

Introduction. COMP /S2 Week Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1

The COGENT Case for Property-Based Tes=ng

A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture. Anthony Fox and Magnus O. Myreen University of Cambridge

Applied Theorem Proving: Modelling Instruction Sets and Decompiling Machine Code. Anthony Fox University of Cambridge, Computer Laboratory

Verified Characteristic Formulae for CakeML. Armaël Guéneau, Magnus O. Myreen, Ramana Kumar, Michael Norrish April 27, 2017

Verified Protection Model of the sel4 Microkernel

Pip: A Minimal OS Kernel with Provable Isolation 1

Mapped Separation Logic

Runtime Checking for Program Verification Systems

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Towards High-Assurance Multiprocessor Virtualisation

Initial Evaluation of a User-Level Device Driver Framework

Formal proofs of code generation and verification tools

A Logic for Virtual Memory

Towards High-Assurance Multiprocessor Virtualisation

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Mind the Gap. A Verification Framework for Low-Level C. 1 NICTA, Australia

Operating System. Operating System Overview. Structure of a Computer System. Structure of a Computer System. Structure of a Computer System

RapiLog: Reducing System Complexity Through Verification

Introduction. COMP9242 Advanced Operating Systems 2010/S2 Week 1

Trickle: Automated Infeasible Path

sel4 Reference Manual Version 2.0.0

THREADS ADMINISTRIVIA RECAP ALTERNATIVE 2 EXERCISES PAPER READING MICHAEL ROITZSCH 2

The Evolution of Secure Operating Systems

Formal Specification of RISC-V Systems Instructions

How Efficient Can Fully Verified Functional Programs Be - A Case Study of Graph Traversal Algorithms

Functional Programming in Hardware Design

L4/Darwin: Evolving UNIX. Charles Gray Research Engineer, National ICT Australia

sel4 Reference Manual Version 8.0.0

Advanced Operating Systems. COMP9242 Introduction

Verified compilers. Guest lecture for Compiler Construction, Spring Magnus Myréen. Chalmers University of Technology

csci3411: Operating Systems

Automated proof-producing abstraction of C code

Verification of the GCC-generated binary of the sel4 microkernel

Advanced Operating Systems. COMP9242 Introduction

High-level languages

ADVANCED OPERATING SYSTEMS USB in a microkernel based operating system

An External Integrity Checker for Increasing Security of Open Source Operating Systems

Hoare logic. A proof system for separation logic. Introduction. Separation logic

Background. From my PhD (2009): Verified Lisp interpreter in ARM, x86 and PowerPC machine code

Protection. Thierry Sans

How Can You Trust Formally Verified Software?

COMPUTER ARCHITECTURE. Virtualization and Memory Hierarchy

Virtualization and memory hierarchy

CS 471 Operating Systems. Yue Cheng. George Mason University Fall 2017

Combining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018

Lecture 3: O/S Organization. plan: O/S organization processes isolation

Implementing a Verified On-Disk Hash Table

Program Verification (6EC version only)

Abstracting Definitional Interpreters

6.828: OS/Language Co-design. Adam Belay

Creating a Practical Security Architecture Based on sel4

Embedded Systems. 5. Operating Systems. Lothar Thiele. Computer Engineering and Networks Laboratory

Staff. Advanced Operating Systems. Why are you here? What can you expect?

RESOURCE MANAGEMENT MICHAEL ROITZSCH

From IMP to Java. Andreas Lochbihler. parts based on work by Gerwin Klein and Tobias Nipkow ETH Zurich

Automated Verification of RISC-V Kernel Code. Antoine Kaufmann

Multiprocessors and Locking

A Memory Allocation Model For An Embedded Microkernel

An Annotated Language

Arrakis: The Operating System is the Control Plane

Staff. Advanced Operating Systems. Why are you here? What can you expect?

Side Effects (3A) Young Won Lim 1/13/18

Virtual Memory. Kevin Webb Swarthmore College March 8, 2018

OS Extensibility: SPIN and Exokernels. Robert Grimm New York University

CIS Operating Systems Memory Management Cache. Professor Qiang Zeng Fall 2017

MICROKERNEL CONSTRUCTION 2014

csci3411: Operating Systems

Exokernel Engler, Kaashoek etc. advantage: fault isolation slow (kernel crossings)

Efficient Software Based Fault Isolation. Software Extensibility

Exokernel: An Operating System Architecture for Application Level Resource Management

Chapter 13: Reference. Why reference Typing Evaluation Store Typings Safety Notes

RESOURCE MANAGEMENT MICHAEL ROITZSCH

Typed Assembly Language for Implementing OS Kernels in SMP/Multi-Core Environments with Interrupts

Push-button verification of Files Systems via Crash Refinement

Improving Interrupt Response Time in a Verifiable Protected Microkernel

Software System Design and Implementation

Developing Good Habits for Bare-Metal Programming

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014)

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

Presented in Open Source Series Workshop Linux & Memory Maps. Presented by : Abdul Qadeer December, 2010 ICOSST 2010

Transcription:

Towards a Practical, Verified Kernel Kevin Elphinstone and Gerwin Klein, National ICT Australia and the University of New South Wales Philip Derrin, National ICT Australia Timothy Roscoe, ETH Zürich Gernot Heiser, National ICT Australia, the University of New South Wales, and Open Kernel Labs 1

And the rest Dhammika Elkaduwe David Cock Thomas Sewell Simon Winwood Harvey Tuch Michael Norrish Jeremy Dawson Rafal Kolanski Jia Meng 2

Feature-Rich Embedded Systems Are they trustworthy? 3

Small Kernels Smaller, more trustworthy foundation Hypervisor, microkernel, nano-kernel, virtual machine monitor, isolation kernel, partitioning kernel, exokernel.. Fault isolation, fault identification, IP protection, modularity.. High assurance components in presence of other components Only as trustworthy as the foundation Code reviews? Testing? Static analysis? Sound and unsound Legacy Legacy Legacy App. Legacy App. App. App. Linux Server Untrusted Device Driver Trusted Supervisor sel4 Kernel Hardware Trusted Trusted Service Trusted Service Trusted Service Service Sensitive Sensitive Sensitive App. Sensitive App. App. App. Device Device Driver Driver 4

Our Goal -- A Formally Verified Kernel A formally specified API (abstract model) Proven properties such as spatial partitioning. High-performance implementation in C A formal refinement between model and implementation Guaranteed correct implementation!!!! Mathematically proven properties Abstract Model C Code Property preserving refinement HW 5

Success creates problems. Verified kernel is rigid Changes invalidate proofs Kernel Mechanism not policy Flexible distribution of authority Capabilities (KeyKOS/EROS) Address spaces Memory objects implemented at user level (L4/Xen/Nemesis) Partitioning to hold within the kernel No implicit memory allocation in kernel (Cambridge CAP) Event-based/Atomic (Fluke) Legacy Legacy Legacy App. Legacy App. App. App. Linux Server Device Driver Supervisor sel4 Kernel Hardware Trusted Trusted Service Trusted Service Trusted Service Service Sensitive Sensitive Sensitive App. Sensitive App. App. App. Device Device Driver Driver 6

Kernel Developers Versus Formal Methods Practitioners Abstract Model C Code HW 7

Bridging the gap Modelling? Well defined semantics Readily formalisable Exposed implementation details Programming language 8

Our Prototyping Approach Model the kernel in detail Literate Haskell to model.lhs Pure functional programming language Isabelle/ HOL LaTeX GHC Embedded documentation Close to Isabelle/HOL Executable Formal Model Kernel Reference Manual Kernel Prototype Supports running user-level code.c User-level Simulator GCC User App 9

Kernel Modelling in Haskell Kernel is event-based (single stack) mostly atomic API. Kernels are big state machines with events as input Imperative Rely on side-effects all the time P(s), make_runnable(tcb) Kernels manipulate the low-level machine Interrupts, TLBs, caches Preemption required Kernels can t always perform operations to completion 10

Kernel Code in a State Monad Kernel State monads are units of computation which consume and produce state State transformers Kernel monad encapsulates a state transformer of the kernel and machine Monads can be bound together using the bind operator Sequencing the computation Connects the plumbing to pass the state along Event Event Event Init Kernel >>= Kernel >>= Kernel >>= Kernel 11

Kernel Code in a Monad type Kernel = StateT KernelState MachineMonad callkernel :: Event -> Kernel () callkernel ev = handleevent ev >>= (\x -> schedule >>= (\y -> activatethread)) Event callkernel = handle >>= >>= Event schedule Activate Thread 12

Kernel Code in a Monad type Kernel = StateT KernelState MachineMonad callkernel :: Event -> Kernel () callkernel ev = do handleevent ev schedule activatethread Event Imperative in style Lowers barrier to entry for kernel developers callkernel = handle >>= >>= Event schedule Activate Thread 13

Kernel Monad Kernel Machine Monad ReaderT IO StateT Machine monad contains state to interface to simulator Kernel contains the state of physical memory 14

Machine Monad Lowest Level of Model getmemorytop :: MachineMonad (PPtr ()) getdeviceregions :: MachineMonad [(PPtr (), Int)] loadword :: PPtr Word -> MachineMonad Word storeword :: PPtr Word -> Word -> MachineMonad () insertmapping :: PPtr Word -> VPtr -> Int -> Bool -> MachineMonad () flushcaches :: MachineMonad () getactiveirq :: MachineMonad (Maybe IRQ) maskinterrupt :: Bool -> IRQ -> MachineMonad () ackinterrupt :: IRQ -> MachineMonad () waitforinterrupt :: MachineMonad IRQ configuretimer :: MachineMonad IRQ resettimer :: MachineMonad () Foreign Function Interface (FFI) Approximate machine-level C functions Close to real as possible Forces us to manage hardware 15

KernelState Monad Kernel Machine Monad ReaderT IO StateT Statically allocated global kernel data Current thread Scheduler queues Physical Memory 16

KernelState Monad Physical memory model Contents of dynamically-allocated memory Typed data used by the kernel Thread control blocks Capability and page tables... Indexed by physical memory address Forces us to model memory management (30% of kernel) Reduces the gap to C Pointers,not Haskell s heap Still provides strongly typed pointers CTE Pointers TCB Pointer Physical Address Space CTE Objects TCB Object 17

User-level Simulation User-level CPU simulator M5 Alpha simulator Locally-developed ARMv6 simulator QEMU Executes compiled user-level binaries Sends events to the Haskell kernel.c.c GCC ARMv6 Binary Simulator.lhs.lhs GHC Save/Restore Event Kernel Load/Store TLB Access 18

Prototyping Environment Verification team identifying conceptual and verification issues. Exercisable Kernel API + User-level Instruction Simulator Kernel team identifying conceptual and potential performance issues. L4.verified Porting Iguana Embedded OS + Other Stuff 19

Proof Overview Formal proof: concrete behaviour captured at abstract level Abstract Model Executable Model Monadic functional programs Manual System Specification (Isabelle/HOL) Haskell Prototype Hoare Logic Separation Logic Leverage already proven invariants Tool to import subset of C into theorem prover C Code HW High Performance Implementation (C/asm) 20

The Proof - Summary Statistics: 3.5kloc abstract, 7kloc concrete spec (about 3k Haskell) 53kloc proof so far (estm. 60kloc final, about 10kloc/month) 37 patches to Haskell kernel, 110 to abstract spec Proven lots of invariants: well typed references, aligned objects thread states and port queues well formed current thread, scheduler queues Proof of termination Expect to prove does not fail Pen-paper proof of spatial partitioning Identified set of invariants required of supervisor 21

Conclusions Significant gap between kernel development and formal verification Haskell (Functional Programming) middle ground Programming language Model low-level details Readily formalisable Make proving easier explicitly manage side-effects Overall Status Very close to a verified detailed executable kernel model Immature C version of the design 22

Questions 23

Kernel Development => Iterative Prototyping Required Natural language specification: Ambiguous, incomplete Low-level implementation (C, C++): Slow development Not easy to formalise High-level implementation: High performance difficult to achieve Temporal guarantees difficult Formal models: Don t provide programming environments Hard to build testable prototypes or expose implementation issues Design & Specify High-performance 'C' implementation Formal Model Refinement Proof of Properties 24

Kernel Code in a Monad type Kernel = StateT KernelState MachineMonad callkernel :: Event -> Kernel () callkernel ev = do runerrort $ handleevent ev `catcherror` \irq -> withoutpreemption $ handleinterrupt irq schedule activatethread Interrupt Kernel Kernel >>= Kernel Machine Monad ReaderT IO StateT ErrorT 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback