Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish Thomas Sewell Harvey Tuch Simon Winwood
1 microkernel 8,700 l ines of C 0 bugs * qed *conditions apply
The Goal 2
The Problem 3
Small Kernels Small trustworthy foundation hypervisor, microkernel, nano-kernel, virtual machine, separation kernel, exokernel... High assurance components in presence of other components sel4 API: - IPC - Threads - VM - IRQ - Capabilities Untrusted Legacy Apps Legacy App. Legacy App. Linux Server Hardware Trusted Sensitive App Trusted Service NICTA 2009 5
Small Kernels Small trustworthy foundation hypervisor, microkernel, nano-kernel, virtual machine, separation kernel, exokernel... High assurance components in presence of other components sel4 API: - IPC - Threads - VM - IRQ - Capabilities Untrusted Legacy Apps Legacy App. Legacy App. Linux Server sel4 Hardware Trusted Sensitive App Trusted Service NICTA 2009 5
Functional Correctness Specification Proof Code NICTA 2009 7
Functional Correctness What Specification definition schedule :: unit s_monad where schedule do threads allactivetcbs; thread select threads; switch_to_thread thread od OR switch_to_idle_thread Proof Code NICTA 2009 7
Functional Correctness What Specification definition schedule :: unit s_monad where schedule do threads allactivetcbs; thread select threads; switch_to_thread thread od OR switch_to_idle_thread Proof How Code NICTA 2009 7
*conditions apply Specification Proof Code NICTA 2009 8
*conditions apply Specification Proof Code Assumptions NICTA 2009 8
*conditions apply Expectation Specification Proof Code Assumptions NICTA 2009 8
*conditions apply Proof Specification Assume correct: Expectation - compiler + linker (wrt. C op-sem) - assembly code (600 loc) - hardware (ARMv6) - cache and TLB management - boot code (1,200 loc) Code Assumptions NICTA 2009 8
Implications Execution always defined: no null pointer de-reference no buffer overflows no code injection no memory leaks/out of kernel memory no div by zero, no undefined shift no undefined execution no infinite loops/recursion Specification C Code Not implied: secure (define secure) zero bugs from expectation to physical world covert channel analysis NICTA 2009 9
Proof Architecture Specification Proof C Code NICTA 2009 10
Proof Architecture Specification Design C Code NICTA 2009 11
Proof Architecture Specification Design C Code NICTA 2009 12
Proof Architecture Access Control Spec Confinement Specification Design C Code NICTA 2009 12
Proof Architecture Access Control Spec Confinement Specification Design Haskell Prototype C Code NICTA 2009 12
Proof Architecture Access Control Spec Confinement Specification definition schedule :: unit s_monad where schedule do threads allactivetcbs; thread select threads; switch_to_thread thread od OR switch_to_idle_thread Design Haskell Prototype C Code NICTA 2009 12
Proof Architecture Access Control Spec Confinement Specification Design Haskell Prototype C Code NICTA 2009 12
Proof Architecture Access Control Spec Confinement Specification Design Haskell Prototype C Code NICTA 2009 12
System Model States: User, Kernel, Idle Events: Syscall, Exception, IRQ, VM Fault idle event I idle U kernel exit event K kernel mode NICTA 2009 13
System Model States: User, Kernel, Idle Events: Syscall, Exception, IRQ, VM Fault idle event I idle U kernel exit event K kernel mode NICTA 2009 13
sel4
Two Teams Formal Methods Practitioners Kernel Developers NICTA 2009 16
Two Teams Formal Methods Practitioners Kernel Developers The Power of Abstraction (Liskov 09) Exterminate All OS Abstractions! (Engler 95) NICTA 2009 16
Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 17
Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 17
Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 18
Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 18
Design for Verification Reducing Complexity Hardware drivers outside kernel Concurrency event based kernel limit preemption Code derive from functional representation NICTA 2009 19
C subset Everything from C standard including: - pointers, casts, pointer arithmetic - data types - structs, padding - pointers into structs - precise finite integer arithmetic minus: - goto, switch fall-through - reference to local variable - side-effects in expressions - function pointers (restricted) - unions plus compiler assumptions on: - data layout, encoding, endianess NICTA 2009 20
Did you find any Bugs? Bugs found Effort during testing: 16 Haskell design First C impl. Debugging/Testing Kernel verification Formal frameworks 2 py 2 weeks 2 months 12 py 10 py during verification: in C: 160 in design: ~150 in spec: ~150 460 bugs Total Cost Common Criteria EAL6: L4.verified: 25 py $87M $6M NICTA 2009 21
Did you find any Bugs? Bugs found Effort during testing: 16 Haskell design First C impl. Debugging/Testing Kernel verification Formal frameworks 2 py 2 weeks 2 months 12 py 10 py during verification: in C: 160 in design: ~150 in spec: ~150 460 bugs Total Cost Common Criteria EAL6: L4.verified: 25 py $87M $6M NICTA 2009 21
Summary Formal proof all the way from spec to C. 200kloc handwritten, machine-checked proof ~460 bugs (160 in C) Verification on code, design, and spec Hard in the proof Hard in the implementation Formal Code Verification up to 10kloc: It works. It s feasible. It s cheaper. (It s fun, too. And we re hiring..) NICTA 2009 22