Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish

Similar documents
Towards a Practical, Verified Kernel

The Evolution of Secure Operating Systems

sel4: Formal Verification of an Operating-System Kernel

Translation Validation for a Verified OS Kernel

sel4: Formal Verification of an OS Kernel

Introduction. COMP /S2 Week Gernot Heiser UNSW/NICTA/OKL. Distributed under Creative Commons Attribution License 1

From imagination to impact

Introduction. COMP9242 Advanced Operating Systems 2010/S2 Week 1

Comprehensive Formal Verification of an OS Microkernel

Microkernel Design A walk through selected aspects of

Komodo: Using Verification to Disentangle Secure-Enclave Hardware from Software

Mechanised Separation Algebra

Improving Interrupt Response Time in a Verifiable Protected Microkernel

RapiLog: Reducing System Complexity Through Verification

OS Verification Now!

Towards High-Assurance Multiprocessor Virtualisation

Formal methods for software security

Towards High-Assurance Multiprocessor Virtualisation

A Simpl Shortest Path Checker Verification

Formal proofs of code generation and verification tools

Trickle: Automated Infeasible Path

Bitfields and Tagged Unions in C Verification through Automatic Generation

L4/Darwin: Evolving UNIX. Charles Gray Research Engineer, National ICT Australia

Staff. Advanced Operating Systems. Why are you here? What can you expect?

Advanced Operating Systems. COMP9242 Introduction

Avoiding Leakage and Synchronization Attacks through Enclave-Side Preemption Control

Implementing a Verified On-Disk Hash Table

Formally Verified Software in the Real World

Designing Systems for Push-Button Verification

Mind the Gap. A Verification Framework for Low-Level C. 1 NICTA, Australia

Program Verification (6EC version only)

Operating System Kernels

Operating Systems, Fall

LYREBIRD David Cock

Master level: Operating systems, distributed systems, networking,

Self-Referential Compilation, Emulation, Virtualization, and Symbolic Execution with Selfie. Christoph M. Kirsch, University of Salzburg, Austria

Creating a Practical Security Architecture Based on sel4

The Quest-V Separation Kernel for Mixed Criticality Systems

sel4 Reference Manual Version 2.0.0

The Last Mile An Empirical Study of Timing Channels on sel4

sel4 Reference Manual Version 8.0.0

The Quest-V Separation Kernel for Mixed Criticality Systems

Advanced Systems Security: Virtual Machine Systems

C Refresher, Advance C, Coding Standard, Misra C Compliance & Real-time Programming

Advanced Systems Security: Virtual Machine Systems

Advanced Operating Systems. COMP9242 Introduction

Staff. Advanced Operating Systems. Why are you here? What can you expect?

Initial Evaluation of a User-Level Device Driver Framework

Getting Started with AutoCorres

Ironclad Apps: End-to-End Security via Automated Full-System Verification. Danfeng Zhang

OS Extensibility: SPIN and Exokernels. Robert Grimm New York University

How Can You Trust Formally Verified Software?

Turning proof assistants into programming assistants

Part 1: Introduction to device drivers Part 2: Overview of research on device driver reliability Part 3: Device drivers research at ERTOS

Overview of the OS. CS 450 : Operating Systems Michael Saelee

The benefits and costs of writing a POSIX kernel in a high-level language

The Open-Source sel4 Kernel Military-Grade Security Through

Organisatorials. About us. Binary Search (java.util.arrays) When Tue 9:00 10:30 Thu 9:00 10:30. COMP 4161 NICTA Advanced Course

A Memory Allocation Model For An Embedded Microkernel

Tolerating Malicious Drivers in Linux. Silas Boyd-Wickizer and Nickolai Zeldovich

COMP9242 Advanced Operating Systems S2/2011 Week 9: Microkernel Design Gernot Heiser, NICTA

Real Time and Embedded Systems. by Dr. Lesley Shannon Course Website:

Verification & Validation of Open Source

csci3411: Operating Systems

Protection. Thierry Sans

Combining program verification with component-based architectures. Alexander Senier BOB 2018 Berlin, February 23rd, 2018

type classes & locales

CSE 120 Principles of Operating Systems

LOCAL OPERATING SYSTEMS R&D AND OPPOR TUNITIES FOR STUDENTS

RISCV with Sanctum Enclaves. Victor Costan, Ilia Lebedev, Srini Devadas

Blockchains: new home for proven-correct software. Paris, Yoichi Hirai formal verification engineer, the Ethereum Foundation

6.828: OS/Language Co-design. Adam Belay

Mapped Separation Logic

Computer Systems A Programmer s Perspective 1 (Beta Draft)

The COGENT Case for Property-Based Tes=ng

9/19/18. COS 318: Operating Systems. Overview. Important Times. Hardware of A Typical Computer. Today CPU. I/O bus. Network

A Formally Verified NAT Stack

Verified Protection Model of the sel4 Microkernel

Feasibility of Testing to Code. Feasibility of Testing to Code. Feasibility of Testing to Code. Feasibility of Testing to Code (contd)

The CertiKOS Project

MICROKERNELS: MACH AND L4

Push-button verification of Files Systems via Crash Refinement

The Weird Machines in Proof-Carrying Code

File Systems Deserve Verification Too!

THREADS ADMINISTRIVIA RECAP ALTERNATIVE 2 EXERCISES PAPER READING MICHAEL ROITZSCH 2

Static Program Analysis Part 1 the TIP language

Fault Isolation for Device Drivers

Pip: A Minimal OS Kernel with Provable Isolation 1

Bringing Android to Secure SDRs

FlexSC. Flexible System Call Scheduling with Exception-Less System Calls. Livio Soares and Michael Stumm. University of Toronto

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Operating System. Operating System Overview. Structure of a Computer System. Structure of a Computer System. Structure of a Computer System

Version:1.1. Overview of speculation-based cache timing side-channels

Helgi Sigurbjarnarson

An Extensible Programming Language for Verified Systems Software. Adam Chlipala MIT CSAIL WG 2.16 meeting, 2012

C-LANGUAGE CURRICULAM

CSE 120 Principles of Operating Systems

0x1A Great Papers in Computer Security

csci3411: Operating Systems

Operating System Security

Transcription:

Gerwin Klein Kevin Elphinstone Gernot Heiser June Andronick David Cock Philip Derrin Dhammika Elkaduwe Kai Engelhardt Rafal Kolanski Michael Norrish Thomas Sewell Harvey Tuch Simon Winwood

1 microkernel 8,700 l ines of C 0 bugs * qed *conditions apply

The Goal 2

The Problem 3

Small Kernels Small trustworthy foundation hypervisor, microkernel, nano-kernel, virtual machine, separation kernel, exokernel... High assurance components in presence of other components sel4 API: - IPC - Threads - VM - IRQ - Capabilities Untrusted Legacy Apps Legacy App. Legacy App. Linux Server Hardware Trusted Sensitive App Trusted Service NICTA 2009 5

Small Kernels Small trustworthy foundation hypervisor, microkernel, nano-kernel, virtual machine, separation kernel, exokernel... High assurance components in presence of other components sel4 API: - IPC - Threads - VM - IRQ - Capabilities Untrusted Legacy Apps Legacy App. Legacy App. Linux Server sel4 Hardware Trusted Sensitive App Trusted Service NICTA 2009 5

Functional Correctness Specification Proof Code NICTA 2009 7

Functional Correctness What Specification definition schedule :: unit s_monad where schedule do threads allactivetcbs; thread select threads; switch_to_thread thread od OR switch_to_idle_thread Proof Code NICTA 2009 7

Functional Correctness What Specification definition schedule :: unit s_monad where schedule do threads allactivetcbs; thread select threads; switch_to_thread thread od OR switch_to_idle_thread Proof How Code NICTA 2009 7

*conditions apply Specification Proof Code NICTA 2009 8

*conditions apply Specification Proof Code Assumptions NICTA 2009 8

*conditions apply Expectation Specification Proof Code Assumptions NICTA 2009 8

*conditions apply Proof Specification Assume correct: Expectation - compiler + linker (wrt. C op-sem) - assembly code (600 loc) - hardware (ARMv6) - cache and TLB management - boot code (1,200 loc) Code Assumptions NICTA 2009 8

Implications Execution always defined: no null pointer de-reference no buffer overflows no code injection no memory leaks/out of kernel memory no div by zero, no undefined shift no undefined execution no infinite loops/recursion Specification C Code Not implied: secure (define secure) zero bugs from expectation to physical world covert channel analysis NICTA 2009 9

Proof Architecture Specification Proof C Code NICTA 2009 10

Proof Architecture Specification Design C Code NICTA 2009 11

Proof Architecture Specification Design C Code NICTA 2009 12

Proof Architecture Access Control Spec Confinement Specification Design C Code NICTA 2009 12

Proof Architecture Access Control Spec Confinement Specification Design Haskell Prototype C Code NICTA 2009 12

Proof Architecture Access Control Spec Confinement Specification definition schedule :: unit s_monad where schedule do threads allactivetcbs; thread select threads; switch_to_thread thread od OR switch_to_idle_thread Design Haskell Prototype C Code NICTA 2009 12

Proof Architecture Access Control Spec Confinement Specification Design Haskell Prototype C Code NICTA 2009 12

Proof Architecture Access Control Spec Confinement Specification Design Haskell Prototype C Code NICTA 2009 12

System Model States: User, Kernel, Idle Events: Syscall, Exception, IRQ, VM Fault idle event I idle U kernel exit event K kernel mode NICTA 2009 13

System Model States: User, Kernel, Idle Events: Syscall, Exception, IRQ, VM Fault idle event I idle U kernel exit event K kernel mode NICTA 2009 13

sel4

Two Teams Formal Methods Practitioners Kernel Developers NICTA 2009 16

Two Teams Formal Methods Practitioners Kernel Developers The Power of Abstraction (Liskov 09) Exterminate All OS Abstractions! (Engler 95) NICTA 2009 16

Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 17

Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 17

Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 18

Iterative Design and Formalisation Whiteboard Haskell Prototype Formal Design Formal Specification C Code NICTA 2009 18

Design for Verification Reducing Complexity Hardware drivers outside kernel Concurrency event based kernel limit preemption Code derive from functional representation NICTA 2009 19

C subset Everything from C standard including: - pointers, casts, pointer arithmetic - data types - structs, padding - pointers into structs - precise finite integer arithmetic minus: - goto, switch fall-through - reference to local variable - side-effects in expressions - function pointers (restricted) - unions plus compiler assumptions on: - data layout, encoding, endianess NICTA 2009 20

Did you find any Bugs? Bugs found Effort during testing: 16 Haskell design First C impl. Debugging/Testing Kernel verification Formal frameworks 2 py 2 weeks 2 months 12 py 10 py during verification: in C: 160 in design: ~150 in spec: ~150 460 bugs Total Cost Common Criteria EAL6: L4.verified: 25 py $87M $6M NICTA 2009 21

Did you find any Bugs? Bugs found Effort during testing: 16 Haskell design First C impl. Debugging/Testing Kernel verification Formal frameworks 2 py 2 weeks 2 months 12 py 10 py during verification: in C: 160 in design: ~150 in spec: ~150 460 bugs Total Cost Common Criteria EAL6: L4.verified: 25 py $87M $6M NICTA 2009 21

Summary Formal proof all the way from spec to C. 200kloc handwritten, machine-checked proof ~460 bugs (160 in C) Verification on code, design, and spec Hard in the proof Hard in the implementation Formal Code Verification up to 10kloc: It works. It s feasible. It s cheaper. (It s fun, too. And we re hiring..) NICTA 2009 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback