compositional verification of security properties for
play

Compositional Verification of Security Properties for Embedded - PowerPoint PPT Presentation

Sep 29, 2023 •251 likes •903 views

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann , Oliver Schwarz , Mads Dam KTH Royal Institute of Technology, Stockholm, Sweden RISE.SICS, Kista, Sweden cbaumann@kth.se

  1. Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann ∗ , Oliver Schwarz ⋆ , Mads Dam ∗ ∗ KTH Royal Institute of Technology, Stockholm, Sweden ⋆ RISE.SICS, Kista, Sweden cbaumann@kth.se PROOFS, Taipei, 2017-09-29

  2. Low and High Level System Security Bugs Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 2 / 16

  3. Inter-guest communication (IGC) minimal COTS hypervisor for ARMv8: fixed #guests, fixed memory size cores and devices owned exclusively no device virtualization, except: GIC secure boot loader memory isolation through HW extensions & SMMUs communication only through pre-defined channels Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 3 / 16

  4. Inter-guest communication (IGC) minimal COTS hypervisor for ARMv8: fixed #guests, fixed memory size cores and devices owned exclusively no device virtualization, except: GIC secure boot loader memory isolation through HW extensions & SMMUs communication only through pre-defined channels Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 3 / 16

  5. Inter-guest communication (IGC) minimal COTS hypervisor for ARMv8: fixed #guests, fixed memory size cores and devices owned exclusively no device virtualization, except: GIC secure boot loader memory isolation through HW extensions & SMMUs communication only through pre-defined channels Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 3 / 16

  6. Goal: Bisimulation with Ideal Model R ⇔ ideal model: secure by construction bisimulation relation R : transfer information flow properties verification: focus on arbitrary guest steps here Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 4 / 16

  7. SoCs complex / formal verification expensive Decomposition: utilize HW-specific properties & features compositionality fixed communication channels Abstraction: lots of details irrelevant for security focus on communication hide internal state refine component models later Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 5 / 16

  8. SoCs complex / formal verification expensive Decomposition: utilize HW-specific properties & features compositionality fixed communication channels Abstraction: lots of details irrelevant for security focus on communication hide internal state refine component models later Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 5 / 16

  9. ARMv8 platform model Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  10. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  11. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  12. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  13. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Memory: flat map of contents, received requests, forwarded I/O Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  14. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Memory: flat map of contents, received requests, forwarded I/O GIC: hypervisor-accessed registers, abstract interrupt state Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  15. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Memory: flat map of contents, received requests, forwarded I/O GIC: hypervisor-accessed registers, abstract interrupt state hypervisor: fine-grained LTS, communication with GIC Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  16. Hypervisor LTS: IGC interrupt injection Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 7 / 16

  17. Hypervisor LTS: IGC interrupt injection Inject await cwait iwait deact rcv k C Inject Deact k A c h c e c e A r h r snd d k d c snd c c n C n k v v s s Deact entry inject check dwait snd D e a r c c v t Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 7 / 16

  18. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  19. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  20. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  21. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Device: inactive at boot Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  22. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Device: inactive at boot Memory: correct page tables set up Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  23. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Device: inactive at boot Memory: correct page tables set up GIC: correct distributor configuration Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  24. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  25. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  26. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  27. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write ideal GIC: interrupt separation by construction Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  28. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write ideal GIC: interrupt separation by construction message buffers as placeholders for (S)MMUs Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  29. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write ideal GIC: interrupt separation by construction message buffers as placeholders for (S)MMUs memory: only guest portion, intermediate physical addresses Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  30. Verification: Bisimulation Theorem ⇓ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

  31. Verification: Bisimulation Theorem ⇓ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

  32. Verification: Bisimulation Theorem ⇑ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

  33. Verification: Bisimulation Theorem ⇑ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Viktor Vafeiadis Software Analysis & Verification Full functional verification

Viktor Vafeiadis Software Analysis & Verification Full functional verification

Viktor Vafeiadis Software Analysis & Verification Full functional verification Compilers , concurrent programs , theorem provers Program equivalence / Compositional reasoning Compositional compiler verification

266 views • 3 slides
Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 Understanding the Security Properties of Ballot-Based Verification 1 WARNING This talk contains no research content.

284 views • 15 slides
Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri Bohlender | Stefan Kowalewski WODES 2018, June 1, 2018 Introduction CHC-based Verification Conclusion Outline Introduction CHC-based Verification

1.75k views • 118 slides
COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction) Mykola (Nikolaj) S. Nikitchenko Taras Shevchenko National University of Kyiv Linz, JKU, November 08-19, 2012 1 Contents Introduction

783 views • 40 slides
Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1 Systems, Components, and Properties Security, for example, is a system property

522 views • 17 slides
Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) Local State Space Construction for Compositional

1.12k views • 50 slides
Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash

Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash

Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard 2 1 Technische Universit at Braunschweig, Germany 2 Kungliga Tekniska H ogskolan, Stockholm, Sweden Deduction at Scale 2011 Schlo

662 views • 26 slides
Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard

Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard

Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard 2 1 Technische Universit at Braunschweig, Germany 2 Kungliga Tekniska H ogskolan, Stockholm, Sweden Formal Methods for Components and Objects

270 views • 25 slides
Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem Penninckx, Bart Jacobs, Frank Piessens Department of Computer Science, KU Leuven, Belgium DRADS 2014 Table of Contents Introduction Requirements

660 views • 45 slides
Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017

Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017

Overview Definitions Algorithm References Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017 Karsten Fix Learning minimal separating DFA for Compositional Verification Overview Definitions

525 views • 35 slides
Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion -

Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion -

Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion - Israel Institute of Technology March 21, 2011 Standard Aspect Model Pointcuts determine the places where aspects should be woven. Aspect

464 views • 20 slides
Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search and Optimization Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS,

1.41k views • 113 slides
Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security

466 views • 25 slides
SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

1 SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Securify Architecture Reasoning with Untrusted Components

418 views • 13 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
Spark Marco Serafini COMPSCI 532 Lecture 4 Goals Support for iterative jobs Reuse of

Spark Marco Serafini COMPSCI 532 Lecture 4 Goals Support for iterative jobs Reuse of

Spark Marco Serafini COMPSCI 532 Lecture 4 Goals Support for iterative jobs Reuse of intermediate results without writing to disk Lineage-based fault tolerance Does not require checkpointing all intermediate results 3 3

533 views • 15 slides
Distributed Execution William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

Distributed Execution William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of

D EPARTMENT OF C OMPUTER S CIENCES Distributed Execution William Cook and Jayadev Misra f cook,misra g @cs.utexas.edu Department of Computer Science University of Texas at Austin Email: web: http://www.cs.utexas.edu/users/psp U NIVERSITY OF T

301 views • 18 slides
Investor Presentation 24 August 2015 ASEAN Stars Conference 2012 1 March 2012 Asias First

Investor Presentation 24 August 2015 ASEAN Stars Conference 2012 1 March 2012 Asias First

4Q FY2011/12 1Q FY2015/16 Investor Presentation Investor Presentation 24 August 2015 ASEAN Stars Conference 2012 1 March 2012 Asias First Listed Indian Property Trust Asias First Listed Indian Property Trust Disclaimer This presentation

739 views • 50 slides
A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato,

A Formal Analysis of Some Properties of Kerberos 5 Using MSR Frederick Butler, Iliano Cervesato, Aaron D. Jaggard, and Andre Scedrov Project Goals Give precise statement and formal analysis of a real world protocol Find a real world

474 views • 25 slides
Limits Definition 1 (Limit) . If the values f ( x ) of a function f : A B get very close to a

Limits Definition 1 (Limit) . If the values f ( x ) of a function f : A B get very close to a

Limits Definition 1 (Limit) . If the values f ( x ) of a function f : A B get very close to a specific, unique number L when x is very close to, but not necessarily equal to , a limit point c , we say the limit of f ( x ), as x approaches c , is

641 views • 53 slides
Universal constructions: limits and colimits Consider and arbitrary but fixed category K for a

Universal constructions: limits and colimits Consider and arbitrary but fixed category K for a

Universal constructions: limits and colimits Consider and arbitrary but fixed category K for a while. Andrzej Tarlecki: Category Theory, 2018 - 59 - Initial and terminal objects An object I | K | is initial in K if for each object A | K

239 views • 22 slides
Dynamic Panel Data estimators Christopher F Baum ECON 8823: Applied Econometrics Boston College,

Dynamic Panel Data estimators Christopher F Baum ECON 8823: Applied Econometrics Boston College,

Dynamic Panel Data estimators Christopher F Baum ECON 8823: Applied Econometrics Boston College, Spring 2015 Christopher F Baum (BC / DIW) Dynamic Panel Data estimators Boston College, Spring 2015 1 / 50 Dynamic panel data estimators

882 views • 50 slides
SOLUTIONS FOR CHAPTER 1 1.1 Fast computing tends to minimize the average response time of

SOLUTIONS FOR CHAPTER 1 1.1 Fast computing tends to minimize the average response time of

SOLUTIONS FOR CHAPTER 1 1.1 Fast computing tends to minimize the average response time of computation activities, whereas real-time computing is required to

378 views • 20 slides

More recommend