DB4SIL2 - Kernel assurance data for SIL2LinuxMP (OpenTech, Andreas Platschek) - PowerPoint PPT Presentation



SLIDE 1

DB4SIL2 - Kernel assurance data for SIL2LinuxMP

Andreas Platschek (OpenTech) <andreas.platschek@opentech.at>, May 11, 2016

© Andreas Platschek (OpenTech), December 1, 2016, slide 1 / 30

SLIDE 2

Data Acquisition (overview diagram; only the labels could be recovered)

Inputs: .cfg (ftrace config), list of test executables (testexec 1, testexec 2, testexec 3, ..., testexec N), tracing data, timing data, meta data, NCC callgraph data

Analyses built on them: Path Comparison, Path Coverage, Consecutive Path Analysis, Independence of consecutive calls, Inherent Diversity Analysis (producing Inherent Diversity Data), Independence of Layers of Protection Analysis (LOPA, producing LOPA Independence Data)

Other analysis tools used to extract different kinds of data will be added here over time.

SLIDE 3

SIL4LinuxDB

- Student project at DSLab, Lanzhou University
- Uses ftrace and gcov for kernel tracing
- Automated by means of python scripts
- Input restricted to openposix-testsuite-1.52 (latest)
- Running on Linux 4.1: voluntary, preemptive, PREEMPT RT; 100HZ, 1000HZ

SLIDE 4

DB4SIL2

- Re-implementation of the backend
- Uses ftrace for kernel tracing (at the moment no gcov)
- Tests better configurable (posix test-suite, LTP, etc.)
- Designed for use on embedded targets, with post-processing on a server
- Meta-data is kept:
  - the test that performed this syscall
  - trace position of asynchronous events (interrupts, page faults, etc.)

SLIDE 5

ftrace

Internal tracer of the Linux kernel. ftrace can trace:

- kernel functions
- latencies (IRQs on/off, preemption, scheduling, etc.)
- events (hundreds of static event points in the kernel)
- ...
- SYSCALLS

SLIDE 6

DB4SIL2 Principle

1. Configure ftrace to trace system calls
2. fork() a new process
3. Configure ftrace to trace the new process's PID
4. Start ftrace
5. exec() the test
6. Stop ftrace
7. Store the trace
8. Signal the post-processing part to do its job on the trace
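The eight steps above as an added example (not DB4SIL2's own code). It assumes the function_graph tracer and the standard tracefs control files current_tracer, set_ftrace_pid, tracing_on and trace; the tracefs path and output directory are parameters so the sequence can be exercised against a scratch directory, while a real run needs root and a mounted tracefs.

```python
import os
import shutil
import sys


def _set(tracefs, name, value):
    # tracefs control files take one value per write; opening "trace" for
    # writing clears the ring buffer, so a stored trace never contains stale data
    with open(os.path.join(tracefs, name), "w") as fh:
        fh.write(value)


def trace_test(argv, tracefs="/sys/kernel/tracing", out_dir="."):
    """Run one test executable under ftrace the DB4SIL2 way.
    Returns (child pid, exit code, path of the stored trace)."""
    # 1. configure ftrace: stop tracing, select tracer (assumed), empty buffer
    _set(tracefs, "tracing_on", "0")
    _set(tracefs, "current_tracer", "function_graph")
    _set(tracefs, "trace", "")
    go_r, go_w = os.pipe()            # parent signals child once ftrace is armed
    pid = os.fork()                   # 2. fork() a new process
    if pid == 0:                      # --- child ---
        os.close(go_w)
        os.read(go_r, 1)              # block until the parent has armed ftrace
        os.close(go_r)
        try:
            os.execv(argv[0], argv)   # 5. exec() the test (never returns)
        except OSError:
            os._exit(127)
    # --- parent ---
    os.close(go_r)
    _set(tracefs, "set_ftrace_pid", str(pid))   # 3. trace only the new PID
    _set(tracefs, "tracing_on", "1")            # 4. start ftrace
    os.write(go_w, b"!")
    os.close(go_w)
    _, status = os.waitpid(pid, 0)
    _set(tracefs, "tracing_on", "0")            # 6. stop ftrace
    # 7. store the trace per test, named after the executable
    dest = os.path.join(out_dir, os.path.basename(argv[0]) + ".trace")
    shutil.copyfile(os.path.join(tracefs, "trace"), dest)
    # 8. hand over to post-processing by returning where the trace was stored
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return pid, code, dest


if __name__ == "__main__":
    print(trace_test(sys.argv[1:]))   # e.g. trace_test(["/path/to/1-4.test"])
```

The PID filter is written before the child is released from the pipe, so the child's own exec() and everything after it is traced while the parent's bookkeeping is not.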

SLIDE 7

Per-Test Metadata

/home/andi/project/posixtestsuite/conformance/interfaces/sigdelset/1-4.test
CALLSTART:1-4.tes-18753:156:SyS_mmap()
CALLEND:1-4.tes-18753:342:1f65d059d567679f76dfdb4ae297b4f9
CALLSTART:1-4.tes-18753:1085:SyS_access()
CALLEND:1-4.tes-18753:1154:0e8295ee790df45d12d93c9a82e038c3
CALLSTART:1-4.tes-18753:1155:SyS_open()
ASYNCSTART:1407, smp_reschedule_interrupt()
ASYNCEND:1409
CALLEND:1-4.tes-18753:1560:3bce71a2da4d26eac1d41a2448a83750
CALLSTART:1-4.tes-18753:1561:SyS_read()
CALLEND:1-4.tes-18753:1600:474a8b4ed6cff638a4a47d7c93581991
CALLSTART:1-4.tes-18753:1652:SyS_mmap()
CALLEND:1-4.tes-18753:1726:e4e8a3af87cd057615669ed8247de76d
CALLSTART:1-4.tes-18753:1840:SyS_mmap()
CALLEND:1-4.tes-18753:2044:e5140607342f88b02bd32e4fb4945992
CALLSTART:1-4.tes-18753:2212:SyS_mmap()
CALLEND:1-4.tes-18753:2365:2c9b2d82941ad9df6ada92fe56572215
CALLSTART:1-4.tes-18753:3330:SyS_mmap()
CALLEND:1-4.tes-18753:3387:26087860ce47d7beb5d05cdbfaece99a
CALLSTART:1-4.tes-18753:3511:SyS_mmap()
CALLEND:1-4.tes-18753:3568:26087860ce47d7beb5d05cdbfaece99a
CALLSTART:1-4.tes-18753:3691:SyS_mmap()

SLIDE 8

Tracing Data

SyS_lseek()
__fdget_pos()
__fget_light()
btrfs_file_llseek [btrfs]()
_mutex_lock()
rt_mutex_lock()
generic_file_llseek()
generic_file_llseek_size()
migrate_disable()
preempt_count_add()
pin_current_cpu()
preempt_count_sub()
rt_spin_lock()
rt_spin_unlock()
migrate_enable()
preempt_count_add()
unpin_current_cpu()
preempt_count_sub()
_mutex_unlock()
rt_mutex_unlock()

SLIDE 9

Metadata

/home/andi/project/posixtestsuite/conformance/interfaces/shm_open/26-2.test
ASYNCSTART:587, __do_page_fault()
ASYNCEND:664
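An added parser for the metadata records shown on slides 7 and 9 (example code, not part of the DB4SIL2 tool). The record layout is read off the slides: CALLSTART:<comm>-<pid>:<trace line>:<syscall>(), CALLEND:<comm>-<pid>:<trace line>:<path hash>, ASYNCSTART:<trace line>, <handler>() and ASYNCEND:<trace line>; the sample is assembled from the slides' own lines.

```python
import re

# Constructed sample: a subset of the sigdelset/1-4 records followed by the
# shm_open/26-2 page fault, which occurs outside any traced syscall.
SAMPLE = """\
/home/andi/project/posixtestsuite/conformance/interfaces/sigdelset/1-4.test
CALLSTART:1-4.tes-18753:1155:SyS_open()
ASYNCSTART:1407, smp_reschedule_interrupt()
ASYNCEND:1409
CALLEND:1-4.tes-18753:1560:3bce71a2da4d26eac1d41a2448a83750
CALLSTART:1-4.tes-18753:3330:SyS_mmap()
CALLEND:1-4.tes-18753:3387:26087860ce47d7beb5d05cdbfaece99a
CALLSTART:1-4.tes-18753:3511:SyS_mmap()
CALLEND:1-4.tes-18753:3568:26087860ce47d7beb5d05cdbfaece99a
ASYNCSTART:587, __do_page_fault()
ASYNCEND:664
"""
CALL_RE = re.compile(r"^(CALLSTART|CALLEND):([^:]+):(\d+):(.+)$")

def parse_metadata(text):
    """First line is the test path; then CALL*/ASYNC* records in trace order."""
    lines = text.splitlines()
    out = {"test": lines[0], "calls": [], "async_outside": []}
    cur = pending = None
    for line in lines[1:]:
        m = CALL_RE.match(line)
        if m and m.group(1) == "CALLSTART":
            cur = {"syscall": m.group(4), "start": int(m.group(3)), "async": []}
        elif m:                      # CALLEND: close the open syscall record
            out["calls"].append(dict(cur, end=int(m.group(3)), path_hash=m.group(4)))
            cur = None
        elif line.startswith("ASYNCSTART:"):
            pos, handler = line[len("ASYNCSTART:"):].split(", ", 1)
            pending = {"handler": handler, "start": int(pos)}
        elif line.startswith("ASYNCEND:"):
            pending["end"] = int(line[len("ASYNCEND:"):])
            # an event inside a syscall belongs to that call, else to the test
            (cur["async"] if cur else out["async_outside"]).append(pending)
            pending = None
    return out

def summarize(calls):
    """Per syscall: distinct path hashes (path coverage) and calls hit by an
    asynchronous event, whose paths must be kept apart from undisturbed runs."""
    s = {}
    for c in calls:
        e = s.setdefault(c["syscall"], {"paths": set(), "perturbed": 0})
        e["paths"].add(c["path_hash"])
        e["perturbed"] += bool(c["async"])
    return s
```

On the sample the two SyS_mmap() calls share one path hash, so they count as a single covered path, while the SyS_open() record is flagged because a reschedule interrupt landed inside it.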

SLIDE 10

Path Comparison

- DB4SIL2: list of functions called by every function during tests.
- Static code analysis: list of functions that may be called by every function.
- Comparison: test coverage based on calls between functions.
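The comparison described above as an added example (not DB4SIL2's own code). It assumes the static callgraph is available as a caller-to-callees map and the trace as a set of observed (caller, callee) pairs; both inputs here are constructed from the function names on the "Tracing Data" slide, and the real NCC and trace file formats are not shown on this page.

```python
# Constructed call-edge data; the real inputs are the NCC callgraph (static
# may-call edges) and DB4SIL2 trace data (observed calls), formats not shown.
STATIC = {                         # caller -> functions it may call
    "SyS_lseek": {"__fdget_pos", "generic_file_llseek", "btrfs_file_llseek"},
    "generic_file_llseek": {"generic_file_llseek_size"},
    "btrfs_file_llseek": {"_mutex_lock", "generic_file_llseek", "_mutex_unlock"},
}
TRACED = {                         # (caller, callee) pairs seen in the trace
    ("SyS_lseek", "__fdget_pos"), ("__fdget_pos", "__fget_light"),
    ("SyS_lseek", "btrfs_file_llseek"), ("btrfs_file_llseek", "_mutex_lock"),
    ("btrfs_file_llseek", "generic_file_llseek"),
    ("btrfs_file_llseek", "_mutex_unlock"),
    ("generic_file_llseek", "generic_file_llseek_size"),
}

def compare_paths(static, traced):
    """Per caller: may-call edges exercised by the tests, edges never taken,
    and traced edges the static callgraph does not know (e.g. indirect calls),
    which mean the static data is incomplete and must be fixed before any
    coverage figure derived from it can be trusted."""
    report = {}
    callers = set(static) | {caller for caller, _ in traced}
    for caller in sorted(callers):
        may = static.get(caller, set())
        did = {callee for c, callee in traced if c == caller}
        report[caller] = {
            "covered": may & did,
            "untested": may - did,
            "unexpected": did - may,
            "ratio": len(may & did) / len(may) if may else None,
        }
    return report

def edge_coverage(report):
    """Overall (exercised, total) count of statically known call edges."""
    total = sum(len(r["covered"]) + len(r["untested"]) for r in report.values())
    return sum(len(r["covered"]) for r in report.values()), total

if __name__ == "__main__":
    rep = compare_paths(STATIC, TRACED)
    for caller, r in rep.items():
        print(caller, r)
    print("edge coverage:", edge_coverage(rep))
```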

SLIDE 11

SLIDE 12

Comparison CFG ⇔ Trace (figure)

SLIDE 13

Comparison CFG ⇔ Trace (figure)

SLIDE 14

Comparison CFG ⇔ Trace (figure)

SLIDE 15

Comparison CFG ⇔ Trace (figure)

SLIDE 16

Comparison CFG ⇔ Trace (figure)

SLIDE 17

Hardened NooM Container (architecture figure; labels recovered)

- CPU 0: RAM bank 0..n
- CPU 1: RAM bank n+1..m
- CPU 2: RAM bank m+1..i
- CPU 3: RAM bank i+1..j
- SIL 0 Debian container: glibc, busybox; Monitoring
- SIL 2: Safety app. 32bit FP on glibc 32bit, confined with seccomp
- SIL 2: Safety app. 64bit INT on glibc 64bit, confined with seccomp
- SIL2LinuxMP base system

SLIDE 18

Independence of Layers

How to perform LOPA and show INDEPENDENCE of those different protection layers?

SLIDE 19

Independence of Layers

How to perform LOPA and show INDEPENDENCE of those different protection layers?

- Static code analysis
- Development data

SLIDE 20

Static Code Analysis

- Analyze functions called by subsystems (callgraphs)
- Find and analyze overlaps in callgraphs

SLIDE 21

Intersection of Configurations (Venn diagram)

- Baseconfig (BASE)
- Baseconfig+Seccomp (SEC)

SLIDE 22

Intersection outside of Baseconfig (Venn diagram)

- Baseconfig (BASE)
- Baseconfig+Seccomp (SEC)
- Baseconfig+CGROUPS (CGR)

(SEC ∩ CGR) \ BASE = ∅

SLIDE 23

Intersection in Baseconfig (Venn diagram)

- Baseconfig

SLIDE 24

Analysis of Subsystems (figure; labels: f3, RCU, atomic, new_funcs_base_both, funcs_base_both)

SLIDE 25

Preliminary Results

baseconfig: 20829
baseconfig+seccomp: 21401
seccomp: 572
baseconfig+cgroups: 21120
cgroups: 679
both_not_in_baseconfig: 0
funcs_base: 13792
funcs_base_seccomp: 7131
funcs_base_cgroups: 7391
funcs_base_both: 6665
rcu_funcs: 6511
atomic_funcs: 294
new_funcs_base_both: 185
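An added example (not the project's own analysis scripts) for the callgraph overlap of slides 20 and 22 and the first six numbers of the results above. It assumes each configuration's callgraph is a caller-to-callees map, that "seccomp" and "cgroups" on the slide are the functions each configuration reaches beyond the base config, and that the independence condition is (SEC ∩ CGR) \ BASE = ∅; the three callgraphs are constructed, not extracted from a kernel.

```python
# Constructed callgraphs (caller -> callees) for three kernel configurations;
# the real data is extracted per configuration by static analysis (NCC).
BASE = {"sys_open": {"do_sys_open"}, "do_sys_open": {"getname", "fd_install"},
        "getname": {"kmem_cache_alloc"}}
SEC = dict(BASE, sys_open={"do_sys_open", "secure_computing"},
           secure_computing={"seccomp_run_filters"},
           seccomp_run_filters={"bpf_prog_run"})
CGR = dict(BASE, fd_install={"cgroup_charge"}, cgroup_charge={"kmem_cache_alloc"})

def reachable(graph, roots):
    """All functions reachable from roots along call edges (iterative DFS)."""
    seen, stack = set(), list(roots)
    while stack:
        f = stack.pop()
        if f not in seen:
            seen.add(f)
            stack.extend(graph.get(f, ()))
    return seen

def config_overlap(base, sec, cgr, roots):
    """Counts as on the 'Preliminary Results' slide plus the independence
    check of the Venn diagram: (SEC ∩ CGR) \\ BASE must be empty, otherwise
    the two protection layers share code that is not part of the common base
    and a fault in that shared code can defeat both layers at once."""
    b, s, c = (reachable(g, roots) for g in (base, sec, cgr))
    return {
        "baseconfig": len(b),
        "baseconfig+seccomp": len(s), "seccomp": len(s - b),
        "baseconfig+cgroups": len(c), "cgroups": len(c - b),
        "both_not_in_baseconfig": sorted((s & c) - b),
    }

if __name__ == "__main__":
    print(config_overlap(BASE, SEC, CGR, ["sys_open"]))
```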

SLIDE 26

seccomp developers (count and name, as on the slide)

384 Kees Cook
255 Will Drewry
192 Andy Lutomirski
54 Linus Torvalds
52 Daniel Borkmann
52 Alexei Starovoitov
48 David Howells
30 AKASHI Takahiro
26 Andrea Arcangeli
5 Guenter Roeck
2 Thomas Gleixner
2 Roland McGrath
2 Ralf Baechle
2 Fabian Frederick
2 Eric Paris

SLIDE 27

cgroup developers (count and name, as on the slide; the three columns of the original are joined into one list)

1079 Paul Menage
505 Aristeu Rozanski
361 Li Zefan
258 Serge E. Hallyn
211 Ben Blum
203 Daniel Borkmann
178 KAMEZAWA Hiroyuki
149 Neil Horman
119 Vivek Goyal
116 Balbir Singh
106 Matt Helsley
59 Zefan Li
54 Daniel Lezcano
38 Mandeep Singh Baines
36 Johannes Weiner
33 Herbert Xu
27 Al Viro
21 Bob Liu
19 Peter Zijlstra
19 Daisuke Nishimura
17 Joe Perches
17 Divyesh Shah
16 Pavel Emelyanov
14 Namhyung Kim
13 John Fastabend
13 Cliff Wickman
12 Stephane Eranian
12 Jerry Snitselaar
11 Vladimir Davydov
11 Mike Galbraith
10 Hugh Dickins
10 Gao feng
9 Greg Kroah-Hartman
8 Gui Jianfeng
7 Michael S. Tsirkin
7 Jiri Slaby
7 Jens Axboe
7 Eric W. Biederman
7 Daniel Wagner
6 Lai Jiangshan
6 Jianyu Zhan
5 Srivatsa Vaddagiri
5 Jun’ichi Nomura
5 Alban Crequy
4 Thadeu Lima de Souza Cascardo
4 Kirill A. Shutemov
4 Anjana V Kumar
3 Thomas Graf
3 Frederic Weisbecker
3 David Howells
3 Dan Carpenter
2 eparis@redhat
2 Wanpeng Li
2 Stephen Rothwell
2 Sridhar Samudrala
2 Linus Torvalds
2 Jaswinder Singh Rajput
2 Dongsheng Yang
2 Diego Calleja
2 Aneesh Kumar K.V
2 Andrew Morton
2 Alexey Perevalov
2 Alexey Dobriyan
1 stephen hemminger
1 WANG Cong
1 SeongJae Park
1 Sasha Levin
1 Paul Gortmaker
1 Paul E. McKenney
1 Oleg Nesterov
1 Lucas De Marchi
1 Jiri Pirko
1 Jesper Juhl
1 H Hartley Sweeten
1 Fabian Frederick
1 Eric Dumazet
1 Bart Van Assche
1 Bandan Das
1 Arun Sharma
1 Adrian Bunk

SLIDE 28

Overlap (developers who appear in both lists)

SECCOMP                | CGROUPS
-----------------------+-----------------------
54 Linus Torvalds      | 2 Linus Torvalds
52 Daniel Borkmann     | 203 Daniel Borkmann
48 David Howells       | 3 David Howells
2 Fabian Frederick     | 1 Fabian Frederick

SLIDE 29

Questions?

Ask now, or e-mail me later! Andreas Platschek <andreas.platschek@opentech.at>
