hyperkernel push button verification of an os kernel
play

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, - PowerPoint PPT Presentation

Jun 26, 2023 •297 likes •871 views

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential for application correctness and

  1. Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang

  2. The OS Kernel is a critical component • Essential for application correctness and security • Kernel bugs can compromise the entire system App App App Kernel

  5. Formal verification: high correctness assurance • Write a spec of expected behavior • Prove that implementation matches the spec IronClad • Goal: How much can we minimize the proof burden

  6. Formal verification: high correctness assurance • Write a spec of expected behavior • Prove that implementation matches the spec IronClad Proof effort: 11 person years • Goal: How much can we minimize the proof burden

  7. Our result: Hyperkernel • Unix-like OS kernel: based on xv6 • Fully automated verification using the Z3 solver • Functional correctness of system calls • Crosscutting properties (e.g., process isolation) • Limitations: • Uniprocessor • Initialization & glue code unverified

  8. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user and kernel spaces & reason about identity mapping for the kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  9. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user and kernel spaces & reason about identity mapping for the kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  10. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  11. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  12. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  13. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  14. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  15. Overview of verification workflow Syscall Implementation

  16. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  17. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  18. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  19. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  20. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  21. Overview of verification workflow State Machine Specification pre Verifier old new Syscall Implementation LLVM

  22. Overview of verification workflow Counterexample old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  23. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  24. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  25. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  26. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre For any virtual address in a process p, Verifier old new if the virtual address maps to a page the page must be exclusively owned by p. Syscall Implementation LLVM

  27. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre For any virtual address in a process p, Verifier old new if the virtual address maps to a page the page must be exclusively owned by p. Syscall Implementation LLVM

  28. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  29. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation OK LLVM Kernel Image

  30. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  31. Verification through symbolic execution • Goal: Minimize proof burden • No manual proofs or code annotations • Symbolic execution • Fully automated technique, used in bug-finding • Full functional verification if program is free of loops and state is finite • Feasible when units of work sufficiently small for solving • Hyperkernel approach: Finite interface design

  32. Overview of techniques • Safely push loops into user space • Explicit resource management • Decompose complex syscalls • Validate linked data structures • Smart SMT encodings

  33. Overview of techniques • Safely push loops into user space • Explicit resource management • Decompose complex syscalls • Validate linked data structures • Smart SMT encodings

  34. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space brk

  35. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes increment brk

  36. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes brk

  37. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes brk Goal: Redesign sbrk(); ensuring process isolation.

  38. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment)

  39. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment )

  40. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment ) page table root entry 4K page

  41. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment) void * sbrk_one_page () page table root entry 4K page

  42. The sbrk() system call: Decomposition void *sbrk_one_page() page table root entry 4K page

  43. The sbrk() system call: Decomposition void *sbrk_one_page() page directory page directory page table PML4 table page table entry entry entry entry 4K page

  44. The sbrk() system call: Decomposition void *sbrk_one_page() alloc_pd (…) alloc_pdpt (…) alloc_pt (…) alloc_frame (…) page directory page directory page table PML4 table page table entry entry entry entry 4K page

  45. The sbrk() system call: Decomposition void *sbrk_one_page() alloc_pd (…) alloc_pdpt (…) alloc_pt (…) alloc_frame (…) page directory page directory page table PML4 table page table entry entry entry entry 4K page

  46. The sbrk() system call: Decomposition int alloc_pdpt (int pml4, size_t index) int alloc_pd (int pdpt, size_t index) int alloc_pt (int pd, size_t index) int alloc_frame (int pt, size_t index)

  47. The sbrk() system call: Explicit allocation 2 Search for 1 free page alloc App Kernel page# 3

  48. The sbrk() system call: Explicit allocation • Kernel keeps track of per-page metadata: owner/type • User space searches for free page; kernel validates alloc, page# App Kernel success/fail

  49. The sbrk() system call: Finite Interface int alloc_pdpt(int pml4, size_t index, int free_pn ) int alloc_pd(int pdpt, size_t index, int free_pn ) int alloc_pt(int pd, size_t index, int free_pn ) int alloc_frame(int pt, size_t index, int free_pn ) • Any composition of these system calls maintains isolation For any virtual address in a process p, if the virtual address maps to a page the page must be exclusively owned by p.

  50. Implementation Component Lines Languages Kernel implementation 7,616 C, assembly State-machine specification 804 Python Declarative specification 263 Python Verifier 2,878 C++, Python User-space implementation 10,025 C, assembly

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James Bornholt, Emina Torlak, Xi Wang University of Washington 1 / 24 File systems are hard to get right Complex hierarchical on-disk data structures

799 views • 43 slides
Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan Johnson, Helgi Sigurbjarnarson, Emina Torlak, Xi Wang, Kaiyuan Zhang OSes are everywhere OSes (& bugs) are everywhere Goals Develop

289 views • 15 slides
Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al

Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al

Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al Zimmerschied NMRA 2015 National Convention Portland Oregon August 23-29, 2015 1 Forced to move, the Boeing Employees Model Railroad Club (BEMRRC)

656 views • 43 slides
push button, send product - Configuration, Version, and Release Management Sommerville,

push button, send product - Configuration, Version, and Release Management Sommerville,

push button, send product - Configuration, Version, and Release Management Sommerville, Chapter 29 Instructor: Peter Baumann email: p.baumann@jacobs-university.de tel: -3178 "Good, Fast, Cheap: office: room 88, Research 1

363 views • 20 slides
Push Button A or is it B? Alarming design Real consequences for real people If you are

Push Button A or is it B? Alarming design Real consequences for real people If you are

Push Button A or is it B? Alarming design Real consequences for real people If you are delivering a system or product, you should set up a register of hazards containing information about each hazard. 16.2.2 a Can we find some hazards?

769 views • 66 slides
Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Towards Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal Fontaine Stephan Schulz Uwe Waldmann Vision: Take the Hard Labor out of Vision: Interactive Verification Push button automation for

263 views • 14 slides
Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More

Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More

Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More Choice = Good Thing A Complement to Public Transit UBER + PSTA Pinellas Suncoast Transit Authority pays half the cost of any trip (up to $6) to or

354 views • 7 slides
Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage,

Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage,

Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage, February 21, 2012 - Public - Dynamic Services for Infrastructure, Version 2.0 July, 2011 1 The cloud is out there. But what's inside?

516 views • 22 slides
Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction

Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction

Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction Levels Product Offering Sprinter 50 (Standard / US) Sprinter 150 Art. No. 762628 / 764686 Art. No. 762629 Sprinter 50, 2.0 mm,

249 views • 11 slides
SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What

SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What

SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What is SoCGen? - System on Chip (SoC) design automation tool Motivation - Facilitate SoC design - Reduce time-to-fabrication - Making use of the

563 views • 22 slides
Button Click Many ways use Button in Android SetOnClickListener (just click button)

Button Click Many ways use Button in Android SetOnClickListener (just click button)

Button Click Many ways use Button in Android SetOnClickListener (just click button) SetOnLongClickListener (on long press) SetOnTouchListener (until button is pressed) OnClick (simple click using XML) Many other ways

470 views • 30 slides
SI232 push(2) SlideSet #4: Procedures push(1) (more Chapter 2) pop() pop() push(6) pop()

SI232 push(2) SlideSet #4: Procedures push(1) (more Chapter 2) pop() pop() push(6) pop()

Stack Example Action Stack Output push(3) SI232 push(2) SlideSet #4: Procedures push(1) (more Chapter 2) pop() pop() push(6) pop() pop() pop() Procedure Example & Terminology Big Picture Steps for Executing a Procedure 1.

244 views • 12 slides
seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . . seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure

169 views • 16 slides
HV302 Hands-on Training HV302 Controls Scan Button Rotation Button Scan Button Rotation Button

HV302 Hands-on Training HV302 Controls Scan Button Rotation Button Scan Button Rotation Button

January 2015 HV302 Hands-on Training HV302 Controls Scan Button Rotation Button Scan Button Rotation Button Slope/Alignment Buttons HI-/Manual- Standby - LED Level-LED Battery Status LED Power Button Manual/Single Slope Mode/ Standby

612 views • 38 slides
1 Push-down Automata A push-down automaton is a finite automaton with an additional last-in

1 Push-down Automata A push-down automaton is a finite automaton with an additional last-in

1 Push-down Automata A push-down automaton is a finite automaton with an additional last-in first-out push-down stack; anything read from the stack is immediately de- stroyed. Push-down automata are partway to a Turing machine. Push-down

428 views • 4 slides
Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge

Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge

Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge ff en, Emina Torlak, and Xi Wang BPF is used throughout the kernel Many uses for BPF: tracing, networking, security, etc. In-kernel JIT

849 views • 48 slides
Challenges in Pre-Operative I have no disclosures Evaluation Geoff Stetson, MD Assistant

Challenges in Pre-Operative I have no disclosures Evaluation Geoff Stetson, MD Assistant

Challenges in Pre-Operative I have no disclosures Evaluation Geoff Stetson, MD Assistant Professor of Medicine, UCSF Hospitalist, San Francisco VA Medical Center Special Thanks Roadmap Heather Nye, MD, PhD Overview of pre-op

773 views • 20 slides
WEBINAR November 29, 2018 1 Webinar Logistics Webinar will last approximately 90 minutes

WEBINAR November 29, 2018 1 Webinar Logistics Webinar will last approximately 90 minutes

N E W L O N G - T E R M R E N T A L A S S I S T A N C E C O N T R A C T S F O R T H E P R E S E R V A T I O N O F P R E - 1 9 7 4 S E C T I O N 2 0 2 D I R E C T L O A N P R O P E R T I E S WEBINAR November 29, 2018 1 Webinar

649 views • 23 slides
Clojure und core.logic ...hello to the world of logic programming christian.meichsner@xelog.com

Clojure und core.logic ...hello to the world of logic programming christian.meichsner@xelog.com

Clojure und core.logic ...hello to the world of logic programming christian.meichsner@xelog.com 25. Februar 2014 Visual Index Clojure and me Dark is life, dark is death What is logic programming LISP & Clojure Primer Logic programming

523 views • 39 slides
Useful Rails Concepts May 20, 2013 1 Yet another list Rails API, active_model_serializers,

Useful Rails Concepts May 20, 2013 1 Yet another list Rails API, active_model_serializers,

Useful Rails Concepts May 20, 2013 1 Yet another list Rails API, active_model_serializers, JSON API, Ember.Data, token access Rails 2, Rails 3, Rails 4 RubyMine Rails Admin, Active Admin kaminari, paging gem

548 views • 23 slides
CS7015 (Deep Learning) : Lecture 9 Greedy Layerwise Pre-training, Better activation functions,

CS7015 (Deep Learning) : Lecture 9 Greedy Layerwise Pre-training, Better activation functions,

CS7015 (Deep Learning) : Lecture 9 Greedy Layerwise Pre-training, Better activation functions, Better weight initialization methods, Batch Normalization Mitesh M. Khapra Department of Computer Science and Engineering Indian Institute of

1.19k views • 69 slides
CS 170: Algorithms Prof David Wagner. Slides edited from a version created by Prof. Satish Rao.

CS 170: Algorithms Prof David Wagner. Slides edited from a version created by Prof. Satish Rao.

CS 170: Algorithms Prof David Wagner. Slides edited from a version created by Prof. Satish Rao. For UC-Berkeley CS170 Fall 2014 students use only. Do not re-post or distribute David Wagner (UC Berkeley) CS 170: Fall 2014 September 19, 2014 1

623 views • 14 slides
RAA 2019 ANNUAL CONVENTION PRE-CONFERENCE EXHIBITOR WEBINAR WELCOME! Wednesday, August 7, 2019

RAA 2019 ANNUAL CONVENTION PRE-CONFERENCE EXHIBITOR WEBINAR WELCOME! Wednesday, August 7, 2019

RAA 2019 ANNUAL CONVENTION PRE-CONFERENCE EXHIBITOR WEBINAR WELCOME! Wednesday, August 7, 2019 10:00 AM CST/11:00 AM EST RAA 2019 44th Annual Convention - September 4-7, 2019 AGENDA Exhibit Hall Schedule Raffle Nashville Map

215 views • 19 slides
Outline Public-key crypto basics CSci 5271 Introduction to Computer Security Announcements Day

Outline Public-key crypto basics CSci 5271 Introduction to Computer Security Announcements Day

Outline Public-key crypto basics CSci 5271 Introduction to Computer Security Announcements Day 16: Cryptography part 2: public-key Stephen McCamant Public key encryption and signatures University of Minnesota, Computer Science &

465 views • 5 slides

More recommend