SLIDE 1

Hyperkernel: Push-Button Verification of an OS Kernel

Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang

SLIDE 2

The OS Kernel is a critical component

  • Essential for application correctness and security
  • Kernel bugs can compromise the entire system

[Figure: a kernel with several apps running on top of it]

SLIDE 5

Formal verification: high correctness assurance

  • Write a spec of expected behavior
  • Prove that implementation matches the spec
  • Goal: how far can the proof burden be reduced?

Ironclad

Proof effort: 11 person years

SLIDE 7

Our result: Hyperkernel

  • Unix-like OS kernel, based on xv6
  • Fully automated verification using the Z3 solver
  • Functional correctness of system calls
  • Cross-cutting properties (e.g., process isolation)
  • Limitations:
    • Uniprocessor only
    • Initialization and glue code are unverified

SLIDE 8

Designing Hyperkernel for proof automation

xv6:

  • Syscall semantics contain loops and require writing loop invariants
  • Kernel pointers are difficult to reason about
  • C is difficult to model

Hyperkernel:

  • Finite interface
  • Separate user and kernel address spaces, with an identity mapping for the kernel
  • Verify the LLVM intermediate representation (IR) rather than the C source

SLIDE 13

Outline

  • Verification workflow
  • Finite interface design
  • Demo
  • Evaluation & lessons learned

SLIDE 15

Overview of verification workflow

[Figure: the syscall implementation is compiled to LLVM IR and fed to the verifier together with the state-machine specification (a transition from the pre state to the new state) and the declarative specification (a property P over kernel state); the verifier either reports a bug with a counterexample or answers OK, after which the IR is linked (ld) into the kernel image]

Cross-cutting properties (declarative specification):

  • Correctness of reference counters
  • Scheduler safety property
  • Process isolation: for any virtual address in a process p, if the virtual address maps to a page, that page must be exclusively owned by p.

SLIDE 31

Verification through symbolic execution

  • Goal: minimize the proof burden
    • No manual proofs or code annotations
  • Symbolic execution
    • A fully automated technique, widely used for bug finding
    • Gives full functional verification if the program is free of loops and its state is finite
    • Feasible when each unit of work is small enough for the solver
  • Hyperkernel approach: finite interface design

SLIDE 32

Overview of techniques

  • Safely push loops into user space
  • Explicit resource management
  • Decompose complex syscalls
  • Validate linked data structures
  • Smart SMT encodings

SLIDE 34

The sbrk() system call

void *sbrk(intptr_t increment)

Increments the program's data space by increment bytes: the program break (brk) moves up by increment within the user-space virtual address space.

[Figure: user-space virtual address space with brk and the increment]

Goal: redesign sbrk() while ensuring process isolation.

SLIDE 38

The sbrk() system call: Dealing with loops

void *sbrk(intptr_t increment)

[Figure: page table root → entry → 4K page]

An sbrk() of an arbitrary increment must loop over every new page, so Hyperkernel replaces it with a single-page primitive that user space calls in a loop instead:

void *sbrk_one_page()

SLIDE 42

The sbrk() system call: Decomposition

void *sbrk_one_page()

[Figure: four-level page-table walk for one page: PML4 table → entry → page directory pointer table → entry → page directory → entry → page table → entry → 4K page, with one call per level: alloc_pdpt(…), alloc_pd(…), alloc_pt(…), alloc_frame(…)]

Even sbrk_one_page() walks several page-table levels, so it is decomposed further into one system call per level:

int alloc_pdpt(int pml4, size_t index)
int alloc_pd(int pdpt, size_t index)
int alloc_pt(int pd, size_t index)
int alloc_frame(int pt, size_t index)

SLIDE 47

The sbrk() system call: Explicit allocation

[Figure: before, the app asks the kernel to alloc and the kernel (1) searches for a free page, (2) allocates it and (3) returns the page number; after, the app passes the page number it wants along with alloc and the kernel answers success or fail]

  • Kernel keeps track of per-page metadata: owner and type
  • User space searches for a free page; the kernel only validates the choice

SLIDE 49

The sbrk() system call: Finite interface

int alloc_pdpt(int pml4, size_t index, int free_pn)
int alloc_pd(int pdpt, size_t index, int free_pn)
int alloc_pt(int pd, size_t index, int free_pn)
int alloc_frame(int pt, size_t index, int free_pn)

  • Each call takes the free page number (free_pn) chosen by user space; the kernel validates it instead of searching
  • Any composition of these system calls maintains isolation:

For any virtual address in a process p, if the virtual address maps to a page, that page must be exclusively owned by p.
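
The C program below is an added example, not Hyperkernel's own code, written to show how the explicit-allocation and finite-interface design of the last three slides fits together with the counterexample-producing verifier of the workflow slides. It keeps per-page owner/type metadata, implements an alloc_frame() that only validates a caller-supplied free page number, states the process-isolation property as a predicate over kernel state, and then checks every sequence of up to three system calls exhaustively. Everything beyond the slides is an assumption chosen for illustration: the four-page model, one page-table page per process instead of the four-level walk, the `struct kstate` layout, the `buggy` switch that weakens the free-page check, and the `verify()`/`explore()` enumeration, which stands in for the real verifier's symbolic execution of LLVM IR with Z3.

```c
/* Added example, not Hyperkernel's code: a model of the finite allocation
 * interface (slides 47-49) plus a small exhaustive checker that plays the
 * role of the verifier (slides 21-29). Sizes, names and layout are assumed. */
#include <stdio.h>
#include <string.h>

#define NPAGES    4   /* physical pages in the model */
#define NPROC     2   /* pids 1..NPROC; owner 0 means unowned */
#define PT_SLOTS  2   /* entries per page-table page */
#define MAX_DEPTH 3   /* longest syscall sequence the checker explores */

enum ptype { PAGE_FREE, PAGE_PT, PAGE_FRAME };
struct page { enum ptype type; int owner; };         /* per-page metadata */
struct kstate {
    struct page pages[NPAGES];
    int entries[NPAGES][PT_SLOTS];   /* entries[pt][i] = mapped page or -1 */
    int root[NPROC + 1];             /* page-table page of each process */
};
struct call { int pid, pt, index, pn; };             /* one alloc_frame() call */

static void init_state(struct kstate *s) {
    memset(s, 0, sizeof *s);
    memset(s->entries, -1, sizeof s->entries);       /* every slot unmapped */
    for (int pid = 1; pid <= NPROC; pid++) {         /* pages 0 and 1: page tables */
        s->root[pid] = pid - 1;
        s->pages[pid - 1] = (struct page){ PAGE_PT, pid };
    }
}

/* User space found free_pn itself; the kernel only validates and updates
 * metadata, so there is no loop to verify. buggy != 0 weakens the free check
 * to "not a page table", the kind of slip the checker below should expose. */
static int alloc_frame(struct kstate *s, int pid, int pt, int index, int free_pn, int buggy) {
    if (pt < 0 || pt >= NPAGES || index < 0 || index >= PT_SLOTS) return -1;
    if (free_pn < 0 || free_pn >= NPAGES) return -1;
    if (s->pages[pt].type != PAGE_PT || s->pages[pt].owner != pid) return -1;
    if (s->entries[pt][index] != -1) return -1;
    if (buggy ? s->pages[free_pn].type == PAGE_PT : s->pages[free_pn].type != PAGE_FREE) return -1;
    s->pages[free_pn] = (struct page){ PAGE_FRAME, pid };
    s->entries[pt][index] = free_pn;
    return 0;
}

/* Declarative property (slide 26): every page a process maps is a frame that
 * process owns; owner is a single field, so ownership is exclusive. */
static int isolation_holds(const struct kstate *s) {
    for (int pid = 1; pid <= NPROC; pid++)
        for (int i = 0; i < PT_SLOTS; i++) {
            int pn = s->entries[s->root[pid]][i];
            if (pn >= 0 && (s->pages[pn].type != PAGE_FRAME || s->pages[pn].owner != pid))
                return 0;
        }
    return 1;
}

/* Stand-in for the verifier: from every reachable state try every call with
 * every argument, up to `limit` calls deep. Returns the length of the first
 * violating trace (written to trace) or 0 if the property always holds. */
static int explore(const struct kstate *s, int depth, int limit, struct call *trace, int buggy) {
    if (depth == limit) return 0;
    struct call c;
    for (c.pid = 1; c.pid <= NPROC; c.pid++)
    for (c.pt = 0; c.pt < NPAGES; c.pt++)
    for (c.index = 0; c.index < PT_SLOTS; c.index++)
    for (c.pn = 0; c.pn < NPAGES; c.pn++) {
        struct kstate next = *s;
        if (alloc_frame(&next, c.pid, c.pt, c.index, c.pn, buggy) != 0) continue; /* rejected */
        trace[depth] = c;
        if (!isolation_holds(&next)) return depth + 1;
        int n = explore(&next, depth + 1, limit, trace, buggy);
        if (n) return n;
    }
    return 0;
}

/* Iterative deepening, so the counterexample reported is a shortest one. */
static int verify(int buggy, struct call *trace) {
    struct kstate s;
    init_state(&s);
    for (int limit = 1; limit <= MAX_DEPTH; limit++) {
        int n = explore(&s, 0, limit, trace, buggy);
        if (n) return n;
    }
    return 0;
}

int main(void) {
    struct call t[MAX_DEPTH];
    printf("validating kernel: %s\n", verify(0, t) ? "VIOLATION" : "isolation holds");
    int n = verify(1, t);
    printf("weakened free check: %d-step counterexample\n", n);
    for (int i = 0; i < n; i++)
        printf("  alloc_frame(pid=%d, pt=%d, index=%d, free_pn=%d)\n",
               t[i].pid, t[i].pt, t[i].index, t[i].pn);
    return 0;
}
```

Run as is, the program reports that the validating kernel keeps isolation for every sequence of up to three calls, then prints the two-call counterexample for the weakened check: process 1 maps free page 2, and process 2 is then allowed to claim the same page because the weakened check only rejects page-table pages. The two design points from the slides are visible in the code: the kernel does constant-time validation with no search loop, and because the interface has no loops and the model state is finite the whole behaviour can be checked by enumeration, which is what makes the same job tractable for a symbolic checker on the real kernel.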

SLIDE 50

Implementation

Component                     Lines   Languages
Kernel implementation         7,616   C, assembly
State-machine specification     804   Python
Declarative specification       263   Python
Verifier                      2,878   C++, Python
User-space implementation    10,025   C, assembly

SLIDE 52

Demo

  • Hyperkernel in action
  • Catching a low-level bug, producing a stack trace
  • Catching a process isolation bug, producing a visualized counterexample

SLIDE 54

What was the development effort?

Adding and verifying a system call usually takes less than 1 hour:

  • Write a state machine specification
  • Relate LLVM data structures to abstract specification state
  • Write checks for the representation invariants, if needed

SLIDE 56

Is the design effective for scalable verification?

  • Verification takes 45 minutes on a single-core machine
  • 15 minutes on an 8-core Intel i7
  • Verification time is not sensitive to system parameters (e.g., the number of pages)
  • The design is effective for scalable verification

SLIDE 57

Conclusion

  • It is feasible to verify a simple Unix-like OS kernel
  • Automatic verification through symbolic execution
  • Make the interface finite
  • Decompose complex system calls to scale verification
  • Verifiability as a first-class system design concern
  • http://locore.cs.washington.edu/hyperkernel