muen an x86 64 separation kernel for high assurance
play

Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki - PowerPoint PPT Presentation

Nov 23, 2022 •509 likes •784 views

Outline Introduction Implementation Analysis Conclusion Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil

  1. Outline Introduction Implementation Analysis Conclusion Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger Institute for Internet Technologies and Applications University of Applied Sciences Rapperswil August 29, 2013 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  2. Outline Introduction Implementation Analysis Conclusion Outline 1 Introduction Background Motivation Goals 2 Implementation Overview Subsystems 3 Analysis Separation 4 Conclusion Results Future Work Questions Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  3. Outline Introduction Implementation Analysis Conclusion Virtualization Virtualization performed by virtual machine monitor (VMM) Virtual Machine Virtual Machine VMM Hosting OS VMM Hardware Hardware (a) Type I, native or bare (b) Type II or hosted VMM. metal VMM. Runs directly The VMM runs on top of a on the hardware in the most conventional operating privileged processor mode. system and uses OS services. Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  4. Outline Introduction Implementation Analysis Conclusion Intel Virtualization Technologies VT-x is Intel’s technology for virtualization on the x86 platform Virtual machine state stored in virtual-machine control structure (VMCS) Virtual-machine extensions (VMX) provide CPU instructions to manage VMCS VMM runs in VMX root mode Virtual machines run in VMX non-root mode Hardware assisted virtualization simplifies implementation of VMM Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  5. Outline Introduction Implementation Analysis Conclusion SPARK Precisely defined programming language based on Ada Intended for writing high integrity and security software Program and proof annotations as Ada comments Allows proof of absence of runtime errors Allows partial proof of correctness Industrial usage in Avionics, Space, Medical Systems and Military type Color_Type is (Red , Green , Blue); 1 2 procedure Exchange (X, Y: in out Color_Type); 3 --# derives X from Y & 4 --# Y from X; 5 --# post X = Y ∼ and Y = X ∼ ; 6 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  6. Outline Introduction Implementation Analysis Conclusion Separation Kernel Concept introduced by John Rushby (1981) Partition system into multiple subjects which behave as if they were running on dedicated hardware Kernel must guarantee component separation Ideal as basis for a component-based system No channels for information flow between components other than those explicitly provided Partitioning and isolation of resources (CPU, memory, devices, . . . ) Static configuration during integration Only includes necessary features → small TCB Well suited for formal verification Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  7. Outline Introduction Implementation Analysis Conclusion Motivation Currently available (monolithic) systems unsuitable Implementation suitable for high assurance systems Increase confidence in systems built with COTS hardware Public sources and documentation enable third-party review Many advances in Intel hardware support for virtualization Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  8. Outline Introduction Implementation Analysis Conclusion Goals Open-source separation kernel (GPLv3+) Implementation in SPARK Proof of absence of runtime errors Small code size Reduction to essential functionality Leverage latest hardware features of Intel platform (VT-x, EPT, VT-d, . . . ) Target platform is 64-bit Intel Only allow intended data flows Prevent or limit possible side-/covert channels Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  9. Outline Introduction Implementation Analysis Conclusion Architecture Kernel guarantees subject isolation Spatial isolation by memory management, VT-x Temporal isolation by scheduling Native VM Subject Subject Muen Separation Kernel Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  10. Outline Introduction Implementation Analysis Conclusion Policy Specifies system configuration Hardware of target platform Kernel configuration Subject configuration Scheduling plans skpolicy tool compiles XML to SPARK sources <subject id="2" name="crypter" profile="native" cpu="2" 1 pml4_address ="270000" io_bitmap_address ="274000" msr_bitmap_address ="276000"> & crypterinit ; 2 <memory_layout > 3 & cryptermem; 4 <!-- crypter request page --> 5 <memory_region physical_address ="29 d000" 6 virtual_address ="10000" size="4k" alignment="4k" writable="false" executable ="false" memory_type ="WB"/> Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  11. Outline Introduction Implementation Analysis Conclusion Scheduler I Fixed cyclic scheduler Use of VMX preemption timer VMX root VMX non-root Scheduling Plan VM exit Subject Kernel Main Scheduler VM enter Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  12. Outline Introduction Implementation Analysis Conclusion Scheduler II Major frame consisting of minor frames Minor frames specify subject and time slice in ticks Scheduling plan specifies minor frames per logical CPU τ 0 subject can switch scheduling plan Major frame Minor 1 Minor 2 Minor 3 Minor 4 Subject 1 Subject 2 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  13. Outline Introduction Implementation Analysis Conclusion Scheduler III <major_frame > 1 <cpu > 2 <minor_frame subject_id ="0" ticks="200"/> 3 </cpu > 4 <cpu > 5 <minor_frame subject_id ="1" ticks="40"/> 6 <minor_frame subject_id ="2" ticks="80"/> 7 <minor_frame subject_id ="1" ticks="40"/> 8 <minor_frame subject_id ="2" ticks="40"/> 9 </cpu > 10 </ major_frame > 11 Major frame 1 Major frame 2 CPU0 CPU1 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  14. Outline Introduction Implementation Analysis Conclusion Traps Transition to VMX root mode is called a trap Policy specifies per-subject trap table Trap causes subject handover according to policy Trap may inject interrupt in destination subject Reserved traps are handled differently VMX preemption timer External interrupt Interrupt window Hypercall Virtualization using ”Trap and Emulate” <trap_table > 1 <entry kind="*" dst_subject ="sm" dst_vector="36"/> 2 </trap_table > 3 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  15. Outline Introduction Implementation Analysis Conclusion External Interrupts Policy assigns devices to subjects Setup of interrupt routing according to policy Subject 4 Inject event 2 VM exit Muen SK 1 IRQ Device 3 Handle IRQ 1 External interrupts cause traps on designated CPU 2 Kernel adds pending event to destination subject 3 Pending events are injected on resumption of subject 4 Subject handles injected event as interrupt Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  16. Outline Introduction Implementation Analysis Conclusion Event Handling Event is a hypercall triggered by subject using VMCALL instruction Policy specifies per-subject event table Handover events transfers execution to destination subject optionally injecting an interrupt Interrupt events inject interrupt in destination subject with optional IPI <event_table > 1 <interrupt event="1" dst_subject ="s2" dst_vector ="33" 2 send_ipi="true"/> <handover event="2" dst_subject ="s3"/> 3 </ event_table > 4 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  17. Outline Introduction Implementation Analysis Conclusion Multicore Kernel starts on bootstrap processor (BSP) BSP starts application processors (APs) All CPUs synchronize on major frame changes System Memory Muen SK Muen SK INIT-SIPI-SIPI CPU storage CPU storage Stack Stack LAPIC LAPIC CPU0 CPU1 BSP AP Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  18. Outline Introduction Implementation Analysis Conclusion Inter-Core Events Request page Subject Subject Response page 1 4 2 3 Muen SK Muen SK IPI Handle Hypercall Handle Hypercall LAPIC LAPIC CPU0 CPU1 Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

  19. Outline Introduction Implementation Analysis Conclusion Demo Untrusted VM subject running MIT’s xv6 OS Native VT subject provides virtual terminals and keyboard Native subject monitor (SM) observes xv6 subject Emulates port I/O Halts xv6 on invalid operation Native crypter provides hashing service Inter-subject communication using shared memory pages Signalisation using event mechanism Subject Crypter VT xv6 VM Monitor Native Native Native Muen Separation Kernel Reto Buerki, Adrian-Ken Rueegsegger Muen Separation Kernel

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Muen Design Inzemamul Haque 25 Nov 2016 Introduction Muen is an open-source separation

Muen Design Inzemamul Haque 25 Nov 2016 Introduction Muen is an open-source separation

Muen Design Inzemamul Haque 25 Nov 2016 Introduction Muen is an open-source separation kernel for x86 platform Uses Intel hardware support for virtualization What Muen does? Takes a policy as input and works according to it

622 views • 32 slides
Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17

Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17

Introduction Muen Intel Virtualization Support Challenges Approach Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17 July 2017 Introduction Muen Intel Virtualization Support Challenges

272 views • 25 slides
Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop

Separation Kernel Protection Profile Revisited: Choices and Rationale Layered Assurance Workshop 2010 Austin, Texas Timothy Levin, Thuy Nguyen, Cynthia Irvine, Michael McEvilley LAW 2010 Overview Purpose Help users of SKPP understand

383 views • 17 slides
The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals

The Quest-V Separation Kernel Richard West richwest@cs.bu.edu Computer Science Goals Develop system for high-confidence (embedded) systems Mixed criticalities (timeliness and safety) Predictable real-time support

547 views • 41 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #10: Kernel Functions and Support Vector Machines (SVMs) x 1 x 1 Machine Learning (COMP 135): M. Allen, 07 Oct. 19 Linear classification with a perceptron or logistic function look for a dividing line in } the

162 views • 5 slides
Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Fragile Separation Robust Separation x 2 x 2 x 2 x 2 New data x 1 x 1 x 1 x 1 } What

Data Separation x 2 x 2 Class #13: Support Vector Machines (SVMs) and Kernel Functions x 1 x 1 Machine Learning (COMP 135): M. Allen, 02 Mar. 20 Linear classification with a perceptron or logistic function look for a dividing line in } the

170 views • 6 slides
Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2

Audio separation Spectrogram models Results Conclusion Kernel Spectrogram Models for source separation Antoine Liutkus 1 , Zafar Rafii 2 , Bryan Pardo 2 Derry Fitzgerald 3 , Laurent Daudet 4 1 Inria, Universit e de Lorraine, LORIA, UMR 7503,

197 views • 18 slides
Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

1.16k views • 67 slides
PROCESS : SEPARATION ASSURANCE 30/05/2014 Context Introduction Dynamic Modeling of the ATC

PROCESS : SEPARATION ASSURANCE 30/05/2014 Context Introduction Dynamic Modeling of the ATC

HYBRID MODELING AND AUTOMATION OF AIR TRAFFIC CONTROLLER DECISION PROCESS : SEPARATION ASSURANCE 30/05/2014 Context Introduction Dynamic Modeling of the ATC Process Aircraft Dynamic Model for Flight Management System

492 views • 48 slides
CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410

1 CAN CLOUD COMPUTING SYSTEMS OFFER HIGH ASSURANCE WITHOUT LOSING KEY CLOUD PROPERTIES? CS6410 Ken Birman, Cornell University High Assurance in Cloud Settings 2 A wave of applications that need high assurance is fast approaching

672 views • 40 slides
Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege

Paper-Reading-Group Nested Kernel: An Operating System Architecture for Intra-Kernel Privilege Separation Nathan Dautenhahn, Theodoros Kasampalis, Will Dietz, John Criswell, and Vikram Adve Nested Kernel - Motivation Monoliths have single

398 views • 17 slides
Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West,

Introduction Quest-V Overview Inter-Sandbox Communication Predictable Migration Conclusions Predictable Communication and Migration in the Quest-V Separation Kernel Ye Li, Richard West, Zhuoqun Cheng, Eric Missimer Boston University 1 / 29

870 views • 29 slides
Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth

Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth

Data Assurance in Opaque Computations High Assurance Systems Engineering Guy Haworth guy.haworth@bnc.oxon.org 1 Data Assurance - ACG12, 2009-05-11 Topics Motivation Systems Engineering Cycle Definition: the Problem Domain and the

824 views • 27 slides
A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric

Introduction Architecture Performance Conclusions Ongoing and Future Work A Virtualized Separation Kernel for Mixed Criticality Systems Ye Li, Richard West and Eric Missimer Boston University March 2nd, 2014 Introduction Architecture

449 views • 21 slides
Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory

Xenon: High-Assurance Xen John McDermott John.McDermott@NRL.Navy.Mil Naval Research Laboratory Center for High-Assurance Computer Systems http:/ / chacs.nrl.navy.mil Xenon Xen Beyond Buffer Overflows high-assurance Policy flaws Use the

565 views • 24 slides
High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B.

High-Assurance and High-Speed Cryptographic Implementations Using the Jasmin Language J.B. Almeida, M. Barbosa, G. Barthe, B. Grgoire, A. Koutsos , V. La- porte, T. Oliveira, P-Y. Strub Octobre 9th, 2019 1 Context 2 Context Cryptographic

985 views • 57 slides
No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing

No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing

IEEE S&amp;P 2016 No Pardon for the Interruption: New Inference Attacks on Android Through Interrupt Timing Analysis May 24, 2016 Wenrui Diao , Xiangyu Liu, Zhou Li, and Kehuan Zhang 2/18 Motivation -- Hardware and Kernel Mobile platform

700 views • 21 slides
Silberschatz and Galvin Chapter 2 Computer-System Structures CPSC 410-501 Fall 1994 01/19/99 1

Silberschatz and Galvin Chapter 2 Computer-System Structures CPSC 410-501 Fall 1994 01/19/99 1

CPSC 410-Richard Furuta Silberschatz and Galvin Chapter 2 Computer-System Structures CPSC 410-501 Fall 1994 01/19/99 1 Topics CPU/Device interface I/O structure Storage structure and hierarchy Hardware protection CPSC 410-501

689 views • 14 slides
UMBC A B M A L T F O U M B C I M Y O R T 1 (April 24, 2002) I E S R C E

UMBC A B M A L T F O U M B C I M Y O R T 1 (April 24, 2002) I E S R C E

Systems Design &amp; Programming Interrupts I CMPE 310 Interrupts Interrupt processing is an alternative to polling. Executing task on the Microprocessor Main program Keyboard ISR Printer ISR Time The Intel microprocessors support hardware

394 views • 25 slides
Embedded systems &amp; the Nios II soft core processor A Nios II processor system I equivalent to

Embedded systems &amp; the Nios II soft core processor A Nios II processor system I equivalent to

Embedded systems &amp; the Nios II soft core processor A Nios II processor system I equivalent to a microcontroller or System on a chip (SoC) The Nios II processor family consits of two configurable 32-bit Harvard architecture cores Fast (/f

121 views • 10 slides
PIC Timers And Interrupts ECE Senior Design 23 February 2017 Timers in the PIC16F18324

PIC Timers And Interrupts ECE Senior Design 23 February 2017 Timers in the PIC16F18324

PIC Timers And Interrupts ECE Senior Design 23 February 2017 Timers in the PIC16F18324 TMR0: 8/16-bit timer/counter with 15-bit Prescaler TMR1: 16-bit timer/counter with external enable TMR2: 8-bit timer with 8-bit Period

722 views • 25 slides
MA/CSSE 473 Day 31 Optimal BSTs MA/CSSE 473 Day 31 REMINDER: You may NOT use a late day

MA/CSSE 473 Day 31 Optimal BSTs MA/CSSE 473 Day 31 REMINDER: You may NOT use a late day

MA/CSSE 473 Day 31 Optimal BSTs MA/CSSE 473 Day 31 REMINDER: You may NOT use a late day for HW 12 Take-home exam available by Oct 29 (Friday) at 9:55 AM, due Nov 1 (Monday) at 8 AM. Part 1 is available now. (Look at the

203 views • 8 slides
Balanced Binary Search Trees Balanced Binary Search Trees height is O(log n), where n is the

Balanced Binary Search Trees Balanced Binary Search Trees height is O(log n), where n is the

Balanced Binary Search Trees Balanced Binary Search Trees height is O(log n), where n is the Indexed AVL trees number of elements in the tree Indexed red-black trees AVL (Adelson-Velsky and Landis) Indexed operations also

253 views • 6 slides
Red-Black Trees Outline From (2,4) trees to Red-Black trees Definition and height

Red-Black Trees Outline From (2,4) trees to Red-Black trees Definition and height

Red-Black Trees Outline From (2,4) trees to Red-Black trees Definition and height Search Insertion Restructuring Recoloring Deletion Restructuring Recoloring Adjustment Red-Black Trees 2 (2,4)

735 views • 22 slides

More recommend