park ϋ ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU) http://uberspark.org
Introduction Motivating. Ex. Arch. Impl. Verif. Results Perf. Concl. Problem • Extensible Hypervisors raise significant security concerns • Number of bugs goes up with code size • Number of bugs goes up with frequency of updates • Number of bugs goes up with logical complexity • Number of bugs goes up with control-flow complexity • Both complex VMMs and micro-hypervisors are prone to bugs • E.g., VMware [VMSA-2009-006,Cloudburst], Xen [CVE-2008-3687], SecVisor [Franklin et. Al,2010] • Verified hypervisor is accompanied by proof of desirable (security) properties park ϋ ber Enforcing Verifiable Object Abstractions for Automated 2 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Introduction Motivating. Ex. Arch. Impl. Verif. Results Perf. Concl. Why aren’t we already doing this? • Cost of verification grows with Compositionality • The size of the code-base • The number of separate components • The number of configurations • The rate of revisions Commodity Compatibility • Benefit of verification shrinks with • Steep learning curve of developer-unwieldy programming • Lack of commodity hardware integration • Magnitude of the runtime overhead Performance park ϋ ber Enforcing Verifiable Object Abstractions for Automated 3 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Introduction Motivating. Ex. Arch. Impl. Verif. Results Perf. Concl. Why do this now? • Formal C static analysis tools are very practical [Frama-C] • Certifiable compilation tools [Compcert] are practical for moderate module sizes • It’s trendy! [seL4, IronClad, IronFleet, FSCQ, mCertiKOS] park ϋ ber Enforcing Verifiable Object Abstractions for Automated 4 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Motivating Example Intro. Arch. Impl. Verif. Results Perf. Concl. An extensible hypervisor Guest sysclog hyperdep ropdet aprvexec C + Assembly Hypervisor MMU Network VMX MSRs Hardware park ϋ ber Enforcing Verifiable Object Abstractions for Automated 5 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Motivating Example Intro. Arch. Impl. Verif. Results Perf. Concl. Challenge-1: Code size vs. HW de-privileging Guest Guest sysclog hyperdep sysclog hyperdep aprvexec ropdet aprvexec ropdet Network Hypervisor MMU Network MMU VMX MSRs Hypervisor VMX MSRs Hardware Performance Hardware park ϋ ber Enforcing Verifiable Object Abstractions for Automated 6 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Motivating Example Intro. Arch. Impl. Verif. Results Perf. Concl. Challenge-2: Continuous Development Guest hyperdep hyperdep sysclog hyperdep hyperdep ropdet ropdet aprvexec aprvexec ropdet Hypervisor MMU Network MMU Network MMU VMX MSRs VMX Hardware park ϋ ber Enforcing Verifiable Object Abstractions for Automated 7 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Motivating Example Intro. Arch. Impl. Verif. Results Perf. Concl. Challenge-3: Shared Resources Guest sysclog hyperdep ropdet aprvexec Hypervisor MMU Network VMX MSRs Hardware park ϋ ber Enforcing Verifiable Object Abstractions for Automated 8 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Motivating Example Intro. Arch. Impl. Verif. Results Perf. Concl. Challenge-4: Different Configurations Guest Guest Guest sysclog sysclog sysclog hyperdep hyperdep hyperdep aprvexec ropdet ropdet aprvexec ropdet aprvexec Hypervisor Hypervisor Hypervisor MMU Network Network MMU Network MMU VMX MSRs VMX MSRs VMX MSRs Hardware Hardware Hardware park ϋ ber Enforcing Verifiable Object Abstractions for Automated 9 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Motivating Example Intro. Arch. Impl. Verif. Results Perf. Concl. Challenge-5: Verification vs. Programming Paradigm • Programming Paradigm Guest • C + Assembly is de-facto • C + Assembly can clobber stuff! [stack, registers, MSRs etc.] sysclog hyperdep • HW access and ops. with multi-core ropdet aprvexec • State-of-the-art Verification Tools Hypervisor • Often impose use of “developer - unwieldy” Network MMU high-level languages with steep learning VMX MSRs curve [Coq, Haskell, Dafny] • Largely lack support for Assembly Hardware • Mainly target sequential code • Largely lack support for HW integration park ϋ ber Enforcing Verifiable Object Abstractions for Automated 10 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Architecture Intro. Motivating. Ex. Impl. Verif. Results Perf. Concl. ϋ ber park from above ϋ berObjects ϋ Blueprint • Goals • Compositionality [C + Assembly + ACSL] • Commodity Compatibility • Performance • Verifiable Object + Abstraction (uberObject) • Security invariants • Commodity HW + Software Verification System Resources Proofs [CPU (Privileged) Instructions, Memory, SW-Verif HW + SW-Verif HW Device Interfaces] park ϋ ber Enforcing Verifiable Object Abstractions for Automated 11 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Architecture Intro. Motivating. Ex. Impl. Verif. Results Perf. Concl. The ϋ berObject Performance Contract Use Manifest + Behavior Specifications in C-like language System Resources [CPU (Privileged) Instructions, Memory, Device Interfaces] park ϋ ber Enforcing Verifiable Object Abstractions for Automated 12 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Architecture Intro. Motivating. Ex. Impl. Verif. Results Perf. Concl. ϋ berObject: Sentinel • Sentinel • Establishes “call - ret” semantics • Object to object control- call, call-async call flow enforcer • ϋ berObjects verified not to write on other stack frames ret, ret-async ret • Enables sound application ϋ Object Shadow Stacks of sequential source code Contracts verification to verify invariants over sequential ϋ berobject invocations park ϋ ber Enforcing Verifiable Object Abstractions for Automated 13 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Architecture Intro. Motivating. Ex. Impl. Verif. Results Perf. Concl. ϋ berBlueprint & Concurrency HW initiated concurrent execution Concurrent execution HW initiated sequential execution Phase1 Sequential execution Startup Phase2 Phase3 Proofs Intercept Exception Abstract hypervisor as a non- deterministic sequential program prove invariant properties of individual ϋ objects and compose them park ϋ ber Enforcing Verifiable Object Abstractions for Automated 14 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Architecture Intro. Motivating. Ex. Impl. Verif. Results Perf. Concl. ϋ berObject: CASM Functions & HW Model • CASM Functions void gp_setup_vhmempgtbl(void){ • C functions composed u32 i, spatype, slabid=XMHF_SLAB_PRIME; solely of Assembly u64 flags; ... ... • (Any) Assembly void casm_writecr3(u32 value){ for(i=0; I < (SZ_PDPT*SZ_PDT*SZ_PT); ++i){ instruction as macro ci_movl_mesp_eax(0x4); spatype=_gp_getspatype(slabid, CASM Instructions • HW model specifies ci_movl_eax_cr3(); (u32)(i*SZB_4K)); ci_ret(); semantics flags=_gp_getptflags(slabid, } • Custom Frama-C (u32)(i*SZB_4K),spatype); vhpgtbl1t[i] = pae_make_pte((i*SZB_4K),flags); verification plugins } ... • Inline C99 semantics to CASM Function casm_writecr3(vhsmpgtbl4t[0]); verify } • Inline Assembly to compile down park ϋ ber Enforcing Verifiable Object Abstractions for Automated 15 / 24 Vasudevan et. al. Compositional Security Analysis of a Hypervisor
Recommend
More recommend
