provably secure execution platforms lecture four a simple
play

Provably Secure Execution Platforms - Lecture Four: A Simple - PowerPoint PPT Presentation

Mar 05, 2023 •468 likes •1.16k views

Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018 The Goal Hypervisor Context switch: Fixed round-robin

  1. Provably Secure Execution Platforms - Lecture Four: A Simple Separation Kernel and Its Verification Mads Dam KTH Royal Institute of Technology BISS spring school, Bertinoro 2018

  2. The Goal Hypervisor • Context switch: Fixed round-robin scheduling, assume two guests, statically allocated • Asynchronous message passing through hypercall (swi) • Paravirtualization Dam, Guanciale, Khakpour, Nemati, Schwarz: Formal Verification of Information Flow Security for a Simple ARM-Based Separation Kernel, CCS’13

  3. Kernel Basics Q: What is a kernel? A: A set of event handlers and some data structures for support Three types of events: • Exceptions – arise as result of a processor error conditions • Software interrupts – arise when a user program wants to invoke some service • Hardware interrupts – Arise when a piece of hardware (e.g. USB device, NIC, …) wants to invoke some service

  4. Kernel Basics Upon an event a handler routine is invoked, user state stored on stack and privilege level is raised Upon return user state is restored – In some suitable form Parameters transferred in registers – When applicable … Results returned in registers – When applicable … During handler execution, exceptions and interrupt may be disabled or not – Non-preemptive kernel: No nesting of interrupts Our kernel is preemptive

  5. Ideal Model Describes the abstract functionality of the system, here: • CPUs are virtual, with only user level functionality • All privileged execution replaced by ideal handlers • CPUs are ”physically separated” • Only communication between CPU CPU guests through communication and instruction cycle counting

  6. Ideal Model Context switching: • Only one of user CPUs active at any time Sending a message: • Hypercall swi 1 causes content of reg 0 to be written to msgbox Receiving a message: • If msgbox full on switch to receiver, CPU CPU instead of restoring receiver invoke user level handler Restoring receiver: • Once message processing done invoke swi 0 to restore receiver

  7. Ideal Model: Scheduling Scheduler Sender Receiver Scheduling round : Normal sender execution : Message processing : Send hypercall : Resume hypercall : Normal receiver execution

  8. Ideal Model Ideal model state: : User CPU states • : Messaging data structures • : Elapsed time • : Activity flag • Messaging data structures: : Indicates if guest i is ready to receive a message • : User context pointer used to switch • between message processing and normal execution : message box •

  9. Records and Contexts Context fields are stored consecutively in memory is field accessor is field update Also use tuple notation: •

  10. Ideal Model, Initial State Initial state : : Initial states with • – Registers zeroed initialized to make the user address spaces – disjoint and not contain the vector jump addresses suitably initialized within user address space – initialized to suitably large number (return to that) – • Message data structures initialized with , for suitable • • These are defined later

  11. Ideal Model, Transitions User step: User step, symmetric case: Many symmetric cases below, mostly omitted

  12. Ideal Model, Transitions Guest switch, message processing in progress: • : Pop context from stack, return to user mode • : Fixed number of cycles for handler, to be set later • • Similar transition rule for

  13. Ideal Model, Transitions Guest switch, no message pending: • cycles for handler • • Similar transition rule for

  14. restoreUser, restoreCtx Some helper functions: • • •

  15. Ideal Model, Transitions Guest switch, receive message: • , : • Entry points for guest 0/guest 1 message handlers •

  16. Ideal Model, Transitions Guest resume: • • + symmetric rule, as always

  17. Ideal Model, Transitions Guest send: • • + symmetric rule • Note: Up to guests to implement flow control

  18. Ideal Model, Exercises Exercise 1: Convince yourself that the transition semantics makes sense by mentally executing a few simple scenarios (and report to me any bugs you find!) Exercise 2: Prove some simple sanity properties, such as: • For any reachable state (state reachable from the initial state): – At most one of is in privileged state – If is in privileged state then ’s program counter is jump vector address – Stack pointers differ from their initial values only when one of the guests are in privileged state • To prove such properties use a suitable invariant

  19. Ideal Model, Exercises Exercise 3: Does the transition semantics pose any constraints on the choice of ? Exercise 4 (harder): Devise a ”single-sided” semantics in which only one guest is executing, sending and receiving data through transition labelled IO. States would have the shape . For transitions we would have a user transition: For privileged transitions, e.g.:

  20. Ideal Model, Exercises Exercise 4, continued: Show that for each trace of the ideal system there exists a corresponding pair of traces in the single-sided system such that the sequence of words exchanged in the ideal system trace corresponds to the sequence of words input, respectively output, in the single-sided trace.

  21. Ideal Model, Exercises Exercise 5: Propose an ideal model transition rule for exceptions. You may assume a pair of guest exception handler entry points fooo , . The exception handler needs to receive as parameter in register 0 the address of the offending instruction.

  22. Real Model Task: • Use only single processor • No ideal functionality (the handlers) • Handlers explicitly represented as code executing at privileged level • Data structures (e.g. channels, stacks) to be Hypervisor explicitly represented in memory • Code store in memory

  23. Memory Layout Two partitions/guests Execute in disjoint memory regions • Guest is active when Kernel memory regions • Vector region – Contains exception and interrupt jump addresses Kernel region • – Contains kernel code and data structures ,…: Kernel addresses holding the corresponding values

  24. Guest Memory Guest entry points: – – Guest message handlers: – – Guest exception handlers: – –

  25. Kernel Region: Task Switching Contexts: ref /* ”Normal” context for guest 0 – ref /* Do. For guest 1 –

  26. Kernel Region: Stacks Stack roots: – – Size? – – Each stack assigned a memory region with delimiters in: – – – –

  27. Kernel Region: Channels Channels: – /* ? /* Resume context – –

  28. Kernel Region: Handlers In kernel memory: – – – – – In vector region: – – – –

  29. Initialisation Processor initialised with: – Register 0,…,3, mode, time zeroed – – , ??? – , – – • as processor, but with , • • • • • •

  30. Handlers • Handlers are now executed on the ”real” machine, using the transition rules of lecture 3 • Handler tasks: – Extract state information: • Which guest? Not trivial since irq’s/exception’s can be nested. Use the stack pointer memory region. • Which state? Need to figure some state information to determine what action to take. – Update state: Channels, contexts – Prepare stack – Return from exception loads registers including pc in one atomic (!) step

  31. Handlers Show irq_entry.pseudo, swi1_entry (mask). (Find them in the course directory) Exercise 6. Give similar pseudo-code implementations of the other handlers. Exercise 7. Find a suitable Hoare-style specification of the irq_entry routine. Use weakest preconditions to show that it holds, under the assumption that it is never preempted.

  32. Handlers Exercise 8. t_sw1, t_sw2, t_rcv, t_res, t_send: The ideal model transition rules leave these numbers unspecified. Explain how to calculate them, and estimate t_rcv. Exercise 9. t_max: We have also left t_max unspecified. Propose a lower bound. Exercise 10. Stacks: Stacks can grow in an unbounded fashion in pathological cases. Present a simple condition that will prevent stacks from growing larger than 2|ctx|.

  33. Verification Goal: – Want to prove that, when running on top of the kernel, the two guest systems do not interfere in unintended ways. – What does ”interfere” mean? – What does ”in unintended ways” mean? Hypervisor

  34. Noninterference Proposal #1: Noninterference Can adapt definition of noninterference mod system variables, lecture 2, in the following way: • Variables: – High variables – content of guest 1 memory – System variables – content of kernel memory – Low variables – content of guest 0 memory • Observations: When is a guest active? – Content of low memory + activity of guest • Recapping: – Kernel (content of kernel memory) is NI, if whenever started in states s_0,s_1 for which kernel and low variables are identical, the observations are the same

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute

Provably Secure Execution Platforms - Lecture One: Introduction Mads Dam KTH Royal Institute of Technology Thanks to Roberto Guanciale, Musard Balliu, Christoph Baumann, Hamed Nemati, Oliver Schwarz, Victor Do, Christian Gehrmann, Jonas

1.41k views • 114 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work

Proof-Carrying Data: secure computation on untrusted execution platforms Eran Tromer Joint work with Alessandro Chiesa Eli Ben-Sasson Daniel Genkin 1 Technion Cryptoday June 16, 2011 Motivation 3 Motivation INTEGRITY CONFIDENTIALITY

725 views • 50 slides
Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J.

Introduction Contributions Conclusion Towards a Provably Secure DoS-Resilient Key Exchange Protocol with PFS 1 L. Kuppusamy * J. Rangasamy * D. Stebila * C. Boyd * J.M. Gonzlez Nieto * * Information Security Institute Queensland

943 views • 22 slides
Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure

Advanced Tools from Modern Cryptography Lecture 12 MPC: UC-secure OT UC-Secure OT UC-secure OT is impossible (even against PPT adversaries) in the plain model (i.e., without the help of another functionality) But possible from simple

527 views • 16 slides
Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts

Provably Secure Higher-Order Masking of AES Matthieu Rivain Emmanuel Prouff CryptoExperts Oberthur CHES 2010, Santa Barbara, Aug. 20 th CHES 2010 Provably Secure Higher-Order Masking of AES Outline 1 Introduction Higher-Order

1.1k views • 77 slides
Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure

Threshold Implementations Svetla Nikova Threshold Implementations A provably secure countermeasure Against (first) order power analysis based on multi party computation and secret sharing 2 Outline Threshold Implementations

990 views • 58 slides
Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G.

Provably Secure Key Assignment Schemes from Factoring Eduarda S. V. Freire and Kenneth G. Paterson Information Security Group Royal Holloway, University of London Outline of the Talk Hierarchical Key Assignment Schemes Definition of

802 views • 48 slides
ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12]

ObliviAd : Provably Secure and Practical Online Behavioral Advertising [IEEE S&P 12] Michael Backes 1 , 2 Aniket Kate 1 Matteo Maffei 2 Kim Pecina 2 1 MPI-SWS, Germany 2 Saarland University, Germany Tracking in the Advertising World Today

744 views • 35 slides
Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur

PETS 2017 The 17th Privacy Enhancing T echnologies Symposium July 1821, 2017 Minneapolis, MN, USA Provably Secure Anonymous-yet-Accountable Crowdsensing with Scalable Sublinear Revocatjon Sazzadur Rahaman 1 , Long Cheng 1 , Danfeng (Daphne)

650 views • 18 slides
Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop

Provably Secure Machine Learning Jacob Steinhardt ARO Adversarial Machine Learning Workshop September 14, 2017 Why Prove Things? Attackers often have more motivation/resources than defenders Heuristic defenses: arms race between attack and

738 views • 52 slides
Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine

Efficient and Provably Secure Methods for Switching from Arithmetic to Boolean Masking Blandine Debraize Leuven, September 10th, 2012 I NTRODUCTION 1 K NOWN TABLE - BASED METHODS 2 C ORON -T CHULKINE METHOD N EISSE -P ULKUS METHOD 3 C

413 views • 28 slides
Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint

Obtaining Provably Secure Services from Formally Verified Remote Attestation Gene Tsudik 1 Joint work with: Ivan De Oliveira Nunes 1 , Karim Eldefrawy 2 , Norrathep Rattanavipanon 1 University of California Irvine 1 , SRI International 2 1 In

847 views • 48 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE

On the Need for Provably Secure Distance Bounding Serge Vaudenay COLE POLYTECHNIQUE FDRALE DE LAUSANNE http://lasec.epfl.ch/ SV 2012 distance bounding CIoT 2012 1 / 39 Introduction to Distance-Bounding 1 Some Insecurity Case

600 views • 39 slides
Timo Sirainen Dovecot Solutions Oy http://www.dovecot.org/ Talk Overview Quick introduction

Timo Sirainen Dovecot Solutions Oy http://www.dovecot.org/ Talk Overview Quick introduction

Timo Sirainen Dovecot Solutions Oy http://www.dovecot.org/ Talk Overview Quick introduction v2.1: Statistics, Full Text Search changes v2.1/v2.2: dsync-based replication v2.1: IMAP Adaptor Questions Dovecot? IMAP, POP3

572 views • 20 slides
2 nd semester Topic 35: Messages on the phone In our daily life we are trying to save our

2 nd semester Topic 35: Messages on the phone In our daily life we are trying to save our

2 nd semester Topic 35: Messages on the phone In our daily life we are trying to save our time by sending short, but understandable messages to our friends This movement is on trend now Since we have connection to the internet

317 views • 6 slides
rs t rs

rs t rs

rs t rs t rt Ptr r r

619 views • 18 slides
Functional Programming June 2, 2019 Functional Programming June 2, 2019 1 / 24 Mayer Goldberg \

Functional Programming June 2, 2019 Functional Programming June 2, 2019 1 / 24 Mayer Goldberg \

Functional Programming June 2, 2019 Functional Programming June 2, 2019 1 / 24 Mayer Goldberg \ Ben-Gurion University Mayer Goldberg \ Ben-Gurion University Road Map Functional Programming June 2, 2019 2 / 24 Introduction to Functional

411 views • 24 slides
Exotic and CP violating Higgs Decays Grenoble, 02 July 2014 Based on work with Roberto

Exotic and CP violating Higgs Decays Grenoble, 02 July 2014 Based on work with Roberto

Adam Falkowski LPT Orsay Exotic and CP violating Higgs Decays Grenoble, 02 July 2014 Based on work with Roberto Vega-Morales 1405.1095, and with Yi Chen, Ian Low, Roberto Vega-Morales, 1405.6723 Plan Intro: Higgs: where do we stand? Part 1:

580 views • 47 slides
Locality-Sensitive Hashing & Image Similarity Search Andrew Wylie Overview; LSH given a

Locality-Sensitive Hashing & Image Similarity Search Andrew Wylie Overview; LSH given a

Locality-Sensitive Hashing & Image Similarity Search Andrew Wylie Overview; LSH given a query q (or not), how do we find similar items from a large search set quickly? Cant do all pairwise comparisons; n C 2 pairs define a

478 views • 20 slides
CSC165 Week 10 Larry Zhang, November 11, 2014 Test 2 result average: 8.9 + 6.2 + 6.6 = 21.7 / 30

CSC165 Week 10 Larry Zhang, November 11, 2014 Test 2 result average: 8.9 + 6.2 + 6.6 = 21.7 / 30

CSC165 Week 10 Larry Zhang, November 11, 2014 Test 2 result average: 8.9 + 6.2 + 6.6 = 21.7 / 30 fill in this form for re-marking request http://www.cdf.toronto.edu/~heap/165/F14/re-mark.txt Next week: no lecture, no tutorial Assignment 2

657 views • 49 slides
UPnP / DLNA plugin Smit Mehta GSoC 2012 - KDE Digikam Akademy 2012 Overview UPnP (Universal

UPnP / DLNA plugin Smit Mehta GSoC 2012 - KDE Digikam Akademy 2012 Overview UPnP (Universal

UPnP / DLNA plugin Smit Mehta GSoC 2012 - KDE Digikam Akademy 2012 Overview UPnP (Universal Plug and Play) is a set of protocols which allows discovery of and access to media contents in a home network (connected via router) DLNA

791 views • 9 slides

More recommend