provably trustworthy systems
play

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal - PowerPoint PPT Presentation

Jun 06, 2023 •224 likes •981 views

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified trustworthy software systems April 2016 data61.csiro.au Formal verification of real systems is happening! Formal verification of real systems

  1. Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified trustworthy software systems April 2016 data61.csiro.au

  2. Formal verification 
 of real systems is happening!

  3. Formal verification of real systems ‣ Increasingly many examples: 3 Proof Engineering | Gerwin Klein

  4. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation 3 Proof Engineering | Gerwin Klein

  5. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation 3 Proof Engineering | Gerwin Klein

  6. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system 3 Proof Engineering | Gerwin Klein

  7. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML 3 Proof Engineering | Gerwin Klein

  8. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML • Candle – verified interactive HOL theorem prover implementation 3 Proof Engineering | Gerwin Klein

  9. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML • PolarSSL – verified SSL implementation • Candle – verified interactive HOL theorem prover implementation 3 Proof Engineering | Gerwin Klein

  10. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML • PolarSSL – verified SSL implementation • Candle • CoCon – verified interactive HOL theorem prover – verified conference system implementation 3 Proof Engineering | Gerwin Klein

  11. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML • PolarSSL – verified SSL implementation • Candle • CoCon – verified interactive HOL theorem prover – verified conference system implementation 3 Proof Engineering | Gerwin Klein

  12. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML • PolarSSL – verified SSL implementation • Candle • CoCon – verified interactive HOL theorem prover – verified conference system implementation • OpenSSL HMAC – verified crypto implementation 3 Proof Engineering | Gerwin Klein

  13. Formal verification of real systems ‣ Increasingly many examples: • seL4 – verified OS kernel implementation • CompCert – verified compiler implementation • Ironfleet and Ironclad – verified distributed system • CakeML • PolarSSL – verified SSL implementation • Candle • CoCon – verified interactive HOL theorem prover – verified conference system implementation • FSCQ • OpenSSL HMAC – verified crash resistance file system – verified crypto implementation 3 Proof Engineering | Gerwin Klein

  14. But: Still far from mainstream

  15. Too Expensive ‣ Such projects are still big research results • Often break new ground • Multiple person years or person decades • Real, binary-level results still rare • Hard to maintain over long periods 5 Proof Engineering | Gerwin Klein

  16. Too Expensive ‣ Such projects are still big research results • Often break new ground • Multiple person years or person decades • Real, binary-level results still rare • Hard to maintain over long periods ‣ Still too expensive • But not that far off: – cheaper than traditional high-assurance dev – factor 2-3 over high-quality traditional embedded systems dev 5 Proof Engineering | Gerwin Klein

  17. What can be done?

  18. Better, cheaper, faster. ‣ Just needs to be cheaper: • economic pressure wins over time • everything else follows 7 Proof Engineering | Gerwin Klein

  19. Better, cheaper, faster. ‣ Just needs to be cheaper: • economic pressure wins over time • everything else follows ‣ Proof Productivity: • Tools – more automation, deeper automation, built for scale • Proof Engineering – predictability, estimation, scale • Languages – design for verification, increase verification productivity • … 7 Proof Engineering | Gerwin Klein

  20. The rest of this talk ‣ seL4 ‣ Scale ‣ Proof Engineering ‣ Proof Effort ‣ Future 8 Proof Engineering | Gerwin Klein

  21. seL4

  22. seL4: Isolation Untrusted Trusted Trustworthy Computing Base • message passing Legacy App. • virtual memory Legacy Legacy App. Sensitive Apps • interrupt handling App • access control Applications Trusted Linux • fault isolation Server Service • fault identification • IP protection • modularity Trusted next to Untrusted Hardware 10 Proof Engineering | Gerwin Klein

  23. seL4: Isolation Untrusted Trusted Trustworthy Computing Base • message passing Legacy App. • virtual memory Legacy Legacy App. Sensitive Apps • interrupt handling App • access control Applications Trusted Linux • fault isolation Server Service • fault identification • IP protection • modularity seL4 Trusted next to Untrusted Hardware 10 Proof Engineering | Gerwin Klein

  24. Functional Correctness Specification Proof Code 11 Proof Engineering | Gerwin Klein

  25. Functional Correctness definition schedule :: unit s_monad where schedule � do threads ⇥ allActiveTCBs; thread ⇥ select threads; What switch_to_thread thread od OR switch_to_idle_thread Specification Proof Code 11 Proof Engineering | Gerwin Klein

  26. Functional Correctness definition schedule :: unit s_monad where schedule � do threads ⇥ allActiveTCBs; thread ⇥ select threads; What switch_to_thread thread od OR switch_to_idle_thread Specification Proof Code How 11 Proof Engineering | Gerwin Klein

  27. *conditions apply Specification Proof Code 12 Proof Engineering | Gerwin Klein

  28. *conditions apply Expectation Specification Proof Code Assumptions 12 Proof Engineering | Gerwin Klein

  29. *conditions apply Assume correct: - compiler + linker (wrt. C op-sem) - assembly code (600 loc) Expectation - hardware (ARMv6) - cache and TLB management Specification - boot code (1,200 loc) Proof Code Assumptions 12 Proof Engineering | Gerwin Klein

  30. Proof Architecture Now Confidentiality Availability Integrity Isabelle Isabelle Specification Isabelle Design Haskell Prototype Isabelle C Code Semantics C Code Isabelle/SMT/HOL4 Binary Code Binary Code Semantics WCET Analysis 13 Proof Engineering | Gerwin Klein

  31. Proof Architecture Now High-level properties: Confidentiality Availability Integrity - functional correctness - integrity Isabelle Isabelle - authority confinement Specification - non-interference Isabelle - termination - user-level system initialisation Design Haskell Prototype - verified component platform Isabelle - worst-case execution time 
 C Code Semantics C Code (by static analysis) Roadmap: Isabelle/SMT/HOL4 - verified x64 version Binary Code Binary Code Semantics - virtualisation extensions - mixed-criticality real-time - timing side-channel elimination WCET Analysis 13 Proof Engineering | Gerwin Klein

  32. Proof Architecture Now High-level properties: Confidentiality Availability Integrity - functional correctness - integrity Isabelle Isabelle - authority confinement Specification - non-interference Open Source Isabelle - termination - user-level system initialisation Design Haskell Prototype http://seL4.systems - verified component platform https://github.com/seL4/ Isabelle - worst-case execution time 
 C Code Semantics C Code (by static analysis) Roadmap: Isabelle/SMT/HOL4 - verified x64 version Binary Code Binary Code Semantics - virtualisation extensions - mixed-criticality real-time - timing side-channel elimination WCET Analysis 13 Proof Engineering | Gerwin Klein

  33. As Real as it Gets ‣ Autonomous in 14 Proof Engineering | Gerwin Klein

  34. As Real as it Gets ‣ Autonomous in 3, 2, 1.. 14 Proof Engineering | Gerwin Klein

  35. Scale

  36. Scale Archive of Formal Proofs size of AFP entries by submission date 16 Proof Engineering | Gerwin Klein

  37. Scale size of AFP entries by submission date with Four-Colour theorem, Odd-Order theorem, Verisoft, seL4 17 Proof Engineering | Gerwin Klein

  38. Proof Introspection ‣ 500 files ‣ 22,000 lemmas stated ‣ 95,000 lemmas proved 18 Proof Engineering | Gerwin Klein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gaining Confidence in the Correctness of Robotic and Autonomous Systems Kerstin Eder Trustworthy

Gaining Confidence in the Correctness of Robotic and Autonomous Systems Kerstin Eder Trustworthy

Gaining Confidence in the Correctness of Robotic and Autonomous Systems Kerstin Eder Trustworthy Systems Laboratory Verification and Validation for Safety in Robots, Bristol Robotics Laboratory Designing Trustworthy Systems Create flawless

898 views • 65 slides
Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit: 25 September 2019 www.data61.csiro.au Overview What is a Trustworthy System? What does

747 views • 26 slides
Second Generation Model-based Testing Provably Strong Testing Methods for the Certification of

Second Generation Model-based Testing Provably Strong Testing Methods for the Certification of

CyPhyAssure Spring School Second Generation Model-based Testing Provably Strong Testing Methods for the Certification of Autonomous Systems Part II of III Provably Strong Testing Methods for Autonomous Systems Jan Peleska University of Bremen

634 views • 51 slides
How Trustworthy Can Systems Become? Vincent Rahli http://www.nuprl.org

How Trustworthy Can Systems Become? Vincent Rahli http://www.nuprl.org

How Trustworthy Can Systems Become? Vincent Rahli http://www.nuprl.org http://www.cs.cornell.edu/~rahli/ January 28, 2015 Vincent Rahli How Trustworthy Can Systems Become? January 28, 2015 1/62 My collaborators PRL group Abhishek Anand

964 views • 62 slides
What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/

What is the B-method? Welcome to Provably Correct Software http://www.it.uu.se/ edu/course/homepage/bkp/vt09 Instructor Lars-Henrik Eriksson lhe@it.uu.se, http://www.it.uu.se/katalog/lhe?lang=en Provably Correct Software Page 1 Updated

545 views • 18 slides
CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11:

CTSRD CTSRD CRASH-worthy Trustworthy Systems Research and Development Beyond the PDP-11: Architectural support for a memory-safe C abstract machine David Chisnall , Colin Rothwell , Brooks Davis , Robert N.M. Watson ,

252 views • 22 slides
TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies

TRUSTWORTHY CYBER INFRASTRUCTURE FOR THE POWER GRID | TCIPG.OR G TCIPG TECHNICAL CLUSTERS AND THREADS Trustworthy Trustworthy Technologies for Wide Technologies for Local Responding To and Trust Assessment Area Monitoring and Area

291 views • 8 slides
A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics

A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics

A Set that is Streamless and Not Provably Noetherian A Set that is Streamless and Not Provably Noetherian Marc Bezem Department of Informatics University of Bergen (joint work with Keiko Nakata and Tarmo Uustalu) December 2011 A Set that is

135 views • 10 slides
Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark

Computational Complexity Provably-secure constructions Problems with provably-secure constructions Attempts at practical constructions Provably secure hash functions - do we care? Krystian Matusiewicz Technical University of Denmark Quo Vadis

874 views • 20 slides
Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian

Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian

Provably Correct Development of Reconfigurable Hardware Designs via Equational Reasoning Ian Graves, Adam Procter, Bill Harrison & Gerard Allwein FPT 2015 Introduction Provably Correct Development, Bird-Wadler Style Reference

397 views • 24 slides
Trustworthy Systems from Un-Trusted Components http://www.comp.nus.edu.sg/~tsunami PRESENTED BY

Trustworthy Systems from Un-Trusted Components http://www.comp.nus.edu.sg/~tsunami PRESENTED BY

Trustworthy Systems from Un-Trusted Components http://www.comp.nus.edu.sg/~tsunami PRESENTED BY PROF. ABHIK ROYCHOUDHURY NATIONAL UNIVERSITY OF SINGAPORE ABHIK@COMP.NUS.EDU.SG Enhancing local Ongoing NRF Project Overall capabilities Outlook

407 views • 25 slides
Trustworthy Self-Assembly: A Use-Case for Distributed Runtime Verification John Rushby Computer

Trustworthy Self-Assembly: A Use-Case for Distributed Runtime Verification John Rushby Computer

Trustworthy Self-Assembly: A Use-Case for Distributed Runtime Verification John Rushby Computer Science Laboratory SRI International Menlo Park, California, USA John Rushby, SR I Self-Integrating Systems 1 Introduction: Systems of Systems

491 views • 29 slides
CTSRD CRASH-worthy Trustworthy Systems Research and Development The CHERI CPU RISC in the

CTSRD CRASH-worthy Trustworthy Systems Research and Development The CHERI CPU RISC in the

CTSRD CTSRD CRASH-worthy Trustworthy Systems Research and Development The CHERI CPU RISC in the age of risk David Chisnall University of Cambridge Approved for public release; distribution is unlimited. This research is sponsored by the

803 views • 41 slides
Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu

8 + Block Ciphers Implementations Provably Secure Against Second Order Side Channel Analysis Matthieu Rivain 1 , 2 , Emmanuelle Dottax 1 & Emmanuel Prouff 1 Oberthur Card Systems University of Luxembourg February 11, 2008 M. Rivain, E.

812 views • 64 slides
Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic

Provably secure compilation of side-channel countermeasures: the case of cryptographic constant-time Gilles Barthe Benjamin Grgoire Vincent Laporte CSF18, 2018-07-12 Vincent Laporte et alii Provably secure compilation of

501 views • 25 slides
Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik

Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik

Provably weak instances of Ring-LWE revisited Wouter Castryck 1 , 2 , Ilia Iliashenko 1 , Frederik Vercauteren 1 , 3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE

717 views • 54 slides
Patrolling Games The Line Katerina Papadaki London School of Economics Steve Alpern

Patrolling Games The Line Katerina Papadaki London School of Economics Steve Alpern

Patrolling Games The Line Katerina Papadaki London School of Economics Steve Alpern University of Warwick Alec Morton University of Strathclyde Outline Introduce Patrolling Games on a graph. Strategies and earlier results. The

593 views • 37 slides
Outline Introduction (VM) Virtual Machine Research goals (PM) Physical Machine

Outline Introduction (VM) Virtual Machine Research goals (PM) Physical Machine

10/26/2014 Outline Introduction (VM) Virtual Machine Research goals (PM) Physical Machine Challenges Research questions Background Research contributions Ph.D. Dissertation Defense Supporting Infrastructure

618 views • 19 slides
Distribute d Work T e am Numbe r: 11 COVID-19 pandemic is a disruptive event that will

Distribute d Work T e am Numbe r: 11 COVID-19 pandemic is a disruptive event that will

Distribute d Work T e am Numbe r: 11 COVID-19 pandemic is a disruptive event that will accelerate the adoption of emerging practices. There will never be a return to previous normal. Distributed workforces will be the new model for

800 views • 10 slides
Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg.

Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg.

Introduction to Virtualization and Cloud Environments Saurabh Srivastava Department of Computer Sc. & Engg. IIT Kanpur At a glance Virtualization Introduction to virtualization Basic Concepts Hypervisors Cloud

432 views • 31 slides
Gal Youinou CGG gyouinou@cgg.com Overview of the BE Expanding Geosciences On Demand

Gal Youinou CGG gyouinou@cgg.com Overview of the BE Expanding Geosciences On Demand

BE18 Seismic Processing and Reservoir Simulation Gal Youinou CGG gyouinou@cgg.com Overview of the BE Expanding Geosciences On Demand EGEODE is a virtual Organization opened to Research Centers in geophysics and other geosciences

330 views • 5 slides
Authors: John Noll, Sarah Beecham , and I ta Richardson Pr e se nte r : Kasahun Abdisa IT

Authors: John Noll, Sarah Beecham , and I ta Richardson Pr e se nte r : Kasahun Abdisa IT

Global software Development and Collaboration: Barriers and Solutions Authors: John Noll, Sarah Beecham , and I ta Richardson Pr e se nte r : Kasahun Abdisa IT Doc tor al pr ogr am Addis Ababa University e-mail:

603 views • 29 slides
Cyberinfrastructure Framework for 21st Century Science & Engineering (CF21) NSF-wide

Cyberinfrastructure Framework for 21st Century Science & Engineering (CF21) NSF-wide

Cyberinfrastructure Framework for 21st Century Science & Engineering (CF21) NSF-wide Cyberinfrastructure Vision People, Sustainability, Innovation, Integration Edward Seidel/Alan Blatecky Acting Assistant Director, Mathematical and

191 views • 16 slides
Process Address Spaces and Binary Formats Don Porter CSE 306 Background Weve

Process Address Spaces and Binary Formats Don Porter CSE 306 Background Weve

Process Address Spaces and Binary Formats Don Porter CSE 306 Background Weve talked some about processes This lecture: discuss overall virtual memory organization Key abstraction: Address space We will learn about

641 views • 34 slides

More recommend