The Formally Verified seL4 Microkernel: High-Assurance Foundation for MCS - PowerPoint PPT Presentation

SLIDE 1

The Formally Verified seL4 Microkernel

High-Assurance Foundation for MCS

Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser

RTCSA Keynote, Aug’20

https://trustworthy.systems

SLIDE 2

What Is Needed For Mixed-Criticality?

During a review process, ca Aug’17:

  • [Gernot:] Temporal isolation is necessary for mixed criticality systems.
  • [Reviewer:] Wrong, temporal isolation is sufficient.
SLIDE 3

What Is a Mixed-Criticality System?

“A mixed-critical system […] supports the execution of safety-critical, mission-critical, and non-critical software within a single, secure compute platform.” [Barhorst’09]

Criticality of a component is defined by the impact of failure:

  • loss of life
  • injury
  • inconvenience

Certification of a critical component must not depend on the behaviour of less critical components ⇒ the system must prevent any interference by less critical components!

SLIDE 4

Preventing Interference – The OS’s Job

[Figure: high-criticality and low-criticality components running on one operating system; the low-criticality side could interfere by modifying data or by affecting timing]

We need an OS that can guarantee the absence of interference!

SLIDE 5

seL4: Provable Isolation

SLIDE 6

What is seL4?

  • The world’s first operating-system kernel with provable security enforcement
  • The world’s fastest general-purpose microkernel, designed for real-world use
  • The world’s only protected-mode OS with complete, sound timeliness analysis
  • The world’s most advanced mixed-criticality OS

Open Source

SLIDE 7

A Microkernel is not an OS

[Figure: above the processor, the microkernel; above it, device drivers, the NW stack, the file system, process management, memory management and the apps, each as a separate user-mode process; alongside, a VM running Linux and its apps on top of a VMM on the same microkernel, which thus also acts as a hypervisor]

Strong isolation: device drivers, file systems, crypto, power management and the virtual-machine monitor are all user-mode processes

Controlled communication: IPC

Microkernel = context-switching engine

SLIDE 8

Capability-Based Access Control

Any system call is invoking a capability:

err = method( cap, args );

where the capability carries an object reference and the access rights.

Capability = access token: prima-facie evidence of privilege

  • Access rights, e.g. read, write, send, execute…
  • Object, e.g. thread, address space

Capabilities provide:

  • Fine-grained access control
  • Reasoning about information flow
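The check behind “err = method( cap, args )” can be modelled in a few dozen lines. The C program below is an added example written for this page, not seL4 code: each task has a small CSpace of slots, each slot holds an object reference plus a rights mask, a method is refused unless the slot's object type matches and every right the method needs is present, and a copy with reduced rights can be derived for delegation (the derived copy can never hold more rights than the original). The object types, rights encoding, error codes, slot layout and the two-task scenario are all this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Rights bits: the names follow the slide, the encoding is this example's own. */
enum { R_READ = 1, R_WRITE = 2, R_SEND = 4, R_RECV = 8 };
enum obj_type { OBJ_NULL = 0, OBJ_ENDPOINT, OBJ_FRAME };
enum { ERR_OK = 0, ERR_EMPTY_SLOT, ERR_WRONG_TYPE, ERR_NO_RIGHTS };

/* A capability names an object and carries the access rights to it. */
typedef struct { enum obj_type type; int obj_id; uint32_t rights; } cap_t;

#define CSPACE_SLOTS 4
typedef struct { cap_t slot[CSPACE_SLOTS]; } cspace_t;   /* one task's CSpace */

/* A method may only be invoked on a capability of the right object type that
 * holds every right the method needs. */
typedef struct { const char *name; enum obj_type type; uint32_t needs; } method_t;
static const method_t M_SEND  = { "Send",    OBJ_ENDPOINT, R_SEND };
static const method_t M_RECV  = { "Receive", OBJ_ENDPOINT, R_RECV };
static const method_t M_WRITE = { "Write",   OBJ_FRAME,    R_WRITE };

/* err = method(cap, args): the kernel-side check behind every system call. */
int cap_invoke(const cspace_t *cs, int slot, const method_t *m) {
    if (slot < 0 || slot >= CSPACE_SLOTS) return ERR_EMPTY_SLOT;
    const cap_t *c = &cs->slot[slot];
    if (c->type == OBJ_NULL)                return ERR_EMPTY_SLOT;
    if (c->type != m->type)                 return ERR_WRONG_TYPE;
    if ((c->rights & m->needs) != m->needs) return ERR_NO_RIGHTS;
    return ERR_OK;   /* a real kernel would now perform the operation */
}

/* Derive a copy into another CSpace with the rights masked down: a derived
 * capability holds a subset of the original's rights, never more. */
int cap_mint(const cspace_t *src, int src_slot, cspace_t *dst, int dst_slot, uint32_t mask) {
    if (src_slot < 0 || src_slot >= CSPACE_SLOTS || dst_slot < 0 || dst_slot >= CSPACE_SLOTS)
        return ERR_EMPTY_SLOT;
    const cap_t *c = &src->slot[src_slot];
    if (c->type == OBJ_NULL) return ERR_EMPTY_SLOT;
    dst->slot[dst_slot] = (cap_t){ c->type, c->obj_id, c->rights & mask };
    return ERR_OK;
}

/* Constructed scenario: task A owns endpoint 7 with Send+Receive and frame 3
 * with Read+Write; it delegates a Send-only endpoint capability and a
 * read-only frame capability to task B. Object ids and slots are made up. */
enum { TASK_A = 0, TASK_B = 1 };
static cspace_t cspaces[2];             /* zero-initialised: every slot OBJ_NULL */

static void build_scenario(void) {
    static int built = 0;
    if (built) return;
    built = 1;
    cspaces[TASK_A].slot[0] = (cap_t){ OBJ_ENDPOINT, 7, R_SEND | R_RECV };
    cspaces[TASK_A].slot[1] = (cap_t){ OBJ_FRAME,    3, R_READ | R_WRITE };
    cap_mint(&cspaces[TASK_A], 0, &cspaces[TASK_B], 0, R_SEND);   /* B: send only */
    cap_mint(&cspaces[TASK_A], 1, &cspaces[TASK_B], 1, R_READ);   /* B: read only */
}

/* One check in the scenario: which task invokes which method on which slot. */
int check(int task, int slot, const method_t *m) {
    build_scenario();
    return cap_invoke(&cspaces[task], slot, m);
}

int main(void) {
    printf("B Send    on endpoint : %d\n", check(TASK_B, 0, &M_SEND));   /* ERR_OK */
    printf("B Receive on endpoint : %d\n", check(TASK_B, 0, &M_RECV));   /* ERR_NO_RIGHTS */
    printf("B Write   on frame    : %d\n", check(TASK_B, 1, &M_WRITE));  /* ERR_NO_RIGHTS */
    printf("B Send    on empty    : %d\n", check(TASK_B, 2, &M_SEND));   /* ERR_EMPTY_SLOT */
    printf("A Write   on endpoint : %d\n", check(TASK_A, 0, &M_WRITE));  /* ERR_WRONG_TYPE */
    return 0;
}
```

Task B can send on the endpoint but not receive on it, and can read but not write the frame, because the only authority it ever received is what A minted into its CSpace; there is no ambient permission to fall back on, which is what makes the fine-grained reasoning about information flow possible.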

SLIDE 9

Proved Spatial Isolation

[Figure: proof chain from the abstract model down to the C implementation and on to the binary code, with proofs of integrity, confidentiality and availability over the abstract model]

  • Functional correctness: C code only behaves as specified
  • Model enforces isolation: integrity, confidentiality, availability
  • Translation validation: binary retains C-code semantics

Limitations (work in progress):

  • Kernel initialisation not yet verified
  • MMU & caches modelled abstractly
  • Multicore version not yet verified
  • Timing channels not ruled out

SLIDE 10

Binary Code Verification

[Figure: the C source, the target of the functional-correctness proof, is given formal C semantics and translated to a graph language; the compiler's binary code is decompiled, using the formal ISA spec and the symbol tables, into a formalised binary in the same graph language; rewrite rules and an SMT solver then prove the two graph-language programs equivalent]

SLIDE 11

Isolation by Architecture

SLIDE 12

Issue: Capabilities are Low-Level

[Figure: two threads A and B communicating over an endpoint, A holding a Send capability and B a Receive capability; each thread object references a CSpace made of CNodes full of capability slots, a VSpace made of a page directory, page tables and frames, and a context]

>50 capabilities for a trivial program!

SLIDE 13

Simple But Non-Trivial System

SLIDE 14

Component Middleware: CAmkES

Higher-level abstractions of low-level seL4 constructs

[Figure: components A, B and C linked by connectors of three kinds: RPC, shared memory and semaphore]

Concepts: interface, component, connector

SLIDE 15

Trivial System in CAmkES

[Figure: Comp A connected to Comp B by an RPC connector]

SLIDE 16

HACMS UAV Architecture

[Figure: radio driver, CAN driver, data link and crypto as separate components; Linux with the camera and Wi-Fi is uncritical/untrusted and contained]

Security enforcement: Linux only sees encrypted data

SLIDE 17

Enforcing the Architecture

[Figure: the architecture specification language describes the UAV architecture (radio driver, crypto, CAN driver, data link, and the uncritical/untrusted, contained Linux with camera and Wi-Fi); from it, capDL spells out the low-level access rights: thread objects A and B, their CSpaces (CNodes holding Send and Receive capabilities to the endpoint), VSpaces and contexts; capDL becomes init.c, which the compiler/linker builds together with driver.c, VMM.c and glue.c into the binary. Conditions apply.]

SLIDE 18

Military-Strength Security

[Figure: Unmanned Little Bird (ULB), autonomous trucks, Cross-Domain Desktop Compositor, Secure Comms Dongle]

DARPA HACMS: Retrofit existing system!

SLIDE 19

Temporal Isolation: WCET Analysis

SLIDE 20

High-Assurance WCET Analysis

Analysis tool:

  • Program binary → control flow graph
  • Loop bounds, micro-architecture model and infeasible path info → integer linear equations
  • ILP solver → WCET

Proved at C level, transferred to binary through translation-validation toolchain
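The step from loop bounds and infeasible-path facts to integer linear equations is the implicit path enumeration technique (IPET): every basic block gets an execution-count variable, flow conservation at each node and the loop bound become linear constraints, and the ILP maximises total cost. The C program below is an added example written for this page, not the analysis tool the slide describes: it encodes a constructed six-block graph (a loop whose body branches two ways), solves the ILP by exhaustively enumerating edge-count vectors instead of calling a solver, and shows how an infeasible-path fact tightens the bound. The graph, the block costs standing in for the micro-architecture model, the loop bound and the path fact are all constructed for the example.

```c
#include <stdio.h>

/* Constructed control-flow graph:
 *   n0 entry -> n1 header -> (n2 branch A | n3 branch B) -> n4 join -> back to n1
 *   n1 header -> n5 exit
 * Block costs in cycles stand in for a micro-architecture model. */
#define NNODES 6
#define NEDGES 7
#define ENTRY  0
#define EXIT   5
static const int node_cost[NNODES] = { 5, 3, 20, 8, 2, 4 };
typedef struct { int src, dst; } edge_t;
static const edge_t edges[NEDGES] = {
    {0,1}, {1,2}, {1,3}, {2,4}, {3,4}, {4,1}, {1,5}
};
enum { E_BRANCH_A = 1, E_BACK = 5 };

/* Extra linear constraint: edge count x[edge] <= max. A loop bound and an
 * infeasible-path fact both take this form. */
typedef struct { int edge; int max; } bound_t;

/* Execution count of a block = sum of its incoming edge counts (entry: +1). */
static int node_count(const int x[NEDGES], int n) {
    int cnt = (n == ENTRY) ? 1 : 0;
    for (int e = 0; e < NEDGES; e++) if (edges[e].dst == n) cnt += x[e];
    return cnt;
}

/* Flow conservation at every node (exit: +1 outgoing) plus the extra bounds. */
static int feasible(const int x[NEDGES], const bound_t *bounds, int nbounds) {
    for (int n = 0; n < NNODES; n++) {
        int out = (n == EXIT) ? 1 : 0;
        for (int e = 0; e < NEDGES; e++) if (edges[e].src == n) out += x[e];
        if (node_count(x, n) != out) return 0;
    }
    for (int i = 0; i < nbounds; i++) if (x[bounds[i].edge] > bounds[i].max) return 0;
    return 1;
}

/* Objective: total cycles of the path described by the edge counts. */
static int path_cost(const int x[NEDGES]) {
    int cost = 0;
    for (int n = 0; n < NNODES; n++) cost += node_count(x, n) * node_cost[n];
    return cost;
}

/* Maximise path_cost over all feasible edge-count vectors. A real analysis
 * hands this ILP to a solver; here every vector in [0, maxcount]^NEDGES is
 * enumerated, which is fine for a graph this small. Returns -1 if infeasible. */
int ipet_wcet(int maxcount, const bound_t *bounds, int nbounds) {
    int x[NEDGES] = { 0 };
    int best = -1;
    for (;;) {
        if (feasible(x, bounds, nbounds)) {
            int c = path_cost(x);
            if (c > best) best = c;
        }
        int i = 0;                                   /* odometer-style increment */
        while (i < NEDGES && ++x[i] > maxcount) x[i++] = 0;
        if (i == NEDGES) break;
    }
    return best;
}

/* Loop bound of 6 iterations alone, then with the (constructed) infeasible-path
 * fact that the expensive branch A can be taken at most twice. */
int wcet_loop_bound_only(void) {
    bound_t b[] = { { E_BACK, 6 } };
    return ipet_wcet(7, b, 1);
}
int wcet_with_path_info(void) {
    bound_t b[] = { { E_BACK, 6 }, { E_BRANCH_A, 2 } };
    return ipet_wcet(7, b, 2);
}

int main(void) {
    printf("WCET, loop bound only      : %d cycles\n", wcet_loop_bound_only());
    printf("WCET, with path information: %d cycles\n", wcet_with_path_info());
    return 0;
}
```

With only the loop bound, the solver assumes branch A on all six iterations; the extra constraint pushes four iterations onto the cheaper branch B and lowers the bound, which is exactly why infeasible-path information is an input to the ILP rather than an afterthought. The bound stays sound either way because every constraint is an over-approximation of real executions.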

SLIDE 21

Temporal Isolation: Controlling Time

SLIDE 22

Mixed Criticality: Critical + Untrusted

Critical: control loop, sensor readings. Runs every 100 ms for a few milliseconds.

Untrusted: NW driver, NW interrupts. Runs frequently but for a short time (order of µs).

NW driver must preempt control loop

  • … to avoid packet loss
  • Driver must run at high prio
  • Driver must be trusted not to monopolise CPU

SLIDE 23

MCS Challenge: Sharing

[Figure: critical vehicle control and less critical navigation both update shared data]

Vehicle control must see consistent state

SLIDE 24

Sharing: Delegation to Resource Server

[Figure: control (priority P1) and navigation (priority P2) access the shared data only through a server (priority PS), via a communication endpoint (port)]

Single-threaded server guarantees atomicity

Implements immediate priority ceiling protocol (IPCP) if PS ≥ max(P1, P2)

Who pays for server time?

SLIDE 25

Solution: Time Capabilities

Classical thread attributes:

  • Priority
  • Time slice

New thread attributes:

  • Priority
  • Scheduling context capability (thread not runnable if null)

Scheduling context object (capability for time):

  • T: period
  • C: budget (≤ T)

Limits CPU access – sporadic server

Enables reasoning about time and temporal isolation for mixed-criticality systems

[Figure: example scheduling context with C = 2, T = 3]

SLIDE 26

MCS with Scheduling Contexts

  • Control loop, P = low, sensor readings: runs every 100 ms for a few milliseconds; C = 25,000, T = 100,000, utilisation = 25%
  • NW driver, P = high, NW interrupts: runs frequently but for a short time (order of µs); C = 2, T = 3, utilisation = 67%

SLIDE 27

Shared Server Time Charged to Client

[Figure: Client1 (P1) and Client2 (P2) invoke Server (PS); while serving, the server runs on the calling client's scheduling context]

  • Server runs on client’s scheduling context
  • Client is charged for server’s time
  • Timeout exception to deal with budget exhaustion
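The accounting on slides 25 to 27 can be exercised in a small simulation. The C program below is an added example written for this page, not kernel code: a scheduling context is a budget C replenished every period T (a periodic-refill simplification of the sporadic server, this example's own assumption), a fixed-priority scheduler picks the highest-priority thread that still has budget, a passive server runs on its caller's context and charges the caller, and a request that outlives the caller's budget stops where the kernel would raise the timeout exception. The tick units, priorities and the 300-tick run are constructed; the budgets mirror slide 26 scaled to ticks (driver C = 2, T = 3; control C = 25, T = 100).

```c
#include <stdio.h>

/* Scheduling context: the capability for time. Budget C is refilled every
 * period T (periodic-refill simplification of the sporadic server). */
typedef struct { int T, C, remaining, next_refill; } sched_ctx_t;

typedef struct { const char *name; int prio; sched_ctx_t *sc; int ticks_run; } thread_t;

/* Utilisation C/T in percent, rounded: 2/3 -> 67, 25,000/100,000 -> 25. */
int utilisation_percent(int C, int T) { return (100 * C + T / 2) / T; }

/* A thread with a null scheduling context, or an exhausted budget, is not runnable. */
static int runnable(const thread_t *t) { return t->sc != NULL && t->sc->remaining > 0; }

static void maybe_refill(sched_ctx_t *sc, int now) {
    if (sc != NULL && now == sc->next_refill) { sc->remaining = sc->C; sc->next_refill += sc->T; }
}

/* Fixed-priority scheduling, one tick at a time. Every thread always wants to
 * run, so a high-priority driver would monopolise the CPU if only priority
 * counted; its budget caps it instead. Returns the number of idle ticks. */
int simulate(thread_t *threads, int n, int nticks) {
    int idle = 0;
    for (int now = 0; now < nticks; now++) {
        for (int i = 0; i < n; i++) maybe_refill(threads[i].sc, now);
        thread_t *pick = NULL;
        for (int i = 0; i < n; i++)
            if (runnable(&threads[i]) && (pick == NULL || threads[i].prio > pick->prio))
                pick = &threads[i];
        if (pick == NULL) { idle++; continue; }
        pick->sc->remaining--;      /* the tick is charged to the context that ran */
        pick->ticks_run++;
    }
    return idle;
}

/* Passive server: no scheduling context of its own, runs on the caller's.
 * Returns the work left undone: 0 means the request completed, a positive
 * value means the caller's budget ran out first, the point at which the
 * kernel would raise the timeout exception rather than let the server overrun. */
int server_call(sched_ctx_t *client_sc, int service_cost) {
    int done = 0;
    while (done < service_cost) {
        if (client_sc->remaining == 0) break;   /* budget exhausted: timeout */
        client_sc->remaining--;                 /* charged to the client */
        done++;
    }
    return service_cost - done;
}

/* Constructed scenario from slide 26 in ticks: driver C=2,T=3 at high
 * priority, control loop C=25,T=100 at low priority, run for 300 ticks. */
enum { DEMO_DRIVER, DEMO_CONTROL, DEMO_IDLE };
int mcs_demo(int field) {
    sched_ctx_t sc_drv = { 3, 2, 2, 3 }, sc_ctl = { 100, 25, 25, 100 };
    thread_t th[2] = { { "NW driver", 10, &sc_drv, 0 }, { "control loop", 1, &sc_ctl, 0 } };
    int idle = simulate(th, 2, 300);
    return field == DEMO_DRIVER ? th[0].ticks_run : field == DEMO_CONTROL ? th[1].ticks_run : idle;
}

/* A client with the given budget asks a passive server for service_cost ticks. */
int timeout_demo(int client_budget, int service_cost) {
    sched_ctx_t sc = { 100, client_budget, client_budget, 100 };
    return server_call(&sc, service_cost);
}
int budget_after_call(int client_budget, int service_cost) {
    sched_ctx_t sc = { 100, client_budget, client_budget, 100 };
    server_call(&sc, service_cost);
    return sc.remaining;
}

int main(void) {
    printf("driver utilisation  : %d%%\n", utilisation_percent(2, 3));
    printf("control utilisation : %d%%\n", utilisation_percent(25000, 100000));
    printf("300 ticks: driver %d, control %d, idle %d\n",
           mcs_demo(DEMO_DRIVER), mcs_demo(DEMO_CONTROL), mcs_demo(DEMO_IDLE));
    printf("budget 2, request 5: %d ticks of work undone (timeout)\n", timeout_demo(2, 5));
    printf("budget 8, request 5: %d ticks undone, %d budget left\n",
           timeout_demo(8, 5), budget_after_call(8, 5));
    return 0;
}
```

The driver gets exactly two of every three ticks although it never voluntarily yields, and the control loop still receives its full 25 ticks in each 100-tick period; the driver no longer has to be trusted not to monopolise the CPU, because the budget is enforced rather than assumed. The server case shows the same enforcement reaching through a call: the work the client cannot pay for is not done on someone else's time.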

SLIDE 28

seL4 MCS Support

  • Time as a first-class resource:
      • Enforcement of delegatable time budgets
      • Suitable for formal reasoning
      • Verification to be completed this year
  • Status:
      • Functional correctness of MCS extensions presently being verified for Arm and RISC-V
  • To do:
      • Proving scheduler properties
      • Formal framework for reasoning about timeliness of applications

SLIDE 29

Thank You!