the formally verified sel4 microkernel
play

The Formally Verified seL4 Microkernel High-Assurance Foundation - PowerPoint PPT Presentation

Aug 28, 2023 •247 likes •539 views

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

  1. The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser • RTCSA Keynote, Aug’20 https://trustworthy.systems

  2. What Is Needed For Mixed-Criticality? During a review process, ca Aug’17: • [Gernot:] Temporal isolation is necessary for mixed criticality systems. • [Reviewer:] Wrong, temporal isolation is sufficient .

  3. What Is a Mixed-Criticality System? “A mixed-critical system […] supports the execution of safety-critical, mission- critical, and non-critical software within a single, secure compute platform.” [Barhorst’09] Criticality of a component is defined by the impact of failure: • loss of life • injury • inconvenience Certification of critical component must not depend on behaviour of less critical components ⇒ must prevent any interference by less critical components!

  4. Preventing Interference – The OS’s Job High Low Modify data criticality criticality Affect timing Operating System We need an OS that can guarantee the absence of interference! 4 | RTCSA Keynote, Aug'20

  5. seL4: Provable Isolation

  6. What is seL4? The world’s first operating- World’s most system kernel with provable advanced mixed- Open Source security enforcement criticality OS The world’s fastest The world’s only general-purpose protected-mode OS microkernel, designed with complete, sound for real-world use timeliness analysis 6 | RTCSA Keynote, Aug'20

  7. A Microkernel is not an OS VM Device drivers, file systems, crypto, Strong power management, virtual-machine App App Isolation App monitor are all usermode processes Linux Device Device App Device Device Driver Driver App File NW Device Process Memory Driver Driver App System Stack Driver Mgmt Mgmt VMM IPC Hypervisor Microkernel = context-switching engine Microkernel Processor Controlled Communication 7 | RTCSA Keynote, Aug'20

  8. Capability-Based Access Control Capability = Access Token: Eg. thread, address Prima-facie evidence of privilege Object space Obj reference Eg. read, Capabilities provide: Access rights write, send, • Fine-grained access execute… control • Reasoning about Any system call is invoking a capability: information flow err = method( cap, args ); 8 | RTCSA Keynote, Aug'20

  9. Proved Spatial Isolation Confidentiality Integrity Availability P Proof Model enforces Proof r o o f isolation Abstract Functional correctness: Model C code only behaves Proof as specified Translation validation: Binary retains Limitations (work in progress): C Imple- C-code semantics • Kernel initialisation not yet verified mentation • MMU & caches modelled abstractly Proof • Multicore version not yet verified • Timing channels not ruled out Binary code 9 | RTCSA Keynote, Aug'20

  10. Binary Code Verification Target of functional Proof correctness proof C Source Formalised C Formal C Semantics Proof Rewrite Rules Graph Graph Proof? Compiler Proof Language Language SMT Solver Proof De- compiler Symbol Tables Formalised Binary Code Binary Formal ISA Spec 10 RTCSA Keynote, Aug'20

  11. Isolation by Architecture 11 | RTCSA Keynote, Aug'20

  12. Issue: Capabilities are Low-Level A B A B CSpace CSpace Thread-ObjectA Thread-Object B VSpace EP CNode A1 CNode B1 PDA PT A1 Send Receive Receive CNode A2 CONTEXT CONTEXT Send FRAME ... ... ... ... FRAME ... VSpace ... >50 capabilities for trivial program! 12 | RTCSA Keynote, Aug'20

  13. Simple But Non-Trivial System 13 | RTCSA Keynote, Aug'20

  14. Component Middleware: CAmkES Higher-level abstractions of Interface low-level seL4 constructs Comp B Comp A RPC Component Connector Shared memory Semaphore Comp C 14 | RTCSA Keynote, Aug'20

  15. Trivial System in CAmkES Comp B Comp A RPC 15 | RTCSA Keynote, Aug'20

  16. HACMS UAV Architecture Security enforcement: Linux only sees encrypted data Data Radio Uncritical/ Link Driver untrusted, Wifi contained Crypto Camera CAN Linux Driver 16 | RTCSA Keynote, Aug'20

  17. Enforcing the Architecture Radio Data Uncritical/ Driver Link Architecture untrusted, Wifi contained specification Crypto Camera language CAN Linux Driver Low-level access rights capDL + pr A B glue.c driver.c VMM.c Thread Thread CSpace CSpace Object Object CNode CNode EP CONTEXT CONTEXT Receive Send Compiler/ ... ... VSpace VSpace Conditions Linker apply binary init.c 17 | RTCSA Keynote, Aug'20

  18. Military-Strength Security Autonomous trucks DARPA HACMS: DARPA HACMS: Retrofit existing Retrofit existing system! system! Unmanned Little Bird (ULB) Cross-Domain Secure Desktop Comms Compositor Dongle 18 | RTCSA Keynote, Aug'20

  19. Temporal Isolation: WCET Analysis 19 | RTCSA Keynote, Aug'20

  20. High-Assurance WCET Analysis Control Program Flow binary Graph Micro- Integer architecture linear WCET ILP solver Analysis tool model equations Loop Infeasible bounds path info Proved at C level, transferred to binary though translation- validation toolchain 20

  21. Temporal Isolation: Controlling Time 21 | RTCSA Keynote, Aug'20

  22. Mixed Criticality: Critical + Untrusted NW driver must preempt control loop • … to avoid packet loss • Driver must run at high prio • Driver must be trusted not to monopolise CPU Runs every 100 ms Runs frequently but for for few millisecods short time (order of µs) Critical: Untrusted: NW Sensor Control NW readings interrupts loop driver 22 | RTCSA Keynote, Aug'20

  23. MCS Challenge: Sharing Vehicle control must see consistent state Less Critical Updates critical Vehicle Shared Navigation Control Data 23 | RTCSA Keynote, Aug'20

  24. Sharing: Delegation to Resource Server Communication Single-threaded, endpoint (port) guarantees atomicity Control P 1 Server P S Navig. P 2 Implements immediate priority Who pays for ceiling protocol (IPCP) if P S ≥ max (P 1 , P 2 ) server time? 24 | RTCSA Keynote, Aug'20

  25. Solution: Time Capabilities Classical thread attributes New thread attributes • Priority • Priority Not runnable Not runnable • Time slice • Scheduling context capability if null if null Limits CPU access – Capability Scheduling context object sporadic server for time • T: period • C: budget (≤ T) Enables reasoning about time and temporal isolation C = 2 for mixed-criticality systems T = 3 25 | RTCSA Keynote, Aug'20

  26. MCS with Scheduling Contexts Runs every 100 ms Runs frequently but for for few millisecods short time (order of µs) Control NW Sensor NW loop driver readings interrupts P = low P = high C = 2 C = 25,000 T = 3 T = 100,000 Utilisation = 67% Utilisation = 25% 26 | RTCSA Keynote, Aug'20

  27. Shared Server Time Charged to Client Running Client is Running charged for Client 1 server’s time P 1 Server P S Client 2 P 2 Server runs on client’s scheduling Timeout exception context to deal with budget exhaustion 27 | RTCSA Keynote, Aug'20

  28. seL4 MCS Support • Time as a first-class resource: - Enforcement of delegatable time budgets - Suitable for formal reasoning - Verification to be completed this year • Status: - Functional correctness of MCS extensions presently being verified for Arm and RISC-V • To Do: - Proving scheduler properties - Formal framework for reasoning about timeliness of applications

  29. Thank You! 29 | RTCSA Keynote, Aug'20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim

Fusing Hybrid Remote Attestation with a Formally Verified Microkernel: Lessons Learned Karim Eldefrawy, Norrathep Rattanavipanon , Gene Tsudik June 28, 2017 nrattana@uci.edu http://sprout.ics.uci.edu IoT/CPS/ES IoT/CPS/ES IoT/CPS/ES Remote

451 views • 33 slides
HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim

HYDRA: HYbrid Design for Remote Attestation (Using a Formally Verified Microkernel) Karim Eldefrawy , Norrathep Rattanavipanon, Gene Tsudik HRL Labs UC Irvine UC Irvine (Currently at SRI) July 18, 2017 karim.eldefrawy@sri.com IoT/CPS/ES 2

1.07k views • 41 slides
Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser |

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems What is seL4? A 30-Year Dream 3 | LCA |

886 views • 36 slides
seL4 Microkernel Status Update Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser

seL4 Microkernel Status Update Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser

seL4 Microkernel Status Update Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser FOSDEM, Bruxelles, 2020-02-02 https://trustworthy.systems What is seL4? seL4: Assurance and Performance The worlds first operating- Worlds

253 views • 23 slides
Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens

Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens

Verifying the seL4 Microkernel Formal Proof in Mathematics and Computer Science Lukas Stevens 21st June 2018 Outline 2. Design process of seL4 3. Formal methods of the correctness proof 4. Layers of the correctness proof 5. Conclusion 1 1.

754 views • 64 slides
Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified

Roberto Guanciale Mads Dam Hamed Nemati Christoph Baumann Cache Storage Channels Alias-driven Attacks Formally Verified Platforms Formally Verified Platforms Caches Excluded Formally Verified from the analysis Platforms Caches Excluded

675 views • 64 slides
Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 David Cock Background Microkernel Systems seL4 & Barrelfish Authorisation and Delegation Capabilities in seL4 Types of Authority Resource Management Implementation Model Representation David Cock Operations

1.41k views • 118 slides
Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1.

Formally verified constraint solvers Catherine Dubois 1 Sourour Elloumi 1 Arnaud Gotlieb 2 1. CEDRIC-ENSIIE, Evry, France 2. Certus V&V Center, SIMULA RESEARCH LAB., Lysaker, Norway Dagstuhl Seminar 15381 1 / 23 Formally verified

501 views • 28 slides
Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified

Formally Verified Cryptographic Web Applications J. Protzenko et al. MSR + INRIA Verified Cryptographic Web Applications in WASM May. 22 st , 2019 1 / 22 in WebAssembly Jonathan Protzenko Microsoft Research Benjamin Beurdouche INRIA

1.5k views • 57 slides
A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo

A Formally Verified Quadratic Unification Algorithm J.-L. Ruiz-Reina, J.-A. Alonso, M.-J. Hidalgo and F .-J. Mart n-Mateos Computational Logic Group Dept. of Computer Science and Artificial Intelligence University of Seville A Formally

356 views • 32 slides
Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of

Towards Formally Verified Theorem Provers Ramana Kumar Computer Laboratory, University of Cambridge Twenty Years of the QED Manifesto Vienna Summer of Logic, 2014 HOL Verified Goals of the Project An implementation of HOL Light 1. that runs

428 views • 13 slides
VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina

VigNAT: A Formally Verified NAT Arseniy Zaostrovnykh, Solal Pirelli, Luis Pedrosa, Katerina Argyraki, George Candea Formally verify a stateful NF with competitive performance and reasonable human effort 2 Formally verify a stateful NF with

836 views • 81 slides
Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ,

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer , Vincent Rahli, Ivana Vukotic, Marcus Vlp, Andr Platzer Thanks to: Johannes Hlzl, Fabian Immler, Tobias Nipkow, et. al. + Coquelicot team

540 views • 38 slides
Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified trustworthy software systems April 2016 data61.csiro.au Formal verification of real systems is happening! Formal verification of real systems

981 views • 75 slides
A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu

A Formally Verified Symmetry Breaking Tool for SAT David E. Narv aez den9562@rit.edu Rochester Institute of Technology Rochester, NY, USA FMCAD-18 Student Forum David E. Narv aez (RIT) Formally Verified Symmetry Breaking Tool FMCAD-18

215 views • 6 slides
Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts

Towards an Open-Source, Formally-Verified Secure Processor Srini Devadas Massachusetts Institute of Technology Architectural Isolation of Processes Fundamental to maintaining correctness and privacy! 2 Performance Dictates

959 views • 43 slides
The Communications Market Report 2016 4 August 2016 Agenda Introduction Jane Rumble, Director

The Communications Market Report 2016 4 August 2016 Agenda Introduction Jane Rumble, Director

Ofcom analyst briefing The Communications Market Report 2016 4 August 2016 Agenda Introduction Jane Rumble, Director of Market Intelligence Market overview Jessica Rees, Researcher, Market Research The audio-visual industries Stefan

782 views • 60 slides
NDS2 Secure storage, sharing and publishing of data in the NDS Maciej Brzeniak,

NDS2 Secure storage, sharing and publishing of data in the NDS Maciej Brzeniak,

NDS2 Secure storage, sharing and publishing of data in the NDS Maciej Brzeniak, Supercomputing Dept. of PSNC, www.psnc.pl TF-Storage meeting @Dubrovnik, Sep., 26-27th 2012 Project funded by: NCBiR for 2011-2013 under KMD2 project (no.

769 views • 21 slides
FMC (Fixed Mobile Convergence) Wh t Ab What About Security? t S it ? Vancouver June 2008

FMC (Fixed Mobile Convergence) Wh t Ab What About Security? t S it ? Vancouver June 2008

FMC (Fixed Mobile Convergence) Wh t Ab What About Security? t S it ? Vancouver June 2008 Vancouver June 2008 Franck Veysset, Orange Labs Firstname.lastname at orange-ftgroup dot com research & development Agenda Introduction

463 views • 30 slides
RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin

RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin

RUNNING SvSAN ON THE NEW CISCO ISR 4461 AND UCS E-SERIES With Craig Collier and Ian McLaughlin Hosted by Kelynn Renals MAKING THE COMPLEX SIMPLE CONFIDENTIAL ENTERPRISES FACE DIFFICULTIES IN EDGE DEPLOYMENT 2 CONFIDENTIAL CISCO AND STORMAGIC

366 views • 8 slides
An ultra-low-cost antenna array frontend for GNSS application Thuan D. Nguyen, Vinh T. Tran Tung

An ultra-low-cost antenna array frontend for GNSS application Thuan D. Nguyen, Vinh T. Tran Tung

International Collaboration Centre for Research and Development on Satellite Navigation Technology in South East Asia An ultra-low-cost antenna array frontend for GNSS application Thuan D. Nguyen, Vinh T. Tran Tung H. Ta, Letizia Lo Presti

333 views • 15 slides
twitter backchannel #iBeaconsXW15 http://slides.com/plite/ibeacons-7/ iOS app store apps Paul

twitter backchannel #iBeaconsXW15 http://slides.com/plite/ibeacons-7/ iOS app store apps Paul

twitter backchannel #iBeaconsXW15 http://slides.com/plite/ibeacons-7/ iOS app store apps Paul Cowan Innovation & Technology Team Manager near Faculty of Education beacondo University of Waikato dartle p.cowan@waikato.ac.nz A Brief

737 views • 26 slides
connected car, they say? what's there, already? the CAN bus developed since1983

connected car, they say? what's there, already? the CAN bus developed since1983

connected car, they say? what's there, already? the CAN bus developed since1983 by Bosch GmbH initially invented to reduce the huge amount of cables to one cable/bus for all a serial bus that connects all electronic

827 views • 20 slides
Just a T.A.D. (Traffic Analysis Drone) Senior Design Project 2017: Preliminary Design Review 1

Just a T.A.D. (Traffic Analysis Drone) Senior Design Project 2017: Preliminary Design Review 1

Just a T.A.D. (Traffic Analysis Drone) Senior Design Project 2017: Preliminary Design Review 1 Department of Electrical and Computer Engineering Department of Electrical and Computer Engineering SDP17 - TAD Meet the Team Cyril Caparanga

489 views • 19 slides

More recommend