Introduction Muen Intel Virtualization Support Challenges Approach
Verification of a Separation Kernel - PowerPoint PPT Presentation
Inzemamul Haque, Indian Institute of Science, Bangalore
17 July 2017
Outline
1. Introduction
2. Muen
3. Intel Virtualization Support
4. Challenges
5. Approach
Motivation
- Defense and aerospace applications need to run security-critical programs alongside untrusted programs on the same machine.
- Commercial O/Ss have many vulnerabilities, which make them unsuitable for this task.
- A Separation Kernel provides such a solution.
- We would like to prove certain security properties of a separation kernel.
- Formal verification gives the highest level of assurance that a system satisfies a required property.
Separation Kernel
[Figure: two configurations compared. Left: Apps and a Security-Critical program all running on a Linux Kernel over the Processor / Hardware. Right: a Separation Kernel over the Processor / Hardware hosting Guest OSs with their Apps separately from the Security-Critical program.]
Objective
Goal: to give a machine-checked proof of correctness of a separation kernel.
How does it address the security concern? Security is part of the abstract model.
Methodology
- Define an abstract model which captures the correct behaviour of the separation kernel.
- Show that for every execution in the concrete system there is a corresponding execution in the abstract model.
- Inductive proof, by defining an abstraction relation.
[Figure: simulation diagram between Abstract and Concrete. The abstract and concrete initial states are related by ρ, and every concrete step from a pair of ρ-related states is matched by an abstract step whose target is again related by ρ.]
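The two proof obligations of the inductive argument, written out here as an addition that is not on the slides; $\mathit{Init}_A$, $\mathit{Init}_C$, $\to_A$ and $\to_C$ are assumed names for the initial states and transition relations of the abstract and concrete systems:

$$\forall c_0 \in \mathit{Init}_C.\ \exists a_0 \in \mathit{Init}_A.\ \rho(a_0, c_0)$$

$$\forall a, c, c'.\ \rho(a, c) \wedge c \to_C c' \implies \exists a'.\ a \to_A a' \wedge \rho(a', c')$$

By induction on the length of a concrete execution, these two obligations yield an abstract execution whose states are related step by step by ρ.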
Muen Separation Kernel
[Figure: Muen architecture. A Build Policy File (in XML) is consumed by the Muen tool-chain; the Muen Separation Kernel runs on the Processor using Intel VT-x, EPT, Intel VT-d and other normal processor features, hosting Subject 1, Subject 2, Subject 3 and their Shared Resources.]
Example Policy File
Intel VT-x
[Figure: Privilege Rings. Without VT-x: Ring 0 (Operating System) through Ring 3 (User applications). With VT-x: the VMM runs in VMX root mode, while the guest's Ring 0 (Operating System) through Ring 3 (User applications) run in VMX non-root mode.]
Life-cycle of a VMM
How to manage states during VM-entry and VM-exit?
Virtual Machine Control Structure (VMCS)
VMCS Data
Fields in the VMCS can be classified as follows:
- Guest state area: mainly the register state of the guest
- Host state area: processor state to be loaded at VM exits
- VM-execution control fields: fields like external interrupt exiting, CR3 load exiting, etc.
- VM-entry control fields: fields which tell what is to be saved during VM entry
- VM-exit control fields: fields which tell what is to be saved during VM exit
- VM-exit information fields
Causes of VM-Exit
- Instructions causing unconditional exits: INVD, CPUID, etc.
- Instructions causing conditional exits:
  - HLT, if the HLT-exiting field is set
  - MOV from CR3, if the CR3-exiting field is set
- External interrupts, if the external interrupt exiting field is set
- The VMX preemption timer counts down to zero
Extended Page Tables
Muen Separation Kernel
[Figure: Muen control flow. Processor reset -> BIOS -> Bootloader -> Initialize -> VM Launcher -> VM-entry -> Subject running -> VM-exit -> VM-exit handler -> VM-entry (loop).]
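As an added illustration (not code from the slides or from Muen), the Python model below combines the VM-exit causes listed earlier with the VM-entry / run / VM-exit / handler loop of the figure above; the control-field names, the instruction spellings and the handler's resume behaviour are assumptions chosen to mirror the slides' wording.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Instructions the slide lists as causing an unconditional VM-exit.
UNCONDITIONAL_EXITS = {"INVD", "CPUID"}

@dataclass
class ExecControls:
    """Subset of VM-execution control fields named on the slide (field names assumed)."""
    hlt_exiting: bool = False
    cr3_exiting: bool = False                # exit on MOV from CR3
    ext_interrupt_exiting: bool = False
    preemption_timer: Optional[int] = None   # instructions until a timer exit; None = off

def exit_reason(instr: str, ctrl: ExecControls, irq_pending: bool,
                timer_left: Optional[int]) -> Optional[str]:
    """Decide whether the guest's next step leaves VMX non-root mode, and why."""
    if irq_pending and ctrl.ext_interrupt_exiting:
        return "EXTERNAL_INTERRUPT"
    if timer_left == 0:
        return "PREEMPTION_TIMER"
    if instr in UNCONDITIONAL_EXITS:
        return instr
    if instr == "HLT" and ctrl.hlt_exiting:
        return "HLT"
    if instr == "MOV_FROM_CR3" and ctrl.cr3_exiting:
        return "CR3_ACCESS"
    return None                              # no exit: the guest keeps running

def run_subject(program: List[str], ctrl: ExecControls,
                irq_at: Optional[int] = None) -> List[Tuple[str, int]]:
    """VM-entry / run / VM-exit / handler loop for one subject; returns (reason, pc) per exit.
    Instruction exits are emulated, so the guest resumes after the instruction;
    timer and interrupt exits resume at the same instruction."""
    exits, pc = [], 0
    timer = ctrl.preemption_timer            # VM-entry loads the preemption timer
    while pc < len(program):
        reason = exit_reason(program[pc], ctrl, irq_at == pc, timer)
        if reason is None:                   # the instruction runs in the guest
            pc += 1
            if timer is not None:
                timer -= 1
            continue
        exits.append((reason, pc))           # VM-exit: the VMM's exit handler runs
        if reason == "EXTERNAL_INTERRUPT":
            irq_at = None                    # interrupt taken by the host
        elif reason != "PREEMPTION_TIMER":
            pc += 1                          # emulated instruction is skipped
        timer = ctrl.preemption_timer        # VM-entry reloads the timer
    return exits
```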
Challenges
- Dealing with the mixture of assembly and Ada.
- Proof for a general policy.
- Reasoning about the invariants involved.
Abstract Model
- Our model is a state transition system.
- The policy also specifies the number of CPUs and the order of execution of subjects.
- Every subject runs on a standalone machine according to the schedule specified in the policy.
Abstract Model
[Figure: example schedule. Subjects S0 to S7 are assigned to CPU 0, CPU 1, CPU 2 and CPU 3; along the time axis each CPU runs its subjects in the order given by the policy, and the sequence repeats at the end of each major frame.]
State in the Model
Transitions in the Model
- Tick
- Local operation: memory accessed by the subjects
- External interrupt
- Events:
  - Read channel
  - Write channel
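The abstract model described in the last two sections (policy with per-CPU schedule, each subject on its own standalone machine, and the tick / local operation / external interrupt / channel transitions) as an added Python example; this is not the authors' model or Muen code, and the policy shape, the per-subject memory as a plain dictionary and the "transition returns False when the policy forbids it" convention are assumptions.

```python
from dataclasses import dataclass, field
@dataclass(frozen=True)
class Policy:
    """Static policy (constructed stand-in; Muen's XML policy file is not parsed here)."""
    schedule: dict   # cpu -> subjects in their order of execution, one per minor frame
    channels: dict   # channel -> (writer subject, reader subject)
    irqs: dict       # irq number -> subject that receives it

@dataclass
class State:
    frame: dict = field(default_factory=dict)    # cpu -> index of the current minor frame
    memory: dict = field(default_factory=dict)   # subject -> {addr: value}: its standalone machine
    channel: dict = field(default_factory=dict)  # channel -> last value written
    pending: dict = field(default_factory=dict)  # subject -> interrupts delivered to it

def init(policy: Policy) -> State:
    s = State()                      # every CPU at minor frame 0, every subject with empty memory
    for cpu, subjects in policy.schedule.items():
        s.frame[cpu] = 0
        for subj in subjects:
            s.memory.setdefault(subj, {})
    return s

def running(policy: Policy, s: State, subj: str) -> bool:
    return any(policy.schedule[cpu][s.frame[cpu]] == subj for cpu in s.frame)  # scheduled now?

def tick(policy: Policy, s: State, cpu: int) -> None:
    # Scheduler transition: next minor frame, wrapping at the end of the major frame.
    s.frame[cpu] = (s.frame[cpu] + 1) % len(policy.schedule[cpu])

def local_op(policy: Policy, s: State, subj: str, addr: int, val: int) -> bool:
    """Memory access: enabled only for a scheduled subject, and only on its own memory."""
    if not running(policy, s, subj):
        return False                 # transition not enabled; state unchanged
    s.memory[subj][addr] = val
    return True

def write_channel(policy: Policy, s: State, subj: str, chan: str, val: int) -> bool:
    if policy.channels[chan][0] != subj:
        return False                 # only the policy's writer may write
    s.channel[chan] = val
    return True

def read_channel(policy: Policy, s: State, subj: str, chan: str):
    if policy.channels[chan][1] != subj:
        return None                  # only the policy's reader may read
    return s.channel.get(chan, 0)    # 0 if the channel was never written

def external_interrupt(policy: Policy, s: State, irq: int) -> None:
    s.pending.setdefault(policy.irqs[irq], []).append(irq)  # only the assigned subject sees it
```

Because each subject's memory is a separate machine in the state, a local operation by one subject can never alter another subject's memory; the channel and interrupt transitions are the only cross-subject flows, and each is gated by the policy.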
AdaCore SPARK
A tool to prove certain properties of Ada programs, such as:
- satisfiability of pre- and post-conditions for a program;
- checking assertions at certain points in the program;
- absence of run-time errors like division by zero and dangling pointers.
We carried out a small exercise to verify a virtual memory translator.
Dealing with mixture of assembly and Ada code
Writing the assembly instructions as Ada functions, e.g. modelling a 64-bit register as a 64-bit modular datatype in Ada.
Conclusion
- Giving a machine-checked proof of correctness of a separation kernel.
- We have modelled the Muen separation kernel.
- Focusing on the correctness of the initialization part of the kernel as of now.