verified sel4 on secure risc v processors
play

Verified seL4 on Secure RISC-V Processors and Other News in seL4 - PowerPoint PPT Presentation

May 31, 2023 •516 likes •886 views

Verified seL4 on Secure RISC-V Processors and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems What is seL4? A 30-Year Dream 3 | LCA |

  1. Verified seL4 on Secure RISC-V Processors … and Other News in seL4 Land Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser • LCA, Gold Coast, QLD, 2020-01-15 https://trustworthy.systems

  2. What is seL4?

  3. A 30-Year Dream 3 | LCA | Gold Coast | Jan'20

  4. seL4: The Dream Come True! The world’s first operating- World’s most system kernel with provable advanced mixed- security enforcement Open Source criticality OS The world’s only The world’s fastest protected-mode OS microkernel, designed with complete, sound for real-world use timeliness analysis 4 | LCA | Gold Coast | Jan'20

  5. L4: 25 Years High-Performance Microkernels seL4: The latest member of the L4 microkernel family API Inheritance L4-embed. iOS secure Code Inheritance enclave OKL4-µKernel L4/MIPS OKL4-Microvisor Qualcomm modem chips L4/Alpha Codezero L3→L4 “X” Hazelnut Pistachio Fiasco Fiasco.OC GMD/IBM/Karlsruhe UNSW/NICTA/Data61 OK Labs Nova Dresden P4 → PikeOS Other (commercial) 93 94 95 01 02 03 04 05 06 07 08 09 10 11 12 96 97 98 99 00 5 | LCA | Gold Coast | Jan'20

  6. A Microkernel is not an OS VM Device drivers, file systems, crypto, Strong power management, virtual-machine App App Isolation App monitor are all usermode processes Linux Device Device App Device Device Driver Driver App File NW Device Process Memory Driver Driver App System Stack Driver Mgmt Mgmt VMM IPC Hypervisor Microkernel Microkernel = context-switching engine Processor Controlled Communication 6 | LCA | Gold Coast | Jan'20

  7. Core Mechanism: Object Capability Capability = Access Token: Eg. thread, Prima-facie evidence of privilege address Object space Obj reference Eg. read, Capabilities provide: write, send, Access rights • Fine-grained access execute… control • Reasoning about information flow 7 | seL4 Summit | DC | Sep'19

  8. Microkernel: seL4 vs Linux Licensing Valuable IP Valuable IP Your code (applications) Your code (applications) any… any… Your system TS system services: Your system services libs, drivers, file systems, services NW stacks, tools, … kernel.org source GPL v2 • core kernel any… BSD • device drivers • file systems Platform port: Platform port: • NW stacks Boiler • device drivers • timer • … • HW init TS kernel source • serial plate GPL v2 • HW init GPL v2 GPL v2 GPL v2 Boiler plate Details: https://microkerneldude.wordpress.com 8 | LCA | Gold Coast | Jan'20

  9. Military-Strength Security Autonomous trucks DARPA HACMS: DARPA HACMS: Retrofit existing Retrofit existing system! system! Unmanned Little Bird (ULB) Cross-Domain Secure Desktop Comms Compositor Dongle 9 | LCA | Gold Coast | Jan'20

  10. Verification

  11. World’s Most Secure OS: Arm v7 Confidentiality Integrity Availability Proof Proof f Model enforces o o r P security Abstract Functional correctness: Model C code only behaves Proof as specified Translation validation: Binary retains C Imple- Limitations (work in progress): C-code semantics mentation • Kernel initialisation not yet verified • MMU & caches modelled abstractly Proof Sound worst-case • Timing channels not ruled out execution time bound Binary code 11 | LCA | Gold Coast | Jan'20

  12. seL4 on RISC-V

  13. Background: HENSOLD Cyber Untrusted Secured app app File Crypto server Munich-based startup • Secure RISC-V processor • Based on open-source Ariane • Supply chain secured through logic encryption • Secure OS based on seL4 Disclosure: I have an interest • Targets defence, industrial control, critint, automotive in HENSOLDT Cyber 13 | LCA | Gold Coast | Jan'20

  14. Performance on RV64 Message-passing round-trip latency in cycles Not yet fully optimised! Arch Arch x86 32b x86 32b x86 64b x86 64b Arm 32b Arm 32b Arm 64b Arm 64b RISC-V 64b Intra address space Intra address space 427 427 565 565 625 625 752 752 690 Inter address space Inter address space 752 752 1041 1041 625 625 752 752 1006 Spectre-workaround disabled No ASIDS on HiFive (else much more expensive) Unleashed , else inter-AS would be same as intra-AS Hypervisor extensions (draft spec 0.5) supported in branch 14 | LCA | Gold Coast | Jan'20

  15. Verification: RISC-V Status Confidentiality Integrity Availability Proof Proof f o o r P Abstract Model Functional correctness: Proof RISC-V due Q1’20 Translation validation: C Imple- RISC-V due Q2’20 mentation Proof Sound WCET bound RISC-V in progress Binary code 15 | LCA | Gold Coast | Jan'20

  16. Experience with RISC-V Architecture • Kernel port straightforward: - simple and clean RISC architecture • Verification benefitted from cleanness U mode VU mode - … but some challenges from less typing in page tables apps VMM • Hypervisor (draft) extensions even simpler • M (machine) mode makes firmware explicit S mode HS mode - configures HW, delegates to S (supervisor) mode (Guest) OS hypervisor - emulates features not implemented in HW - should be verified M mode Firmware • Extensibility of ISA could be a concern - could undermine portability • Formal ISA spec is great! 16 | LCA | Gold Coast | Jan'20

  17. LCA’18 Refresher: Time Capabilities New thread attributes Classical thread attributes • Priority • Priority Not runnable Not runnable • Time slice if null if null • Scheduling context capability Limits CPU Capability Scheduling context object access! for time • T: period • C: budget (≤ T) Enables reasoning about time and temporal isolation C = 2 C = 250 for mixed-criticality systems T = 3 T = 1000 17 | LCA | Gold Coast | Jan'20

  18. Time Caps (MCS) Kernel Verification New Mainline MCS MCS Mainline Mainline Arm v7 Arm v7 RISC-V RISC-V Spec Spec Spec Spec Proof Proof Proof Proof Merge Merge Q2’20 Q1’20 Q1’20 C C C C Proof Proof Proof Proof Q2’20 Q2’20 Binary Binary Binary Binary 18 | LCA | Gold Coast | Jan'20

  19. Research: Time Protection

  20. Threats Speculation An “unknown unknown” until recently A “known unknown” for decades Microarchitectural Timing Channel 20 | seL4 Summit | DC | Sep'19

  21. Cause : Competition for HW Resources High Low Shared hardware • Inter-process interference Affect execution speed • Competing access to micro- architectural features • Hidden by the HW-SW contract! 21 | seL4 Summit | DC | Sep'19

  22. Sharing: Stateful Hardware High Low HW is capacity-limited • Interference during • concurrent access • time-shared access • Collisions reveal addresses • Usable as side channel Cache Any state-holding microarchitectural feature: • cache, branch predictor, pre-fetcher state machine 22 | seL4 Summit | DC | Sep'19

  23. Time Protection: Prevent Interference High Low Shared hardware Interference results from sharing Affect execution speed ⇒ Partition hardware: • spatially • temporally (time shared) 23 | seL4 Summit | DC | Sep'19

  24. Time Protection: Partition Hardware High Low High Low Temporally partition Flush Cache Cache Need Need Spatially partition both! both! Flushing useless for Cannot spatially partition on- High Low concurrent access core caches (L1, TLB, branch predictor, pre-fetchers) • HW threads • virtually-indexed • cores Cache • OS cannot control 24 | seL4 Summit | DC | Sep'19

  25. Spatially Partition: Cache Colouring High Low • Partitions get frames of disjoint colours PT TCB TCB PT • seL4: userland supplies kernel memory ⇒ colouring userland colours dynamic kernel memory • Per-partition kernel image to colour kernel [Ge et al. EuroSys’19] Cache RAM 25 | seL4 Summit | DC | Sep'19

  26. Temporal Partitioning: Flush on Switch Must remove any history dependence! Latency depends on prior execution! 1. T 0 = current_time() 2. Switch user context 3. Flush on-core state Time padding to Remove 4. Touch all shared data needed for return dependency 5. while (T 0 +WCET < current_time()) ; 6. Reprogram timer Ensure 7. return deterministic execution 26 | seL4 Summit | DC | Sep'19

  27. Challenge: Broken Hardware • Systematic study of COTS hardware (Intel and Arm) [Ge et al, APSys’18]: • contemporary processors hold state that cannot be reset HiSilicon A53 branch history buffer Intel branch history buffer 10 -1 Spy execution time 1000 10 -2 800 10 -3 10 -4 600 10 -5 400 Trojan signal 0 1 Small channel! Channel! 27 | seL4 Summit | DC | Sep'19

  28. Way Out: New HW-SW Contract! ISA is purely functional contract, abstracts too much away New contract (augmented ISA): All shared HW resources must be spatially or temporally partitionable by OS [Ge et al, APSys’18] RISC-V to the rescue: Strong commitment to making it happen! 28 | seL4 Summit | DC | Sep'19

  29. Community/ Ecosystem

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser |

The Formally Verified seL4 Microkernel High-Assurance Foundation for MCS Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser RTCSA Keynote, Aug20 https://trustworthy.systems What Is Needed For Mixed-Criticality? During a

539 views • 29 slides
RISC Processors Chapter 14 S. Dandamudi Outline Introduction Itanium processor

RISC Processors Chapter 14 S. Dandamudi Outline Introduction Itanium processor

RISC Processors Chapter 14 S. Dandamudi Outline Introduction Itanium processor Architecture Evolution of CISC Addressing modes processors Instruction set RISC design principles Instruction-level parallelism

1.35k views • 70 slides
End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About

End-to-end formal ISA verification of RISC-V processors with riscv-formal Clifford Wolf About RISC-V RISC-V is an Open Instruction Set Architecture (ISA) Can be freely used for any purpose Many implementations are available from

677 views • 22 slides
seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . . seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure

169 views • 16 slides
RISC-V: towards a reference LLVM backend Alex Bradbury asb@lowrisc.org @asbradbury @lowRISC 3rd

RISC-V: towards a reference LLVM backend Alex Bradbury asb@lowrisc.org @asbradbury @lowRISC 3rd

RISC-V: towards a reference LLVM backend Alex Bradbury asb@lowrisc.org @asbradbury @lowRISC 3rd November 2016 What is RISC-V? A free to implement ISA originally developed at UC Berkeley Has Linux, QEMU, FreeBSD, seL4, Coreboot, ...

323 views • 7 slides
Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified

Provably Trustworthy Systems seL4 and beyond Gerwin Klein Royal Society Meeting on Verified trustworthy software systems April 2016 data61.csiro.au Formal verification of real systems is happening! Formal verification of real systems

981 views • 75 slides
ARM v4T CS2253 Owen Kaser, UNBSJ ARM v4T History of ARM processors R is for RISC

ARM v4T CS2253 Owen Kaser, UNBSJ ARM v4T History of ARM processors R is for RISC

ARM v4T CS2253 Owen Kaser, UNBSJ ARM v4T History of ARM processors R is for RISC Registers Status flags and conditional execution Memory Example program History of ARM v4T Acorn Computers in the UK, early 1980s

461 views • 16 slides
Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit:

Building Trustworthy Systems on seL4 Ihor Kuz seL4 Summit: 25 September 2019 www.data61.csiro.au Overview What is a Trustworthy System? What does

747 views • 26 slides
PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the

PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the

ENHANCED TOOLS FOR RISC-V PROCESSOR DEVELOPMENT THE FREE AND OPEN RISC INSTRUCTION SET ARCHITECTURE Codasip is the leading provider of RISC-V processor IP Codasip Bk : A portfolio of RISC-V processors Uniquely providing design automation tools

318 views • 9 slides
TEE Boot Procedure with Crypto-accelerators in RISC-V Processors Authors: Ckristian Duran,

TEE Boot Procedure with Crypto-accelerators in RISC-V Processors Authors: Ckristian Duran,

TEE Boot Procedure with Crypto-accelerators in RISC-V Processors Authors: Ckristian Duran, Trong-Thuc Hoang, Akira Tsukamoto, Kuniyasu Suzaki, and Cong-Kha Pham Outline Motivation Hardware Structure for Trusted Execution Environments

470 views • 33 slides
Nested Parallelism PageRank on RISC- V Vector Multi- Processors Al Alon Am Amid, Al Albert t

Nested Parallelism PageRank on RISC- V Vector Multi- Processors Al Alon Am Amid, Al Albert t

Nested Parallelism PageRank on RISC- V Vector Multi- Processors Al Alon Am Amid, Al Albert t Ou, Kr Krste te Asanov ovi , B Bor orivoj oje e Nikol oli Agenda Silicon-Proven Open Source Hardware and FPGA-Accelerated Problem

755 views • 51 slides
RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B.

RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B.

RV-IOV: Tethering RISC-V Processors via Scalable I/O Virtualization Luis Vega and Michael B. Taylor Bespoke Silicon Group University of Washington 1 Berkeleys Tethered Rocket core The host system provide support for: Rocket Core

1.24k views • 16 slides
Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 Types of Authority Resource Management Implementation Model

Capabilities in seL4 David Cock Background Microkernel Systems seL4 &amp; Barrelfish Authorisation and Delegation Capabilities in seL4 Types of Authority Resource Management Implementation Model Representation David Cock Operations

1.41k views • 118 slides
ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other

ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other

ARM Cortex-M4 Programming Model ARM = Advanced RISC Machines, Ltd. ARM licenses IP to other companies (ARM does not fabricate chips) 2005: ARM had 75% of embedded RISC market, with 2.5 billion processors ARM available as microcontrollers, IP

611 views • 29 slides
Flexible Timing Simulation of RISC-V Processors with Sniper Neet eethu B Bal al M Mal ally

Flexible Timing Simulation of RISC-V Processors with Sniper Neet eethu B Bal al M Mal ally

Flexible Timing Simulation of RISC-V Processors with Sniper Neet eethu B Bal al M Mal ally lya 1 , Cecilia Gonzalez-Alvarez 2 , Trevor E. Carlson 1 1 National University of Singapore, Singapore 2 Ghent University, Belgium Outline Need

784 views • 28 slides
Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas

Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas

www.iaik.tugraz.at S C I E N C E P A S S I O N T E C H N O L O G Y Protecting RISC-V Processors against Physical Attacks Stefan Mangard, Robert Schilling, Thomas Unterluggauer, Mario Werner

621 views • 57 slides
Scaling Market-Based Results of a WASHPaLS Desk Review July 12, 2018 Sanitation: An Overview

Scaling Market-Based Results of a WASHPaLS Desk Review July 12, 2018 Sanitation: An Overview

Scaling Market-Based Results of a WASHPaLS Desk Review July 12, 2018 Sanitation: An Overview Presenters Jesse Shapiro (USAID) Rishi Agarwal, Morris Israel, Jeff Albert (WASHPaLS) What is WASHPaLS? Water, Sanitation, &amp; Hygiene

496 views • 31 slides
Contextual Privacy by Design for Integrated EHRs Timothy Kariotis @timothykariotis School of

Contextual Privacy by Design for Integrated EHRs Timothy Kariotis @timothykariotis School of

TK Contextual Privacy by Design for Integrated EHRs Timothy Kariotis @timothykariotis School of Computing and Information Systems Team TK Assistant Professor Darakhshan Mir Associate Professor Shanton Chang Department of Computer Science

640 views • 23 slides
Does it matter what validity means? Professor Paul E. Newton Date: 4 February 2013

Does it matter what validity means? Professor Paul E. Newton Date: 4 February 2013

Does it matter what validity means? Professor Paul E. Newton Date: 4 February 2013 Seminar: University of Oxford, Department of Education The most elusive of all assessment concepts? Validity is an integrated evaluative judgment

868 views • 42 slides
DYNAMIC INCENTIVES FOR BUY-SIDE ANALYSTS Maher Said with Rahul Deb (University of Toronto) and

DYNAMIC INCENTIVES FOR BUY-SIDE ANALYSTS Maher Said with Rahul Deb (University of Toronto) and

DYNAMIC INCENTIVES FOR BUY-SIDE ANALYSTS Maher Said with Rahul Deb (University of Toronto) and Mallesh Pai (Rice University) August 2019 MOTIVATION Analyst research plays an important role in modern capital markets. Analysts obtain

753 views • 28 slides
Integrated Information Theory: Some Philosophical Issues David Chalmers

Integrated Information Theory: Some Philosophical Issues David Chalmers

Integrated Information Theory: Some Philosophical Issues David Chalmers Two Issues What is consciousness, according to IIT? Are the axioms/postulates correct and

606 views • 27 slides
Shelf stability and mantle convection on Africas passive margins (Part 1) Neil Hodgson 1* and

Shelf stability and mantle convection on Africas passive margins (Part 1) Neil Hodgson 1* and

SPECIAL TOPIC: PETROLEUM GEOLOGY Shelf stability and mantle convection on Africas passive margins (Part 1) Neil Hodgson 1* and Karyna Rodriguez 2 demonstrate that dynamic topography offers a mechanism to contextualise basin stability and

251 views • 5 slides
The Other Side of Value: the Gross Profitability Premium Robert Novy-Marx Simon Graduate School

The Other Side of Value: the Gross Profitability Premium Robert Novy-Marx Simon Graduate School

The Other Side of Value: the Gross Profitability Premium Robert Novy-Marx Simon Graduate School of Business and NBER Main results Main results Gross profitability is a powerful predictor Gross profitability is a powerful predictor

456 views • 34 slides
Basic Eviction Defense Training Volunteer Lawyer Courthouse Project enables volunteer

Basic Eviction Defense Training Volunteer Lawyer Courthouse Project enables volunteer

Basic Eviction Defense Training Volunteer Lawyer Courthouse Project enables volunteer attorneys to represent low-income tenants facing wrongful eviction Provides valuable litigation experience for attorneys Attorneys will receive

707 views • 35 slides

More recommend