Verifying enclave systems with Serval (Luke Nelson et al.) - PowerPoint PPT Presentation



SLIDE 1

Verifying enclave systems with Serval

Luke Nelson

w/ James Bornholt, Ronghui Gu, Andrew Baumann, Emina Torlak, Xi Wang University of Washington, Columbia University, Microsoft Research


Open Source Enclave Workshop July 2019 Berkeley, CA

SLIDE 2

Enclave monitors are hard to get right

  • Correctness of enclave monitor code is critical for security
  • Many different kinds of bugs are security vulnerabilities:
    ○ Low-level bugs: e.g., buffer overflow or division-by-zero
    ○ Logic bugs: implementation does something unintended
    ○ Design bugs: intended design of the system is not secure
  • Each can be exploited to compromise the entire system

SLIDE 3

Eliminating bugs with formal verification

  • Goal: prove absence of low-level, logic, and design bugs
  • Approach: use automated verification techniques
    ○ Low proof burden: symbolic evaluation backed by SMT solvers
    ○ Requires loops in the code to be bounded, which is likely true of monitors
  • Limitations: does not model concurrency or side channels

SLIDE 4

Challenges

  • Difficulty of building verifiers
    ○ Need a detailed RISC-V machine model
    ○ Need to reason at the ISA level
  • Difficulty of scaling to practical systems
    ○ Symbolic evaluation
    ○ SMT solving

SLIDE 5

Serval: A framework for verifying low-level systems

  • Built on top of Rosette
  • Lift an ISA interpreter into a verifier
    ○ Easier to write and test
  • Supports LLVM IR and RISC-V
  • Use symbolic profiling to identify verification bottlenecks
  • Use symbolic optimizations to scale verification

SLIDE 6

Main Results

  • Applied to CertiKOS (PLDI’16) and Komodo (SOSP’17), previously manually verified using Coq and Dafny
  • Found and fixed 15 Linux BPF JIT bugs, all now upstreamed:
    ○ https://git.kernel.org/linus/1e692f09e091
    ○ https://git.kernel.org/linus/46dd3d7d287b
    ○ https://git.kernel.org/linus/68a8357ec15b
    ○ https://git.kernel.org/linus/6fa632e719ee
  • Work in progress: identified implementation and design bugs in Keystone

SLIDE 7

Outline

  • Verification stack
  • Workflow
  • Demo

SLIDE 8

Verification stack

[Figure: the verification stack, from the inputs at the top down to the solver]
  • Inputs: system implementation, system specification
  • Serval: automated verifiers, symbolic optimizations
  • Rosette: symbolic evaluation, symbolic profiling, symbolic reflection
  • Solver: satisfiability checking, counterexample generation

SLIDE 9

[1/3] Proving absence of low-level bugs

[Figure: a C program is compiled by Clang to LLVM IR with UBSan checks inserted, which is then fed to the Serval LLVM verifier]
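How the check of this slide plays out on a single monitor call, as an added example in C that is not code from Serval, Komodo or the talk. Everything in it is hypothetical: the page ownership table, the two `mon_assign_page*` variants, `instrumented_store` (standing in for the array-bounds check that UBSan's `-fsanitize=bounds` inserts before an indexed store) and the exhaustive `first_ub_counterexample` loop, which enumerates a bounded input domain where Serval would instead treat the index as a symbolic bitvector and ask the SMT solver for a failing value.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical monitor layout: a fixed-size page ownership table. */
#define NPAGES 64u
enum { OWNER_FREE = 0, OWNER_OS = 1, OWNER_ENCLAVE = 2 };
enum { MON_OK = 0, MON_EINVAL = -1 };
static uint8_t page_owner[NPAGES];

/* Stand-in for the array-bounds check UBSan inserts in front of every
 * indexed store (-fsanitize=bounds): instead of calling the UBSan handler,
 * record that the check failed so the harness below can observe it. */
static bool ub_reported;
static void instrumented_store(uint8_t *arr, size_t len, uint32_t idx, uint8_t v)
{
    if (idx >= len) {
        ub_reported = true;   /* the verifier must prove this branch dead */
        return;
    }
    arr[idx] = v;
}

typedef int (*monitor_call_t)(uint32_t idx, uint8_t owner);

/* VULNERABLE: trusts the OS-supplied page index, so the store reaches past
 * page_owner[] for any idx >= NPAGES. The UBSan branch cannot be proven
 * unreachable, and the verifier reports a counterexample instead. */
static int mon_assign_page_unchecked(uint32_t idx, uint8_t owner)
{
    instrumented_store(page_owner, NPAGES, idx, owner);
    return MON_OK;
}

/* FIXED: validate the index (and the owner value) before touching memory;
 * with this guard in place the UBSan check in the store is never taken. */
static int mon_assign_page(uint32_t idx, uint8_t owner)
{
    if (idx >= NPAGES)
        return MON_EINVAL;
    if (owner != OWNER_OS && owner != OWNER_ENCLAVE)
        return MON_EINVAL;
    instrumented_store(page_owner, NPAGES, idx, owner);
    return MON_OK;
}

/* Exhaustive stand-in for the symbolic check: try every index in a 16-bit
 * domain and report the first one that trips the instrumented check.
 * Returns that idx, or -1 when no input in the domain can trigger UB. */
static long first_ub_counterexample(monitor_call_t call)
{
    for (uint32_t idx = 0; idx <= 0xFFFFu; idx++) {
        ub_reported = false;
        call(idx, OWNER_ENCLAVE);
        if (ub_reported)
            return (long)idx;
    }
    return -1;
}

int main(void)
{
    printf("unchecked: counterexample idx = %ld\n",
           first_ub_counterexample(mon_assign_page_unchecked));
    printf("checked:   counterexample idx = %ld\n",
           first_ub_counterexample(mon_assign_page));
    return 0;
}
```

The first call reports idx = 64 (the first index past the table), the second reports none. The point of routing the store through an explicit check is that a verifier never has to know what "buffer overflow" means: UBSan turns the memory-safety question into reachability of an ordinary branch, and the monitor's own guard is what makes that branch dead.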

SLIDE 10

[2/3] Proving functional correctness

[Figure: commuting diagram. A monitor call, as the RISC-V instructions emitted by GCC, takes implementation state s1 to s2; the monitor call specification takes abstract state t1 to t2; the abstraction function maps s1 to t1 and s2 to t2]

SLIDE 11

[3/3] Proving noninterference

  • Example: bogus monitor call that returns enclave secrets
  • Integrity: the OS should not be able to modify enclave-visible state
  • Confidentiality: the behavior of the OS is independent of enclave secrets

[Figure: OS, Enclave 1 and Enclave 2 running on top of the Monitor]
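The two checks of slides 10 and 11 on one toy monitor, as an added example in C that is not Serval's or Komodo's code. Everything here is hypothetical: the four-page monitor, its `impl_call`/`spec_call` pair, the `abstract` function that plays the abstraction function of slide 10, the OS-visible projection `os_equiv`, and the exhaustive state enumeration that stands in for Serval's symbolic evaluation. The `checked` flag switches between two designs: with it off, PEEK is the bogus monitor call of this slide that returns enclave page contents to the OS. Both designs refine their specification, but only the checked one passes the confidentiality check, which is why functional correctness alone does not rule out a design bug.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NP 4                      /* the toy monitor manages 4 pages */
#define NSTATES (1u << (2 * NP))  /* 2^NP owner patterns x 2^NP data patterns */
enum { PG_FREE = 0, PG_ENC = 1 }; /* page owner: OS/free, or enclave */
enum { MON_OK = 0, MON_EINVAL = -1 };
enum { CALL_ASSIGN, CALL_RELEASE, CALL_PEEK, NCALLS };
/* s: per-page owner byte and one byte of contents; t: enclave bitmask and contents. */
typedef struct { uint8_t owner[NP]; uint8_t data[NP]; } impl_t;
typedef struct { uint8_t enc_mask; uint8_t data[NP]; } spec_t;

/* Abstraction function s -> t. */
static spec_t abstract(const impl_t *s) {
    spec_t t = { 0 };
    for (int p = 0; p < NP; p++)
        if (s->owner[p] == PG_ENC) t.enc_mask |= (uint8_t)(1u << p);
    memcpy(t.data, s->data, NP);
    return t;
}

/* Monitor calls as implemented. `checked` selects the design: with it off,
 * PEEK is the bogus call that hands enclave page contents to the OS. */
static int impl_call(impl_t *s, int call, unsigned p, bool checked) {
    switch (call) {
    case CALL_ASSIGN:  /* OS donates a free page; contents are cleared */
        if (s->owner[p] != PG_FREE) return MON_EINVAL;
        s->owner[p] = PG_ENC; s->data[p] = 0; return MON_OK;
    case CALL_RELEASE: /* enclave page goes back; contents are scrubbed */
        if (s->owner[p] != PG_ENC) return MON_EINVAL;
        s->owner[p] = PG_FREE; s->data[p] = 0; return MON_OK;
    default:           /* CALL_PEEK: OS reads one byte of a page */
        if (checked && s->owner[p] == PG_ENC) return MON_EINVAL;
        return s->data[p];
    }
}

/* The same calls as specified over the abstract state, same design switch. */
static int spec_call(spec_t *t, int call, unsigned p, bool checked) {
    uint8_t bit = (uint8_t)(1u << p);
    switch (call) {
    case CALL_ASSIGN:
        if (t->enc_mask & bit) return MON_EINVAL;
        t->enc_mask |= bit; t->data[p] = 0; return MON_OK;
    case CALL_RELEASE:
        if (!(t->enc_mask & bit)) return MON_EINVAL;
        t->enc_mask &= (uint8_t)~bit; t->data[p] = 0; return MON_OK;
    default:
        if (checked && (t->enc_mask & bit)) return MON_EINVAL;
        return t->data[p];
    }
}

/* State n of the enumeration: low NP bits give owners, high NP bits give data. */
static impl_t nth_state(unsigned n) {
    impl_t s;
    for (int p = 0; p < NP; p++) {
        s.owner[p] = ((n >> p) & 1u) ? PG_ENC : PG_FREE;
        s.data[p] = (uint8_t)((n >> (NP + p)) & 1u);
    }
    return s;
}

/* Functional correctness: for every state and call, abstract(impl(s)) equals
 * spec(abstract(s)) and the return values agree, i.e. the diagram commutes. */
static bool check_refinement(bool checked) {
    for (unsigned n = 0; n < NSTATES; n++)
        for (int c = 0; c < NCALLS; c++)
            for (unsigned p = 0; p < NP; p++) {
                impl_t s = nth_state(n); spec_t t = abstract(&s);
                int ri = impl_call(&s, c, p, checked), rs = spec_call(&t, c, p, checked);
                spec_t u = abstract(&s);
                if (ri != rs || memcmp(&u, &t, sizeof t) != 0) return false;
            }
    return true;
}

/* OS-visible projection: owners plus the contents of non-enclave pages. */
static bool os_equiv(const impl_t *a, const impl_t *b) {
    for (int p = 0; p < NP; p++)
        if (a->owner[p] != b->owner[p] || (a->owner[p] != PG_ENC && a->data[p] != b->data[p]))
            return false;
    return true;
}

/* Confidentiality: from any two OS-equivalent states, every call returns the
 * same value and leads to OS-equivalent states. (Drop the scrub in RELEASE
 * and this fails as well: released pages would leak their old contents.) */
static bool check_confidentiality(bool checked) {
    for (unsigned i = 0; i < NSTATES; i++)
        for (unsigned j = 0; j < NSTATES; j++) {
            impl_t a = nth_state(i), b = nth_state(j);
            if (!os_equiv(&a, &b)) continue;
            for (int c = 0; c < NCALLS; c++)
                for (unsigned p = 0; p < NP; p++) {
                    impl_t a2 = a, b2 = b;
                    int ra = impl_call(&a2, c, p, checked), rb = impl_call(&b2, c, p, checked);
                    if (ra != rb || !os_equiv(&a2, &b2)) return false;
                }
        }
    return true;
}
```

`check_refinement` returns true for both designs, `check_confidentiality` returns false for the bogus design and true for the checked one. The confidentiality check is the unwinding condition in its simplest form: pick any two states the OS cannot tell apart, run the same call on both, and require that the OS still cannot tell them apart. Integrity is the same shape with the roles swapped: take the enclave-visible projection and require that no OS call changes it.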

SLIDE 12

Demo: Komodo

  • A verified software enclave monitor
  • Ported to RISC-V and verified using Serval
  • Demonstration: a low-level buffer overflow vulnerability

SLIDE 13

Demo

SLIDE 14

Conclusion

  • Automated verification is effective at eliminating bugs in low-level systems
  • If you are building enclave systems, talk to us!
  • Paper to appear at SOSP’19
  • Code will be released shortly

https://serval.unsat.systems/