COMP9242 Advanced Operating Systems
2019 T2 Week 09b
Local OS Research
@GernotHeiser
School of Computer Science & Engineering, UNSW Sydney

Copyright Notice
These slides are distributed under the Creative Commons Attribution 3.0 License
• You are free:
  • to share: to copy, distribute and transmit the work
  • to remix: to adapt the work
• under the following conditions:
  • Attribution: You must attribute the work (but not in any way that suggests that the author endorses you or your use of the work) as follows: “Courtesy of Gernot Heiser, UNSW Sydney”
The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode

1 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License

Quantifying Security Impact of Operating-System Design

Quantifying OS-Design Security Impact
Approach:
• Examine all critical Linux CVEs up to Nov’17 (vulnerabilities & exploits database): 115 critical CVEs
  • easy to exploit
  • high impact
  • no defence available
  • confirmed
• For each, establish how a seL4-based design would change the impact


Hypothetical seL4-based OS
• OS structured in isolated components, minimal inter-component dependencies, least privilege
• Functionality comparable to Linux
(Diagram: Application above an operating system made of isolated servers: Auth. Server, Process Server, Name Server, File Server, GPU Server, Memory Server, IP Stack, Access Control, NW Driver, NIC Device Server, …; microkernel; Hardware.)

Hypothetical Security-Critical App
• Trusted computing base: the application plus only the OS components it depends on
• App requires:
  • IP networking
  • File storage
  • Display output

Analysing CVEs
• Map the compromised component to the hypothetical OS
• Example: bug in page-table management. In microkernel: attack defeated by verification
• Example: USB driver bug. Not in TCB: attack defeated

Analysing CVEs (continued)
• Example: file system compromised. No full compromise, but integrity or confidentiality violation: weakly mitigated
• Example: GPU compromised. Only crash of essential service (DoS): strongly mitigated

Analysing CVEs (continued)
• Example: driver exploit hijacks I2C bus, allowing firmware reflash. Still full system compromise: no effect

All Critical Linux CVEs to 2017
Outcome of mapping each CVE onto the hypothetical seL4-based OS (pie chart; segment sizes on the chart: 4%, 30%, 38%, 11%, 17%):
• Not in TCB: attack defeated
• In microkernel: attack defeated by verification
• No full compromise, but violates integrity or confidentiality: weakly mitigated
• Only crash of essential service (availability): strongly mitigated
• Full system compromise: no effect
Overall:
• 41% eliminated
• 58% low severity
• 96% not critical

Summary
OS structure matters!
• Microkernel-based design definitely improves security
• Monolithic OS design is fundamentally flawed from a security point of view [Biggs et al., APSys’18]
Use of a monolithic OS in security- or safety-critical scenarios is professional malpractice!

Cogent

Beyond the Kernel
Aim: Verified TCB at affordable cost!
(Diagram: Apps are uncritical/untrusted; Device driver, NW stack, File system and Control code sit in the TCB, with code-size question marks of 1 kLOC?, 5 kLOC?, 10 kLOC?, 100 kLOC? against Linux-style components.)

Cogent: Code & Proof Co-Generation
Aim: Reduce cost of verified systems code
• Restricted, purely functional systems language
• Type- and memory safe, not managed
• Turing incomplete
• File system case-studies: BilbyFs, ext2, F2FS, VFAT
Proof structure:
• Abstract Spec (Isabelle/HOL): manual, equational proof against the Cogent code
• Cogent → C: automatic proof
• C ADTs: manual, one-off proof
[O’Connor et al, ICFP’16; Amani et al, ASPLOS’16]

Manual Proof Effort
BilbyFS: 4,200 LoC Cogent

                          Effort    Isabelle LoP   Cogent SLoC   Cost $/SLoC   LoP/SLoC
  BilbyFS isync()/iget()  9.25 pm   13,000         1,350         150           10
  sync()-specific         3.75 pm   5,700          300           260           19
  iget()-specific         1 pm      1,800          200           100           9
  seL4                    12 py     180,000        8,700 (C)     350           20

(Diagram: Abstract Spec and Spec library (reuse!), Proof, Executable Spec, Cogent, C; effort annotations 8 py, 0 py, 3 py.)

Addressing Verification Cost
Dependability-cost tradeoff:
• Reduced faults through safe language
• Property-based testing (QuickCheck)
• Model checking
• Full functional correctness proof
Work in progress:
• Language expressiveness
• Reduce boiler-plate code
• Network stacks
• Device drivers

Refresh: Microarchitectural Timing Channels
Contention for shared hardware resources affects execution speed, leading to timing channels
(Diagram: High and Low domains competing for shared resources.)

Time Protection

OS Must Enforce Time Protection
Preventing interference is a core duty of the OS!
• Memory protection is well established
• Time protection is completely absent
What are the OS mechanisms?

Time Protection: No Sharing of HW State
• Temporally partition: High and Low use the shared hardware in turn; flush the cache on switch
• Spatially partition: High and Low each get a disjoint part of the cache

Spatial Partitioning: Cache Colouring
• Partitions get frame pools of disjoint colours
• seL4: userland supplies kernel memory ⇒ colouring userland colours kernel memory
(Diagram: High and Low partitions, each with its own TCBs and page tables (PT) in coloured memory; the cache is shared by colour.)

Partitions restricted to coloured memory
• System permanently coloured
• Shared kernel image
• Initial process (Init) sets up the partitions
(Diagram: High and Low with SD and I+D caches over RAM; shared kernel image; Init process.)
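Page colouring in code, as an added example that is not from the slides or from seL4: it derives the colour of a physical frame from the cache geometry and checks that two partitions' frame pools never share a colour. The cache geometry (1 MiB, 16-way, 64-byte lines, 4 KiB pages) and the partition names are constructed assumptions.

```c
/* Added example, not code from the slides or from seL4: page colours and
 * disjoint-colour frame pools for two partitions.  The cache geometry
 * (1 MiB, 16-way, 64-byte lines, 4 KiB pages) is a constructed assumption. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define CACHE_SIZE  (1u << 20)  /* assumed LLC size */
#define CACHE_WAYS  16u
#define LINE_SIZE   64u
#define PAGE_SIZE   4096u
#define PAGE_SHIFT  12u

/* A physically-indexed cache maps an address to set (addr / LINE_SIZE) mod
 * NUM_SETS.  The sets one page can occupy are fixed by the address bits above
 * the page offset but inside the set index: those bits are the page colour. */
#define NUM_SETS    (CACHE_SIZE / (CACHE_WAYS * LINE_SIZE))  /* 1024 */
#define NUM_COLOURS (CACHE_SIZE / (CACHE_WAYS * PAGE_SIZE))  /* 16 */

static unsigned page_colour(uint64_t paddr)
{
    return (unsigned)((paddr >> PAGE_SHIFT) % NUM_COLOURS);
}

/* A partition owns a set of colours and may only be given frames of those
 * colours.  Because seL4 builds kernel objects (TCBs, page tables) out of
 * memory userland hands it, colouring the frame pool colours kernel data too. */
struct partition {
    const char *name;
    unsigned colour_mask;  /* bit i set: colour i is owned by this partition */
};

static bool frame_allowed(const struct partition *p, uint64_t paddr)
{
    return (p->colour_mask >> page_colour(paddr)) & 1u;
}

/* Spatial isolation holds only if no colour is granted to both partitions. */
static bool partitions_disjoint(const struct partition *a,
                                const struct partition *b)
{
    return (a->colour_mask & b->colour_mask) == 0;
}

/* Count the frames in a physical range that may enter the partition's pool:
 * consecutive 4 KiB frames cycle through the 16 colours, so a partition that
 * owns half the colours gets half the frames, and never the other half. */
static unsigned pool_frames(const struct partition *p, uint64_t base,
                            uint64_t len)
{
    unsigned n = 0;
    for (uint64_t a = base; a < base + len; a += PAGE_SIZE)
        if (frame_allowed(p, a))
            n++;
    return n;
}

int main(void)
{
    struct partition high = { "High", 0x00FFu };  /* colours 0..7  */
    struct partition low  = { "Low",  0xFF00u };  /* colours 8..15 */
    printf("%u sets, %u colours, disjoint=%d\n", NUM_SETS, NUM_COLOURS,
           partitions_disjoint(&high, &low));
    printf("%s gets %u of 256 frames in the first MiB\n", high.name,
           pool_frames(&high, 0, CACHE_SIZE));
    return 0;
}
```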

Channel Through Kernel Code
(Plot: raw channel; LLC misses (300 to 700) as output signal, with conditional probabilities from 0.00001 to 0.1.)
Channel matrix: conditional probability of observing output signal (time) given input signal (system-call number)

Colouring the Kernel
• Each partition has its own kernel image: kernel clone!
• Remaining shared kernel data:
  • Scheduler queue array & bitmap
  • Few pointers to current thread state
• Ensure deterministic access!
(Diagram: Global Resource Manager; per-partition Resource Managers (RM), each with its own kernel I+D image; RAM; Init.)

Spatial Partitioning: Cache Colouring (continued)
• Partitions get frame pools of disjoint colours
• seL4: userland supplies kernel memory ⇒ colouring userland colours kernel memory
• Per-partition kernel image to colour kernel
(Diagram: High and Low partitions with TCBs and page tables (PT), cache, RAM.)

Channel Through Kernel Code (continued)
(Plots: LLC misses vs seL4 system-call number. Raw channel: output spread over 300 to 700 misses. Channel with cloned kernel: output confined to 2220 to 2300 misses.)
• Remaining shared kernel data: scheduler queue array & bitmap; few pointers to current thread state
• Ensure deterministic access!

Temporal Partitioning: Flush on Switch
Must remove any history dependence!
1. T0 = current_time()
2. Switch user context
3. Flush on-core state
4. Touch all shared data needed for return
5. while (current_time() < T0 + WCET) ;   (time padding to remove the dependency)
6. Reprogram timer
7. return
Ensure deterministic execution

D-Cache Channel
(Plots: output in cycles vs input in cache sets, 0 to 60. Raw channel: 4000 to 6500 cycles. Channel with flushing: 7650 to 7900 cycles.)

Flush-Time Channel
Latency depends on prior execution!
(Plot: offline time in cycles vs input in sets, 0 to 1000; raw channel spread over 3.223×10^6 to 3.227×10^6 cycles.)
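The flush-on-switch sequence with time padding, as an added example that is not the slides' or seL4's code: a simulated monotonic clock stands in for the hardware timer, the flush cost depends on how much state the outgoing domain left behind, and the padding loop hides that dependence. WCET, the per-step latencies and the clock are constructed assumptions.

```c
/* Added example, not the slides' or seL4's code: the flush-on-switch
 * sequence with time padding, run against a simulated monotonic clock so
 * its effect can be checked offline.  WCET, the step latencies and the
 * clock are constructed assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

static uint64_t g_clock;                 /* simulated cycle counter, monotonic */
static uint64_t current_time(void) { return g_clock; }
static void spend(uint64_t cycles) { g_clock += cycles; }

#define WCET 1000u   /* assumed worst-case cost of steps 2-4; must bound them */

/* Step 3: the flush latency depends on prior execution (how much dirty
 * state the outgoing domain left behind), which is the flush-time channel. */
static void flush_on_core_state(unsigned dirty_lines)
{
    spend(50 + 2 * (uint64_t)dirty_lines);
}

static void switch_user_context(void)      { spend(120); }
static void touch_shared_return_data(void) { spend(30); }
static void reprogram_timer(void)          { spend(10); }

/* One domain switch; returns the latency the incoming domain can observe.
 * With padding that latency no longer depends on 'dirty_lines'. */
static uint64_t domain_switch(unsigned dirty_lines, bool pad)
{
    uint64_t t0 = current_time();            /* 1. T0 = current_time()      */
    switch_user_context();                   /* 2.                          */
    flush_on_core_state(dirty_lines);        /* 3.                          */
    touch_shared_return_data();              /* 4. prefetch what return needs */
    if (pad)
        while (current_time() < t0 + WCET)   /* 5. pad until T0 + WCET      */
            spend(1);                        /*    (real code just spins)   */
    reprogram_timer();                       /* 6.                          */
    return current_time() - t0;              /* 7. return                   */
}

/* The channel exists iff two different histories give different latencies. */
static bool history_leaks(bool pad)
{
    return domain_switch(0, pad) != domain_switch(400, pad);
}

int main(void)
{
    printf("unpadded switch leaks history: %d\n", history_leaks(false));
    printf("padded switch leaks history:   %d\n", history_leaks(true));
    return 0;
}
```

Padding only works while WCET really bounds steps 2 to 4; a flush that exceeds it reintroduces the dependence, which is why step 5 is the property the verification slides want to prove.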

Flush-Time Channel (continued)
(Plots: offline time in cycles vs input in sets, 0 to 1000. Raw channel: 3.223×10^6 to 3.227×10^6 cycles. Channel with deterministic flushing: 3.299×10^6 to 3.302×10^6 cycles.)

Performance Impact of Colouring
Splash-2 benchmarks on Arm A9
(Bar chart: slowdown per benchmark for "50% colours base" and "50% colour clone"; benchmarks lu, fft, fmm, radix, barnes, ocean, cholesky, radiosity, raytrace, waterspatial, waternsquared and MEAN; axis -1% to 7%.)
• Overhead mostly low
• Not evaluated is the cost of not using super pages
Mean slowdown: x86 3.4%, Arm 1.1%
Kernel clone cost:
  Arch   seL4 clone   Linux fork+
  x86    79 µs        257 µs
  Arm    608 µs       4,300 µs
[Ge et al., EuroSys’19]

A New HW/SW Contract
aISA: augmented ISA. For all shared microarchitectural resources:
1. Resource must be spatially partitionable or flushable
2. Concurrently shared resources must be spatially partitioned
   ⇒ Cannot share HW threads across security domains!
3. Resource accessed solely by virtual address must be flushed and not concurrently accessed
4. Mechanisms must be sufficiently specified for OS to partition or reset
5. Mechanisms must be constant time, or of specified, bounded latency
6. Desirable: OS should know if resettable state is derived from data, instructions, data addresses or instruction addresses
Transforms timing channels into storage channels!
[Ge et al., APSys’18]

Can Time Protection Be Verified?
1. Correct treatment of spatially partitioned state:
   • Need hardware model that identifies all such state (augmented ISA)
   • To prove: no two domains can access the same physical state. Functional property!
2. Correct flushing of time-shared state:
   • Not trivial: e.g. proving all cleanup code/data are forced into cache after flush
   • Needs an actual cache model
   • Even trickier: need to prove padding is correct. Functional property!
   • … without explicitly reasoning about time!

Verifying Time Padding
• Idea: minimal formalisation of hardware clocks (abstract time)
  • Monotonically-increasing counter
  • Can add constants to time values
  • Can compare time values
• To prove: padding loop terminates as soon as timer value ≥ T0+WCET. Functional property
[Heiser et al., HotOS’19]

Making COTS Hardware Dependable

Satellites: SWaP vs Dependability
Space is becoming commoditised:
• many, small (micro-) satellites
• increasing cost pressure
Harsh environment for electronics:
• temperature fluctuations
• ionising radiation
Radiation-hardened processors are slow, bulky and expensive
⇒ Use redundancy of cheap COTS multicores
(Image: NCUBE2 by Bjørn Pedersen, NTNU (CC BY 1.0).)

Traditional Redundancy Approaches
• SW replication: master and two slave replicas (App + Lib) above a syscall emulation layer with a watchdog, on a single OS and CPU(s) with devices; the sphere of replication covers the application stack. Cheap, but incomplete.
• Fault-tolerant HW: three App/Lib/OS stacks over HW lockstepping/voting infrastructure, each with its own CPU and devices. Expensive.

Redundant Co-Execution (RCoE)
• Userland transparently replicated (sphere of replication: App, Lib and driver on each core)
• Device access:
  • thin shim
  • vote outputs
  • copy inputs
• Vote on checksums of arguments & state
• No master-slave, but peer-to-peer
• Logical time for sync
(Diagram: Primary and two Secondary replicas, each App/Lib/Driver on its own Core; Vote & sync layer; Device interface; Device.)

RCoE: Two Variants
Loosely-coupled RCoE:
• Sync on syscalls & exceptions
• Preemptions in usermode not further synchronised (imprecise)
• Low overhead
• Cannot support racy apps, threads, virtual machines
Closely-coupled RCoE:
• Sync on instruction
• Precise preemptions
• High overhead
• Supports all apps
• May need re-compile
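Peer-to-peer voting on checksums at a sync point, as an added example that is not code from the RCoE implementation: each replica presents its logical time (event count) and a checksum over its system-call number and arguments, and a strict majority decides, so TMR can outvote one upset replica while DMR can only detect a mismatch. The FNV-1a checksum, the syscall records and the injected one-bit fault are constructed for illustration.

```c
/* Added example, not code from the RCoE implementation: peer-to-peer
 * majority voting on checksums of syscall arguments and logical time
 * across two (DMR) or three (TMR) replicas.  The FNV-1a checksum, the
 * syscall records and the flipped-bit fault are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What each replica contributes at a sync point: its logical time (event
 * count) and a checksum over syscall number and arguments. */
struct vote {
    uint64_t event_count;
    uint64_t checksum;
};

static uint64_t fnv1a(const void *data, size_t len, uint64_t h)
{
    const uint8_t *p = data;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static struct vote make_vote(uint64_t event_count, uint64_t nr,
                             const uint64_t *args, size_t nargs)
{
    struct vote v = { event_count, fnv1a(&nr, sizeof nr, 0xcbf29ce484222325ULL) };
    v.checksum = fnv1a(args, nargs * sizeof *args, v.checksum);
    return v;
}

static int same(const struct vote *a, const struct vote *b)
{
    return a->event_count == b->event_count && a->checksum == b->checksum;
}

/* Peer-to-peer vote: returns the index of a replica whose value holds a
 * strict majority (2 of 3 under TMR), or -1 if there is none, which under
 * DMR is every mismatch: detected, not corrected.  *faulty receives the
 * index of a dissenting replica, or -1 when all agree. */
static int vote(const struct vote *v, unsigned n, int *faulty)
{
    *faulty = -1;
    for (unsigned i = 0; i < n; i++) {
        unsigned agree = 0;
        int dissent = -1;
        for (unsigned j = 0; j < n; j++) {
            if (same(&v[j], &v[i]))
                agree++;
            else
                dissent = (int)j;
        }
        if (agree * 2 > n) {
            *faulty = dissent;
            return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    uint64_t good[2] = { 3, 4096 }, bad[2] = { 3, 4096 | 1 };  /* one-bit upset */
    struct vote tmr[3] = { make_vote(7, 1, good, 2), make_vote(7, 1, good, 2),
                           make_vote(7, 1, bad, 2) };
    int faulty, winner = vote(tmr, 3, &faulty);
    printf("TMR: majority at replica %d, faulty replica %d\n", winner, faulty);
    return 0;
}
```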

Closely-Coupled RCoE Implementation
Precise logical time: triple of:
• event count
• user-mode branch count
• instruction pointer
x86: obtained from PMU
Arm v7: use gcc plugin to count branches
(Flowchart: at the next vote, determine whether this replica is leading. A lagging replica sets a breakpoint on the leader's IP and catches up, takes the breakpoint exception and clears the breakpoint; the leading replica waits on the barrier. Then compare; synced.)

Performance: Microbenchmarks
          Dhrystone          Whetstone
          Arm      x86       Arm      x86
  Base    146.1    108.1     108.9    120.3
  LC      147.0    108.6     109.8    120.4
  CC      153.4    111.9     133.5    143.0
• LC usually has low overhead for CPU-bound code
• CC has high inherent overhead for tight loops

Performance: SPLASH-2 on x86 VMs
• Execution time in sec
• DMR configuration
• Base: unreplicated single-core VM
• Breakpoints in VM are expensive: trigger VM exits
(Setup: Splash-2 in a Linux VM over a VMM on seL4, one per replica CPU.)
  Name        N      Base   CC-D   Factor
  BARNES      30     61     93     1.52
  CHOLESKY    300    66     792    12.08
  FFT         100    64     142    2.22
  FMM         20     76     160    2.11
  LU-C        30     64     437    6.83
  LU-NC       20     62     381    6.12
  OCEAN-C     1000   64     173    2.71
  OCEAN-NC    1000   65     171    2.65
  RADIOSITY   25     66     75     1.12
  RADIX       20     66     89     1.34
  RAYTRACE    1000   60     65     1.09
  VOLREND     100    86     133    1.54
  WATER-NS    600    66     92     1.41
  WATER-S     600    67     84     1.25
Geometric mean overhead: 2.3×

Benchmark: Redis – YCSB
• Redis: in-memory key-value store
• YCSB: Yahoo! Cloud Service Benchmark
(Setup: load generator running YCSB on its own OS, CPU and NIC; system under test runs three Redis replicas, each with lwIP and a NIC driver on its own core, behind one NIC.)

Performance: Redis on Arm
(Bar chart: 1000 transactions/s for Base, LC-D, LC-T, LC-D-N, LC-T-N, CC-D and CC-T, not checksumming network data vs checksumming NW data.)
• Overhead is 1.2–3 depending on configuration
Legend: LC: loosely-coupled; CC: closely-coupled; D: DMR; T: TMR; A: vote on interrupt; S: also vote on syscall

Error Detection on Arm
                     Base    LC-D    LC-T    LC-D-N   LC-T-N   CC-D    CC-T
  Injected faults    243k    202k    184k    224k     214k     205k    185k
  YCSB corruptions   647     3       1       381      299      3       0
  YCSB errors        57      1       0       13       10       3       6
  User errors        296     0       0       0        0        0       0
  Kernel exceptions  0       0       0       0        0        0       0
  Undetected         1000    4       1       394      309      6       6
  RCoE detected      N/A     996     999     606      691      994     994
  Observed errors    1000    1000    1000    1000     1000     1000    1000

Comparison to Rad-Hardened Processor
                       Sabre Lite          RAD750
  Cores @ clock        4 @ 800 MHz         1 @ 133 MHz
  Performance          4 × 2,000 DMIPS     240 DMIPS
  Power                < 5 W               < 6 W
  Energy Efficiency    200 DMIPS/W         40 DMIPS/W
  Cost                 $200                $200,000 (2002 price)
  Perf/Cost            5 DMIPS/$           0.0002 DMIPS/$
Sabre Lite figures assume 2× overhead, TMR
[Shen et al., DSN’19]

Real-World Use

DARPA HACMS
• Retrofit existing system! Autonomous trucks; Unmanned Little Bird (ULB)
• Develop: off-the-shelf technology; GVR-Bot; drone airframe

ULB Architecture
(Diagram: Ground Station, Link, Mission Computer; the Mission Computer connects to GPS, Camera and Network; the Flight Computer connects to Sensors and Motors.)

Incremental Cyber Retrofit
• Original mission computer: Mission Manager, Crypto, Camera, Local NW, GPS and Ground Stn Link all run on one Linux system
• First step: run the original Linux in several VMs over VMMs, so Ground Stn Link and Local NW are separated from Mission Manager, Crypto, Camera and GPS
• Next step: move Mission Manager, Crypto, Camera and GPS out of Linux into trusted native components; the Linux VM keeps Local NW Comms and Ground Stn Link
• Result: cyber-secure mission computer with a trusted Mission Manager, Crypto, Camera and GPS, and an untrusted Linux VM (under a VMM) for Local NW Comms and Ground Stn Link
[Klein et al, CACM, Oct’18]

Issue: Capabilities are Low-Level
(Diagram: two threads A and B, each with a Thread Object, a CSpace of CNodes holding Send and Receive capabilities to an endpoint EP, a VSpace of PD, PT and FRAME objects, and a CONTEXT.)
>50 capabilities for a trivial program!

Simple But Non-Trivial System
(Diagram only.)

Component Middleware: CAmkES
Higher-level abstractions of low-level seL4 constructs:
• Component
• Interface
• Connector
(Diagram: Comp A and Comp B joined by an RPC connector; Comp C joined via shared memory and a semaphore.)

HACMS UAV Architecture
• Components: Radio Driver, Data Link, Wifi, Crypto, Camera, CAN Driver, Linux
• Linux is uncritical/untrusted and contained: Linux only sees encrypted data

Enforcing the Architecture
• Security enforcement = architecture + code
• CAmkES architecture specification language → capDL: low-level access rights (+ proof)
• Glue code: glue.c, driver.c, VMM.c (+ proof)
• Compiler/Linker; system init.c (+ proof) → initialised binary
• Conditions apply
(Diagram: the capDL spec describes threads A and B with their CSpace, CNodes, EP, VSpace and CONTEXT, as in the capability diagram above.)

Architecture Analysis
• AADL: Architecture Analysis & Design Language, Eclipse-based IDE
• Flow: architecture analysis and design language → generate CAmkES component description → generate glue code (.h, .c) → compile → binary

Military-Grade Security
• Cross-Domain Desktop Compositor: multi-level secure terminal
  • Successful defence trial in AU
  • Evaluated in US, UK, CA
  • Formal security evaluation soon
• Pen10.com.au crypto communication device in use in AU, UK defence

Real-World Use
(Image courtesy Boeing, DARPA.)