DOCSLIB.ORG

An X86/64 Separation Kernel for High Assurance

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
An X86/64 Separation Kernel for High Assurance Muen - An x86/64 Separation Kernel for High Assurance Reto Buerki Adrian-Ken Rueegsegger August 29, 2013 University of Applied Sciences Rapperswil (HSR), Switzerland ii Abstract Computer systems are used to store and protect highly sensitive data. At the same time the resources and determination of attackers have increased significantly. Therefore, systems capable of safeguarding critical information must conform to rigorous quality standards to establish trust in the correct functioning. Attaining high assurance for today's monolithic operating systems is exceptionally hard since they tend to be large and include complex functionality. This fact is highlighted by regular security updates provided by operating system vendors. Thus, they are a weak foundation for building secure systems. In contrast, microkernels can be well suited as a basis for systems with strict demands on robustness. They are by definition small, which is a precondition for rigorous verification of correctness. Additionally, they lend themselves to the construction of component-based systems where the incorrect behavior of one partition does not impact the whole system. A separation kernel (SK) is a specialized microkernel that provides an execution environment for multiple components that can only communicate according to a given policy and are otherwise isolated from each other. Hence, the isolation also includes the limitation of potential side- and covert channels. SKs are generally more static and smaller than dynamic microkernels, which minimizes the possibility of kernel failure and should ease the application of formal verification techniques. Recent addition of advanced hardware virtualization support for the Intel x86 architecture has the potential of greatly simplifying the implementation of a separation kernel which can support complex systems. This thesis presents a design of a separation kernel for the Intel x86 architecture using the latest Intel hardware features. An open-source prototype written in SPARK demonstrates the viability of the envisioned concept and the application of SPARK's proof capabilities increases the assurance of the correctness of the implementation. iii iv Acknowledgments Foremost, we would like to express our sincere gratitude to our advisor Prof. Dr. Andreas Steffen for the continuous support in the course of our studies and for the guidance in writing this master thesis. His help and generosity allowed us to work in such an interesting field of research. Many thanks also to our colleagues and friends at secunet Security Networks AG in Germany, Alexander Senier, Robert Dorn and Stefan Berghofer for their tremendous assistance not only during this thesis, but also during the many projects we have realized together. We were able to learn a lot and without their support and immense knowledge in the area of high-security platforms we would not have been able to implement the Muen kernel in such short time. We thank Prof. Dr. Endre Bangerter from the University of Applied Sciences in Bern for being our expert and reviewer. Thanks also to Daniel Bigelow for proofreading the report. Last but not least, many thanks to our families and friends for their support and understand- ing throughout the writing of this master thesis. v vi Contents Abstract iii Acknowledgments v 1 Introduction 1 1.1 Notation . .2 1.2 Related Literature . .2 1.3 Provenance of Name . .2 2 Background 3 2.1 SPARK . .3 2.1.1 Design Rationale . .4 2.1.2 Example . .5 2.1.3 SPARK 2014 . .5 2.2 Intel x86 Architecture . .5 2.2.1 Processor . .5 2.2.2 Memory Management . .7 2.2.3 Exceptions and Interrupts . .9 2.2.4 Programmable Interrupt Controller . .9 2.2.5 Chipset connectivity . 10 2.3 Virtualization . 11 2.3.1 Intel Virtualization Technology (VT) . 12 2.4 Separation Kernel . 14 2.4.1 Subjects . 15 2.5 Motivation . 15 2.6 Goals . 16 2.7 Related Work . 16 2.7.1 seL4 . 16 2.7.2 XtratuM . 16 2.7.3 NOVA . 17 2.7.4 Commercial Separation Kernels . 17 3 Design 19 3.1 Scope . 19 3.2 Requirements . 20 3.3 Subject . 21 3.3.1 Subject Specification . 21 3.3.2 Subject State . 21 vii CONTENTS CONTENTS 3.3.3 Subject Profile . 22 3.4 Architecture . 22 3.4.1 Subject Execution . 23 3.4.2 Policy . 24 3.4.3 Inter-Subject Communication . 26 3.4.4 Exceptions . 27 3.4.5 Interrupts . 28 3.4.6 Multicore . 28 3.4.7 Scheduling . 29 4 Implementation 31 4.1 Policy . 31 4.1.1 Data Types . 32 4.1.2 Hardware . 35 4.1.3 Kernel . 36 4.1.4 Binaries . 36 4.1.5 Subjects . 37 4.1.6 Scheduling . 40 4.2 Zero Footprint Runtime . 41 4.3 Subject . 42 4.3.1 Specification . 42 4.3.2 State . 42 4.4 Kernel . 44 4.4.1 Init . 44 4.4.2 Multicore Support . 46 4.4.3 Scheduling . 47 4.4.4 Interrupt Injection . 48 4.4.5 Traps . 49 4.4.6 External Interrupts . 50 4.4.7 Exceptions and Software-generated Interrupts . 51 4.4.8 Events . 52 4.4.9 Debug . 53 4.5 Build . 54 4.5.1 Subject Binary Analysis . 55 4.5.2 Policy Compilation . 56 4.5.3 Image Packaging . 57 4.5.4 Emulation . 58 4.6 Example System . 59 4.6.1 Subjects . 59 4.6.2 Keyboard Handling . 60 5 Analysis 63 5.1 Separation . 63 5.1.1 VMX Controls . 63 5.1.2 System Resources . 64 5.1.3 Execution Environment . 65 5.1.4 Temporal Isolation . 69 5.2 Information Flow . 70 5.2.1 Shared Memory . 70 viii CONTENTS CONTENTS 5.2.2 Events . 70 5.2.3 Traps . 70 5.3 Architecture Support . 71 5.3.1 Kernel . 71 5.3.2 Subject . 72 5.4 Implementation Assurance . 72 5.4.1 Lean Implementation . ..
Load more

Recommended publications
  • UNIX and Computer Science Spreading UNIX Around the World: by Ronda Hauben an Interview with John Lions
    Winter/Spring 1994 Celebrating 25 Years of UNIX Volume 6 No 1 "I believe all significant software movements start at the grassroots level. UNIX, after all, was not developed by the President of AT&T." Kouichi Kishida, UNIX Review, Feb., 1987 UNIX and Computer Science Spreading UNIX Around the World: by Ronda Hauben An Interview with John Lions [Editor's Note: This year, 1994, is the 25th anniversary of the [Editor's Note: Looking through some magazines in a local invention of UNIX in 1969 at Bell Labs. The following is university library, I came upon back issues of UNIX Review from a "Work In Progress" introduced at the USENIX from the mid 1980's. In these issues were articles by or inter- Summer 1993 Conference in Cincinnati, Ohio. This article is views with several of the pioneers who developed UNIX. As intended as a contribution to a discussion about the sig- part of my research for a paper about the history and devel- nificance of the UNIX breakthrough and the lessons to be opment of the early days of UNIX, I felt it would be helpful learned from it for making the next step forward.] to be able to ask some of these pioneers additional questions The Multics collaboration (1964-1968) had been created to based on the events and developments described in the UNIX "show that general-purpose, multiuser, timesharing systems Review Interviews. were viable." Based on the results of research gained at MIT Following is an interview conducted via E-mail with John using the MIT Compatible Time-Sharing System (CTSS), Lions, who wrote A Commentary on the UNIX Operating AT&T and GE agreed to work with MIT to build a "new System describing Version 6 UNIX to accompany the "UNIX hardware, a new operating system, a new file system, and a Operating System Source Code Level 6" for the students in new user interface." Though the project proceeded slowly his operating systems class at the University of New South and it took years to develop Multics, Doug Comer, a Profes- Wales in Australia.
    [Show full text]
  • Formal Modelling of Separation Kernels
    The University of York Department of Computer Science Submitted in part fulfilment for the degree of MSc in Software Engineering. Formal Modelling of Separation Kernels Andrius Velykis 18th September 20091 Supervised by Dr Leo Freitas Number of words = 45327, as counted by detex <report.tex> j wc -w. This report consists of 98 pages in total. This includes the body of the report (without blank pages) and Appendix A, but not Appendices B, C, D, E and F. 1Updated transactional operation proofs, 21st September 2009. Abstract A separation kernel is an architecture for secure applications, which benefits from inherent security of distributed systems. Due to its small size and usage in high-integrity environments, it makes a good target for formal modelling and verification. This project presents results from mechanisation and modelling of separation kernel components: a process table, a process queue and a scheduler. The results have been developed as a part of the pilot project within the international Grand Challenge in Verified Software. This thesis covers full development life-cycle from project initiation through design and evaluation to successful completion. Important findings about kernel properties, formal modelling and design decisions are discussed. The developed formal specification is fully verified and contributes to the pilot project aim of creating a formal kernel model and refining it down to implementation code. Other reusable artefacts, such as general lemmas and a new technique of ensuring transactional properties of operations are defined. The results will be curated within the Verified Software Repository. i Robertai. Aˇci¯u. Acknowledgements I would like to thank Dr Leo Freitas for his supervision, encouragement and getting me hooked on formal methods.
    [Show full text]
  • Allan Unix Newsletter
    allan Unix User Gro Newsletter ~folume 5 rnber 1 The Australian UNIX* Users Group Newsletter Volume V Number i CONTENTS Editorial 2 Survey Responses 2 New Newsletters 3 Next AUUG Meeting 3 Books 4 Book Review 6 Nets 8 AUNET Directory Ii Netnews 28 Clippings 34 Symposium on UNIX 38 Review of August 1983 AUUG Meeting 39 From the EUUG Newsletter 49 From ;login: 61 USENIX Technical Sessions at UNIFORUM 65 Letters 95 February 1984 AUUG Meeting Details 102 Copyright (c) 1984. AUUGN is the journal of the Australian UNIX User Group, Copying without fee is permitted provided that copies are not made or distributed for commercial advantage and credit to the source is given. Abstracting with credit is permitted, No other reproduction is permitted without the prior permission of the Australian UNIX User Group, * UNIX is a trademark of Bell Telephone Laboratories, AUUGN Vol V No i Editorial Do you have the feeling you have missed something in the last few years? Have your doors been blowing closed more often because you cannot find those old AUUGN issues? Well, have no fear, the editor who brought you volumes two and three has returned to bring you volume five. I would like to take this opportunity to apologise to all our regular subscribers for the problems they may have experienced in dealing with the editors of AUUGN during 1982 and 1983. Particular apologies must go to subscribers like the CSIRO, who paid for volume IV and received nothing. Well, enough of problems, on to the good stuff! In This Issue You will notice the appearance of a few new departments in this volume.
    [Show full text]
  • User-Level Window Managers for UNIX
    User-LevelWindowManagers for UNIX Robert J.K. Jacob NavalResearch Laboratory Washington, D.C. 20375 ABSTRACT Wm manages a collection of windows on a display terminal. Each windowhas its ownshell or other interactive program, running in parallel with those in the other win- dows. This permits a user to conduct several interactions with the system in parallel, each in its own window. The user can move from one windowtoanother,re-position a window, orcreate or delete a windowatany time without losing his or her place in anyof the windows. Windows can overlap or completely obscure one another; obscured win- dows can be "lifted" up and placed on top of the other windows. This paper describes howsuch a windowmanager for UNIX† is implemented as a set of user processes, without modifications to the UNIX kernel. It shows howthe sim- ple, but well-chosen facilities provided by the original (Version 6) UNIX kernel are suffi- cient to support wm.Inaddition, subsequent versions of wm exploit features of the kernel introduced into newer versions of UNIX to provide faster and more sophisticated window operations, still implemented entirely at the user level. Introduction This paper describes the design of a display windowmanager for UNIX implemented entirely as a set of user processes, without modifications to the UNIX kernel. It shows howthe simple facilities provided by the original (Version 6) UNIX kernel are sufficient to support such a windowmanager.Inaddition, more recent versions of the windowmanager exploit features of the kernel introduced into newer versions of UNIX to provide faster and more sophisticated operations in windows, still implemented entirely outside the kernel.
    [Show full text]
  • MILS Architectural Approach Supporting Trustworthiness of the Iiot Solutions
    MILS Architectural Approach Supporting Trustworthiness of the IIoT Solutions An Industrial Internet Consortium Whitepaper Rance J. DeLong (The Open Group); Ekaterina Rudina (Kaspersky) MILS Architectural Approach Context and Overview 1 Context and Overview ...................................................................................................... 4 1.1 Need for Trustworthy System Operation ............................................................................. 5 1.2 What is MILS today .............................................................................................................. 6 1.3 How MILS Addresses Safety ................................................................................................. 7 1.4 How MILS Addresses Security .............................................................................................. 8 1.5 How MILS Supports Reliability, Resilience, and Privacy ........................................................ 9 2 MILS Concepts .................................................................................................................. 9 2.1 Centralized vs Distributed Security Architecture .................................................................. 9 2.1.1 Domain Isolation .................................................................................................................................. 10 2.1.2 Isolation and Information Flow Control ............................................................................................... 11 2.1.3 Separation
    [Show full text]
  • CBCE"1Jum11m(] CD~Cbul1 Ij0d~
    TOP SECRET OJalUOCDOJallb ~l!CBC!JWOU~ UJl]l!OJCB~ ll~WU l]l!~~l]l! l]f,J Wl5£ill!ll5 ~ W(lJ~~l1WllJC!l CBCE"1Jum11m(] CD~CBUl1 iJ0D~ 86-36 PARTIAL MACHINE TRANSLATION: FINAL REPORT (U) .. J . ~ .•• 1 TRACKS IN THE SANDS OF TIME (U)•••••••••••••••••Fred Mason •••••••• 0 ••••••••• 12 NSA-CROSTIC NO. 39 (U) •••••••••••••••••••••••••• David H. Willimas.~.•• •••••· •• 14 REVIEW: THE AMERICAN MAGIC (U) ...... _.......... ·I V··· . .; ......... 16 SHELL GAME (U) •••••••••••••••••••••••••••••••••• w. E. s ••••.•• ,/ .• .,,,~ ••... i ••. 20 WORD PROCESSING IN A4 (U)................... •.• • t ••• • ••..•• •i ••• • 22 BOOKBREAKERS' FORUM ON MACHINE AIDS (U)........ I••••••• •• •••• 27 PERSONAL COMPUTER APPLICATION (U) • • • • • • • • • • • • • • t ••••• 28 THIS 9QCUAIENT CQNT.~INS CQ9EWQR9 l\ft.:F8RIAb Sln\SSIFIEB BY NS1t/eSSM 123•2 TOP SECRET ItEVImf 6'M 16 Apt 2612 DP=classifiect and Approyeci for RP-lease o ... ..- t;JSA on 1 0-1 ?-201? pursuant to EC) 135 -:;- o M O R C::asR # $4 7 'j %"") DOCID: 4033690 Published by Pl. Techniques and Standards. for the Personnel of Operations Editorial VOL. IX. No. 4 APRIL 1982 By now it seems safe to announce that :.., J ~ · CRYPTOLOG is once again coming out on a '•;:. PUBLISHER monthly schedule. That was our objective bac~ in October, but there were a lot of questions BOARD OF EDITORS about whether it could be done. Editor-in-Chief • ._I______ _. (7119/8322s) Production ••••••••••• ~... ________I (3369s) We decided at the outset not to make any promises about publication schedules. These days there are so many people promising so Collection ...................l ___ .....,_~I (8555s) much, and yesterday's promises have a way of fading unfulfilled beneath the flood of ever Cryptanalysis ••••••••••• ~..
    [Show full text]
  • National Information Assurance Partnership
    National Information Assurance Partnership ® TM Common Criteria Evaluation and Validation Scheme Validation Report Green Hills Software INTEGRITY-178B Separation Kernel Report Number: CCEVS-VR-10119-2008 Dated: 01 September 2008 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6757 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6757 VALIDATION REPORT Green Hills Software INTEGRITY-178B Separation Kernel ACKNOWLEDGEMENTS Validation Team Shaun Gilmore Santosh Chokhani Ken Elliott Jerry Myers Paul Bicknell Common Criteria Testing Laboratory SAIC, Inc. Columbia, Maryland ii VALIDATION REPORT Green Hills Software INTEGRITY-178B Separation Kernel Table of Contents 1 Executive Summary................................................................1 1.1 Evaluation Details.............................................................2 2 Identification...........................................................................4 3 Threats to Security ..................................................................5 4 Security Policy........................................................................7 5 Assumptions............................................................................8 5.1 Physical Assumptions .......................................................8 5.2 Personnel Assumptions.....................................................8 5.3 Connectivity Assumptions................................................8
    [Show full text]
  • Network Driver for Micro Os Xv6
    NETWORK DRIVER FOR MICRO OS XV6 A Project Presented to the faculty of the Department of Computer Science California State University, Sacramento Submitted in partial satisfaction of the requirements for the degree of MASTER OF SCIENCE in Computer Science by Anmoldeep Singh Sandhu SPRING 2020 © 2020 Anmoldeep Singh Sandhu ALL RIGHTS RESERVED ii NETWORK DRIVER FOR MICRO OS XV6 A Project by Anmoldeep Singh Sandhu Approved by: __________________________________, Committee Chair Dr. Jinsong Ouyang __________________________________, Second Reader Dr. Jingwei Yang ____________________________ Date iii Student: Anmoldeep Singh Sandhu I certify that this student has met the requirements for format contained in the University format manual, and this thesis is suitable for electronic submission to the library. Credit is awarded for the Project. __________________________, Graduate Coordinator ___________________ Dr. Jinsong Ouyang Date Department of Computer Science iv Abstract of NETWORK DRIVER FOR MICRO OS XV6 by Anmoldeep Singh Sandhu The network driver is one of the primary requirements for any operating system. Xv6 is a micro-operating system based on version 6 Unix. The latest version of xv6 does not have support for the ethernet driver or the four-layer UDP/IP model. Our work extends the xv6 operating system to support a functioning network driver with the capability of handling a packet burst. This Project also adds support for UDP/IP and Ethernet protocol to the xv6 operating system. _______________________ Committee Chair Dr. Jinsong Ouyang _____________________ Date v ACKNOWLEDGMENTS I am thankful to Dr. Ouyang for providing me the opportunity to learn new skills in the field of driver development. Dr. Ouyang showed trust in me in carrying out this Project.
    [Show full text]
  • Partitioned System with Xtratum on Powerpc
    Tesina de M´asteren Autom´aticae Inform´aticaIndustrial Partitioned System with XtratuM on PowerPC Author: Rui Zhou Advisor: Prof. Alfons Crespo i Lorente December 2009 Contents 1. Introduction1 1.1. MILS......................................2 1.2. ARINC 653..................................3 1.3. PikeOS.....................................6 1.4. ADEOS....................................7 2. Overview of XtratuM 11 2.1. Virtualization and Hypervisor........................ 11 2.2. XtratuM.................................... 12 3. Overview of PowerPC 16 3.1. POWER.................................... 16 3.2. PowerPC.................................... 17 3.3. PowerPC in Safety-critical.......................... 19 4. Main PowerPC Drivers to Virtualize 20 4.1. Processors................................... 20 4.2. Timer..................................... 21 4.3. Interrupt.................................... 23 4.4. Memory.................................... 24 5. Porting Implementation 25 5.1. Hypercall................................... 26 5.2. Timer..................................... 27 5.3. Interrupt.................................... 28 5.4. Memory.................................... 31 5.5. Partition.................................... 32 6. Benchmark 34 7. Conclusions and Future Work 38 Abstract Nowadays, the diversity of embedded applications has been developed into a new stage with the availability of various new high-performance processors and low cost on-chip memory. As the result of these new advances in hardware, there is a
    [Show full text]
  • Empirical Performance Comparison of Hardware and Software Task Context Switching
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by Calhoun, Institutional Archive of the Naval Postgraduate School Calhoun: The NPS Institutional Archive Theses and Dissertations Thesis Collection 2009-06 Empirical Performance Comparison of Hardware and Software Task Context Switching Schultz, Eric A. Monterey, California. Naval Postgraduate School http://hdl.handle.net/10945/46226 NAVAL POSTGRADUATE SCHOOL MONTEREY, CALIFORNIA THESIS EMPIRICAL PERFORMANCE COMPARISON OF HARDWARE AND SOFTWARE TASK CONTEXT SWITCHING by Eric A. Schultz June 2009 Thesis Advisor: Cynthia E. Irvine Second Reader: David J. Shifflett Approved for public release; distribution is unlimited THIS PAGE INTENTIONALLY LEFT BLANK ii Form Approved REPORT DOCUMENTATION PAGE OMB No. 0704–0188 The public reporting burden for this collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to Department of Defense, Washington Headquarters Services, Directorate for Information Operations and Reports (0704–0188), 1215 Jefferson Davis Highway, Suite 1204, Arlington, VA 22202–4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to any penalty for failing to comply with a collection of information if it does not display a currently valid OMB control number. PLEASE DO NOT RETURN YOUR FORM TO THE ABOVE ADDRESS. 1. REPORT DATE (DD–MM–YYYY) 2. REPORT TYPE 3.
    [Show full text]
  • Raytheon Secure Systems and Networks Delivering Mission Assurance in a Hostile Cyberspace Feature the Benefits of Multi-Level Security
    TecHIGhHLIGHTnING RAoYTHEON l’S oTECHNOgLOGY y Tod2a007 Issyue 2 Raytheon Secure Systems and Networks Delivering Mission Assurance in a Hostile Cyberspace Feature The Benefits of Multi-Level Security ulti-level security (MLS) should be accessible to the individ - secret, confidential and unclassified has been a holy grail ever ual. To ameliorate this problem, data all can reside in a single MLS Msince the early days of high-speed guards requiring addi - domain. MLS provides the ability to applying computer systems to meet tional hardware and processing simultaneously receive, process, Col. Roger Shell was the automation needs of military overhead, or labor intensive proce - store and disseminate data of mul - the deputy director of and intelligence systems. In the dures such as manually reviewing tiple classifications within a domain the National Security 1970s, MITRE published a series of data, are commonly used when where not all users have the securi - Agency’s (NSA) papers (by Bell and LaPadua) that moving data between domains. ty clearance to access all the data National Computer describe the issues and rules of within the domain. MLS needs to Security Center (NCSC) determining access rights of individ - The single-level security domain permeate into the computing envi - as it was formed in the ual users to information, based on paradigm is not compatible with ronment (workstations, servers and early 1980s. Dr. Kenneth their credentials. In fact, in 1971, this time-sensitive collaborative pro - operating systems), the network, Kung joined NCSC in Dr. Roger Schell (then a U.S. Air cessing environment needed to the database and the mission appli - 1984 as one of the Force major) conducted his Ph.D.
    [Show full text]
  • Separation Kernels on Commodity Workstations
    Systems and Network Analysis Center Information Assurance Directorate Separation Kernels on Commodity Workstations 11 March 2010 SNAC DoD, 9800 Savage Rd. Ft. Meade, MD 20755-6704 410-854-6632 DSN: 244-6632 FAX: 410-854-6604 www.nsa.gov/snac [email protected] 1 Separation Kernels on Commodity Workstations 1 Executive Summary ................................................................................................. 3 2 Introduction .............................................................................................................. 4 2.1 SKPP Evaluation ................................................................................................ 4 2.2 Assurance Maintenance ..................................................................................... 5 3 Commodity Workstation Security ............................................................................. 7 3.1 Workstation Security Argument .......................................................................... 7 3.1.1 The Applications .......................................................................................... 7 3.1.2 The Operating System ................................................................................. 7 3.1.3 The Hardware Platform ................................................................................ 8 3.2 Evaluating the Workstation Security Argument .................................................. 8 3.3 Too Many Cooks in the Kitchen ........................................................................
    [Show full text]