Verification of Programs in Virtual Memory Using Separation Logic
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Safety and Conservativity of Definitions in HOL and Isabelle/HOL
This is a repository copy of Safety and conservativity of definitions in HOL and Isabelle/HOL. White Rose Research Online URL for this paper: http://eprints.whiterose.ac.uk/161207/ Version: Published Version Article: Kunčar, O. and Popescu, A. orcid.org/0000-0001-8747-0619 (2018) Safety and conservativity of definitions in HOL and Isabelle/HOL. Proceedings of the ACM on Programming Languages, 2 (POPL). 24. ISSN 2475-1421 https://doi.org/10.1145/3158112 Reuse This article is distributed under the terms of the Creative Commons Attribution (CC BY) licence. This licence allows you to distribute, remix, tweak, and build upon the work, even commercially, as long as you credit the authors for the original work. More information and the full terms of the licence here: https://creativecommons.org/licenses/ Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. [email protected] https://eprints.whiterose.ac.uk/ Safety and Conservativity of Definitions in HOL and Isabelle/HOL ONDŘEJ KUNČAR, Technische Universität München, Germany ANDREI POPESCU, Middlesex University London, United Kingdom and Institute of Mathematics Simion Stoilow of the Romanian Academy, Romania Deinitions are traditionally considered to be a safe mechanism for introducing concepts on top of a logic known to be consistent. In contrast to arbitrary axioms, deinitions should in principle be treatable as a form of abbreviation, and thus compiled away from the theory without losing provability. -
Quantifying Security Impact of Operating-System Design
Copyright Notice School of Computer Science & Engineering COMP9242 Advanced Operating Systems These slides are distributed under the Creative Commons Attribution 3.0 License • You are free: • to share—to copy, distribute and transmit the work • to remix—to adapt the work • under the following conditions: 2019 T2 Week 09b • Attribution: You must attribute the work (but not in any way that Local OS Research suggests that the author endorses you or your use of the work) as @GernotHeiser follows: “Courtesy of Gernot Heiser, UNSW Sydney” The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode 1 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License Quantifying OS-Design Security Impact Approach: • Examine all critical Linux CVEs (vulnerabilities & exploits database) • easy to exploit 115 critical • high impact Linux CVEs Quantifying Security Impact of • no defence available to Nov’17 • confirmed Operating-System Design • For each establish how microkernel-based design would change impact 2 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License 3 COMP9242 2019T2 W09b: Local OS Research © Gernot Heiser 2019 – CC Attribution License Hypothetical seL4-based OS Hypothetical Security-Critical App Functionality OS structured in isolated components, minimal comparable Trusted inter-component dependencies, least privilege to Linux Application computing App requires: base • IP networking Operating system Operating system • File storage xyz xyz • Display -
The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors
The OKL4 Microvisor: Convergence Point of Microkernels and Hypervisors Gernot Heiser, Ben Leslie Open Kernel Labs and NICTA and UNSW Sydney, Australia ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. Microkernels vs Hypervisors > Hypervisors = “microkernels done right?” [Hand et al, HotOS ‘05] • Talks about “liability inversion”, “IPC irrelevance” … > What’s the difference anyway? ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 2 What are Hypervisors? > Hypervisor = “virtual machine monitor” • Designed to multiplex multiple virtual machines on single physical machine VM1 VM2 Apps Apps AppsApps AppsApps OS OS Hypervisor > Invented in ‘60s to time-share with single-user OSes > Re-discovered in ‘00s to work around broken OS resource management ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 3 What are Microkernels? > Designed to minimise kernel code • Remove policy, services, retain mechanisms • Run OS services in user-mode • Software-engineering and dependability reasons • L4: ≈ 10 kLOC, Xen ≈ 100 kLOC, Linux: ≈ 10,000 kLOC ServersServers ServersServers Apps Servers Device AppsApps Drivers Microkernel > IPC performance critical (highly optimised) • Achieved by API simplicity, cache-friendly implementation > Invented 1970 [Brinch Hansen], popularised late ‘80s (Mach, Chorus) ok-labs.com ©2010 Open Kernel Labs and NICTA. All rights reserved. 4 What’s the Difference? > Both contain all code executing at highest privilege level • Although hypervisor may contain user-mode code as well > Both need to abstract hardware resources • Hypervisor: abstraction closely models hardware • Microkernel: abstraction designed to support wide range of systems > What must be abstracted? • Memory • CPU • I/O • Communication ok-labs.com ©2010 Open Kernel Labs and NICTA. -
Extensible Distributed Operating System for Reliable Control Systems
194 Extensible Distributed Operating System for Reliable Control Systems Katsumi Maruyama, Kazuya Kodama, Soichiro Hidaka, Hiromichi Hashizume National Institute of Informatics, 2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo, Japan Email:{maruyama,kazuya,hidaka,has}@nii.ac.jp Abstract small monitor-like OSs are used. However, these monitor- like OSs lack program protection mechanisms, and program Since most control systems software is hardware-related, development is difficult. real-time-oriented and complex, adaptable OSs which help Therefore, an extensible/adaptable OS for control sys- program productivity and maintainability improvement are tems is required . We are developing a new OS character- in strong demand. ized by: We are developing an adaptable and extensible OS based on micro-kernel and multi-server scheme: each server runs • Use of an efficient and flexible micro-kernel (L4-ka). • Multi-server based modular OS. (Each OS service is in a protected mode interacting only via messages, and implemented as individual user-level process.) could be added/extended/deleted easily. Since this OS is • Robustness. Only the micro-kernel runs in kernel highly modularized, inter-process messaging overhead is a mode and in kernel space. Other modules run in a pro- concern. Our implementation proved good efficiency and tected user space and mode. maintainability. • Hardware driver programs in user-level process. • Flexible distributed processing by global message passing. 1. Introduction This OS structure proved to enhance OS modularity and ease of programming. However, inter-process messaging Most systems, from large scale public telephone switch- overhead should be considered . We measured the overhead, ing systems to home electronics, are controlled by software, and the overhead was proved to be small enough. -
Submission Data for 2020-2021 CORE Conference Ranking Process International Joint Conference on Automated Reasoning
Submission Data for 2020-2021 CORE conference Ranking process International Joint Conference on Automated Reasoning Franz Baader, Viorica Sofronie-Stokkermans Conference Details Conference Title: International Joint Conference on Automated Reasoning Acronym : IJCAR Rank: A* Requested Rank Rank: A* Recent Years Proceedings Publishing Style Proceedings Publishing: series Link to most recent proceedings: https://link.springer.com/conference/ijcar Further details: The proceedings are published in Springer Lecture Notes in Computer Science (LNCS) subseries Lecture Notes in Artificial Intelligence (LNAI). The proceedings usually contain regular papers and system descriptions accepted at the main conference. (IJCAR 2020 also contained a small number of short papers, which were clearly marked as short papers.) Most Recent Years Most Recent Year Year: 2018 URL: http://ijcar2018.org Location: Oxford, UK Papers submitted: 108 Papers published: 46 Acceptance rate: 43 Source for numbers: http://ijcar.org//conferences General Chairs Name: Ian Horrocks Affiliation: University of Oxford, UK Gender: M H Index: 96 GScholar url: https://scholar.google.com/citations?hl=en&user=0ypdmcYAAAAJ DBLP url: https://dblp.org/pid/h/IanHorrocks.html Program Chairs Name: Didier Galmiche Affiliation: UniversitÃľ de Lorraine, France Gender: M H Index: 19 (according to Semantic Scholar) GScholar url: https://scholar.google.com/scholar?hl=de&as_sdt=0%2C5&q=Didier+Galmiche&oq= DBLP url: https://dblp.org/pid/82/76.html 1 Second Most Recent Year Year: 2016 URL: https://www.uc.pt/en/congressos/ijcar2016 -
Towards a Practical, Verified Kernel
Towards a Practical, Verified Kernel Kevin Elphinstone∗ Gerwin Klein∗ PhilipDerrin TimothyRoscoe† Gernot Heiser∗‡ National ICT Australia§ Abstract properties such as guaranteed termination of system calls, and the kernel never throwing an internal exception. In the paper we examine one of the issues in designing, Successful OS kernels have generally been the result of specifying, implementing and formally verifying a small careful attention to performance issues, and repeatedly it- operating system kernel — how to provide a productive erating bottom-up implementations of low-level function- and iterative developmentmethodology for both operating ality, in some cases changing high-level interfaces and system developers and formal methods practitioners. functionality to accommodate implementation constraints We espouse the use of functional programming lan- and performance goals. This is, unfortunately, in conflict guages as a medium for prototyping that is readily with formal methods, which typically work by top-down amenable to formalisation with a low barrier to entry for refining models of system properties, and rarely deal with kernel developers, and report early experience in the pro- low-level implementation features. cess of designing and building seL4: a new, practical, and This paper describes our approach to resolving this ten- formally verified microkernel. sion, and reports on our experience so far in applying it to seL4. We use a high-level language (Literate Haskell) to simultaneously develop a specification of the kernel and a 1 Introduction reference implementation for evaluation and testing. The implementation can be used in conjunction with a sim- We describe our approachto constructing seL4 — a useful ulator such as QEMU for running real application bina- yet formally verified operating system kernel, by means of ries, while the specification generates input to an interac- a novel development process which aims to reconcile the tive theorem prover (Isabelle) for formal proof of proper- conflicting methodologies of kernel developers and for- ties. -
Microkernel Vs
1 VIRTUALIZATION: IBM VM/370 AND XEN CS6410 Hakim Weatherspoon IBM VM/370 Robert Jay Creasy (1939-2005) Project leader of the first full virtualization hypervisor: IBM CP-40, a core component in the VM system The first VM system: VM/370 Virtual Machine: Origin 3 IBM CP/CMS CP-40 CP-67 VM/370 Why Virtualize 4 Underutilized machines Easier to debug and monitor OS Portability Isolation The cloud (e.g. Amazon EC2, Google Compute Engine, Microsoft Azure) IBM VM/370 Specialized Conversation Mainstream VM al Monitor OS (MVS, Another Virtual subsystem System DOS/VSE copy of VM machines (RSCS, RACF, (CMS) etc.) GCS) Hypervisor Control Program (CP) Hardware System/370 IBM VM/370 Technology: trap-and-emulate Problem Application Privileged Kernel Trap Emulate CP Classic Virtual Machine Monitor (VMM) 7 Virtualization: rejuvenation 1960’s: first track of virtualization Time and resource sharing on expensive mainframes IBM VM/370 Late 1970’s and early 1980’s: became unpopular Cheap hardware and multiprocessing OS Late 1990’s: became popular again Wide variety of OS and hardware configurations VMWare Since 2000: hot and important Cloud computing Docker containers Full Virtualization 9 Complete simulation of underlying hardware Unmodified guest OS Trap and simulate privileged instruction Was not supported by x86 (Not true anymore, Intel VT-x) Guest OS can’t see real resources Paravirtualization 10 Similar but not identical to hardware Modifications to guest OS Hypercall Guest OS registers handlers Improved performance VMware ESX Server 11 Full virtualization Dynamically rewrite privileged instructions Ballooning Content-based page sharing Denali 12 Paravirtualization 1000s of VMs Security & performance isolation Did not support mainstream OSes VM uses single-user single address space 13 Xen and the Art of Virtualization Xen 14 University of Cambridge, MS Research Cambridge XenSource, Inc. -
Verification of Sequential Imperative Programs in Isabelle/HOL
f f f f f f f f f f f f f f f f f f f f Verification of Sequential Imperative Programs in Isabelle/HOL Norbert Schirmer Lehrstuhl fur¨ Software & Systems Engineering Institut fur¨ Informatik Technische Universitat¨ Munchen¨ Lehrstuhl fur¨ Software & Systems Engineering Institut fur¨ Informatik Technische Universitat¨ Munchen¨ Verification of Sequential Imperative Programs in Isabelle/HOL Norbert Schirmer Vollstandiger¨ Abdruck der von der Fakultat¨ fur¨ Informatik der Technischen Universitat¨ Munchen¨ zur Erlangung des akademischen Grades eines Doktors der Naturwissenschaften (Dr. rer. nat.) genehmigten Dissertation. Vorsitzender: Univ.-Prof. Dr. Helmut Seidl Prufer¨ der Dissertation: 1. Univ.-Prof. Tobias Nipkow, Ph.D. 2. Univ.-Prof. Dr. Wolfgang J. Paul Universitat¨ des Saarlandes Die Dissertation wurde am 31.10.2005 bei der Technischen Universitat¨ Munchen¨ eingereicht und durch die Fakultat¨ fur¨ Informatik am 21.04.2006 angenommen. i Kurzfassung Ziel der Dissertation ist es, eine Verifikationsumgebung fur¨ sequentielle imperative Programme zu schaffen. Zunachst¨ wird unabhangig¨ von einer konkreten Program- miersprache ein allgemeines Sprachmodell entwickelt, das ausdrucksstark genug ist um alle gangigen¨ Programmiersprachkonzepte abzudecken: Gegenseitig rekur- sive Prozeduren, abrupte Terminierung und Ausnahmebehandlung, Laufzeitfeh- ler, lokale und globale Variablen, Zeiger und Halde, Ausdrucke¨ mit Seiteneffekten, Zeiger auf Prozeduren, partielle Applikation, dynamischer Methoden Aufruf und unbeschrankter¨ Indeterminismus. Fur¨ dieses Sprachmodell wird eine Hoare Logik sowohl fur¨ partielle alsauch fur¨ totale Korrektheit entwickelt. Darauf aufbauend wird ein Verifikations-Bedingungs- Generator implementiert. Die Hoare Logik erlaubt die Integration von statischer Programmanalyse und Software Model Checkern in die Verifikation. Desweiteren wird eine Teilsprache von C in die Verifikationsumgebung eingebet- tet, um die Durchgangigkeit¨ zu einer realen Programmiersprache zu demonstrieren. -
Operating Systems & Virtualisation Security Knowledge Area
Operating Systems & Virtualisation Security Knowledge Area Issue 1.0 Herbert Bos Vrije Universiteit Amsterdam EDITOR Andrew Martin Oxford University REVIEWERS Chris Dalton Hewlett Packard David Lie University of Toronto Gernot Heiser University of New South Wales Mathias Payer École Polytechnique Fédérale de Lausanne The Cyber Security Body Of Knowledge www.cybok.org COPYRIGHT © Crown Copyright, The National Cyber Security Centre 2019. This information is licensed under the Open Government Licence v3.0. To view this licence, visit: http://www.nationalarchives.gov.uk/doc/open-government-licence/ When you use this information under the Open Government Licence, you should include the following attribution: CyBOK © Crown Copyright, The National Cyber Security Centre 2018, li- censed under the Open Government Licence: http://www.nationalarchives.gov.uk/doc/open- government-licence/. The CyBOK project would like to understand how the CyBOK is being used and its uptake. The project would like organisations using, or intending to use, CyBOK for the purposes of education, training, course development, professional development etc. to contact it at con- [email protected] to let the project know how they are using CyBOK. Issue 1.0 is a stable public release of the Operating Systems & Virtualisation Security Knowl- edge Area. However, it should be noted that a fully-collated CyBOK document which includes all of the Knowledge Areas is anticipated to be released by the end of July 2019. This will likely include updated page layout and formatting of the individual Knowledge Areas KA Operating Systems & Virtualisation Security j October 2019 Page 1 The Cyber Security Body Of Knowledge www.cybok.org INTRODUCTION In this Knowledge Area, we introduce the principles, primitives and practices for ensuring se- curity at the operating system and hypervisor levels. -
Login Dec 07 Volume 33
COMPUTER SECURITY IS AN OLD problem which has lost none of its rele - GERNOT HEISER vance—as is evidenced by the annual Secu - rity issue of ;login: . The systems research community has increased its attention to security issues in recent years, as can be Your system is seen by an increasing number of security- related papers published in the mainstream secure? Prove it! systems conferences SOSP, OSDI, and Gernot Heiser is professor of operating systems at USENIX. However, the focus is primarily on the University of New South Wales (UNSW) in Sydney and leads the embedded operating-systems group at desktop and server systems. NICTA, Australia’s Centre of Excellence for research in information and communication technology. In 2006 he co-founded the startup company Open Kernel I argued two years ago in this place that security of Labs (OK), which is developing and marketing operat - embedded systems, whether mobile phones, smart ing-system and virtualization technology for embed - ded systems, based on the L4 microkernel. cards, or automobiles, is a looming problem of even bigger proportions, yet there does not seem to [email protected] be a great sense of urgency about it. Although there are embedded operating-system (OS) vendors NICTA is funded by the Australian government’s Backing Australia’s Ability initiative, in part working on certifying their offerings to some of the through the Australian Research Council. highest security standards, those systems do not seem to be aimed at, or even suitable for, mobile wireless devices. Establishing OS Security The accepted way to establish system security is through a process called assurance . -
Microkernel Construction Introduction
Microkernel Construction Introduction Nils Asmussen 04/06/2017 1 / 28 Outline Introduction Goals Administration Monolithic vs. Microkernel Overview About L4/NOVA 2 / 28 Goals 1 Provide deeper understanding of OS mechanisms 2 Look at the implementation details of microkernels 3 Make you become enthusiastic microkernel hackers 4 Propaganda for OS research at TU Dresden 3 / 28 Administration Thursday, 4th DS, 2 SWS Slides: www.tudos.org ! Teaching ! Microkernel Construction Subscribe to our mailing list: www.tudos.org/mailman/listinfo/mkc2017 In winter term: Microkernel-based operating systems (MOS) Various labs 4 / 28 Outline Introduction Monolithic vs. Microkernel Kernel design comparison Examples for microkernel-based systems Vision vs. Reality Challenges Overview About L4/NOVA 5 / 28 Monolithic Kernel System Design u s Application Application Application e r k Kernel e r File Network n e Systems Stacks l m Memory Process o Drivers Management Management d e Hardware 6 / 28 Monolithic Kernel OS (Propaganda) System components run in privileged mode No protection between system components Faulty driver can crash the whole system Malicious app could exploit bug in faulty driver More than 2=3 of today's OS code are drivers No need for good system design Direct access to data structures Undocumented and frequently changing interfaces Big and inflexible Difficult to replace system components Difficult to understand and maintain Why something different? ! Increasingly difficult to manage growing OS complexity 7 / 28 Microkernel System Design Application -
Hype and Virtue
Hype and Virtue Timothy Roscoe∗ Kevin Elphinstone† Gernot Heiser†‡ National ICT Australia Abstract a source of a new class of problem. We lay out some of these directions towards the end of this paper. In this paper, we question whether hypervisors are really A challenge with any technological development which acting as a disruptive force in OS research, instead argu- creates intense interest simultaneously in both academia ing that they have so far changed very little at a techni- and venture capital circles is separating the long-term sci- cal level. Essentially, we have retained the conventional entific and engineering questions traditionally relegated to Unix-like OS interface and added a new ABI based on PC academic research from the short-term issues closely tied hardware which is highly unsuitable for most purposes. to particular business models, contexts, and in some cases Despite commercial excitement, focus on hypervisor de- individual companies. sign may be leading OS research astray. However, adopt- This is an unashamedly academic paper, deliberately ing a different approach to virtualization and recognizing bracketing short-term commercial pressures to concen- its value to academic research holds the prospect of open- trate instead on longer-term research questions in OS de- ing up kernel research to new directions. sign. We do not wish to devalue short-term research strongly embedded in current products and markets, but we emphasize that it is not our concern here. 1 Introduction In the next section we compare hypervisors to other kernels from a long-term research perspective (rather than Are hypervisors really a disruptive technology? Both the focusing on their short-term applications) and in Section 3 IT industry and the academic OS research community critique the new system interface offered by hypervisors.