Download This Presentation

Reimplement? Reuse? Both! Trustworthy Systems with Genode and SPARK

Alexander Senier Sound Static Analysis for Security Workshop Gaithersburg, MD, June 27th, 2018 About Componolit

06/27/2018 2 What is SPARK? Language and toolset

■ Programming language and tool set ■ Different levels of assurance ■ Adapt at your discretion

06/27/2018 3 What is SPARK? Stone level

■ No side-effects in functions ■ No parameter aliasing ■ No pointers ■ Fewer dangerous constructs

06/27/2018 4 What is SPARK? Higher assurance

■ Bronze level: Correct initialization and data flow ■ Silver level: Absence of runtime errors ■ Gold level: Proof key (integrity) properties ■ Platinum level: Functional correctness

06/27/2018 5 What is SPARK? You may know this: Jet engines

■ fsdfsd Tony Hisgett Tony

©

06/27/2018 6 What is SPARK? And this: Vermont Lunar CubeSat

06/27/2018 7 What is SPARK? And this: Tokeneer

06/27/2018 8 What is SPARK? And this: Muen Separation Kernel

■

© William Christen

06/27/2018 9 What is SPARK? But how about this?

SPARK for the Web!

06/27/2018 10 Demo #1 Plain Web application

© © Karsten Würth 06/27/2018 11 Web application Security

■ No authentication – bad idea! ■ Options ▪ Passwords ▪ Client certificates ▪ Authentication tokens © © Karsten Würth 06/27/2018 12 Web application Token-based authentication

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd WIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9 lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF 2QT4fwpMeJf36POk6yJV_adQssw5c

Web Authentication Service Provider

{ "alg": "HS256", (2) "typ": "JWT" (3) Service Authentication } Request Response

{ "sub": "1234567890", Client "name": "John Doe", (4) (1) "iat": 1516239022 Response Authentication } Request © © Karsten Würth 06/27/2018 13 Token-based authentication The monolithic approach

Web App JWT

Services ■ A lot to trust! HTTP Server (systemd, cron, ssh, Python syslog, dbus, ...) ■ How likely is no critical bug within Libc... Libc... decades? ■ Millions of lines of code TCP/IP Drivers Linux ... ■ Formally verifying all those components? Good luck! © © Karsten Würth 06/27/2018 14 We still want trustworthy authentication for our wind turbine! Alternatives?

06/27/2018 15 Interlude The Genode OS Framework*

■ Hierarchical System ■ Recursive system structure Architecture ▪ Root: Microkernel ▪ Parent: Responsibility + control ▪ Isolation is default ▪ Strict communication policy ■ Everything is a user-process ▪ Application ▪ File systems ▪ Drivers, Network stacks

06/27/2018 *) https://genode.org 16 Interlude Minimal Trusted Computing Base

■ Per-application TCB ■ Trusted Computing Base (TCB) ▪ Software required for security ▪ Parents in tree ▪ Services used ■ TCB reduction ▪ Application-specific ▪ Example: File system ■ Sessions

06/27/2018 17 Architecture for Trustworthy Systems Strategy #1: Policy Objects

■ Policy objects ■ Can’t reimplement everything ■ Solution: software reuse Protocol validator ▪ Untrusted software (gray) (e.g. TLS) ▪ Policy object (green) ▪ Client software (orange) ■ Policy object Network Web ▪ Establishes assumptions of client Stack browser ▪ Sanitizes ▪ Enforces additional policies

06/27/2018 18 Architecture for Trustworthy Systems Strategy #2: Trusted Wrappers

■ Trusted wrapper ■ Untrusted software (gray) ▪ E.g. disk, file system, cloud VPN ■ Trusted wrapper Component ▪ Mandatory encryption ■ Client software (orange) ▪ No direct interaction with Network Web untrusted components Stack Browser ▪ Minimal attack surface

06/27/2018 19 Architecture for Trustworthy Systems Strategy #3: Transient components

■ Transient component ■ Untrusted software ▪ E.g. Media decoder Controller ▪ No chance to get this right! ■ Transient component ▪ Temporarily instantiate untrusted

software for single file/stream read-only simple ▪ Expose only simple interfaces Network Decoder Audio Player (e.g. PCM audio) ▪ Cleanup on completion

06/27/2018 20 Let’s put it together.

06/27/2018 21 Token-based authentication First component-based attempt

Nic Session

Virtual Box init, JWT (Linux Nic timer Validator + Web Server) TCP/IP, libc, ...

Microkernel & Core © © Karsten Würth 06/27/2018 22 Token-based authentication Second component-based attempt

Terminal Session Nic Session

Virtual Box init, JWT (Linux Downlink Uplink Nic timer Validator + Web Server) TCP/IP, TCP/IP, libc, ... libc, ...

Microkernel & Core © © Karsten Würth 06/27/2018 23 Demo #2 Minimal JWT Validator

© Gustavo Gustavo Quepón © © © Karsten Würth 06/27/2018 24 Component-based architecture Disclaimer

■ Never show your authentication tokens in presentations ;-) ■ Proof-of-Concept ▪ No TLS in this demo! ▪ Only symmetric crypto for validating JWTs for now (HMAC-SHA256) ▪ Only “stone” level right now (proving absence of runtime errors TBD) ■ Not a solution for availability!

06/27/2018 25 Component-based architecture Trusted computing base

■ The TLS validator has 3618 SLOC*: ▪ Ada: 2836 (78.39%) ▪ Cpp: 782 (21.61%) ■ The overall Trusted Computing Base is ~37000 SLOC*: ▪ Components: validator, microkernel, core, init, dynamic linker, RTC driver ▪ cpp: 33318 (91.27%) ▪ ada: 2836 (7.77%) ▪ asm: 352 (0.96%)

*) generated using 'SLOCCount' by David A. Wheeler.

06/27/2018 26 Component-based architecture But, performance?

fdd

06/27/2018 27 Performance Evaluation Setup

■ Client ▪ Intel Core i5-M520, 2.4 GHz ■ Evaluation Setup ▪ Intel 82577LM GiB Ethernet 1. Internet ▪ Debian 9.4, x86_64 2. Local webserver ▪ Lighttpd 1.4.45-1 3. Local webserver through ■ ab (Apache Benchmark) passthrough JWT validator ▪ version 2.4.25-3+deb9u4 4. Local webserver through real ▪ 6 concurrent requests JWT validator ▪ 1000 requests 1k, 10k, 100k, 1M

06/27/2018 28 Performance Evaluation Results

1k 10k 100k 1M 1k 10k 100k 1M 100 2.5

2 10

1.5 1 1

0.1 0.5

0.01 0 Internet Local Passthrough Validated Local Passthrough Validated

Mean latency between request [ms]

06/27/2018 29 Component-based architecture Reimplement? Reuse? Both!

■ Component-based systems and program verification fit together very well! ■ Confidentiality & integrity ▪ No need to verify large code bases ▪ Reuse of large parts of the architecture ▪ Minimal trusted computing base ▪ Performance: Promising, but needs evaluation in realistic setup

06/27/2018 30 Component-based architecture What else?

■ Everything you saw is open source – try it! ■ JWX library for parsing JWTs (and more) ▪ https://github.com/Componolit/jwx ■ Demo ▪ examples/authproxy.adb (in JWT repository) ■ Libsparkcrypto ▪ https://github.com/Componolit/libsparkcrypto ■ Genode OS Framework ▪ https://github.com/genodelabs/genode ■ SPARK ▪ https://www.adacore.com/download

06/27/2018 31 Questions?

Alexander Senier Managing Director [email protected]

@Componolit · componolit.com · github.com/Componolit

06/27/2018 32