Download This Presentation
Reimplement? Reuse? Both! Trustworthy Systems with Genode and SPARK
Alexander Senier Sound Static Analysis for Security Workshop Gaithersburg, MD, June 27th, 2018 About Componolit
06/27/2018 2 What is SPARK? Language and toolset
■ Programming language and tool set ■ Different levels of assurance ■ Adapt at your discretion
06/27/2018 3 What is SPARK? Stone level
■ No side-effects in functions ■ No parameter aliasing ■ No pointers ■ Fewer dangerous constructs
06/27/2018 4 What is SPARK? Higher assurance
■ Bronze level: Correct initialization and data flow ■ Silver level: Absence of runtime errors ■ Gold level: Proof key (integrity) properties ■ Platinum level: Functional correctness
06/27/2018 5 What is SPARK? You may know this: Jet engines
■ fsdfsd Tony Hisgett Tony
©
06/27/2018 6 What is SPARK? And this: Vermont Lunar CubeSat
06/27/2018 7 What is SPARK? And this: Tokeneer
06/27/2018 8 What is SPARK? And this: Muen Separation Kernel
■
© William Christen
06/27/2018 9 What is SPARK? But how about this?
SPARK for the Web!
06/27/2018 10 Demo #1 Plain Web application
© © Karsten Würth 06/27/2018 11 Web application Security
■ No authentication – bad idea! ■ Options ▪ Passwords ▪ Client certificates ▪ Authentication tokens © © Karsten Würth 06/27/2018 12 Web application Token-based authentication
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzd WIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9 lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF 2QT4fwpMeJf36POk6yJV_adQssw5c
Web Authentication Service Provider
{ "alg": "HS256", (2) "typ": "JWT" (3) Service Authentication } Request Response
{ "sub": "1234567890", Client "name": "John Doe", (4) (1) "iat": 1516239022 Response Authentication } Request © © Karsten Würth 06/27/2018 13 Token-based authentication The monolithic approach
Web App JWT
Services ■ A lot to trust! HTTP Server (systemd, cron, ssh, Python syslog, dbus, ...) ■ How likely is no critical bug within Libc... Libc... decades? ■ Millions of lines of code TCP/IP Drivers Linux ... ■ Formally verifying all those components? Good luck! © © Karsten Würth 06/27/2018 14 We still want trustworthy authentication for our wind turbine! Alternatives?
06/27/2018 15 Interlude The Genode OS Framework*
■ Hierarchical System ■ Recursive system structure Architecture ▪ Root: Microkernel ▪ Parent: Responsibility + control ▪ Isolation is default ▪ Strict communication policy ■ Everything is a user-process ▪ Application ▪ File systems ▪ Drivers, Network stacks
06/27/2018 *) https://genode.org 16 Interlude Minimal Trusted Computing Base
■ Per-application TCB ■ Trusted Computing Base (TCB) ▪ Software required for security ▪ Parents in tree ▪ Services used ■ TCB reduction ▪ Application-specific ▪ Example: File system ■ Sessions
06/27/2018 17 Architecture for Trustworthy Systems Strategy #1: Policy Objects
■ Policy objects ■ Can’t reimplement everything ■ Solution: software reuse Protocol validator ▪ Untrusted software (gray) (e.g. TLS) ▪ Policy object (green) ▪ Client software (orange) ■ Policy object Network Web ▪ Establishes assumptions of client Stack browser ▪ Sanitizes ▪ Enforces additional policies
06/27/2018 18 Architecture for Trustworthy Systems Strategy #2: Trusted Wrappers
■ Trusted wrapper ■ Untrusted software (gray) ▪ E.g. disk, file system, cloud VPN ■ Trusted wrapper Component ▪ Mandatory encryption ■ Client software (orange) ▪ No direct interaction with Network Web untrusted components Stack Browser ▪ Minimal attack surface
06/27/2018 19 Architecture for Trustworthy Systems Strategy #3: Transient components
■ Transient component ■ Untrusted software ▪ E.g. Media decoder Controller ▪ No chance to get this right! ■ Transient component ▪ Temporarily instantiate untrusted
software for single file/stream read-only simple ▪ Expose only simple interfaces Network Decoder Audio Player (e.g. PCM audio) ▪ Cleanup on completion
06/27/2018 20 Let’s put it together.
06/27/2018 21 Token-based authentication First component-based attempt
Nic Session
Virtual Box init, JWT (Linux Nic timer Validator + Web Server) TCP/IP, libc, ...
Microkernel & Core © © Karsten Würth 06/27/2018 22 Token-based authentication Second component-based attempt
Terminal Session Nic Session
Virtual Box init, JWT (Linux Downlink Uplink Nic timer Validator + Web Server) TCP/IP, TCP/IP, libc, ... libc, ...
Microkernel & Core © © Karsten Würth 06/27/2018 23 Demo #2 Minimal JWT Validator
© Gustavo Gustavo Quepón © © © Karsten Würth 06/27/2018 24 Component-based architecture Disclaimer
■ Never show your authentication tokens in presentations ;-) ■ Proof-of-Concept ▪ No TLS in this demo! ▪ Only symmetric crypto for validating JWTs for now (HMAC-SHA256) ▪ Only “stone” level right now (proving absence of runtime errors TBD) ■ Not a solution for availability!
06/27/2018 25 Component-based architecture Trusted computing base
■ The TLS validator has 3618 SLOC*: ▪ Ada: 2836 (78.39%) ▪ Cpp: 782 (21.61%) ■ The overall Trusted Computing Base is ~37000 SLOC*: ▪ Components: validator, microkernel, core, init, dynamic linker, RTC driver ▪ cpp: 33318 (91.27%) ▪ ada: 2836 (7.77%) ▪ asm: 352 (0.96%)
*) generated using 'SLOCCount' by David A. Wheeler.
06/27/2018 26 Component-based architecture But, performance?
fdd
06/27/2018 27 Performance Evaluation Setup
■ Client ▪ Intel Core i5-M520, 2.4 GHz ■ Evaluation Setup ▪ Intel 82577LM GiB Ethernet 1. Internet ▪ Debian 9.4, x86_64 2. Local webserver ▪ Lighttpd 1.4.45-1 3. Local webserver through ■ ab (Apache Benchmark) passthrough JWT validator ▪ version 2.4.25-3+deb9u4 4. Local webserver through real ▪ 6 concurrent requests JWT validator ▪ 1000 requests 1k, 10k, 100k, 1M
06/27/2018 28 Performance Evaluation Results
1k 10k 100k 1M 1k 10k 100k 1M 100 2.5
2 10
1.5 1 1
0.1 0.5
0.01 0 Internet Local Passthrough Validated Local Passthrough Validated
Mean latency between request [ms]
06/27/2018 29 Component-based architecture Reimplement? Reuse? Both!
■ Component-based systems and program verification fit together very well! ■ Confidentiality & integrity ▪ No need to verify large code bases ▪ Reuse of large parts of the architecture ▪ Minimal trusted computing base ▪ Performance: Promising, but needs evaluation in realistic setup
06/27/2018 30 Component-based architecture What else?
■ Everything you saw is open source – try it! ■ JWX library for parsing JWTs (and more) ▪ https://github.com/Componolit/jwx ■ Demo ▪ examples/authproxy.adb (in JWT repository) ■ Libsparkcrypto ▪ https://github.com/Componolit/libsparkcrypto ■ Genode OS Framework ▪ https://github.com/genodelabs/genode ■ SPARK ▪ https://www.adacore.com/download
06/27/2018 31 Questions?
Alexander Senier Managing Director [email protected]
@Componolit · componolit.com · github.com/Componolit
06/27/2018 32