The Role of Language Technology in Trustworthy Operating Systems Gernot Heiser NICTA and University of New South Wales Sydney, Australia
PLOS'11 Keynote LANGUAGES AS TOOLS
©2011 Gernot Heiser NICTA 2 PLOS'11 Keynote seL4 Aim: Formal Verification
Design & Formal ??? Specify Model Proof Proof
High-Performance Safety C implementation Theorem
©2011 Gernot Heiser NICTA 3 COMP9242 S2/2011 W11 Clash of Mentalities
Formal Methods Practitioner Kernel Hacker
©2011 Gernot Heiser NICTA 4 COMP9242 S2/2011 W11 Standard Kernel Design
Kernel Hacker View White- board Step 2 Design & Specify Formal Model
High-Performance C implementation Proof Proof
Prototype on Safety Real Hardware Theorem
©2011 Gernot Heiser NICTA 5 COMP9242 S2/2011 W11 Formal Design
Formal Methods View Design in Theorem Prover
Design & Formal Specify Model
High-Performance Safety C implementation Step 2 Theorem
©2011 Gernot Heiser NICTA 6 COMP9242 S2/2011 W11 Haskell as Lingua Franca
Produc- Iterative Design tivity Design & Specify
Haskell Formal Safety Proof Model Model Theorem
Inspired by existing code
High-Performance C implementation
©2011 Gernot Heiser NICTA 7 COMP9242 S2/2011 W11 Haskell Model as Executable Prototype
Built with Standard Toolchain Test App Binary
Execute
Syscall Haskell QEMU Model Return
Custom Interface
©2011 Gernot Heiser NICTA 8 PLOS'11 Keynote Haskell Model as Intermediate Refinement
Safety Theorem
Abstract Haskell Formalization Nice Model Spec . Impl Proof Proof
Executable Formalization Haskell Model Model Ugly
Proof Proof Low-level Data-struct. C Imple- & Algorithms mentation
©2011 Gernot Heiser NICTA 9 COMP9242 S2/2011 W11 LANGUAGES FOR TRUSTWORTHINESS
©2011 Gernot Heiser NICTA 10 PLOS'11 Keynote Trustworthiness
Trustworthiness
Security Safety Reliability
These are full-system properties!
©2011 Gernot Heiser NICTA 11 PLOS'11 Keynote Real-World Trustworthiness
Isolation Untrustworthy Non-critical Critical Legacy Code Complex Simple GUIs etc Control
Controlled communication
Prerequisites: Isolation, communication and legacy support!
©2011 Gernot Heiser NICTA 12 Imperial, Oct'11 Two Approaches to Isolation
MMU-enforced protection Type Safety • Kernel: • Language runtime – controls HW – controls HW – IPC for communication – manages memory – Address spaces for isolation – …?
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 13 PLOS'11 Keynote Representative Systems
MMU-protected: L4 Type-safe: Singularity • State-of-the-art microkernels • Most complete recent system – for 18 years • Some published performance • IPC performance still unbeaten – Surprisingly no L4 – lots of published data comparison! • Widely deployed: – OKL4 on 1.2 billion devices
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 14 PLOS'11 Keynote Cost of Isolation
MMU-enforced protection Type Safety • Context switching • Run-time bounds checks – thread context • Garbage collection – protection context • Switching is just function call – IPC semantics Small continuous overhead • Other execution at full speed Large per-switch overhead
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 15 PLOS'11 Keynote Performance: Intra-Domain Execution L4 WINNER Singularity Direct overhead: zero Bounds-check overhead: 4.7% [Hunt & Larus, OSR’07] • Any code runs at native speed Type-safe system incurs Indirect overheads: TLB reloads sameDoes O/H not when include: supporting • Dependent on program size • Costlegacy of software! garbage collector • Mostly low, can be 10s of % • Optimization opportunity
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 16 PLOS'11 Keynote Performance: Cross-Domain IPC L4 WINNER Singularity AMD-64 @ 1.6 GHz: AMD-64 @ 2.0 GHz • 230 cycles for 0–24 bytes • 803 cycles for 1 byte [http://www.l4ka.org/126.php] • 933 cycles for 4 bytes [Hunt & al, EuroSys’07]
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 17 PLOS'11 Keynote TCB Size L4 WINNER Singularity Kernel code: ! 10 kLOC No published data, but • seL4 on ARM: 9 kLOC • ”probably bigger than L4” Userland: depends Other systems similar Formally verified ⇒ • seL4: as small as 1.5 kLOC size• … no or longer incomplete matters! functionality, for real-world systems e.g. no legacy support
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 18 PLOS'11 Keynote Summary
MMU-enforced protection Type Safety • Faster • ??? • Probably smaller TCB • Functionally-correct
App App App App
Trusted Userland Language runtime support Garbage Kernel Addr- H/W Stuff H/W IPC TCB Collector Spaces control control
Hardware Hardware
©2011 Gernot Heiser NICTA 19 PLOS'11 Keynote Does Memory-Safety Help Safety or Security?
• It’s better than nothing – … but on its own it doesn’t help much in proving safety • Type safety doesn’t stop: – your garbage collector being buggy • possibly destroying type safety – your scheduler being buggy • leading to unsafe thread execution order • leaks information through scheduling decisions – your IPC primitive having unsafe side effects • affecting or leaking data to third threads
©2011 Gernot Heiser NICTA 20 PLOS'11 Keynote Safety and Security
Safety Security Availability
Functional Timeliness Correctness Confident. / Info Flow
Termination Memory Safety
Integrity
©2011 Gernot Heiser NICTA 21 PLOS'11 Keynote The seL4 Experience
Confiden- Availability Integrity tiality
Abstract 0 py Model 1 py By construction 4 months Proof Proof
30–35 py Executable 4.5 years Model 2 py,1 year Mostly for tools Proof Proof
C Imple- WCET mentation Analysis
©2011 Gernot Heiser NICTA 22 COMP9242 S2/2011 W11 seL4: Next 12 Months
Confiden- Availability Integrity tiality
Abstract Model
Timing- Proof Proof Channel Mitigation Executable Model Non-Inter- ference Proof Proof
C Imple- WCET mentation Analysis
©2011 Gernot Heiser NICTA 23 COMP9242 S2/2011 W11 seL4 for Safety and Security
Safety Security Availability 䘠
Functional 䘠 Timeliness 䘠 Correctness Confident. / Info Flow
Termination 䘠 Memory Safety 䘠
Integrity䘠
©2011 Gernot Heiser NICTA 24 PLOS'11 Keynote seL4 Summary
• First (and still only) general-purpose OS kernel with – Functional correctness proof – Integrity proof – Complete, sound WCET analysis • Yet, performance at par with any comparable system! – 200 cycle IPC on ARM11
• Likely to be the first kernel with – Confidentiality proof – Non-interference proof – Sound covert-channel mitigation
©2011 Gernot Heiser NICTA 25 PLOS'11 Keynote Let’s Stop Kidding Ourselves
… and the people who trust our expertise!
• By implying that type-safe = safe – Type-safe ≪ safe; type-safe ≪ secure – … and there’s no easy way to get there • By implying that a system where all code is managed is practicable – Nothing will be used if it can’t provide legacy support – Test: Can it run Linux?
Trustworthiness is best achieved through functional correctness! • Excellent basis for showing integrity and confidentiality
©2011 Gernot Heiser NICTA 26 PLOS'11 Keynote Our View of Implementation Languages
Managed App App Managed Your choice! runtime (… but managed Linux Other is clearly better) GC Stuff App
Trusted Userland DSL/C Formal Kernel Addr- H/W C + IPC Verification Spaces control asm
Hardware
mailto:gernot@nicta.com.au Google: “ertos”
©2011 Gernot Heiser NICTA 27 PLOS'11 Keynote