Verification of a Separation Kernel
Total Page:16
File Type:pdf, Size:1020Kb
Introduction Muen Intel Virtualization Support Challenges Approach Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17 July 2017 Introduction Muen Intel Virtualization Support Challenges Approach Outline 1 Introduction 2 Muen 3 Intel Virtualization Support 4 Challenges 5 Approach Introduction Muen Intel Virtualization Support Challenges Approach Motivation Defense and aerospace applications need to run security-critical programs along with untrusted programs, on the same machine. Commercial O/Ss have many vulnerabilities which make them unsuitable for this task. A Separation Kernel provides such a solution. Would like to prove certain security properties of a separation kernel. Formal verification gives highest level of assurance that a system satisfies a required property. Introduction Muen Intel Virtualization Support Challenges Approach Separation Kernel App App App App Guest OS Guest OS Security−Critical Security−Critical Security−Critical Security−Critical Linux Kernel Separation Kernel Processor / Hardware Processor / Hardware Introduction Muen Intel Virtualization Support Challenges Approach Objective Goal To give a machine-checked proof of correctness of a separation ker- nel. How does it address the security concern? Security is part of the abstract model. Introduction Muen Intel Virtualization Support Challenges Approach Methodology Abstract ::: Define an abstract model which captures the correct behaviour of the Concrete ::: initinit initinit separation kernel. Abstract =) To show that for every execution in ρ the concrete there is a corresponding init init Concrete execution in the abstract. Abstract Inductive proof by defining an ρ =) ρρ abstraction relation. Concrete Introduction Muen Intel Virtualization Support Challenges Approach Muen Separation Kernel Muen Policy File (in XML) Shared Subject 1 Subject 2 Subject 3 Resources Build Muen Muen Separation Kernel Tool−chain Intel VT−x EPT Intel VT−d Processor Other normal processor features Introduction Muen Intel Virtualization Support Challenges Approach Example Policy File Introduction Muen Intel Virtualization Support Challenges Approach Intel VT-x Ring 3 Ring 3 (User applications) (User applications) Ring 2 Ring 2 Ring 1 Ring 1 VMX Ring 0 non−root mode Ring 0 (Operating System) (Operating System) Privilege Rings VMX root mode (VMM) How to manage states during VM-entry and VM-exit? Introduction Muen Intel Virtualization Support Challenges Approach Life-cycle of a VMM Introduction Muen Intel Virtualization Support Challenges Approach Life-cycle of a VMM How to manage states during VM-entry and VM-exit? Introduction Muen Intel Virtualization Support Challenges Approach Virtual Machine Control Structure (VMCS) Introduction Muen Intel Virtualization Support Challenges Approach VMCS Data Fields in VMCS can be classified as following: Guest state area - mainly register state of the guest Host state area - processor state to be loaded at VM exits VM-execution control fields - fields like external interrupt exiting, CR3 load exiting, etc. VM-entry control fields - fields which tell what to be saved during VM entry. VM-exit control fields - fields which tell what to be saved during VM exit. VM-exit information fields Introduction Muen Intel Virtualization Support Challenges Approach Causes of VM-Exit Instructions causing unconditional exits INVD, CPUID, etc. Instructions causing conditional exits HLT, if HLT-exiting field is set Mov from CR3, if CR3-exiting field is set External interrupts if external interrupt exiting field is set. VMX preemption timer counts to zero. Introduction Muen Intel Virtualization Support Challenges Approach Extended Page Tables Introduction Muen Intel Virtualization Support Challenges Approach Extended Page Tables Introduction Muen Intel Virtualization Support Challenges Approach Muen Separation Kernel Processor reset BIOS VM−exit Bootloader handler VM−exit VM VM−entry Subject Initialize Launcher running Introduction Muen Intel Virtualization Support Challenges Approach Challenges Dealing with the mixture of assembly and Ada. Proof for a general policy Reasoning about the invariants involved Introduction Muen Intel Virtualization Support Challenges Approach Abstract Model Our model is a state transition system. Policy also specifies number of CPUs and order of execution of subjects. Every subject runs on a standalone machine according to the schedule specified in the policy. Introduction Muen Intel Virtualization Support Challenges Approach Abstract Model S0 S1 S2S3 S4 S5 S6 S7 CPU 0CPU 1 CPU 2 CPU 3 S0 S5 S7 S2 S1 S4 Time S3 S6 end of major frame S0 S5 S3 S7 S1 S4 S2 S6 end of major frame Introduction Muen Intel Virtualization Support Challenges Approach State in the Model Introduction Muen Intel Virtualization Support Challenges Approach Transitions in the Model Tick Local operation - memory accessed by the subjects External interrupt Events Read channel Write channel Introduction Muen Intel Virtualization Support Challenges Approach AdaCore SPARK Tool to prove certain properties of Ada programs like satisfiability of pre- and post-conditions for a program. checking assertions at certain points in the program. absence of run-time errors like division by zero, dangling pointers. Carried out small exercise to verify virtual memory translator. Introduction Muen Intel Virtualization Support Challenges Approach Dealing with mixture of assembly and Ada code Writing the assembly instructions as Ada functions. e.g. a 64-bit register as a 64-bit modular datatype in Ada Introduction Muen Intel Virtualization Support Challenges Approach Conclusion Giving a machine checked proof of correctness of a separation kernel We have modelled the Muen separation kernel Focusing on correctness of initialization part of the kernel as of now. Initially working on a fixed policy.