Introduction Muen Intel Virtualization Support Challenges Approach
Verification of a Separation Kernel
Inzemamul Haque
Indian Institute of Science, Bangalore
17 July 2017 Introduction Muen Intel Virtualization Support Challenges Approach
Outline
1 Introduction
2 Muen
3 Intel Virtualization Support
4 Challenges
5 Approach Introduction Muen Intel Virtualization Support Challenges Approach
Motivation
Defense and aerospace applications need to run security-critical programs along with untrusted programs, on the same machine. Commercial O/Ss have many vulnerabilities which make them unsuitable for this task. A Separation Kernel provides such a solution. Would like to prove certain security properties of a separation kernel. Formal verification gives highest level of assurance that a system satisfies a required property. Introduction Muen Intel Virtualization Support Challenges Approach
Separation Kernel
App App App App
Guest OS Guest OS
Security−Critical Security−Critical Security−Critical Security−Critical
Linux Kernel Separation Kernel
Processor / Hardware Processor / Hardware Introduction Muen Intel Virtualization Support Challenges Approach
Objective
Goal To give a machine-checked proof of correctness of a separation ker- nel.
How does it address the security concern? Security is part of the abstract model. Introduction Muen Intel Virtualization Support Challenges Approach
Methodology
Abstract ...
Define an abstract model which captures the correct behaviour of the Concrete ...
initinit initinit separation kernel. Abstract
=⇒ To show that for every execution in ρ
the concrete there is a corresponding init init Concrete execution in the abstract. Abstract Inductive proof by defining an ρ =⇒ ρρ abstraction relation.
Concrete Introduction Muen Intel Virtualization Support Challenges Approach
Muen Separation Kernel
Muen Policy File (in XML) Shared Subject 1 Subject 2 Subject 3 Resources
Build Muen Muen Separation Kernel Tool−chain
Intel VT−x EPT Intel VT−d Processor Other normal processor features Introduction Muen Intel Virtualization Support Challenges Approach
Example Policy File Introduction Muen Intel Virtualization Support Challenges Approach
Intel VT-x
Ring 3 Ring 3 (User applications) (User applications) Ring 2 Ring 2
Ring 1 Ring 1 VMX Ring 0 non−root mode Ring 0 (Operating System) (Operating System)
Privilege Rings VMX root mode (VMM) How to manage states during VM-entry and VM-exit?
Introduction Muen Intel Virtualization Support Challenges Approach
Life-cycle of a VMM Introduction Muen Intel Virtualization Support Challenges Approach
Life-cycle of a VMM
How to manage states during VM-entry and VM-exit? Introduction Muen Intel Virtualization Support Challenges Approach
Virtual Machine Control Structure (VMCS) Introduction Muen Intel Virtualization Support Challenges Approach
VMCS Data
Fields in VMCS can be classified as following: Guest state area - mainly register state of the guest Host state area - processor state to be loaded at VM exits VM-execution control fields - fields like external interrupt exiting, CR3 load exiting, etc. VM-entry control fields - fields which tell what to be saved during VM entry. VM-exit control fields - fields which tell what to be saved during VM exit. VM-exit information fields Introduction Muen Intel Virtualization Support Challenges Approach
Causes of VM-Exit
Instructions causing unconditional exits INVD, CPUID, etc. Instructions causing conditional exits HLT, if HLT-exiting field is set Mov from CR3, if CR3-exiting field is set External interrupts if external interrupt exiting field is set. VMX preemption timer counts to zero. Introduction Muen Intel Virtualization Support Challenges Approach
Extended Page Tables Introduction Muen Intel Virtualization Support Challenges Approach
Extended Page Tables Introduction Muen Intel Virtualization Support Challenges Approach
Muen Separation Kernel
Processor reset
BIOS
VM−exit Bootloader handler
VM−exit
VM VM−entry Subject Initialize Launcher running Introduction Muen Intel Virtualization Support Challenges Approach
Challenges
Dealing with the mixture of assembly and Ada. Proof for a general policy Reasoning about the invariants involved Introduction Muen Intel Virtualization Support Challenges Approach
Abstract Model
Our model is a state transition system. Policy also specifies number of CPUs and order of execution of subjects. Every subject runs on a standalone machine according to the schedule specified in the policy. Introduction Muen Intel Virtualization Support Challenges Approach
Abstract Model
S0 S1 S2S3 S4 S5 S6 S7
CPU 0CPU 1 CPU 2 CPU 3
S0 S5 S7 S2
S1 S4 Time S3 S6 end of major frame
S0 S5 S3 S7
S1 S4 S2 S6 end of major frame Introduction Muen Intel Virtualization Support Challenges Approach
State in the Model Introduction Muen Intel Virtualization Support Challenges Approach
Transitions in the Model
Tick Local operation - memory accessed by the subjects External interrupt Events Read channel Write channel Introduction Muen Intel Virtualization Support Challenges Approach
AdaCore SPARK
Tool to prove certain properties of Ada programs like satisfiability of pre- and post-conditions for a program. checking assertions at certain points in the program. absence of run-time errors like division by zero, dangling pointers. Carried out small exercise to verify virtual memory translator. Introduction Muen Intel Virtualization Support Challenges Approach
Dealing with mixture of assembly and Ada code
Writing the assembly instructions as Ada functions. e.g. a 64-bit register as a 64-bit modular datatype in Ada Introduction Muen Intel Virtualization Support Challenges Approach
Conclusion
Giving a machine checked proof of correctness of a separation kernel We have modelled the Muen separation kernel Focusing on correctness of initialization part of the kernel as of now. Initially working on a fixed policy