Introduction Muen Intel Virtualization Support Challenges Approach

Verification of a Separation Kernel

Inzemamul Haque

Indian Institute of Science, Bangalore

17 July 2017 Introduction Muen Intel Virtualization Support Challenges Approach

Outline

1 Introduction

2 Muen

3 Intel Virtualization Support

4 Challenges

5 Approach Introduction Muen Intel Virtualization Support Challenges Approach

Motivation

Defense and aerospace applications need to run security-critical programs along with untrusted programs, on the same machine. Commercial O/Ss have many vulnerabilities which make them unsuitable for this task. A Separation Kernel provides such a solution. Would like to prove certain security properties of a separation kernel. Formal verification gives highest level of assurance that a system satisfies a required property. Introduction Muen Intel Virtualization Support Challenges Approach

Separation Kernel

App App App App

Guest OS Guest OS

Security−Critical Security−Critical Security−Critical Security−Critical

Linux Kernel Separation Kernel

Processor / Hardware Processor / Hardware Introduction Muen Intel Virtualization Support Challenges Approach

Objective

Goal To give a machine-checked proof of correctness of a separation ker- nel.

How does it address the security concern? Security is part of the abstract model. Introduction Muen Intel Virtualization Support Challenges Approach

Methodology

Abstract ...

Define an abstract model which captures the correct behaviour of the Concrete ...

initinit initinit separation kernel. Abstract

=⇒ To show that for every execution in ρ

the concrete there is a corresponding init init Concrete execution in the abstract. Abstract Inductive proof by defining an ρ =⇒ ρρ abstraction relation.

Concrete Introduction Muen Intel Virtualization Support Challenges Approach

Muen Separation Kernel

Muen Policy File (in XML) Shared Subject 1 Subject 2 Subject 3 Resources

Build Muen Muen Separation Kernel Tool−chain

Intel VT−x EPT Intel VT−d Processor Other normal processor features Introduction Muen Intel Virtualization Support Challenges Approach

Example Policy File Introduction Muen Intel Virtualization Support Challenges Approach

Intel VT-x

Ring 3 Ring 3 (User applications) (User applications) Ring 2 Ring 2

Ring 1 Ring 1 VMX Ring 0 non−root mode Ring 0 (Operating System) (Operating System)

Privilege Rings VMX root mode (VMM) How to manage states during VM-entry and VM-exit?

Introduction Muen Intel Virtualization Support Challenges Approach

Life-cycle of a VMM Introduction Muen Intel Virtualization Support Challenges Approach

Life-cycle of a VMM

How to manage states during VM-entry and VM-exit? Introduction Muen Intel Virtualization Support Challenges Approach

Virtual Machine Control Structure (VMCS) Introduction Muen Intel Virtualization Support Challenges Approach

VMCS Data

Fields in VMCS can be classified as following: Guest state area - mainly register state of the guest Host state area - processor state to be loaded at VM exits VM-execution control fields - fields like external interrupt exiting, CR3 load exiting, etc. VM-entry control fields - fields which tell what to be saved during VM entry. VM-exit control fields - fields which tell what to be saved during VM exit. VM-exit information fields Introduction Muen Intel Virtualization Support Challenges Approach

Causes of VM-Exit

Instructions causing unconditional exits INVD, CPUID, etc. Instructions causing conditional exits HLT, if HLT-exiting field is set Mov from CR3, if CR3-exiting field is set External interrupts if external interrupt exiting field is set. VMX preemption timer counts to zero. Introduction Muen Intel Virtualization Support Challenges Approach

Extended Page Tables Introduction Muen Intel Virtualization Support Challenges Approach

Extended Page Tables Introduction Muen Intel Virtualization Support Challenges Approach

Muen Separation Kernel

Processor reset

BIOS

VM−exit Bootloader handler

VM−exit

VM VM−entry Subject Initialize Launcher running Introduction Muen Intel Virtualization Support Challenges Approach

Challenges

Dealing with the mixture of assembly and Ada. Proof for a general policy Reasoning about the invariants involved Introduction Muen Intel Virtualization Support Challenges Approach

Abstract Model

Our model is a state transition system. Policy also specifies number of CPUs and order of execution of subjects. Every subject runs on a standalone machine according to the schedule specified in the policy. Introduction Muen Intel Virtualization Support Challenges Approach

Abstract Model

S0 S1 S2S3 S4 S5 S6 S7

CPU 0CPU 1 CPU 2 CPU 3

S0 S5 S7 S2

S1 S4 Time S3 S6 end of major frame

S0 S5 S3 S7

S1 S4 S2 S6 end of major frame Introduction Muen Intel Virtualization Support Challenges Approach

State in the Model Introduction Muen Intel Virtualization Support Challenges Approach

Transitions in the Model

Tick Local operation - memory accessed by the subjects External interrupt Events Read channel Write channel Introduction Muen Intel Virtualization Support Challenges Approach

AdaCore SPARK

Tool to prove certain properties of Ada programs like satisfiability of pre- and post-conditions for a program. checking assertions at certain points in the program. absence of run-time errors like division by zero, dangling pointers. Carried out small exercise to verify virtual memory translator. Introduction Muen Intel Virtualization Support Challenges Approach

Dealing with mixture of assembly and Ada code

Writing the assembly instructions as Ada functions. e.g. a 64-bit register as a 64-bit modular datatype in Ada Introduction Muen Intel Virtualization Support Challenges Approach

Conclusion

Giving a machine checked proof of correctness of a separation kernel We have modelled the Muen separation kernel Focusing on correctness of initialization part of the kernel as of now. Initially working on a fixed policy