seL4: Verified Operating System for the Real World Gernot Heiser [email protected] @GernotHeiser Born August 2009 1 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 What is seL4? seL4 is an open source, high-assurance, high-performance operating system microkernel World’s most comprehensive Available on GitHub World’s fastest Piece of software that mathematical proofs of under GPLv2 license microkernel runs at the heart of any correctness and security system and controls all accesses to resources software attack critical non-critical, untrusted s hardware 2 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 What is seL4? seL4 is the most trustworthy foundation for safety- and security-critical systems Already in use across many domains: automotive, aviation, space, defence, critical infrastructure, cyber-physical systems, IoT, industry 4.0, certified security... 3 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 The Performance Benchmark Latency (in cycles) of a round-trip cross-address-space IPC on x64 Source seL4 Fisco.OC Zircon Mi et al, 2019 986 2717 8157 World’s fastest microkernel! Gu et al, 2020 1450 3057 8151 seL4.systems, Nov’20 797 N/A N/A Temporary performance regression in Dec’19 Sources: • Zeyu Mi, Dingji Li, Zihan Yang, Xinran Wang, Haibo Chen: “SkyBridge: Fast and Secure Inter-Process Communication for Microkernels”, EuroSys, April 2020 • Jinyu Gu, Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen: “Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication”, Usenix ATC, June 2020 • seL4 Performance, https://sel4.systems/About/Performance/, accessed 2020-11-08 4 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Proofs • Interactive theorem proving Confidentiality Integrity Availability • Shows kernel can guarantee Proof Security security properties Proof Proof Enforcement Abstract Model Functional • Interactive theorem proving Proof Correctness Still only capaBility-based • Shows C code correctly OS kernel with functional C Imple- implements specification correctness proof mentation Translation Proof Correctness Binary code • Automated tool chain • Shows binary is correct translation of C 5 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Functional Correctness Summary Can prove further Kinds of properties proved properties on • Behaviour of C code is fully captured by abstract model abstract level! • Behaviour of C code is fully captured by executable model • Kernel never fails, behaviour is always well-defined Bugs found: • assertions never fail • 16 in (shallow) testing • will never de-reference null pointer • 460 in verification • will never access array out of bounds • 160 in C, • cannot be subverted by misformed input • 150 in design, • All syscalls terminate, reclaiming memory is safe, ... • 150 in spec • Well typed references, aligned objects, kernel always mapped… • Access control is decidable 6 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Verification Assumptions Confidentiality Integrity Availability Proof Proof 1. Hardware behaves as expected Proof Abstract Model • Formalised hardware-software contract (ISA) • Hardware implementation free of bugs, Trojans, … Proof C Implementation 2. Spec matches expectations Proof • Can only prove “security” if specify what “security” means Binary code • Spec may not be what we think it is 3. Proof checker is correct • Isabel/HOL checking core that validates proofs against logic With binary verification do not need to trust C compiler! 7 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Verification Cost in Context $400 Green Hills INTEGRITY $1000 Fast! Slow! Assurance L4 Pistachio $100–150 100 250 500 750 1000 Cost ($/SLOC) 8 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Real-World Use 9 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 DARPA HACMS Retrofit Autonomous trucks existing system! Unmanned Little Bird (ULB) Develop Off-the-shelf technology GVR-Bot Drone airframe 10 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 ULB Architecture Ground Mission GPS Station Link Computer Camera Network Flight Sensors Motors Computer 11 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Incremental Cyber Retrofit Original Trusted Mission Trusted GS Lk Computer Mission Manager Miss Trusted Crypto Camera Mgr Mission Manager Local NW GPS Crypto Cam- era Crypto Camera Ground Stn Link GPS Local NW GPS Linux Linux Linux Local Ground Stn Link Virt-Mach Monitor NW VMM VMM Linux 12 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Incremental Cyber Retrofit Original Mission Trusted GS Lk Computer Miss Trusted Mgr Mission Manager Crypto Cam- Cam- era era Crypto Camera GPS Trusted Linux Crypto Mission Linux Local NW GPS Linux Mngr Local Local Ground Stn Link NW VMM VMM NW Comms GPS VMM Linux 13 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Incremental Cyber Retrofit Original [Klein et al, CACM, Oct’18] Mission Computer Cyber-secure Mission Trusted Computer Mission Manager Cam- era Crypto Camera Trusted Crypto Mission Linux Local NW GPS Mngr Local Ground Stn Link NW Comms GPS VMM Linux 14 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Issue: seL4 Objects are Low-Level A A BB Thread-Object CSpace CSpace VSpace A Thread-ObjectB CNode EP A1 CNodeB1 PDA PTA1 FRAME CNodeA2 Send ... CONTEXT CONTEXT Send ... Receive ... FRAME ... ... ... Receive VSpace >50 capabilities for trivial program! 15 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Simple But Non-Trivial System 16 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Component Middleware: CAmkES Higher-level abstractions of low-level seL4 constructs Interface Comp A Comp B RPC Component Connector Shared memory Semaphore Comp C 17 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 HACMS UAV Architecture Security enforcement: Linux only sees encrypted data Radio Driver Data Link Uncritical/ untrusted, contained Wifi Crypto Camera Linux CAN Driver 18 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Enforcing the Architecture Radio Driver Data Link Uncritical/ CAmkES untrusted, Wifi contained Architecture Crypto component + Camera A B code specification CAN Driver Linux language LowcapDL-level access rights A B + proof glue Thread CSpace CSpace Thread code Object Object glue.c driver.c VMM.c CNode EP CNode + proof Send CONTEXT CONTEXT ... Receive ... VSpace VSpace Compiler/ Conditions Linker apply initialised systeminit.c+ proof binary 19 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Military-Grade Security Cross-Domain Desktop Compositor Multi-level secure terminal • Successful trials in AU, US, UK, CA • Commercialisation in progress Secure communication device in use in AU, UK defence forces 20 | seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020 Real-World Use Courtesy Boeing, DARPA 21 seL4 – CODE Workshop – Munich – Nov'20 © Gernot Heiser 2020.