applications of formal verification for secure cloud
play

Applications of formal verification for secure Cloud environments at - PowerPoint PPT Presentation

Apr 08, 2024 •208 likes •597 views

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,. . . SEC2, Lille, June 30 th , 2015 N. Kosmatov (CEA LIST) Formal Verification for secure Cloud

  1. Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,. . . SEC2, Lille, June 30 th , 2015 N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 1 / 28

  2. Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 2 / 28

  3. Frama-C, a platform for analysis of C code Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 3 / 28

  4. Frama-C, a platform for analysis of C code Frama-C, a brief history ◮ 90’s: CAVEAT, Hoare logic-based tool for C code at CEA ◮ 2000’s: CAVEAT used by Airbus during certification process of the A380 (DO-178 level A qualification) ◮ 2008: First public release of Frama-C (Hydrogen) ◮ 2012: New Hoare-logic based plugin WP developed at CEA LIST ◮ Today: Frama-C Sodium (v.11) ◮ Multiple projects around the platform ◮ A growing community of users. . . ◮ and of plugin developers N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 4 / 28

  5. Frama-C, a platform for analysis of C code Frama-C at a glance ◮ A Framework for Modular Analysis of C code ◮ Developed at CEA LIST and INRIA Saclay ◮ Released under LGPL license ◮ Kernel based on CIL [Necula et al. (Berkeley), CC 2002] ◮ ACSL annotation language ◮ Extensible plugin oriented platform ◮ Collaboration of analyses over same code ◮ Inter plugin communication through ACSL formulas ◮ Adding specialized plugins is easy ◮ http://frama-c.com/ [Cuoq et al. SEFM 2012, FAC 2015] N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 5 / 28

  6. Frama-C, a platform for analysis of C code ACSL: ANSI/ISO C Specification Language ◮ Based on the notion of contract, like in Eiffel, JML ◮ Allows users to specify functional properties of programs ◮ Allows communication between various plugins ◮ Independent from a particular analysis ◮ Manual at http://frama-c.com/acsl Basic Components ◮ First-order logic ◮ Pure C expressions ◮ C types + Z (integer) and R (real) ◮ Built-in predicates and logic functions N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 6 / 28

  7. Frama-C, a platform for analysis of C code Example: a C program annotated in ACSL / ∗ @ r e q u i r e s n > =0 && \ v a l i d ( t +(0.. n − 1)); a s s i g n s \ nothing ; \ r e s u l t != 0 < == ensures > ( \ f o r a l l i n t e g e r j ; 0 < = j < n == > t [ j ] == 0 ) ; ∗ / i n t a l l z e r o s ( i n t t [ ] , i n t n ) { i n t k ; / ∗ @ loop i n v a r i a n t 0 < = k < = n ; loop i n v a r i a n t \ f o r a l l i n t e g e r j ; 0 < =j < k == > t [ j ]==0; k ; loop a s s i g n s loop v a r i a n t n − k ; ∗ / f o r ( k = 0 ; k < n ; k++) ( t [ k ] != 0) i f return 0; 1; Can be proven return } in Frama-C/WP N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 7 / 28

  8. Frama-C, a platform for analysis of C code Main Frama-C plugins VALUE Jessie WP Aora¨ ı Agen Specification Generation Mthread Abstract Interpretation Deductive Verification Concurrency Formal Methods E-ACSL PathCrawler Frama-C Plugins Code Transformation Dynamic Analysis STADY Spare code LTEST Semantic constant folding SANTE Browsing of unfamiliar code Slicing Scope & Data-flow browsing Metrics computation Variable occurrences Impact Analysis N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 8 / 28

  9. Frama-C, a platform for analysis of C code Plugin WP for deductive verification ◮ Based on Weakest Precondition calculus [Dijkstra, 1976] ◮ Proves that a given program respects its specification ◮ Relies on ◮ automatic provers (Alt-Ergo, CVC4, Z3, . . . ) ◮ when necessary, interactive proof assistants (Coq) N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 9 / 28

  10. Verification of a Cloud hypervisor Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 10 / 28

  11. Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Anaxagoros Microkernel ◮ Clouds mutualize physical resources between users ◮ Safety and security are crucial N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 11 / 28

  12. Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Anaxagoros Microkernel ◮ Clouds mutualize physical resources between users ◮ Safety and security are crucial N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 11 / 28

  13. Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Anaxagoros Microkernel ◮ Clouds mutualize physical resources between users ◮ Safety and security are crucial ◮ Anaxagoros ◮ Secure microkernel hypervisor ◮ Developped at CEA LIST by Matthieu Lemerre ◮ Designed for resource isolation and protection ◮ Virtual memory system is a key module to ensure isolation N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 11 / 28

  14. Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Virtual Memory Subsystem ◮ Organizes program address spaces ◮ Creates a hierarchy of pages ◮ Allows sharing when needed ◮ Controls accesses and modifications to the pages ◮ Only owners can access their pages ◮ Types of the pages limit possible actions ◮ Counts mappings, references, to each page N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 12 / 28

  15. Verification of a Cloud hypervisor Formal Verification Memory invariant for sequential version ◮ Maintain the counters of mappings to pages: ◮ The counter mappings [ e ] must be equal to the real number of mappings to the page e ◮ Let Occ e be the number of mappings, i.e. occurrences of e in all pagetables ◮ We want ot prove: ∀ e , validpage ( e ) ⇒ Occ e = mappings [ e ] ≤ MAX N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 13 / 28

  16. Verification of a Cloud hypervisor Formal Verification Memory invariant for concurrent version Concurrency issues ◮ Pages might be modified by different processes simultaneously ◮ That creates a gap between the actual number of mappings and the counter New invariant : ∀ e , validpage ( e ) ⇒ Occ e ≤ mappings [ e ] ≤ MAX and more precisely, ∀ e , validpage ( e ) ⇒ ∃ k . k ≥ 0 ∧ Occ e + k = mappings [ e ] ≤ MAX Here k is the number of threads that have introduced a difference in the counter, difference of at most 1. N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 14 / 28

  17. Verification of a Cloud hypervisor Formal Verification Simulation of the concurrency ◮ To model the execution context, we introduce for each thread : ◮ global arrays representing the value of each local variable ◮ a global array representing its position in the execution ◮ We simulate every atomic step with a function that performs this step for one thread ◮ We create an infinite loop that randomly chooses a thread and makes it perform a step of execution according to its current position N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 15 / 28

  18. Verification of a Cloud hypervisor Results and discussion Verification results ◮ Partial verification of a critical module of Anaxagoros hypervisor ◮ For low-level functions, we conducted a “classic” verification ◮ Specification with ACSL ◮ Automatic proof with Frama-C/WP and SMT Solvers (CVC4, Z3) ◮ For the concurrent function used to change pagetables : ◮ First specification and proof for sequential version ◮ Weakening of the invariant for concurrency ◮ Specification and proof of the simulated version ◮ Only a few properties could not be proved automatically ◮ their proof is done in Coq by extracting them from WP N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 16 / 28

  19. Verification of a Cloud hypervisor Results and discussion Lessons Learned, Limitations and Benefits ◮ Ability to treat concurrent programs ◮ With a tool that originally does not handle parallelism ◮ Proof done mostly automatically ◮ Verification of properties in isolation ◮ Scalability ◮ By-hand simulation is tedious and error prone ◮ Could perfectly be automized ◮ Need for specification mean for concurrent behaviors N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 17 / 28

Recommend

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim

Towards Formal Verification in Cryptographic Web Applications A Three Year Evolution Nadim Kobeissi PROSECCO: Pro gramming Sec urely with C rypt o graphy. Team at INRIA Paris specializing in applied cryptography and formal verification.

357 views • 14 slides
Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu

Formal Verification of an Open-Source Secure Enclave Pranav Gaddamadugu pranavsaig@berkeley.edu Problem Definition Verifying hyperproperties about the Keystone Security monitor Secure Remote Execution (SRE) : a 2-safety hyperproperty

446 views • 10 slides
SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications Hella Seebach , Florian Nafz and Wolfgang Reif Motivation and goals Software &amp; Verification Co Design for highly reliable Organic Computing

402 views • 27 slides
Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply

Model-Checking Acknowledgment Formal Verification Formal verification means to apply mathematical arguments to prove the correctness of systems Systems have bugs Formal verification aims to find and correct such bugs Why? Computer systems

1.42k views • 122 slides
Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for

Formal Verification and Computer Architecture A Validated Formal Model of the x86 ISA for Analyzing Computing Systems Shilpi Goel shilpi@centtech.com Formal Verification Engineer Centaur Technology, Inc. Software and Reliability Can we rely

1.14k views • 78 slides
Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim

Formal Hardware Verification: getting started Mary Sheeran Making Formal Verification work Aim for automation (bit level) Find niches where formal methods work well Use assertions/ properties first in sim. and then in FV (the acronym is ABV,

1.14k views • 65 slides
Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal

Formal Verification in Industry 1 Formal Verification in Industry John Harrison Intel Corporation The cost of bugs Formal verification Machine-checked proof Automatic and interactive approaches HOL Light Floating point

366 views • 25 slides
SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications

SAVE ORCA Formal Modeling, Safety Analysis, and Verification of Organic Computing Applications Hella Seebach , Florian Nafz and Wolfgang Reif What has happend in the last months? Software Engineering Guideline for Resource-Flow Systems

828 views • 29 slides
Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification

Symbolic verification of cryptographic protocols using Tamarin Part 2 : Symbolic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems &amp; Applications Nancy France August 2018 Outline 1 Formal Models 2

1.01k views • 81 slides
Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal

Formal Verification of Floating-Point Arithmetic 1 Formal Verification of Floating-Point Arithmetic John Harrison Intel Corporation Formal verification Machine-checked proof Automatic and interactive approaches HOL Light

539 views • 19 slides
seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . . seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure

169 views • 16 slides
Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of

Formal Verification of Mathematical Algorithms 1 Formal Verification of Mathematical Algorithms John Harrison Intel Corporation The cost of bugs Formal verification Levels of verification HOL Light Formalizing mathematics

353 views • 19 slides
Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA

Formal Verification of RISC-V cores with riscv-formal Clifford Wolf CTO, Symbiotic EDA http://www.clifford.at/papers/2018/riscv-formal/ About assertion based formal verification (formal ABV) Assertion based verification (ABV) Uses

781 views • 39 slides
Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal

Formal Verification with Yosys-SMTBMC Clifford Wolf Yosys Flows Synthesis Formal Verification Yosys-STMBMC iCE40 FPGAs Bounded Model Checking (Project IceStorm) Using any SMT-LIB2 solver (using QF_AUFBV logic) Xilinx

707 views • 56 slides
Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Enterprise 2.0 Secure Cloud Mail and Content Collaboration

Use Case Sharing: Enterprise 2.0 Secure Cloud Mail and Content Collaboration Market Development Director / Andy Lin Secure Mail &amp; Collaboration Solution Provider 4 5 On-Premise Cloud OEM Cloud

657 views • 32 slides
Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA),

Formal verification of privacy (for RFID protocols) Stphanie Delaune quipe EMSEC (IRISA), CNRS, France Tuesday, September 13th, 2016 Security protocols everywhere ! Cryptographic protocols small programs designed to secure

923 views • 56 slides
SAT Solvers: Theory and Practice Clark Barrett barrett@cs.nyu.edu New York University Summer

SAT Solvers: Theory and Practice Clark Barrett barrett@cs.nyu.edu New York University Summer

SAT Solvers: Theory and Practice Clark Barrett barrett@cs.nyu.edu New York University Summer School on Verification Technology, Systems &amp; Applications, September 17, 2008 p. 1/98 Formal Verification [Formal] software verification

2.41k views • 193 slides
Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica

Formal Specification and Verification Formal specification (2) 29.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification 2 Formal

627 views • 19 slides
Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica

Formal Specification and Verification Formal specification (2) 6.12.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Until now Logic Formal specification (generalities) Algebraic specification Transition systems 2

798 views • 62 slides
Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

Formal Verification and Testing for Formal Verification and Testing for Reactive Systems

ARTIST2 - ARTIST2 - MOTIVES MOTIVES Trento - - Italy, February 19 Italy, February 19- -23, 2007 23, 2007 Trento Session: Testing and Runtime Verification Formal Verification and Testing for Formal Verification and Testing for Reactive

881 views • 31 slides
Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies

Machine Learning in Formal Verification Manish Pandey, PhD Chief Architect, New Technologies Synopsys, Inc. June 18, 2017 1 Build Better Formal Verification Tools? CAR BICYCLE DOG S oftware that learns from experience and enables

767 views • 40 slides
Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA

Formal Verification with SymbiYosys and Yosys-SMTBMC Clifford Wolf Availability of various EDA tools for students, hobbyists, enthusiasts FPGA Synthesis Formal Verification Free to use: Free to use: Xilinx Vivado WebPack,

819 views • 49 slides
Formal Verification via MCMAS &amp; PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS &amp; PRISM Hongyang Qu University of Sheffield 1 December 2015

Formal Verification via MCMAS &amp; PRISM Hongyang Qu University of Sheffield 1 December 2015 Outline Motivation for Formal Verification Overview of MCMAS Overview of PRISM Formal verification It is a systematic way to check

461 views • 34 slides
Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail:

Formal Specification and Verification 8.11.2016 Viorica Sofronie-Stokkermans e-mail: sofronie@uni-koblenz.de 1 Mathematical foundations Formal logic: Syntax: a formal language (formula expressing facts) Semantics: to define the meaning

740 views • 54 slides

More recommend