compositional verification of security properties for
play

Compositional Verification of Security Properties for Embedded - PowerPoint PPT Presentation

Sep 29, 2023 •251 likes •903 views

Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann , Oliver Schwarz , Mads Dam KTH Royal Institute of Technology, Stockholm, Sweden RISE.SICS, Kista, Sweden cbaumann@kth.se

  1. Compositional Verification of Security Properties for Embedded Execution Platforms Christoph Baumann ∗ , Oliver Schwarz ⋆ , Mads Dam ∗ ∗ KTH Royal Institute of Technology, Stockholm, Sweden ⋆ RISE.SICS, Kista, Sweden cbaumann@kth.se PROOFS, Taipei, 2017-09-29

  2. Low and High Level System Security Bugs Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 2 / 16

  3. Inter-guest communication (IGC) minimal COTS hypervisor for ARMv8: fixed #guests, fixed memory size cores and devices owned exclusively no device virtualization, except: GIC secure boot loader memory isolation through HW extensions & SMMUs communication only through pre-defined channels Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 3 / 16

  4. Inter-guest communication (IGC) minimal COTS hypervisor for ARMv8: fixed #guests, fixed memory size cores and devices owned exclusively no device virtualization, except: GIC secure boot loader memory isolation through HW extensions & SMMUs communication only through pre-defined channels Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 3 / 16

  5. Inter-guest communication (IGC) minimal COTS hypervisor for ARMv8: fixed #guests, fixed memory size cores and devices owned exclusively no device virtualization, except: GIC secure boot loader memory isolation through HW extensions & SMMUs communication only through pre-defined channels Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 3 / 16

  6. Goal: Bisimulation with Ideal Model R ⇔ ideal model: secure by construction bisimulation relation R : transfer information flow properties verification: focus on arbitrary guest steps here Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 4 / 16

  7. SoCs complex / formal verification expensive Decomposition: utilize HW-specific properties & features compositionality fixed communication channels Abstraction: lots of details irrelevant for security focus on communication hide internal state refine component models later Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 5 / 16

  8. SoCs complex / formal verification expensive Decomposition: utilize HW-specific properties & features compositionality fixed communication channels Abstraction: lots of details irrelevant for security focus on communication hide internal state refine component models later Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 5 / 16

  9. ARMv8 platform model Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  10. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  11. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  12. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  13. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Memory: flat map of contents, received requests, forwarded I/O Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  14. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Memory: flat map of contents, received requests, forwarded I/O GIC: hypervisor-accessed registers, abstract interrupt state Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  15. ARMv8 platform model (S)MMU: active?, page table base, current translations, mem requests Core: execution mode, some hypervisor registers relevant Device: mostly uninterpreted, DMA enabled?, track communication Memory: flat map of contents, received requests, forwarded I/O GIC: hypervisor-accessed registers, abstract interrupt state hypervisor: fine-grained LTS, communication with GIC Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 6 / 16

  16. Hypervisor LTS: IGC interrupt injection Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 7 / 16

  17. Hypervisor LTS: IGC interrupt injection Inject await cwait iwait deact rcv k C Inject Deact k A c h c e c e A r h r snd d k d c snd c c n C n k v v s s Deact entry inject check dwait snd D e a r c c v t Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 7 / 16

  18. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  19. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  20. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  21. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Device: inactive at boot Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  22. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Device: inactive at boot Memory: correct page tables set up Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  23. Verification: Platform Invariants Component Constraints & HV configuration ⇒ Invariant Inv : Messages & interrupts: preserve guest separation Core: HV registers set up correctly, PC-safety in HV mode (S)MMU: active after init, points to right page table Device: inactive at boot Memory: correct page tables set up GIC: correct distributor configuration Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 8 / 16

  24. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  25. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  26. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  27. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write ideal GIC: interrupt separation by construction Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  28. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write ideal GIC: interrupt separation by construction message buffers as placeholders for (S)MMUs Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  29. Verification: Ideal Model ideal core: HV invisible / atomic hypercall semantics buffer for outgoing IGC notification interrupts IGC shared memory duplicated and copied on write ideal GIC: interrupt separation by construction message buffers as placeholders for (S)MMUs memory: only guest portion, intermediate physical addresses Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 9 / 16

  30. Verification: Bisimulation Theorem ⇓ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

  31. Verification: Bisimulation Theorem ⇓ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

  32. Verification: Bisimulation Theorem ⇑ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

  33. Verification: Bisimulation Theorem ⇑ R R Baumann, Schwarz, Dam Compositional Platform Verification PROOFS 2017 10 / 16

Recommend

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and

Symbolic verification of cryptographic protocols using Tamarin Part 3 : Security Properties and Algorithmic Verification David Basin ETH Zurich Summer School on Verification Technology, Systems & Applications Nancy France August 2018

1.23k views • 78 slides
Viktor Vafeiadis Software Analysis & Verification Full functional verification

Viktor Vafeiadis Software Analysis & Verification Full functional verification

Viktor Vafeiadis Software Analysis & Verification Full functional verification Compilers , concurrent programs , theorem provers Program equivalence / Compositional reasoning Compositional compiler verification

266 views • 3 slides
Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla

Understanding the Security Properties of Ballot-Based Verification Techniques Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 Understanding the Security Properties of Ballot-Based Verification 1 WARNING This talk contains no research content.

284 views • 15 slides
Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri

Compositional Verification of PLC Software using Horn Clauses and Mode Abstraction Dimitri Bohlender | Stefan Kowalewski WODES 2018, June 1, 2018 Introduction CHC-based Verification Conclusion Outline Introduction CHC-based Verification

1.75k views • 118 slides
COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction)

COMPOSITIONAL APPROACH TO PROGRAM FORMALIZATION AND VERIFICATION (methodological introduction) Mykola (Nikolaj) S. Nikitchenko Taras Shevchenko National University of Kyiv Linz, JKU, November 08-19, 2012 1 Contents Introduction

783 views • 40 slides
Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo

Compositional Certification John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Compositional Certification: 1 Systems, Components, and Properties Security, for example, is a system property

522 views • 17 slides
Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng

Local State Space Construction for Compositional Verification of Concurrent Systems Hao Zheng Department of Computer Science and Engineering University of South Florida H. Zheng (CSE USF) Local State Space Construction for Compositional

1.12k views • 50 slides
Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash

Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash

Compositional Verification of Software Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard 2 1 Technische Universit at Braunschweig, Germany 2 Kungliga Tekniska H ogskolan, Stockholm, Sweden Deduction at Scale 2011 Schlo

662 views • 26 slides
Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard

Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard

Compositional Verification of Product Families Ina Schaefer 1 Dilian Gurov 2 Siavash Soleimanifard 2 1 Technische Universit at Braunschweig, Germany 2 Kungliga Tekniska H ogskolan, Stockholm, Sweden Formal Methods for Components and Objects

270 views • 25 slides
Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem

Modular, compositional and sound verification of the input/output behavior of programs Willem Penninckx, Bart Jacobs, Frank Piessens Department of Computer Science, KU Leuven, Belgium DRADS 2014 Table of Contents Introduction Requirements

660 views • 45 slides
Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017

Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017

Overview Definitions Algorithm References Learning minimal separating DFA for Compositional Verification Karsten Fix February 23, 2017 Karsten Fix Learning minimal separating DFA for Compositional Verification Overview Definitions

525 views • 35 slides
Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion -

Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion -

Compositional Verification of Events and Observers Cynthia Disenfeld and Shmuel Katz Technion - Israel Institute of Technology March 21, 2011 Standard Aspect Model Pointcuts determine the places where aspects should be woven. Aspect

464 views • 20 slides
Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search

Scalable Software Testing and Verification of Non-Functional Properties through Heuristic Search and Optimization Lionel Briand Interdisciplinary Centre for ICT Security, Reliability, and Trust (SnT) University of Luxembourg, Luxembourg ITEQS,

1.41k views • 113 slides
Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer

Compositional Security Evaluation: The MILS approach John Rushby and Rance DeLong Computer Science Laboratory SRI International Menlo Park CA USA Primary affiliation: LynuxWorks John Rushby, Rance DeLong, SR I Compositional Security

466 views • 25 slides
SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate

1 SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Securify Architecture Reasoning with Untrusted Components

418 views • 13 slides
A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston

A Compositional Logic A Compositional Logic for Control Flow for Control Flow Gang Tan, Boston College g , g Andrew W. Appel, Princeton University Jan 8 2006 Jan 8, 2006 1 Mobile Code Security Protect trusted system against

561 views • 26 slides
Compositional Action System Derivation Introduction Using Enforced Properties Action systems

Compositional Action System Derivation Introduction Using Enforced Properties Action systems

Compositional Action System Derivation Using Enforced Properties Brijesh Dongol and Ian J. Hayes Compositional Action System Derivation Introduction Using Enforced Properties Action systems Enforced properties Example Brijesh Dongol

785 views • 45 slides
Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David

Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David

Compositional Security Modelling: Structure, Economics, and Behaviour Tristan Caulfield 1 David Pym 1 Julian Williams 2 1 Department of Computer Science, University College London 2 Business School, University of Durham 26th June 2014 Security

439 views • 10 slides
Security Biometric identification recognition and/or verification of a persons identity.

Security Biometric identification recognition and/or verification of a persons identity.

Biometric identification Use of a human anatomic or behavioural characteristic for automatic Security Biometric identification recognition and/or verification of a persons identity. Desired properties of this characteristic: Markus Kuhn

274 views • 5 slides
park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security

park ber Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor Amit Vasudevan (CyLab-CMU), Sagar Chaki (SEI-CMU), Petros Maniatis (Google Inc.), Limin Jia, Anupam Datta (ECE/CSD-CMU)

517 views • 24 slides
Outline Introduction Modeling Specifying properties and Verification An example

Outline Introduction Modeling Specifying properties and Verification An example

Outline Introduction Modeling Specifying properties and Verification An example Project assignment References, links Shangzhu Weng Labeled Transition System Analyzer (LTSA) Animate and check the behavior of the overall

928 views • 51 slides
Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems Alessio

Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems Alessio

Parameterised Verification of Strategic Properties in Probabilistic Multi-Agent Systems Alessio Lomuscio and Edoardo Pirovano Verification of Autonomous Systems Group Imperial College London, UK https://vas.doc.ic.ac.uk/ AAMAS 2020

289 views • 17 slides
Streaming Verification of Graph Properties Amirali Abdullah 1 Samira Daruki 2 Chitradeep Dutta Roy

Streaming Verification of Graph Properties Amirali Abdullah 1 Samira Daruki 2 Chitradeep Dutta Roy

Streaming Verification of Graph Properties Amirali Abdullah 1 Samira Daruki 2 Chitradeep Dutta Roy 2 Suresh Venkatasubramanian 2 December 11, 2016 1 Qualtrics 2 University of Utah 1 Streaming Verification of Graph Properties Amirali Abdullah 1

983 views • 72 slides
Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE

Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Comparison of Cryptographic Verification Tools Dealing with Algebraic Properties Pascal LAFOURCADE , Vanessa Terrade & Sylvain Vigier Universit e Joseph

1.01k views • 49 slides

More recommend