hyperkernel push button verification of an os kernel
play

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, - PowerPoint PPT Presentation

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential for application correctness and


  1. Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang

  2. The OS Kernel is a critical component • Essential for application correctness and security • Kernel bugs can compromise the entire system App App App Kernel

  3. Formal verification: high correctness assurance • Write a spec of expected behavior • Prove that implementation matches the spec IronClad • Goal: How much can we minimize the proof burden

  4. Formal verification: high correctness assurance • Write a spec of expected behavior • Prove that implementation matches the spec IronClad Proof effort: 11 person years • Goal: How much can we minimize the proof burden

  5. Our result: Hyperkernel • Unix-like OS kernel: based on xv6 • Fully automated verification using the Z3 solver • Functional correctness of system calls • Crosscutting properties (e.g., process isolation) • Limitations: • Uniprocessor • Initialization & glue code unverified

  6. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user and kernel spaces & reason about identity mapping for the kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  7. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user and kernel spaces & reason about identity mapping for the kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  8. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  9. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  10. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  11. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  12. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  13. Overview of verification workflow Syscall Implementation

  14. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  15. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  16. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  17. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  18. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  19. Overview of verification workflow State Machine Specification pre Verifier old new Syscall Implementation LLVM

  20. Overview of verification workflow Counterexample old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  21. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  22. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  23. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  24. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre For any virtual address in a process p, Verifier old new if the virtual address maps to a page the page must be exclusively owned by p. Syscall Implementation LLVM

  25. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre For any virtual address in a process p, Verifier old new if the virtual address maps to a page the page must be exclusively owned by p. Syscall Implementation LLVM

  26. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  27. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation OK LLVM Kernel Image

  28. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  29. Verification through symbolic execution • Goal: Minimize proof burden • No manual proofs or code annotations • Symbolic execution • Fully automated technique, used in bug-finding • Full functional verification if program is free of loops and state is finite • Feasible when units of work sufficiently small for solving • Hyperkernel approach: Finite interface design

  30. Overview of techniques • Safely push loops into user space • Explicit resource management • Decompose complex syscalls • Validate linked data structures • Smart SMT encodings

  31. Overview of techniques • Safely push loops into user space • Explicit resource management • Decompose complex syscalls • Validate linked data structures • Smart SMT encodings

  32. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space brk

  33. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes increment brk

  34. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes brk

  35. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes brk Goal: Redesign sbrk(); ensuring process isolation.

  36. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment)

  37. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment )

  38. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment ) page table root entry 4K page

  39. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment) void * sbrk_one_page () page table root entry 4K page

  40. The sbrk() system call: Decomposition void *sbrk_one_page() page table root entry 4K page

  41. The sbrk() system call: Decomposition void *sbrk_one_page() page directory page directory page table PML4 table page table entry entry entry entry 4K page

  42. The sbrk() system call: Decomposition void *sbrk_one_page() alloc_pd (…) alloc_pdpt (…) alloc_pt (…) alloc_frame (…) page directory page directory page table PML4 table page table entry entry entry entry 4K page

  43. The sbrk() system call: Decomposition void *sbrk_one_page() alloc_pd (…) alloc_pdpt (…) alloc_pt (…) alloc_frame (…) page directory page directory page table PML4 table page table entry entry entry entry 4K page

  44. The sbrk() system call: Decomposition int alloc_pdpt (int pml4, size_t index) int alloc_pd (int pdpt, size_t index) int alloc_pt (int pd, size_t index) int alloc_frame (int pt, size_t index)

  45. The sbrk() system call: Explicit allocation 2 Search for 1 free page alloc App Kernel page# 3

  46. The sbrk() system call: Explicit allocation • Kernel keeps track of per-page metadata: owner/type • User space searches for free page; kernel validates alloc, page# App Kernel success/fail

  47. The sbrk() system call: Finite Interface int alloc_pdpt(int pml4, size_t index, int free_pn ) int alloc_pd(int pdpt, size_t index, int free_pn ) int alloc_pt(int pd, size_t index, int free_pn ) int alloc_frame(int pt, size_t index, int free_pn ) • Any composition of these system calls maintains isolation For any virtual address in a process p, if the virtual address maps to a page the page must be exclusively owned by p.

  48. Implementation Component Lines Languages Kernel implementation 7,616 C, assembly State-machine specification 804 Python Declarative specification 263 Python Verifier 2,878 C++, Python User-space implementation 10,025 C, assembly

Recommend


More recommend