hyperkernel push button verification of an os kernel
play

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, - PowerPoint PPT Presentation

Jun 26, 2023 •297 likes •871 views

Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang The OS Kernel is a critical component Essential for application correctness and

  1. Hyperkernel: Push-Button Verification of an OS Kernel Luke Nelson, Helgi Sigurbjarnarson , Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang

  2. The OS Kernel is a critical component • Essential for application correctness and security • Kernel bugs can compromise the entire system App App App Kernel

  5. Formal verification: high correctness assurance • Write a spec of expected behavior • Prove that implementation matches the spec IronClad • Goal: How much can we minimize the proof burden

  6. Formal verification: high correctness assurance • Write a spec of expected behavior • Prove that implementation matches the spec IronClad Proof effort: 11 person years • Goal: How much can we minimize the proof burden

  7. Our result: Hyperkernel • Unix-like OS kernel: based on xv6 • Fully automated verification using the Z3 solver • Functional correctness of system calls • Crosscutting properties (e.g., process isolation) • Limitations: • Uniprocessor • Initialization & glue code unverified

  8. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user and kernel spaces & reason about identity mapping for the kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  9. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user and kernel spaces & reason about identity mapping for the kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  10. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  11. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  12. Designing Hyperkernel for proof automation Hyperkernel Xv6 • Syscall semantics are loop-y and • Finite interface require writing loop invariants • Kernel pointers difficult to • Separate user/kernel spaces and reason about use identity mapping for kernel • C is difficult to model • Verify LLVM intermediate representation (IR)

  13. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  14. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  15. Overview of verification workflow Syscall Implementation

  16. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  17. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  18. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  19. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  20. Overview of verification workflow State Machine Specification pre old new Syscall Implementation

  21. Overview of verification workflow State Machine Specification pre Verifier old new Syscall Implementation LLVM

  22. Overview of verification workflow Counterexample old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  23. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  24. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  25. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  26. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre For any virtual address in a process p, Verifier old new if the virtual address maps to a page the page must be exclusively owned by p. Syscall Implementation LLVM

  27. Declarative Specification Cross-cutting properties: Counterexample P • Correctness of reference counters • Scheduler safety property old • Process Isolation State Machine Specification Bug pre For any virtual address in a process p, Verifier old new if the virtual address maps to a page the page must be exclusively owned by p. Syscall Implementation LLVM

  28. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation LLVM

  29. Declarative Specification Counterexample P old State Machine Specification Bug pre Verifier old new Syscall Implementation OK LLVM Kernel Image

  30. Outline • Verification workflow • Finite interface design • Demo • Evaluation & lessons learned

  31. Verification through symbolic execution • Goal: Minimize proof burden • No manual proofs or code annotations • Symbolic execution • Fully automated technique, used in bug-finding • Full functional verification if program is free of loops and state is finite • Feasible when units of work sufficiently small for solving • Hyperkernel approach: Finite interface design

  32. Overview of techniques • Safely push loops into user space • Explicit resource management • Decompose complex syscalls • Validate linked data structures • Smart SMT encodings

  33. Overview of techniques • Safely push loops into user space • Explicit resource management • Decompose complex syscalls • Validate linked data structures • Smart SMT encodings

  34. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space brk

  35. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes increment brk

  36. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes brk

  37. The sbrk() system call User space void *sbrk(intptr_t increment) virtual address space increments the programs data space by increment bytes brk Goal: Redesign sbrk(); ensuring process isolation.

  38. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment)

  39. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment )

  40. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment ) page table root entry 4K page

  41. The sbrk() system call: Dealing with loops void *sbrk(intptr_t increment) void * sbrk_one_page () page table root entry 4K page

  42. The sbrk() system call: Decomposition void *sbrk_one_page() page table root entry 4K page

  43. The sbrk() system call: Decomposition void *sbrk_one_page() page directory page directory page table PML4 table page table entry entry entry entry 4K page

  44. The sbrk() system call: Decomposition void *sbrk_one_page() alloc_pd (…) alloc_pdpt (…) alloc_pt (…) alloc_frame (…) page directory page directory page table PML4 table page table entry entry entry entry 4K page

  45. The sbrk() system call: Decomposition void *sbrk_one_page() alloc_pd (…) alloc_pdpt (…) alloc_pt (…) alloc_frame (…) page directory page directory page table PML4 table page table entry entry entry entry 4K page

  46. The sbrk() system call: Decomposition int alloc_pdpt (int pml4, size_t index) int alloc_pd (int pdpt, size_t index) int alloc_pt (int pd, size_t index) int alloc_frame (int pt, size_t index)

  47. The sbrk() system call: Explicit allocation 2 Search for 1 free page alloc App Kernel page# 3

  48. The sbrk() system call: Explicit allocation • Kernel keeps track of per-page metadata: owner/type • User space searches for free page; kernel validates alloc, page# App Kernel success/fail

  49. The sbrk() system call: Finite Interface int alloc_pdpt(int pml4, size_t index, int free_pn ) int alloc_pd(int pdpt, size_t index, int free_pn ) int alloc_pt(int pd, size_t index, int free_pn ) int alloc_frame(int pt, size_t index, int free_pn ) • Any composition of these system calls maintains isolation For any virtual address in a process p, if the virtual address maps to a page the page must be exclusively owned by p.

  50. Implementation Component Lines Languages Kernel implementation 7,616 C, assembly State-machine specification 804 Python Declarative specification 263 Python Verifier 2,878 C++, Python User-space implementation 10,025 C, assembly

Recommend

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James

Push-Button Verification of File Systems via Crash Refinement Helgi Sigurbjarnarson , James Bornholt, Emina Torlak, Xi Wang University of Washington 1 / 24 File systems are hard to get right Complex hierarchical on-disk data structures

799 views • 43 slides
Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan

Designing Systems for Push-Button Verification Luke Nelson Joint work with James Bornholt, Dylan Johnson, Helgi Sigurbjarnarson, Emina Torlak, Xi Wang, Kaiyuan Zhang OSes are everywhere OSes (& bugs) are everywhere Goals Develop

289 views • 15 slides
Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al

Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al

Controlling 280 Turnout Servos Using Small Push-Button Fascia Panels By Bob Judge and Al Zimmerschied NMRA 2015 National Convention Portland Oregon August 23-29, 2015 1 Forced to move, the Boeing Employees Model Railroad Club (BEMRRC)

656 views • 43 slides
push button, send product - Configuration, Version, and Release Management Sommerville,

push button, send product - Configuration, Version, and Release Management Sommerville,

push button, send product - Configuration, Version, and Release Management Sommerville, Chapter 29 Instructor: Peter Baumann email: p.baumann@jacobs-university.de tel: -3178 "Good, Fast, Cheap: office: room 88, Research 1

363 views • 20 slides
Push Button A or is it B? Alarming design Real consequences for real people If you are

Push Button A or is it B? Alarming design Real consequences for real people If you are

Push Button A or is it B? Alarming design Real consequences for real people If you are delivering a system or product, you should set up a register of hazards containing information about each hazard. 16.2.2 a Can we find some hazards?

769 views • 66 slides
Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal

Towards Fast Interactive Verification through Strong Higher-Order Automation Jasmin Blanchette Pascal Fontaine Stephan Schulz Uwe Waldmann Vision: Take the Hard Labor out of Vision: Interactive Verification Push button automation for

263 views • 14 slides
Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More

Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More

Uber Virginia Disruptive Technologies for Tomorrow April 2016 Push a Button, Get a Ride More Choice = Good Thing A Complement to Public Transit UBER + PSTA Pinellas Suncoast Transit Authority pays half the cost of any trip (up to $6) to or

354 views • 7 slides
Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage,

Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage,

Computing Power at the push of a button: Dynamic Services for Infrastructure. TERENA TF-Storage, February 21, 2012 - Public - Dynamic Services for Infrastructure, Version 2.0 July, 2011 1 The cloud is out there. But what's inside?

516 views • 22 slides
Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction

Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction

Leica Sprinter 50 / 150 / 150M / 250M Push the Button Leica Sprinter 50 / 150 Construction Levels Product Offering Sprinter 50 (Standard / US) Sprinter 150 Art. No. 762628 / 764686 Art. No. 762629 Sprinter 50, 2.0 mm,

249 views • 11 slides
SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What

SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What

SoCGen: A Push Button Idea to GDS2 SoC Design Flow Habiba Gamal, Amr Gouhar, Mohamed Shalan What is SoCGen? - System on Chip (SoC) design automation tool Motivation - Facilitate SoC design - Reduce time-to-fabrication - Making use of the

563 views • 22 slides
Button Click Many ways use Button in Android SetOnClickListener (just click button)

Button Click Many ways use Button in Android SetOnClickListener (just click button)

Button Click Many ways use Button in Android SetOnClickListener (just click button) SetOnLongClickListener (on long press) SetOnTouchListener (until button is pressed) OnClick (simple click using XML) Many other ways

470 views • 30 slides
SI232 push(2) SlideSet #4: Procedures push(1) (more Chapter 2) pop() pop() push(6) pop()

SI232 push(2) SlideSet #4: Procedures push(1) (more Chapter 2) pop() pop() push(6) pop()

Stack Example Action Stack Output push(3) SI232 push(2) SlideSet #4: Procedures push(1) (more Chapter 2) pop() pop() push(6) pop() pop() pop() Procedure Example & Terminology Big Picture Steps for Executing a Procedure 1.

244 views • 12 slides
seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010

seL4: Formal Verification of an OS Kernel . seL4: Formal Verification of an OS Kernel . Marek.Sapota@students.mimuw.edu.pl December 15, 2010 . . . . . . seL4: Formal Verification of an OS Kernel About seL4 What is seL4? Secure

169 views • 16 slides
HV302 Hands-on Training HV302 Controls Scan Button Rotation Button Scan Button Rotation Button

HV302 Hands-on Training HV302 Controls Scan Button Rotation Button Scan Button Rotation Button

January 2015 HV302 Hands-on Training HV302 Controls Scan Button Rotation Button Scan Button Rotation Button Slope/Alignment Buttons HI-/Manual- Standby - LED Level-LED Battery Status LED Power Button Manual/Single Slope Mode/ Standby

612 views • 38 slides
1 Push-down Automata A push-down automaton is a finite automaton with an additional last-in

1 Push-down Automata A push-down automaton is a finite automaton with an additional last-in

1 Push-down Automata A push-down automaton is a finite automaton with an additional last-in first-out push-down stack; anything read from the stack is immediately de- stroyed. Push-down automata are partway to a Turing machine. Push-down

428 views • 4 slides
Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge

Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge

Eliminating bugs in BPF JITs using automated formal verification Luke Nelson with Jacob van Ge ff en, Emina Torlak, and Xi Wang BPF is used throughout the kernel Many uses for BPF: tracing, networking, security, etc. In-kernel JIT

849 views • 48 slides
Automated Verification of RISC-V Kernel Code Antoine Kaufmann Big Picture Micro/exokernels

Automated Verification of RISC-V Kernel Code Antoine Kaufmann Big Picture Micro/exokernels

Automated Verification of RISC-V Kernel Code Antoine Kaufmann Big Picture Micro/exokernels can be viewed as event-driven Initialize, enter application, get interrupt/syscall, repeat Interrupt/syscall handlers are bounded Most

505 views • 11 slides
PUSH DOWN/PUSH UP: LANDLORD & TENANT COLLABORATION CHALLENGES AND SUCCESSES IN ACHIEVING A

PUSH DOWN/PUSH UP: LANDLORD & TENANT COLLABORATION CHALLENGES AND SUCCESSES IN ACHIEVING A

Session B2: 10:55AM PUSH DOWN/PUSH UP: LANDLORD & TENANT COLLABORATION CHALLENGES AND SUCCESSES IN ACHIEVING A SUSTAINABLE BUILDING Moderator: Max Collett , Partner, Real Estate & Environmental Law, Bull, Housser & Tupper LLP

384 views • 27 slides
1 Micro SIMs s are use sed in Tabs 2 3 Press the button again Press the button and hold

1 Micro SIMs s are use sed in Tabs 2 3 Press the button again Press the button and hold

1 Micro SIMs s are use sed in Tabs 2 3 Press the button again Press the button and hold Swipe the Screen once slightly to lock the until tablet starts screen 4 Battery level with percentage Mobile data signal strength {H+ (100%) / H

1.03k views • 30 slides
How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway

How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway

How we scaled push messaging for millions of Netflix devices Susheel Aroskar Cloud Gateway Why do we need push? How I spend my time in Netflix application... What is push? What is push? How you can build it What is push?

965 views • 83 slides
Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel

Tight Kernel Query Complexity of Kernel Ridge Regression and Kernel -means Clustering Manuel Fernndez V, David P. Woodruff, Taisuke Yasuda Kernel Method Many machine learning tasks can be expressed as a function of the inner product

389 views • 22 slides
+ Projects: Developing an OS Kernel for x86 Introduction + The boot process ! After the power

+ Projects: Developing an OS Kernel for x86 Introduction + The boot process ! After the power

CPSC 410/611: Operating Systems Projects, Introduction + Projects: Developing an OS Kernel for x86 Introduction + The boot process ! After the power button has been pressed ! Power supply certifies that can supply the correct amount of

349 views • 6 slides
1 Kernel methods & optimization One example of a kernel that is frequently used in practice

1 Kernel methods & optimization One example of a kernel that is frequently used in practice

Machine Learning Class Notes 9-25-12 Prof. David Sontag 1 Kernel methods & optimization One example of a kernel that is frequently used in practice and which allows for highly non-linear discriminant functions is the Gaussian kernel,

241 views • 5 slides
Science/Technology Push Technological Development Science Push Market Pull Incremental

Science/Technology Push Technological Development Science Push Market Pull Incremental

Science/Technology Push Technological Development Science Push Market Pull Incremental Technological Improvement Market Pull Science-Push Innovation Manufacturing Marketing Basic Design & Sales science Engineering Demand-Pull

957 views • 28 slides

More recommend