
Lecture 23: Verified Systems (Software Infrastructure is Shaky) - PowerPoint PPT Presentation



  1. Software Infrastructure. Lecture 23: Verified Systems. Software Infrastructure is Shaky.

  2. Software Infrastructure is Shaky
     "When exhaustive testing is impossible, our trust can only be based on proof." Edsger W. Dijkstra, Under the Spell of Leibniz's Dream
     Today: prog ⇒ error ⇒ patch ⇒ ... ⇒ ∞
     Proofs won't happen? ... not just a dream!
     Proof Assistant Based Verification
     Verified Compiler: CompCert [Leroy POPL 06]
       - Code in language suited for reasoning
       - Develop correctness proof in synch
       - Fully formal, machine checkable proof
     Compiler Bugs Found [Yang et al. PLDI 11]: GCC 122, LLVM 181, CompCert ?

  3. Proof Assistant Based Verification
     Verified Compiler: CompCert [Leroy POPL 06]
     Compiler Bugs Found [Yang et al. PLDI 11]: GCC 122, LLVM 181, CompCert 0 (see also [Vu et al. PLDI 14])
     Proof ⇒ no errors
     Verified OS kernel: seL4 [Klein et al. SOSP 09]: realistic implementation guaranteed bug free
     Today: prog ⇒ error ⇒ patch ⇒ ...   Promise: Proof ⇒ prog ⇒ no errors

  4. The Burden of Proof
     1. Initial proofs require heroic effort
        CompCert: 70% proof, vast majority of effort
        seL4: 200,000 line proof for 9,000 lines of C
     2. Code updates require re-proving
        CompCert: adding opts [Tristan POPL 08, PLDI 09, POPL 10]
        seL4: changing RPC took 17% of proof effort
     Mitigating the Burden of Proof
     1: Scaling proofs to critical infrastructure
        Formal shim verification for large apps
        Quark: browser with security guarantees
     2: Evolving formally verified systems
        Reflex DSL exploits domain for proof automation

  5. Fully Formal Verification (Coq Theorem Prover / Proof Assistant)
     Code: in language suited to reasoning
     Spec: logical properties characterizing correctness
     Proof: built in the Proof Assistant from Code and Spec

  6. Fully Formal Verification
     Code (ML) compiles down to machine code (x86)
     Proof Assistant: interactively show code satisfies specification (Grad)
     Extremely strong guarantees about actual system!

  7. Fully Formal Verification
     Program in a purely functional language
     Specification characterizes desired behavior
     Claim program satisfies spec; construct proof interactively

  8. Formally Verify a Browser?! (Web Browser: Millions of LOC)
     Browsers don't look like factorial ⇒ scrap existing code, rewrite
     Browsers don't have simple specs ⇒ invest decades of person-years
     Even easy proofs grow quickly and become opaque ⇒ intractable for large-scale apps

  9. Formally Verify a Browser?!
     Resources accessed by browser components (JavaScript, JPEG, HTML)
     Millions of LOC; high performance; loose access policy; constant evolution
     Isolate: sandbox untrusted code

  10. Formal Shim Verification
      Isolate: sandbox untrusted code ✔
      Implement shim: guards resource access between Resources and the sandboxed Untrusted Code (JavaScript, JPEG, HTML)
      Verify shim: prove security policy
      Applies when: 1. sys fits architecture; 2. policy over resources
      Examples: browser, httpd, sshd, ...

  11. Formal Shim Verification. Key Insight: Focus Effort
      Guarantee security properties for entire system
      Only implement and prove small shim
      Radically ease verification burden
      Prove actual code correct
      Applies when: 1. sys decomposable; 2. policy over resources (browser, httpd, sshd, ...)
      Mitigating the Burden of Proof
      1: Scaling proofs to critical infrastructure: formal shim verification for large apps; Quark: browser with security guarantees
      2: Evolving formally verified systems: Reflex DSL exploits domain for proof automation
      Browsers: Critical Infrastructure

  12. Browsers: Vulnerable
      Defenses / Policies: [Jang et al. W2SP], [Stamm et al. WWW], [Jackson et al. W2SP], [Barth et al. CCS], [Singh et al. OAKLAND], ...
      Complex + Implementation Bugs
      Quark: Verified Browser. Resources: network, persistent storage, user interface. Shim ✔. Sandbox: Untrusted Code

  13. Quark: Verified Browser
      Quark browser kernel is the shim: code, spec, proof in Coq ✔
      Browser components run as separate procs, strictly sandboxed

  14. Quark: Verified Browser
      Two component types; components talk to kernel over pipe
      WebKit Tab: modified WebKit, intercept accesses

  15. Quark: Verified Browser
      Two component types: WebKit tabs, cookie managers
      Cookie Manager: written in Python, manages single domain
      Several instances of each (many WebKit Tabs, many Cookie Managers)

  16. Quark Kernel: Code, Spec, Proof

  17. Quark Kernel: Code, Spec, Proof
      Definition kstep(focused_tab, tabs) :=   (* focused_tab, tabs: the kernel state *)
        ...
        f <- select(stdin, tabs);              (* Unix-style select to find a component pipe ready to read *)
        ...

  18. Quark Kernel: Code, Spec, Proof
      Definition kstep(focused_tab, tabs) :=
        f <- select(stdin, tabs);
        match f with
        | Stdin =>                             (* case: f is user input *)
          cmd <- read_cmd(stdin);              (* read command from user over stdin *)
          match cmd with
          | AddTab =>                          (* user wants to create a new tab *)
            t <- mk_tab();                     (* create a new tab and focus it *)
            ...
          | ...
          end
        | Tab t => ...                         (* case: f is tab pipe *)
        end
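An executable model of the kstep loop from slides 17 and 18, added here as an example; it is not Quark's Coq kernel. select() picks the first component pipe with input, Stdin commands (AddTab) create and focus a tab, and a message on a tab pipe is checked before it reaches a resource. The Tab and Kernel classes, the GetCookie message, the run() driver and the policy that a tab may only reach the cookie manager of its own domain are assumptions of this model, shaped after the one-domain-per-cookie-manager design on slide 15.

```python
# Constructed model of Quark's kstep loop in Python; not the Coq kernel from the slides.
from dataclasses import dataclass, field

@dataclass
class Tab:
    tid: int
    domain: str                                   # origin this tab was created for
    pipe: list = field(default_factory=list)      # messages the tab wrote to its kernel pipe

@dataclass
class Kernel:                                     # kernel state: focused_tab, tabs (+ model extras)
    focused_tab: int = -1                         # -1: no tab focused yet
    tabs: dict = field(default_factory=dict)      # tid -> Tab
    cookies: dict = field(default_factory=dict)   # domain -> that domain's cookie jar (assumed)
    log: list = field(default_factory=list)       # kernel decisions, so callers can inspect them
    next_tid: int = 0

def select(stdin, tabs):                          # model of Unix select(): first pipe with input
    if stdin:
        return ("Stdin", None)
    for t in tabs.values():
        if t.pipe:
            return ("Tab", t)
    return None

def kstep(k, stdin):                              # one kernel step: read one message, act on it
    f = select(stdin, k.tabs)
    if f is None:
        return k
    kind, t = f
    if kind == "Stdin":                           # case: f is user input
        cmd = stdin.pop(0)                        # read_cmd(stdin)
        if cmd[0] == "AddTab":                    # user wants to create a new tab (for a domain)
            tid, k.next_tid = k.next_tid, k.next_tid + 1
            k.tabs[tid] = Tab(tid, cmd[1])        # mk_tab()
            k.focused_tab = tid                   # ... and focus it
            k.log.append(("added", tid, cmd[1]))
    else:                                         # case: f is a tab pipe
        msg = t.pipe.pop(0)
        if msg[0] == "GetCookie":
            # Assumed policy: a tab may only reach the cookie manager of its own domain.
            if msg[1] == t.domain:
                k.log.append(("cookie", t.tid, k.cookies.get(msg[1])))
            else:
                k.log.append(("denied", t.tid, msg[1]))
    return k

def run(k, stdin):                                # drive kstep until no pipe has input; return log
    while select(stdin, k.tabs) is not None:
        kstep(k, stdin)
    return k.log
```

Every resource request passes through kstep, so the policy check lives in one small function, which is the point of verifying the shim rather than the tabs.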
