Provably Trustworthy Systems: seL4 and beyond – Gerwin Klein (PowerPoint presentation)


  1. Provably Trustworthy Systems: seL4 and beyond. Gerwin Klein, Royal Society Meeting on Verified Trustworthy Software Systems, April 2016. data61.csiro.au

  2. Formal verification of real systems is happening!

  3. Formal verification of real systems
     ‣ Increasingly many examples:
       • seL4 – verified OS kernel implementation
       • CompCert – verified compiler implementation
       • Ironfleet and Ironclad – verified distributed system
       • CakeML
       • PolarSSL – verified SSL implementation
       • Candle – verified interactive HOL theorem prover implementation
       • CoCon – verified conference system implementation
       • FSCQ – verified crash-resistant file system
       • OpenSSL HMAC – verified crypto implementation
     Proof Engineering | Gerwin Klein

  14. But: Still far from mainstream

  15. Too Expensive
      ‣ Such projects are still big research results
        • Often break new ground
        • Multiple person-years or person-decades
        • Real, binary-level results still rare
        • Hard to maintain over long periods
      ‣ Still too expensive
        • But not that far off:
          – cheaper than traditional high-assurance development
          – factor 2–3 over high-quality traditional embedded systems development

  17. What can be done?

  18. Better, cheaper, faster.
      ‣ Just needs to be cheaper:
        • economic pressure wins over time
        • everything else follows
      ‣ Proof productivity:
        • Tools – more automation, deeper automation, built for scale
        • Proof engineering – predictability, estimation, scale
        • Languages – design for verification, increase verification productivity
        • …

  20. The rest of this talk: ‣ seL4 ‣ Scale ‣ Proof Engineering ‣ Proof Effort ‣ Future

  21. seL4

  22. seL4: Isolation
      ‣ Trustworthy Computing Base:
        • message passing
        • virtual memory
        • interrupt handling
        • access control
        • fault isolation
        • fault identification
        • IP protection
        • modularity
      [Diagram: untrusted components (legacy apps, Linux) run next to trusted components (sensitive app, trusted server, service) on top of seL4, which runs on the hardware: "Trusted next to Untrusted"]

  24. Functional Correctness: Specification (what) – Proof – Code (how)

      definition schedule :: "unit s_monad" where
        "schedule ≡ do
           threads ← allActiveTCBs;
           thread ← select threads;
           switch_to_thread thread
         od OR switch_to_idle_thread"

  27. *conditions apply
      [Diagram labels: Expectation, Specification, Proof, Code, Assumptions]
      Assume correct:
        - compiler + linker (wrt. C operational semantics)
        - assembly code (600 loc)
        - hardware (ARMv6)
        - cache and TLB management
        - boot code (1,200 loc)

  30. Proof Architecture Now
      [Diagram, top to bottom: Confidentiality, Availability, Integrity (Isabelle) – Specification (Isabelle) – Design / Haskell Prototype (Isabelle) – C Code / C Code Semantics (Isabelle) – Binary Code / Binary Code Semantics (Isabelle/SMT/HOL4) – WCET Analysis]
      High-level properties:
        - functional correctness
        - integrity
        - authority confinement
        - non-interference
        - termination
        - user-level system initialisation
        - verified component platform
        - worst-case execution time (by static analysis)
      Roadmap:
        - verified x64 version
        - virtualisation extensions
        - mixed-criticality real-time
        - timing side-channel elimination
      Open Source: http://seL4.systems, https://github.com/seL4/
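The `schedule` definition on the Functional Correctness slide is written in a nondeterministic state monad: `select threads` may return any active thread, and `OR` allows either branch, so the specification describes a set of permitted outcomes rather than one answer. Functional correctness then means that the concrete code never produces an outcome outside that set, and the Proof Architecture slide repeats that refinement step down the chain (design refines specification, C refines design, binary refines C). The Python below is an added illustration, not seL4's specification or any of its Isabelle proofs: it models the two monad operators over a constructed three-thread kernel state, puts a deterministic scheduler in the role of the C code, and checks refinement exhaustively. The thread names, the toy `State`, and the deliberately wrong second scheduler are all constructed for this example; the real proof covers an unbounded state space by theorem proving, not by enumeration.

```python
"""Toy model of spec-to-code refinement in the style of the seL4 schedule spec.
Added example; all names and states here are constructed, not seL4's own code."""
from dataclasses import dataclass, replace
from itertools import product
from typing import Callable, FrozenSet, List, Set

IDLE = "idle"
THREADS = ("t0", "t1", "t2")  # constructed toy thread set


@dataclass(frozen=True)
class State:
    """Toy kernel state: the set of active (runnable) TCBs and the running thread."""
    active: FrozenSet[str]
    current: str


# --- primitives shared by specification and implementation -----------------
def all_active_tcbs(s: State) -> FrozenSet[str]:
    return s.active


def switch_to_thread(s: State, t: str) -> State:
    return replace(s, current=t)


def switch_to_idle_thread(s: State) -> State:
    return replace(s, current=IDLE)


# --- abstract specification: the "what" --------------------------------------
def schedule_spec(s: State) -> Set[State]:
    """Nondeterministic spec: every state permitted after 'schedule'.
    'select threads' may pick any active thread; when there is none, that
    branch has no outcome at all, so only the 'OR switch_to_idle_thread'
    branch remains."""
    outcomes = {switch_to_thread(s, t) for t in all_active_tcbs(s)}
    outcomes.add(switch_to_idle_thread(s))
    return outcomes


# --- two concrete implementations: the "how" ---------------------------------
def schedule_impl(s: State) -> State:
    """Deterministic scheduler: lowest-named active thread, else idle."""
    active = sorted(all_active_tcbs(s))
    return switch_to_thread(s, active[0]) if active else switch_to_idle_thread(s)


def schedule_impl_buggy(s: State) -> State:
    """Constructed defect: keeps running the current thread even after it has
    become inactive (e.g. blocked), an outcome the spec never permits."""
    if s.current != IDLE:
        return s
    return schedule_impl(s)


# --- refinement check --------------------------------------------------------
def refinement_counterexamples(
    impl: Callable[[State], State],
    spec: Callable[[State], Set[State]],
    states: List[State],
) -> List[State]:
    """States where the implementation's outcome is not one the spec allows.
    An empty list means impl refines spec on the given state space."""
    return [s for s in states if impl(s) not in spec(s)]


def all_states() -> List[State]:
    """Exhaustive toy state space: 2^3 activity patterns x 4 current threads."""
    states = []
    for flags in product([False, True], repeat=len(THREADS)):
        active = frozenset(t for t, f in zip(THREADS, flags) if f)
        for cur in THREADS + (IDLE,):
            states.append(State(active, cur))
    return states


if __name__ == "__main__":
    space = all_states()
    print("correct impl counterexamples:", len(refinement_counterexamples(schedule_impl, schedule_spec, space)))
    print("buggy impl counterexamples:  ", len(refinement_counterexamples(schedule_impl_buggy, schedule_spec, space)))
```

The check has the same shape at every layer of the proof architecture: take the lower layer's single outcome (or, for a nondeterministic design layer, each of its outcomes) and show it lies within the set the layer above permits. The buggy scheduler fails exactly on the states where the running thread is no longer active, which is the kind of scheduling bug a set-valued specification rules out without having to prescribe which active thread is chosen.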

  33. As Real as it Gets ‣ Autonomous in 3, 2, 1..

  35. Scale

  36. Scale: Archive of Formal Proofs – size of AFP entries by submission date [plot]

  37. Scale: size of AFP entries by submission date, with Four-Colour theorem, Odd-Order theorem, Verisoft, seL4 [plot]

  38. Proof Introspection ‣ 500 files ‣ 22,000 lemmas stated ‣ 95,000 lemmas proved
