The Formally Verified seL4 Microkernel: High-Assurance Foundation for MCS
Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser • RTCSA Keynote, Aug’20 • https://trustworthy.systems
What Is Needed For Mixed-Criticality?
During a review process, ca Aug’17:
• [Gernot:] Temporal isolation is necessary for mixed criticality systems.
• [Reviewer:] Wrong, temporal isolation is sufficient.
What Is a Mixed-Criticality System?
“A mixed-critical system […] supports the execution of safety-critical, mission-critical, and non-critical software within a single, secure compute platform.” [Barhorst’09]
Criticality of a component is defined by the impact of its failure:
• loss of life
• injury
• inconvenience
Certification of a critical component must not depend on the behaviour of less critical components ⇒ the platform must prevent any interference by less critical components!
Preventing Interference – The OS’s Job
[Figure: a high-criticality and a low-criticality component running on the same operating system; the low-criticality component can interfere by modifying the high-criticality component’s data or by affecting its timing.]
We need an OS that can guarantee the absence of interference!
4 | RTCSA Keynote, Aug'20
seL4: Provable Isolation
What is seL4?
• The world’s first operating-system kernel with provable security enforcement
• The world’s fastest general-purpose microkernel, designed for real-world use
• The world’s most advanced mixed-criticality OS
• The world’s only protected-mode OS with complete, sound timeliness analysis
• Open Source
A Microkernel is not an OS
[Figure: device drivers, file systems, the network stack, process and memory management, crypto, power management and the virtual-machine monitor (hosting a Linux VM with its own apps and drivers) are all usermode processes on top of the microkernel, which is the only code running in privileged mode on the processor. Strong isolation between processes; controlled communication via IPC.]
Microkernel = context-switching engine
Capability-Based Access Control
Capability = Access Token: prima-facie evidence of privilege, consisting of
• an object reference, e.g. thread, address space
• access rights, e.g. read, write, send, execute…
Capabilities provide:
• Fine-grained access control
• Reasoning about information flow
Any system call is invoking a capability: err = method( cap, args );
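The invocation pattern above, err = method(cap, args), as an added example that is not seL4 code: a toy C model of a CSpace holding capabilities (object reference plus a rights bitmask), send and receive invocations on an endpoint that check object type and rights before touching the object, and a mint operation that can only ever diminish rights. All names, the slot layout, the rights encoding and the error codes are hypothetical; the real seL4 system-call interface (libsel4) is different.

```c
/* Added example, not seL4 code: a toy model of capability-based access
 * control. A thread can only name kernel objects through capabilities in
 * its own CSpace, and every invocation checks the capability's object type
 * and rights, never the identity of the caller. All names, the slot layout
 * and the error codes are hypothetical. */
#include <stdio.h>
#include <string.h>

enum obj_type { OBJ_NONE = 0, OBJ_ENDPOINT, OBJ_FRAME };

/* Access rights carried by a capability, as a bitmask. */
enum { RIGHT_READ = 1, RIGHT_WRITE = 2, RIGHT_SEND = 4, RIGHT_RECV = 8 };

typedef struct {
    enum obj_type type;
    char payload[64];          /* endpoint: last message sent */
} object_t;

/* A capability: object reference plus rights. obj == NULL is a null cap. */
typedef struct {
    object_t *obj;
    unsigned  rights;
} cap_t;

#define CSPACE_SLOTS 8
typedef struct { cap_t slot[CSPACE_SLOTS]; } cspace_t;

enum { ERR_OK = 0, ERR_NO_CAP, ERR_TYPE, ERR_RIGHTS, ERR_BAD_SLOT };

/* Resolve a slot in the caller's CSpace; the caller cannot name anything
 * that is not in one of its slots. */
static const cap_t *cspace_lookup(const cspace_t *cs, unsigned slot) {
    if (slot >= CSPACE_SLOTS || cs->slot[slot].obj == NULL) return NULL;
    return &cs->slot[slot];
}

/* Invocation "send on endpoint": type and rights are checked before the
 * object is touched. */
static int ep_send(const cspace_t *cs, unsigned slot, const char *msg) {
    const cap_t *c = cspace_lookup(cs, slot);
    if (c == NULL) return ERR_NO_CAP;
    if (c->obj->type != OBJ_ENDPOINT) return ERR_TYPE;
    if (!(c->rights & RIGHT_SEND)) return ERR_RIGHTS;
    snprintf(c->obj->payload, sizeof c->obj->payload, "%s", msg);
    return ERR_OK;
}

/* Invocation "receive on endpoint". */
static int ep_recv(const cspace_t *cs, unsigned slot, char *out, size_t len) {
    const cap_t *c = cspace_lookup(cs, slot);
    if (c == NULL) return ERR_NO_CAP;
    if (c->obj->type != OBJ_ENDPOINT) return ERR_TYPE;
    if (!(c->rights & RIGHT_RECV)) return ERR_RIGHTS;
    snprintf(out, len, "%s", c->obj->payload);
    return ERR_OK;
}

/* Mint: copy a capability into another CSpace with a subset of its rights.
 * Rights can be diminished but never amplified, which is what makes the
 * information flow of a system derivable from its capability distribution. */
static int cap_mint(const cspace_t *src, unsigned src_slot,
                    cspace_t *dst, unsigned dst_slot, unsigned rights) {
    const cap_t *c = cspace_lookup(src, src_slot);
    if (c == NULL) return ERR_NO_CAP;
    if (dst_slot >= CSPACE_SLOTS) return ERR_BAD_SLOT;
    if (rights & ~c->rights) return ERR_RIGHTS;     /* attempted amplification */
    dst->slot[dst_slot].obj = c->obj;
    dst->slot[dst_slot].rights = rights;
    return ERR_OK;
}

/* Scenario: a root task holds a full-rights cap to an endpoint and hands
 * thread A a Send-only cap and thread B a Receive-only cap. Returns the
 * number of expectations that held (8 if the model behaves as intended). */
static int demo(void) {
    static object_t ep = { OBJ_ENDPOINT, "" };
    cspace_t root, a, b;
    char buf[64];
    int ok = 0;
    memset(&root, 0, sizeof root); memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    root.slot[0].obj = &ep;
    root.slot[0].rights = RIGHT_SEND | RIGHT_RECV;

    ok += cap_mint(&root, 0, &a, 1, RIGHT_SEND) == ERR_OK;
    ok += cap_mint(&root, 0, &b, 1, RIGHT_RECV) == ERR_OK;
    ok += ep_send(&a, 1, "hello") == ERR_OK;
    ok += ep_recv(&b, 1, buf, sizeof buf) == ERR_OK && strcmp(buf, "hello") == 0;
    ok += ep_send(&b, 1, "x") == ERR_RIGHTS;              /* B may not send */
    ok += ep_recv(&a, 1, buf, sizeof buf) == ERR_RIGHTS;  /* A may not receive */
    ok += cap_mint(&a, 1, &a, 2, RIGHT_SEND | RIGHT_RECV) == ERR_RIGHTS; /* no amplification */
    ok += ep_send(&a, 5, "x") == ERR_NO_CAP;              /* empty slot: nothing to invoke */
    return ok;
}

int main(void) {
    printf("%d of 8 capability checks behaved as expected\n", demo());
    return 0;
}
```

The point to take from the model is the shape of the check: the kernel never asks who the caller is, only whether the slot the caller named holds a capability of the right type with the right bit set, and since minting can only drop bits, the set of objects a thread can reach (and with which rights) is fixed by the capabilities handed to it at setup.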
Proved Spatial Isolation
Proof chain, top to bottom:
• Confidentiality, Integrity, Availability ⇐ proof that the Abstract Model enforces isolation
• Abstract Model ⇐ proof of functional correctness: the C code only behaves as specified
• C Implementation ⇐ proof by translation validation: the binary retains the C-code semantics
• Binary code
Limitations (work in progress):
• Kernel initialisation not yet verified
• MMU & caches modelled abstractly
• Multicore version not yet verified
• Timing channels not ruled out
Binary Code Verification
[Figure: the C source, which is the target of the functional correctness proof, is turned via the formal C semantics into formalised C and then by proof into a graph-language program. The binary produced by the compiler is decompiled, using the formal ISA spec and the symbol tables, into formalised binary code and then into a graph-language program of the same form. The two graph-language programs are proved equivalent using rewrite rules and an SMT solver, so the compiler’s output is checked rather than trusted.]
Isolation by Architecture
Issue: Capabilities are Low-Level
[Figure: two threads A and B communicating through an endpoint EP. Each needs a Thread Object, a CSpace made of CNodes (A1, A2 / B1), a VSpace made of a page directory, page tables and frames, a context, and Send or Receive capabilities to the endpoint.]
>50 capabilities for a trivial program!
Simple But Non-Trivial System
Component Middleware: CAmkES
Higher-level abstractions of low-level seL4 constructs:
• Component (Comp A, Comp B, Comp C)
• Interface
• Connector: RPC, shared memory, semaphore
Trivial System in CAmkES
[Figure: Comp A connected to Comp B by a single RPC connector.]
HACMS UAV Architecture
[Figure: Radio Driver, Data Link, Crypto, Camera and CAN Driver are separate components; Linux with the Wifi is uncritical/untrusted and contained.]
Security enforcement: Linux only sees encrypted data
Enforcing the Architecture
[Figure: the architecture (Radio Driver, Data Link, Crypto, Camera, CAN Driver, and the uncritical/untrusted, contained Linux with Wifi) is written in the architecture specification language. From it the low-level access rights are generated (capDL + pr): the Thread Objects, CSpaces, CNodes, the endpoint with its Send and Receive capabilities, contexts and VSpaces of A and B, plus generated glue.c and init.c. These are compiled and linked together with driver.c and VMM.c into the binary. Conditions apply.]
Military-Strength Security
DARPA HACMS: retrofit existing systems!
• Autonomous trucks
• Unmanned Little Bird (ULB)
• Cross-Domain Desktop Compositor
• Secure Comms Dongle
Temporal Isolation: WCET Analysis
High-Assurance WCET Analysis
[Figure: the program binary is turned into a control-flow graph; the micro-architecture model, the loop bounds and the infeasible-path information are combined into integer linear equations, which an ILP solver turns into the WCET. Loop bounds and infeasible-path information are proved at the C level and transferred to the binary through the translation-validation toolchain.]
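A worked instance of the integer linear program in the figure, added here and not part of the slides: the implicit path enumeration technique (IPET) that such WCET tools use. Take a control-flow graph with an entry block $e$, a loop header $h$, a loop body $b$ and an exit block $x$, with edges $e \to h$, $h \to b$, $b \to h$ and $h \to x$. Let $x_i$ be the execution count of block $i$, $d_{ij}$ the traversal count of edge $i \to j$, and $c_i$ the per-execution cost of block $i$ from the micro-architecture model. The WCET bound is the optimum of

$$
\max\; c_e x_e + c_h x_h + c_b x_b + c_x x_x
$$

subject to the flow-conservation constraints (block count equals the sum of its incoming edge counts and the sum of its outgoing edge counts)

$$
x_e = d_{eh} = 1,\qquad x_h = d_{eh} + d_{bh} = d_{hb} + d_{hx},\qquad x_b = d_{hb} = d_{bh},\qquad x_x = d_{hx} = 1,
$$

the loop bound $N$ supplied by the analysis,

$$
d_{hb} \le N \cdot d_{eh},
$$

and all variables non-negative integers. The maximum is attained at $d_{hb} = d_{bh} = N$, so $x_b = N$, $x_h = N + 1$ and

$$
\mathrm{WCET} = c_e + (N+1)\,c_h + N\,c_b + c_x .
$$

With hypothetical costs $c_e = 5$, $c_h = 3$, $c_b = 20$, $c_x = 2$ cycles and $N = 10$ this gives $5 + 33 + 200 + 2 = 240$ cycles. Infeasible-path information enters as further linear constraints of the same kind, for instance $x_{b_1} + x_{b_2} \le x_b$ for two mutually exclusive branches $b_1, b_2$ inside the body, which tightens the bound without changing the solver; soundness of the bound rests on the loop bounds and path constraints being proved, not estimated.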
Temporal Isolation: Controlling Time
Mixed Criticality: Critical + Untrusted
[Figure: Critical: sensor readings feed the control loop, which runs every 100 ms for a few milliseconds. Untrusted: NW interrupts feed the NW driver, which runs frequently but for a short time (order of µs).]
NW driver must preempt control loop
• … to avoid packet loss
• Driver must run at high prio
• Driver must be trusted not to monopolise CPU
MCS Challenge: Sharing
[Figure: the less critical Navigation component updates Shared Data that the critical Vehicle Control reads.]
Vehicle control must see consistent state
Sharing: Delegation to Resource Server
[Figure: Control (priority P1) and Navig. (priority P2) invoke a Server (priority PS) through a communication endpoint (port). The server is single-threaded, which guarantees atomicity of updates.]
Implements the immediate priority ceiling protocol (IPCP) if PS ≥ max(P1, P2)
Who pays for server time?
Solution: Time Capabilities
Classical thread attributes:
• Priority
• Time slice
New thread attributes:
• Priority
• Scheduling context capability (thread not runnable if null)
The scheduling context object is a sporadic server that limits CPU access:
• T: period
• C: budget (≤ T)
Example: C = 2, T = 3.
A capability for time enables reasoning about time and temporal isolation for mixed-criticality systems.
MCS with Scheduling Contexts
• Control loop (sensor readings; runs every 100 ms for a few milliseconds): P = low, C = 25,000, T = 100,000, utilisation = 25%
• NW driver (NW interrupts; runs frequently but for a short time, order of µs): P = high, C = 2, T = 3, utilisation = 67%
(Budgets and periods in µs, so that T = 100,000 matches the 100 ms period.)
Shared Server Time Charged to Client
[Figure: Client 1 (priority P1) and Client 2 (priority P2) call the Server (priority PS). While the server runs on behalf of a client it runs on that client’s scheduling context, so the client is charged for the server’s time.]
Timeout exception to deal with budget exhaustion
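The scheduling-context mechanism of the last three slides, as an added example that is not seL4 code: a tick-based C model of the two threads from the MCS example, an untrusted high-priority NW driver with C = 2, T = 3 that always wants to run, and a low-priority control loop with C = 25,000, T = 100,000 that needs 25,000 µs of CPU per 100 ms period. The model is my simplification and deliberately not seL4’s implementation: the sporadic server is reduced to a single replenishment per period (seL4 MCS keeps a queue of replenishments), the kernel’s timeout exception is represented only by counting budget exhaustions, and the passive server running on a client’s scheduling context is not modelled. Thread names, priorities and the tick granularity are assumptions.

```c
/* Added example, not seL4 code: a tick-based model of scheduling contexts
 * with an untrusted high-priority NW driver (C = 2, T = 3) and a
 * low-priority control loop (C = 25,000, T = 100,000). Time unit: 1 us.
 * Simplifications: one replenishment per period instead of seL4's
 * replenishment queue; budget exhaustion is only counted, where the
 * kernel would raise a timeout exception. */
#include <stdio.h>

typedef struct {
    const char *name;
    int  prio;          /* higher value = higher priority */
    long C, T;          /* budget and period of the scheduling context */
    long budget_left;   /* budget remaining in the current period */
    long replenish_at;  /* time at which budget_left is reset to C */
    long work_left;     /* pending demand; -1 = always has work (untrusted driver) */
    long ran;           /* CPU time actually obtained */
    long exhaustions;   /* times the budget ran out (seL4: timeout exception) */
} thread_t;

typedef struct {
    long control_done;       /* time the control loop finished; -1 = deadline missed */
    int  driver_share;       /* percent of the CPU obtained by the driver */
    long driver_exhaustions;
} result_t;

/* Highest-priority runnable thread, or -1 when all are idle or throttled.
 * With enforce == 0 budgets are ignored: classic fixed-priority scheduling,
 * where the driver has to be trusted not to monopolise the CPU. */
static int pick(thread_t *t, int n, long now, int enforce) {
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (t[i].work_left == 0) continue;
        if (enforce && t[i].budget_left == 0) {
            if (now < t[i].replenish_at) continue;   /* throttled until replenishment */
            t[i].budget_left = t[i].C;               /* period boundary: refill */
        }
        if (best < 0 || t[i].prio > t[best].prio) best = i;
    }
    return best;
}

/* Run one 100 ms control-loop period tick by tick. */
static result_t simulate(int enforce) {
    thread_t t[2] = {
        /* name          prio  C      T       budget replen work   ran exh */
        { "nw driver",    2,   2,     3,      2,     0,     -1,    0,  0 },
        { "control loop", 1,   25000, 100000, 25000, 0,     25000, 0,  0 },
    };
    const long horizon = 100000;
    result_t r = { -1, 0, 0 };

    for (long now = 0; now < horizon; now++) {
        int i = pick(t, 2, now, enforce);
        if (i < 0) continue;                              /* idle tick */
        if (enforce && t[i].budget_left == t[i].C)
            t[i].replenish_at = now + t[i].T;             /* a new budget period starts */
        t[i].ran++;
        if (enforce && --t[i].budget_left == 0)
            t[i].exhaustions++;                           /* kernel would raise a timeout */
        if (t[i].work_left > 0 && --t[i].work_left == 0 && i == 1)
            r.control_done = now + 1;
    }
    r.driver_share = (int)(t[0].ran * 100 / horizon);
    r.driver_exhaustions = t[0].exhaustions;
    return r;
}

int main(void) {
    result_t mcs = simulate(1), classic = simulate(0);
    printf("scheduling contexts: control loop done at %ld us, driver got %d%% CPU, "
           "%ld budget exhaustions\n",
           mcs.control_done, mcs.driver_share, mcs.driver_exhaustions);
    printf("classic priorities:  control loop done at %ld (-1 = deadline missed), "
           "driver got %d%% CPU\n",
           classic.control_done, classic.driver_share);
    return 0;
}
```

With budgets enforced the driver still preempts the control loop whenever it has budget, but it is capped at 2 of every 3 µs, so the control loop receives every third tick and completes its 25,000 µs of work at 75,000 µs, well inside its 100 ms period; with classic priorities alone the same driver starves the control loop indefinitely. This is the sense in which the scheduling context turns “the driver must be trusted not to monopolise the CPU” into a property the kernel enforces.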
seL4 MCS Support • Time as a first-class resource: - Enforcement of delegatable time budgets - Suitable for formal reasoning - Verification to be completed this year • Status: - Functional correctness of MCS extensions presently being verified for Arm and RISC-V • To Do: - Proving scheduler properties - Formal framework for reasoning about timeliness of applications
Thank You!