Verification of a Separation Kernel Inzemamul Haque Indian - PowerPoint PPT Presentation

Introduction Muen Intel Virtualization Support Challenges Approach Verification of a Separation Kernel Inzemamul Haque Indian Institute of Science, Bangalore 17 July 2017

Introduction Muen Intel Virtualization Support Challenges Approach Outline Introduction 1 Muen 2 Intel Virtualization Support 3 Challenges 4 Approach 5

Introduction Muen Intel Virtualization Support Challenges Approach Motivation Defense and aerospace applications need to run security-critical programs along with untrusted programs, on the same machine. Commercial O/Ss have many vulnerabilities which make them unsuitable for this task. A Separation Kernel provides such a solution. Would like to prove certain security properties of a separation kernel. Formal verification gives highest level of assurance that a system satisfies a required property.

Introduction Muen Intel Virtualization Support Challenges Approach Separation Kernel Security−Critical l Security−Critical l a a c c i i t App App t i i App App r r C C − − y y t t i i r r u u Guest OS Guest OS c c e e S S Linux Kernel Separation Kernel Processor / Hardware Processor / Hardware

Introduction Muen Intel Virtualization Support Challenges Approach Objective Goal To give a machine-checked proof of correctness of a separation ker- nel. How does it address the security concern? Security is part of the abstract model.

Introduction Muen Intel Virtualization Support Challenges Approach Methodology Abstract . . . Define an abstract model which captures the correct behaviour of the Concrete . . . separation kernel. init init init init Abstract To show that for every execution in = ⇒ ρ the concrete there is a corresponding init init Concrete execution in the abstract. Abstract Inductive proof by defining an = ⇒ ρ ρ ρ abstraction relation. Concrete

Introduction Muen Intel Virtualization Support Challenges Approach Muen Separation Kernel Muen Policy File Shared (in XML) Subject 1 Subject 2 Subject 3 Resources Build Muen Separation Kernel Muen Tool−chain Intel VT−x EPT Intel VT−d Processor Other normal processor features

Introduction Muen Intel Virtualization Support Challenges Approach Example Policy File

Introduction Muen Intel Virtualization Support Challenges Approach Intel VT-x Ring 3 Ring 3 (User applications) (User applications) Ring 2 Ring 2 Ring 1 Ring 1 VMX Ring 0 non−root mode Ring 0 (Operating System) (Operating System) Privilege Rings VMX root mode (VMM)

Introduction Muen Intel Virtualization Support Challenges Approach Life-cycle of a VMM

Introduction Muen Intel Virtualization Support Challenges Approach Life-cycle of a VMM How to manage states during VM-entry and VM-exit?

Introduction Muen Intel Virtualization Support Challenges Approach Virtual Machine Control Structure (VMCS)

Introduction Muen Intel Virtualization Support Challenges Approach VMCS Data Fields in VMCS can be classified as following: Guest state area - mainly register state of the guest Host state area - processor state to be loaded at VM exits VM-execution control fields - fields like external interrupt exiting, CR3 load exiting, etc. VM-entry control fields - fields which tell what to be saved during VM entry. VM-exit control fields - fields which tell what to be saved during VM exit. VM-exit information fields

Introduction Muen Intel Virtualization Support Challenges Approach Causes of VM-Exit Instructions causing unconditional exits INVD, CPUID, etc. Instructions causing conditional exits HLT, if HLT-exiting field is set Mov from CR3, if CR3-exiting field is set External interrupts if external interrupt exiting field is set. VMX preemption timer counts to zero.

Introduction Muen Intel Virtualization Support Challenges Approach Extended Page Tables

Introduction Muen Intel Virtualization Support Challenges Approach Extended Page Tables

Introduction Muen Intel Virtualization Support Challenges Approach Muen Separation Kernel Processor reset BIOS VM−exit Bootloader handler VM−exit VM−entry VM Subject Initialize Launcher running

Introduction Muen Intel Virtualization Support Challenges Approach Challenges Dealing with the mixture of assembly and Ada. Proof for a general policy Reasoning about the invariants involved

Introduction Muen Intel Virtualization Support Challenges Approach Abstract Model Our model is a state transition system. Policy also specifies number of CPUs and order of execution of subjects. Every subject runs on a standalone machine according to the schedule specified in the policy.

Introduction Muen Intel Virtualization Support Challenges Approach Abstract Model S0 S1 S2 S3 S4 S5 S6 S7 CPU 0 CPU 1 CPU 2 CPU 3 S0 S5 S7 S2 S1 S4 S6 Time S3 end of major frame S5 S0 S3 S7 S4 S1 S2 S6 end of major frame

Introduction Muen Intel Virtualization Support Challenges Approach State in the Model

Introduction Muen Intel Virtualization Support Challenges Approach Transitions in the Model Tick Local operation - memory accessed by the subjects External interrupt Events Read channel Write channel

Introduction Muen Intel Virtualization Support Challenges Approach AdaCore SPARK Tool to prove certain properties of Ada programs like satisfiability of pre- and post-conditions for a program. checking assertions at certain points in the program. absence of run-time errors like division by zero, dangling pointers. Carried out small exercise to verify virtual memory translator.

Introduction Muen Intel Virtualization Support Challenges Approach Dealing with mixture of assembly and Ada code Writing the assembly instructions as Ada functions. e.g. a 64-bit register as a 64-bit modular datatype in Ada

Introduction Muen Intel Virtualization Support Challenges Approach Conclusion Giving a machine checked proof of correctness of a separation kernel We have modelled the Muen separation kernel Focusing on correctness of initialization part of the kernel as of now. Initially working on a fixed policy