Ik-Soon Kim December 18, 2010 Embedded Software Platform Team Safe system software Ik-Soon Kim December 18, 2010 Embedded Software Platform Team

Software bugs Software bug Means an error, failure or fault in a program or system Causes a program or system to behave in unintended ways Mostly arises from mistakes and errors made by people We hope to remove software bugs automatically Based on our approach, I implemented a prototype system by modifying the Linux kernel on IA thirty two. The prototype system provides two important facilities. The first facility is to execute user programs in kernel mode. And the second facility is to invoke system calls from kernel mode. I’ll explain how I implemented these two facilities briefly.

Case 1: The European Ariane5 (June 4, 1996) Explodes 40s into its maiden flight due to a software bug Development period : about 10 years Development cost : $7 billon Cargo value : $500 million

Case 2: In the Mars Mars Rover loses contact in 1997 Mars Climate Orbiter is lost in 1999 Mars Polar Lander is lost in 1999 Mars Rover freezes in 2004

Case 3: Malaysia Airlines jetliner (August 2005) Suddenly zoomed upward and was jerked into a steep dive A defective software program had provided incorrect data about the aircraft’s speed and acceleration, confusing flight computers

Goal Guaranteeing a Linux kernel module is secure Our strategy: Checks the C programs statically Based on formal program analysis Reports the analysis results Warns of all suspicious locations If no warning messages, no bugs A warning message does not always mean a bug Inserts the guard code at reported suspicious locations Suspicious locations are checked at runtime

System software Modern operating systems support two execution modes: User mode: Most applications on OS run in user mode Some dangerous operations are forbidden in user mode Restricted, slow, but safe mode Kernel mode: OS itself and its modules run in kernel mode Any operations are permitted in kernel mode Almighty, fast, but dangerous mode OS kernel is getting bigger More functions are added to OS kernel System software tends to evolve into kernel software for speedup Network module in linux, Commercial web server in redhat

Expensive system calls System calls are slow Data copies between user and kernel spaces Context switches between user and kernel modes Interrruptions Slow ! Context switch Data Copy Program Service System call One of the problems of traditional operating systems is that system calls are slow. In traditional operating systems, user programs and an operating system kernel are totally separated by the privilege level facility of CPU. User programs are in user mode and a kernel is in kernel mode. So, to invoke system calls, we need very inefficient operations such as context switches or software interruptions. Interruption User mode Kernel mode

Executing arbitrary programs in kernel mode In kernel mode, programs can Access arbitrary memory Execute arbitrary code Dangerous ! Bad program Crash hard disk execute Attack other programs It’s very dangerous to execute arbitrary user programs in kernel mode. In kernel mode, programs can access arbitrary memory and execute arbitrary code. So, if a bad program is executed in kernel mode, it may crash our hard disk or attack other programs. Kernel mode

Eliminating the overhead of system calls Execute programs in kernel mode directly System calls become mere function calls Fast ! Program Service System call The most naïve solution for this problem is to execute user programs in kernel mode. Then we can invoke system calls very fast because system calls become merely function calls. We need neither heavy context switches nor software interruptions. But, off course, we cannot take this solution easily, because… Kernel mode

Safe ! Our goal (2/2) Safely execute programs in kernel mode Prevent illegal memory access Prevent illegal control changes Safe ! Bad program Crash hard disk execute Attack other programs So, our goal is to safely execute user programs in kernel mode. We ensure the safety by preventing illegal memory access and code execution with type system. For this goal, we use Typed Assembly Language. Kernel mode

Our goal (1/2) Our goal is to guarantee that our kernel module is secure: Memory safety Our module never reads and writes in a forbidden area Control flow safety Our module never jumps into a permitted code area We’d like to guarantee that Our module always changes the execution control within the safe area Our module always uses the memory safely in the permitted area We can’t avoid restricting something above in reality: setjmp, longjmp, computed goto, inlined assembly code

Static analyzer in 2009 (1/3) Detects buffer overrun errors and stack vulnerability in C programs Based on abstract interpretation and constraint solving: Reporting false errors Doing “sound” static analysis : Finding all existent bugs (sound) Not executing target programs for analysis (static) C programs : ANSI C + a portion of GCC GCC supports too many extensions (ex. nested functions) GCC is changing rapidly Our frontend should be rapidly updated too

Static analyzer in 2009 (2/3) i = 3 i  [3,3] if(…) i = 7 i  [7,7] Range analysis Computes the range of possible values for variables if(…) i = 3 i = 7 a[i] = 0 i  [3,3] i  [7,7] i  [3,7] true “Array subscript analysis”? poss values of Index variables

Static analyzer in 2009 (3/3) i = 3; if(...){ i  [3,3] i = 7; } Range analysis: Can eliminate unnecessary bounds checks Can detect potential out-of-bounds errors char a[12]; int i; i = 3; if(...){ i = 7; } a[i] = 0; i  [3,3] i  [7,7] i  [3,7] (in bounds)

Code rewriter Inserts guard code at suspicious locations: Analyzer can report suspicious points which can be bugs or not A module is guaranteed to be safe if no bugs are found The module can be safe or dangerous if some suspicious positions are found Insert dynamic check code at the suspicious positions Guard code can cause the runtime overhead Code rewriter tries to insert the least guard code for performance If some software is developed from scratch using a good static analyzer, code rewriter would be unnecessary

Constraint Extraction Verification Process Bug Platform Source Code Secure source code Syntax Analysis (GCC 구문 확장) Semantic Analysis (GCC 확장, 포인터 분석) Dead Code Elimination (GCC 확장) Analysis Language Constraint Extraction Constraint Solver Insert Guard code Pointer analysis Checks whether a null pointer is dereferenced Checks whether a pointer address is in safe range

Progress We are building Extending C parser Static analyzer Conforms to C99 standard Supports many GNU C extensions Static analyzer Range analysis (implemented in 2009) Pointer analysis Code rewriter Inserts dynamic check code at suspicious locations Will be expanded to support pointer analysis and extended C parser

Conclusion Safe Linux kernel modules never execute the dangerous operations Safe and efficient system software Efficient kernel mode software Speedup is achievable by running system software in kernel mode Safe system software By using formal verification, we can guarantee our system software won’t do harm to the overall system Our system software never causes the system crash