EECS 262a Advanced Topics in Computer Systems Lecture 26 seL4 Kernel verification December 3rd, 2014 John Kubiatowicz Electrical Engineering and Computer.

Slides:



Advertisements
Similar presentations
Operating Systems Components of OS
Advertisements

An Overview Of Virtual Machine Architectures Ross Rosemark.
Threads, SMP, and Microkernels
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Microkernels How to build a dependable, modular and secure operating system?
Chapter 4 Threads, SMP, and Microkernels Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design.
Computer Systems/Operating Systems - Class 8
1/21/2008CSCI 315 Operating Systems Design1 Operating System Structures Notice: The slides for this lecture have been largely based on those accompanying.
Dawson R. Engler, M. Frans Kaashoek, and James O'Tool Jr.
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
1 Building with Assurance CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute May 10, 2004.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, Marc E. Fiuczynski,
Improving IPC by Kernel Design Jochen Liedtke Shane Matthews Portland State University.
1/28/2004CSCI 315 Operating Systems Design1 Operating System Structures & Processes Notice: The slides for this lecture have been largely based on those.
Microkernels: Mach and L4
Figure 1.1 Interaction between applications and the operating system.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Elements of Computing Systems, Nisan & Schocken, MIT Press, Chapter 6: Assembler slide 1www.idc.ac.il/tecs Assembler Elements of Computing.
IT253: Computer Organization Lecture 4: Instruction Set Architecture Tonga Institute of Higher Education.
Gary MarsdenSlide 1University of Cape Town Principles of programming language design Gary Marsden Semester 2 – 2001.
Virtualization Concepts Presented by: Mariano Diaz.
Measures to Improve Security in a Microkernel Operating System Wasim Al-Hamdani Durga Vemuri Kentucky State University Kentucky State University
Presentation of Singularity OS Seminar, winter 2005 by Jacob Munk-Stander November 23 rd, 2005.
Chapter 2: Operating-System Structures. 2.2 Silberschatz, Galvin and Gagne ©2005 Operating System Concepts – 7 th Edition, Jan 14, 2005 Operating System.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Chapter 4 Threads, SMP, and Microkernels Patricia Roy Manatee Community College, Venice, FL ©2008, Prentice Hall Operating Systems: Internals and Design.
CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.
CPRG 215 Introduction to Object-Oriented Programming with Java Module 1-Introduction to Java Topic 1.1 Basics of Java Produced by Harvey Peters, 2008 Copyright.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 2: Operating-System Structures.
Formally Verified Operating Systems SINGULARITY AND SEL4.
© Janice Regan, CMPT 300, May CMPT 300 Introduction to Operating Systems Operating Systems Overview Part 2: History (continued)
The Performance of Microkernel-Based Systems
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
CE Operating Systems Lecture 3 Overview of OS functions and structure.
Writing Systems Software in a Functional Language An Experience Report Iavor Diatchki, Thomas Hallgren, Mark Jones, Rebekah Leslie, Andrew Tolmach.
Processes Introduction to Operating Systems: Module 3.
Operating Systems Structure what is the organizational principle?
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM
1 Threads, SMP, and Microkernels Chapter Multithreading Operating system supports multiple threads of execution within a single process MS-DOS.
CS 346 – Chapter 2 OS services –OS user interface –System calls –System programs How to make an OS –Implementation –Structure –Virtual machines Commitment.
CS533 - Concepts of Operating Systems 1 The Mach System Presented by Catherine Vilhauer.
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
MK++ A High Assurance Operating System Kernel Shai Guday David Black.
1.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Lecture 2: OS Structures (Chapter 2.7)
M. Accetta, R. Baron, W. Bolosky, D. Golub, R. Rashid, A. Tevanian, and M. Young MACH: A New Kernel Foundation for UNIX Development Presenter: Wei-Lwun.
MIDORI The Windows Killer!! by- Sagar R. Yeole Under the guidance of- Prof. T. A. Chavan.
Operating-System Structures
Lecture 4 Mechanisms & Kernel for NOSs. Mechanisms for Network Operating Systems  Network operating systems provide three basic mechanisms that support.
Hardware process When the computer is powered up, it begins to execute fetch-execute cycle for the program that is stored in memory at the boot strap entry.
2.1 Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition System Programs (p73) System programs provide a convenient environment.
What is a Process ? A program in execution.
Efficient Software-Based Fault Isolation Authors: Robert Wahbe Steven Lucco Thomas E. Anderson Susan L. Graham Presenter: Gregory Netland.
CS533 Concepts of Operating Systems Jonathan Walpole.
1 Asstt. Prof Navjot Kaur Computer Dept PRESENTED BY.
Language Based Operating Systems by Sean Olson What is a virtual machine? What is managed code? Kernels. Memory and security models. What is a language.
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
1.3 Operating system services An operating system provide services to programs and to the users of the program. It provides an environment for the execution.
EECS 262a Advanced Topics in Computer Systems Lecture 26 seL4 Kernel verification April 27 th, 2016 John Kubiatowicz Electrical Engineering and Computer.
Computer System Structures
Operating System Structures
Zuse’s Plankalkül – 1945 Never implemented Problems Zuse Solved
John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
Operating System Structure
Chapter 2: System Structures
Outline Chapter 2 (cont) OS Design OS structure
System calls….. C-program->POSIX call
John Kubiatowicz (With slides from Ion Stoica and Ali Ghodsi)
John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
Presentation transcript:

EECS 262a Advanced Topics in Computer Systems Lecture 26 seL4 Kernel verification December 3rd, 2014 John Kubiatowicz Electrical Engineering and Computer Sciences University of California, Berkeley

12/3/20142cs262a-F14 Lecture-26 Today’s Paper seL4: Formal Verification of an OS Kernel, Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, Simon Winwood. Appeared in Proceedings of the ACM Symposium on Operating Systems Principles, 2009 Thoughts?

12/3/20143cs262a-F14 Lecture-26 Microkernel Structure Moves as much from the kernel into “user” space –Small core OS running at kernel level –OS Services built from many independent user-level processes –Communication between modules with message passing Benefits: –Easier to extend a microkernel –Easier to port OS to new architectures –More reliable (less code is running in kernel mode) –Fault Isolation (parts of kernel protected from other parts) –More secure Detriments: –Performance overhead severe for naïve implementation Figure ©Wikipedia Monolithic Kernel Microkernel

12/3/20144cs262a-F14 Lecture-26 L4 MicroKernel Original L4 kernel: Jochen Liedtke –Derived from L3 kernel –Developed at GMD (Germany) –Designed to have fast IPC, better memory management, Picked up in several commercial usages

12/3/20145cs262a-F14 Lecture-26 Layers of Proof Techniques Results (including follow-on results) –Functional correctness verification in Isabelle/HOL framework –Functional correctness for hand-optimized IPC –Correctness of access-control enforcement –Automatic poof of refinement between compiled binary and C implementation –Automatic static analysis of worst-case execution time for sys calls

12/3/20146cs262a-F14 Lecture-26 In a nutshell Apply automatic techniques for “proof” of correctness –Series of refinements from Abstract Specification  Executable Specification  C implementation –Utilized Isabelle/HOL theorem prover Three different implementations –Spanning “obvious to humans” and “efficient”

12/3/20147cs262a-F14 Lecture-26 Three Implementations Abstract Specification: Isabelle/HOL code –Describes what system does without saying how it is done –Written as series of assertions about what should be true Executable Specification: Haskel –Fill in details left open at abstract level –Specify how the kernel works (as opposed to what I does) –Deterministic execution (except for underlying machine) –Data structures have explicit data types –Controlled subset of Haskel The Detailed Implementation: C –Translation from C into Isabelle requires controlled subset of C99 »No address-of operator & on local (stack) variables »Only 1 function call in expressions or need proof of side-effect freedom »No function calls through pointers »No goto, switch statements with fall-through Machine model: need model of how hardware behaves

12/3/20148cs262a-F14 Lecture-26 Challenges Smaller Kernel  Increased Interdependence of components –Radical size reduction in microkernel leads to high degree of dependence of remaining components –Proof techniques still possible Design special versions of each of the languages Design multiple implementations each in different languages Huge number of invariants is moving from Abstract specification to Executable specification –Low-level memory invariants –Typing invariants –Data structure Invariants –Algorithmic Invariants

12/3/20149cs262a-F14 Lecture-26 Experience and Lessons Learnt Performance –Optimized IPC path is well performing (via micro-benchmarks) –Other performance not characterized in this paper Verification effort: extremely high! –Three phases, each with non-trivial effort –Overall size of proof (including automatically generated proofs): 200,000 lines of Isabelle script –Abstract Spec: 4 person months (4 pm) –Haskell prototype: 2 person years (2 py) –Executable spec translated from Haskel prototype: 3 pm –Initial C translation+implementation: 2pm –Cost of the proof: 20py (seL4 specific, 11py) What about future: 8py for new kernel from scratch! Cost of change –Simple or independent small features not huge, say 1 person week –Cost to add new features can be very large: up to 2py!

12/3/201410cs262a-F14 Lecture-26 Is this a good paper? What were the authors’ goals? What about the evaluation/metrics? Did they convince you that this was a good system/approach? Were there any red-flags? What mistakes did they make? Does the system/approach meet the “Test of Time” challenge? How would you review this paper today?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.