Advanced Development of Certified OS Kernels DARPA CRASH Site Visit PIs: Zhong Shao & Bryan Ford (Yale University) October 5th, Friday, 2012, Room 307.

Presentation transcript:

Advanced Development of Certified OS Kernels
DARPA CRASH Site Visit. PIs: Zhong Shao & Bryan Ford (Yale University). October 5th, Friday, 2012, Room 307 Watson.

Schedule:
09:15 – 10:15 Session 1: Project overview (Zhong Shao); Kernel design & application (Bryan Ford); Kernel implementation (Liang Gu); Kernel “specification” (Haozhong Zhang)
10:15 – 10:30 Break
10:30 – 11:30 Session 2: Compositional verification & compilation (Tahina Ramananandro); Virtual memory management (Alex Vaynberg); Concurrent interrupt & thread management (Zhong Shao)
11:30 – 11:45 Break
11:45 – 12:45 Session 3: Declarative DIFC (David Costanzo); Proving lock-freedom (Jan Hoffmann); VeriML design & implementation (Jan Hoffmann)

Advanced Development of Certified OS Kernels Project Overview Zhong Shao Yale University October 5,

Team members
Zhong Shao – PI
Bryan Ford – Co-PI
Tahina Ramananandro – PostDoc
Liang Gu – PostDoc
Jan Hoffmann – PostDoc
Bandan Das – Software Engineer
David Costanzo – PhD student
Antonis Stampoulis – PhD (10/2012)
Alex Vaynberg – PhD (9/2012)
Shu-Chun Weng – PhD student
Ronghui Gu – PhD student
Jinjiang Lei – PhD student (visiting)
Michael Marmar – PhD student
Haozhong Zhang – PhD student (visiting)

System picture: application & other system SW on top of certified OS kernels, on top of a HW & Env model; formal specs & proofs for resilience, extensibility, security?
Research tasks & key innovations:
– new OS kernels that can “crash-proof” the entire system & application SW
– new prog. languages & logics for writing certified kernel plug-ins
– new formal methods for automating proofs & specs

Main challenges
OS kernel design & implementation
– how to design a kernel that can crash-proof an entire system
– clean-slate kernel vs. backward compatibility & tech-transfer path?
OS kernel certification
– a framework for certified linking of heterogeneous components
– what to prove? safety, race-freedom, correctness, lock-freedom, ……
– information flow control even under declassification (noninterference)
Languages and logics for certified programming (over C & assembly)
– Declarative IFC? what is virtualization? recursive virtualization?
– non-blocking fine-grained concurrency & concurrent thread management
– virtual memory manager & file systems & resource usages
Automation support and formal methods
– how to combine first-order provers with higher-order proof assistant?
– support for writing large-scale proofs and proof scripts

Certified “hypervisor” kernel
Problems with existing platforms (attack chain): zero-day kernel vulnerabilities (ZDKVs) & rogue driver certificates lead to rogue kernels, which lead to rogue WinCC/Step7 apps, which lead to rogue PLC firmware. Rogue PC: rogue OS & its kernel running WinCC & Step 7 and other apps, compromised via zero-day kernel vulnerabilities & fake/stolen driver certificates; Rogue PLC.
New CRASH technologies: Secure PC with IFC labels, where WinCC & Step 7, other apps and a COTS OS run over a certified kernel checked by a small mechanized proof checker; Secure PLC running certified firmware.
– A small certified “hypervisor” kernel provides a reliable ZDKV-free core to fall back on, even under attacks
– Information-Flow-Control to enforce security
– Mechanized proof certificates are unforgeable
Protecting against Stuxnet attacks!

Expected deliverables
Certified OS Kernels: clean-slate design with end-to-end guarantees on extensibility, security, and resilience. No ZDKVs.
– based on PIOS; explore different designs; not certified initially
– new releases each year; pick subset for certification; certified kernel modules
New PLs for writing certified C/assembly programs; OCAP w. certified linking; Domain-Specific Prog. Logics (DSPL).
– automated prog. verifiers based on various CAPs; need new OCAP/DSPLs
– initially done in Coq; transition to VeriML later
VeriML & Tools: new formal methods for developing, checking, and automating specs/proofs. New language for certifying meta-programs.
– based on VeriML [ICFP10]; evolve its design & impl.; scalable proof witnesses
– new releases each year

What have we done so far? (First two years of CRASH)
A clean-slate CertiKOS hypervisor kernel
– boot on stock AMD / Intel hardware
– support multiple VM guests, hypercall, device pass-through
A new compositional verification framework that extends OCAP with
– cross-abstraction linking and certified separate compilation (compatible with CompCert)
Compositional verification of virtual memory management
– paper + PhD dissertation + Coq implementation (of certified VMM modules)
New compositional program logics for certifying fine-grained concurrency
– interrupt & thread management; trace-based CSL; proving lock freedom
Declarative DIFC
– rigorous definition & proof of “non-interference” even in the presence of declassification
– new DIFC logics that work for low-level C-like languages (with mutable heaps / malloc / free)
VeriML design & implementation & programming tool
– papers + PhD dissertation + new VeriML compiler/interpreter

Kernel design & development (component diagram)
Kernel components: Hardware Abstraction Layer (Device Drivers); SMP Management; Physical Memory Allocator; Page Map; Interrupt Handle; Virtualization Abstraction; Process Management; Spinlock; Virtual Machine Management.
Per-CPU structure: Master with Master Syscall; Slave with Slave Syscall. Virtualization back-ends: VMX Primitives, SVM Primitives, Virtual Devices.

Kernel certification: compositional verification framework (diagram). A mechanized meta-logic over a formalized HW & env model hosts program logics L1 … Ln; kernel components C1 … Cn, each certified in one of those logics, are linked into CertiKOS. But this only addresses horizontal modularity!

Compositional co-development & verification & synthesis & linking (layered diagram)
Bottom: Raw Machine / HW Spec. Above it, a stack of abstraction layers: kmod1.c, compiled by CompCert to kmod1.s, implements abs-layer-1 spec; kmod2.c (CompCert, kmod2.s) implements abs-layer-2 spec; kmod3.c, kmodx.c, kmody.c, kmodz.c (each compiled by CompCert to the matching .s) implement abs-layer-x … abs-layer-z specs; … up to abs-layer-k spec (kmodk.s) and the high-level kernel spec; plus kinit.c. Properties carried through the layers: Safety (never crash), Correctness, Secure (no info leak), Liveness (resource usage).
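The per-module obligation in the layered picture above, as an added toy model (not CertiKOS code, and in Python rather than Coq): a physical-page allocator module is checked against its abstraction-layer spec through a simulation relation R, and a defective module variant shows R failing. The names kmod_palloc, kmod_pfree, spec_palloc, spec_pfree, R and NPAGES are assumptions of this example, not the project's.

```python
import random
NPAGES = 16  # constructed: tiny physical memory so traces stay small

# Low layer: raw machine memory as a list of page-in-use bits (0 = free).
def kmod_palloc(m: list) -> int:
    """Implementation (kmod_palloc.c analogue): first-fit bitmap scan, -1 if full."""
    for i, used in enumerate(m):
        if not used:
            m[i] = 1
            return i
    return -1

def kmod_palloc_buggy(m: list) -> int:
    """Defective module: hands out a page but forgets to mark it in use."""
    return next((i for i, used in enumerate(m) if not used), -1)

def kmod_pfree(m: list, p: int) -> None:
    assert 0 <= p < NPAGES and m[p] == 1, "bad page or double free"
    m[p] = 0

# Abstraction-layer spec: the same allocator as a set of free page numbers.
def spec_palloc(a: set) -> int:
    if not a:
        return -1
    p = min(a)  # spec pins down first-fit so results are comparable
    a.remove(p)
    return p

def spec_pfree(a: set, p: int) -> None:
    assert p not in a, "spec: freeing an already-free page"
    a.add(p)

def R(m: list, a: set) -> bool:
    """Simulation relation: page p is free in the spec iff its bitmap bit is clear."""
    return a == {i for i, used in enumerate(m) if not used}

def refines(palloc=kmod_palloc, steps: int = 300, seed: int = 1) -> bool:
    """Random traces: each primitive must match the spec's result and re-establish R."""
    rng, m, a = random.Random(seed), [0] * NPAGES, set(range(NPAGES))
    for _ in range(steps):
        used = [i for i, b in enumerate(m) if b]
        if used and rng.random() < 0.4:  # free a random in-use page
            p = rng.choice(used)
            kmod_pfree(m, p); spec_pfree(a, p)
        elif palloc(m) != spec_palloc(a):  # allocate on both layers
            return False
        if not R(m, a):
            return False
    return True
```

Random traces only find refinement violations; the layered framework on the slide discharges the same per-primitive obligation as a proof over all states.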
