Slide 1

Advanced Development of Certified OS Kernels
DARPA CRASH Site Visit
PIs: Zhong Shao & Bryan Ford (Yale University)
Friday, October 5, 2012, Room 307 Watson

09:15 – 10:15  Session 1
  Project overview (Zhong Shao)
  Kernel design & application (Bryan Ford)
  Kernel implementation (Liang Gu)
  Kernel "specification" (Haozhong Zhang)
10:15 – 10:30  Break
10:30 – 11:30  Session 2
  Compositional verification & compilation (Tahina Ramananandro)
  Virtual memory management (Alex Vaynberg)
  Concurrent interrupt & thread management (Zhong Shao)
11:30 – 11:45  Break
11:45 – 12:45  Session 3
  Declarative DIFC (David Costanzo)
  Proving lock-freedom (Jan Hoffmann)
  VeriML design & implementation (Jan Hoffmann)
Slide 2

Advanced Development of Certified OS Kernels: Project Overview
Zhong Shao, Yale University
October 5, 2012
http://flint.cs.yale.edu/certikos
Slide 3

Team members
Zhong Shao: PI
Bryan Ford: Co-PI
Tahina Ramananandro: PostDoc
Liang Gu: PostDoc
Jan Hoffmann: PostDoc
Bandan Das: Software Engineer
David Costanzo: PhD student
Antonis Stampoulis: PhD (10/2012)
Alex Vaynberg: PhD (9/2012)
Shu-Chun Weng: PhD student
Ronghui Gu: PhD student
Jinjiang Lei: PhD student (visiting)
Michael Marmar: PhD student
Haozhong Zhang: PhD student (visiting)
Slide 4

[Figure: a certified OS kernel sits between the HW & environment model below and application & other system software above, with formal specs & proofs for resilience, extensibility, security?]

Research tasks & key innovations:
– new OS kernels that can "crash-proof" the entire system & application SW
– new programming languages & logics for writing certified kernel plug-ins
– new formal methods for automating proofs & specs
Slide 5

Main challenges

OS kernel design & implementation
– how to design a kernel that can crash-proof an entire system
– clean-slate kernel vs. backward compatibility & tech-transfer path?

OS kernel certification
– a framework for certified linking of heterogeneous components
– what to prove? safety, race-freedom, correctness, lock-freedom, ...
– information flow control even under declassification (noninterference)

Languages and logics for certified programming (over C & assembly)
– declarative IFC? what is virtualization? recursive virtualization?
– non-blocking fine-grained concurrency & concurrent thread management
– virtual memory manager & file systems & resource usages

Automation support and formal methods
– how to combine first-order provers with a higher-order proof assistant?
– support for writing large-scale proofs and proof scripts
Slide 6

Certified "hypervisor" kernel

Problems with existing platforms. The attack chain (as in Stuxnet):
zero-day kernel vulnerabilities (ZDKVs) & fake/stolen driver certificates
  → rogue kernels (rogue PC: rogue OS & its kernel, WinCC & Step 7, other apps)
  → rogue WinCC/Step 7 apps
  → rogue PLC firmware (rogue PLC)

New CRASH technologies (secure PC with IFC labels; secure PLC with certified firmware):
– a small certified "hypervisor" kernel provides a reliable ZDKV-free core to fall back on, even under attacks; the COTS OS, WinCC & Step 7, and other apps run above it
– information-flow control to enforce security
– mechanized proof certificates are unforgeable, checked by a small mechanized proof checker

Protecting against Stuxnet attacks!
Slide 7

Expected deliverables

Certified OS Kernels: clean-slate design with end-to-end guarantees on extensibility, security, and resilience. No ZDKVs.
– based on PIOS; explore different designs
– not certified initially; new releases each year
– pick a subset for certification: certified kernel modules

New PLs for writing certified C/assembly programs: OCAP with certified linking; Domain-Specific Program Logics (DSPL).
– need new OCAP/DSPLs; initially done in Coq
– automated program verifiers based on various CAPs
– transition to VeriML later

VeriML & Tools: new formal methods for developing, checking, and automating specs/proofs; new language for certifying meta-programs.
– based on VeriML [ICFP10]; evolve its design & implementation
– scalable proof witnesses
– new releases each year
Slide 8

What we have done so far (first two years of CRASH)

A clean-slate CertiKOS hypervisor kernel
– boots on stock AMD / Intel hardware
– supports multiple VM guests, hypercalls, device pass-through

A new compositional verification framework that extends OCAP with
– cross-abstraction linking and certified separate compilation (compatible with CompCert)

Compositional verification of virtual memory management
– paper + PhD dissertation + Coq implementation (of certified VMM modules)

New compositional program logics for certifying fine-grained concurrency
– interrupt & thread management; trace-based CSL; proving lock-freedom

Declarative DIFC
– rigorous definition & proof of "non-interference" even in the presence of declassification
– new DIFC logics that work for low-level C-like languages (with mutable heaps / malloc / free)

VeriML design & implementation & programming tool
– papers + PhD dissertation + new VeriML compiler/interpreter
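What the "non-interference even in the presence of declassification" item (and the noninterference challenge on slide 5) actually asks of a kernel interface, as an added example in C. This is not the project's DIFC logic or any CertiKOS code: it is a two-run check, where a toy syscall is executed twice with the same low (public) input and two different secrets, and the low-observable traces are compared. A proof in the DIFC logic covers all runs at once; this code only sweeps a small range of secrets. The syscalls (leaky_call, secure_call, pw_check_call), the policy pw_policy and the trace type are all hypothetical, and the inputs are constructed.

```c
/* Added example, not CertiKOS code. Two-run noninterference check with an
 * optional declassification policy. Names and inputs are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TRACE_MAX 16
/* Everything a low (public) observer can see from one run. */
typedef struct { int n; uint32_t out[TRACE_MAX]; } low_trace;

static void emit(low_trace *t, uint32_t v) { if (t->n < TRACE_MAX) t->out[t->n++] = v; }

typedef void (*program_t)(uint32_t low_in, uint32_t high_in, low_trace *t);
typedef uint32_t (*policy_t)(uint32_t low_in, uint32_t high_in);

static uint32_t high_sink;   /* high-labelled kernel state; the low observer never sees it */

/* Leaks: an error path taken only for some secrets shows up in the low trace. */
static void leaky_call(uint32_t low_in, uint32_t high_in, low_trace *t) {
    emit(t, low_in * 2);
    if (high_in & 1) emit(t, 0xBAD);      /* one bit of the secret escapes to L */
}

/* Secure: the secret flows only into high-labelled state. */
static void secure_call(uint32_t low_in, uint32_t high_in, low_trace *t) {
    high_sink = high_in ^ low_in;
    emit(t, low_in * 2);
}

/* Password check: deliberately releases one bit, whether guess == secret.
 * Plain noninterference rejects it; noninterference modulo pw_policy accepts it. */
static uint32_t pw_policy(uint32_t low_in, uint32_t high_in) { return low_in == high_in; }
static void pw_check_call(uint32_t low_in, uint32_t high_in, low_trace *t) {
    emit(t, pw_policy(low_in, high_in));
}

static bool traces_equal(const low_trace *a, const low_trace *b) {
    return a->n == b->n && memcmp(a->out, b->out, sizeof(uint32_t) * (size_t)a->n) == 0;
}

/* Classic noninterference on one pair of runs: same low input, two secrets,
 * the low traces must coincide. */
static bool ni_pair(program_t p, uint32_t low_in, uint32_t s1, uint32_t s2) {
    low_trace t1 = {0}, t2 = {0};
    p(low_in, s1, &t1);
    p(low_in, s2, &t2);
    return traces_equal(&t1, &t2);
}

/* Noninterference modulo a declassification policy: only secret pairs that the
 * policy maps to the same released value must be indistinguishable. */
static bool ni_pair_declass(program_t p, policy_t pol, uint32_t low_in,
                            uint32_t s1, uint32_t s2) {
    if (pol(low_in, s1) != pol(low_in, s2)) return true;   /* difference permitted by policy */
    return ni_pair(p, low_in, s1, s2);
}

/* Sweep every secret pair in [0, max_secret); return the number of violating pairs.
 * pol == NULL means plain noninterference (no declassification allowed). */
static int count_violations(program_t p, policy_t pol, uint32_t low_in, uint32_t max_secret) {
    int bad = 0;
    for (uint32_t s1 = 0; s1 < max_secret; s1++)
        for (uint32_t s2 = s1 + 1; s2 < max_secret; s2++) {
            bool ok = pol ? ni_pair_declass(p, pol, low_in, s1, s2)
                          : ni_pair(p, low_in, s1, s2);
            if (!ok) bad++;
        }
    return bad;
}

int main(void) {
    printf("leaky_call      violations: %d\n", count_violations(leaky_call, NULL, 7, 8));
    printf("secure_call     violations: %d\n", count_violations(secure_call, NULL, 7, 8));
    printf("pw_check (NI)   violations: %d\n", count_violations(pw_check_call, NULL, 3, 8));
    printf("pw_check (decl) violations: %d\n", count_violations(pw_check_call, pw_policy, 3, 8));
    printf("high_sink (not low-observable): %u\n", high_sink);
    return 0;
}
```

The point of the third and fourth lines of output is the one the slide makes: a password check necessarily violates plain noninterference, so a useful definition has to be stated relative to a declared release policy, and that is what "non-interference in the presence of declassification" means.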
Slide 9

Kernel design & development

[Figure: kernel component diagram]
Hardware Abstraction Layer (device drivers)
SMP management; spinlock
Physical memory allocator; page map
Interrupt handling
Virtualization abstraction: VMX primitives (Intel), SVM primitives (AMD), virtual devices
Process management; virtual machine management
Master and slave CPUs, each with its own syscall entry
Slide 10

Kernel certification: compositional verification framework

[Figure: abstraction layers L1 … Ln, each implemented by certified components C1 … Cn, built over a formalized HW & environment model and checked in a mechanized meta-logic; CertiKOS is assembled from these components.]

But this only addresses horizontal modularity!
Slide 11

Compositional co-development & verification & synthesis & linking

[Figure: a vertical stack of abstraction layers. At the bottom is the raw machine / HW spec. Each kernel module source kmod1.c, kmod2.c, kmod3.c, …, kmodx.c, kmody.c, kmodz.c, kmodk.c is compiled by CompCert to the corresponding kmod1.s, kmod2.s, … and certified against the abstraction-layer spec above it (abs-layer-1 spec, abs-layer-2 spec, …, abs-layer-x spec, …, abs-layer-z spec, abs-layer-k spec), up to the high-level kernel spec; kinit.c sits at the top of the stack.]

Properties established across the layers:
– Safety (never crash)
– Correctness
– Secure (no info leak)
– Liveness (resource usage)
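The layer discipline in this figure, and the "Physical Memory Allocator" box on slide 9, as an added worked example in C rather than CertiKOS or Coq code. A toy page allocator is written twice: once as the concrete module over a raw bitmap (the kmod.c side of one layer) and once as the abstract-layer spec over a set of used pages (the abs-layer spec side), with a simulation relation R between the two states. In the project the refinement is discharged as a Coq proof over all executions; here a script is executed against both layers and R and the return values are compared after every step, which demonstrates what the proof obligation says, not a proof. A second, deliberately wrong low-layer free (no in-use check) shows the obligation failing. The 64-page machine, the names (low_palloc, high_palloc, R, check_refinement) and the scripts are all hypothetical.

```c
/* Added example, not CertiKOS code. One abstraction layer, two implementations,
 * and an executable refinement check. All names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPAGES 64   /* hypothetical tiny machine: 64 physical pages */

/* ---- Low layer: concrete module over a raw bitmap (the kmod.c side) ---- */
typedef struct { uint64_t bitmap; } low_state;   /* bit i set => page i in use */

static int low_palloc(low_state *s) {
    for (int i = 0; i < NPAGES; i++)
        if (!(s->bitmap & (1ULL << i))) { s->bitmap |= (1ULL << i); return i; }
    return -1;                                   /* out of memory */
}
static bool low_pfree(low_state *s, int pg) {
    if (pg < 0 || pg >= NPAGES || !(s->bitmap & (1ULL << pg))) return false;
    s->bitmap &= ~(1ULL << pg);
    return true;
}
/* Buggy variant: accepts a free of a page that is not allocated. */
static bool low_pfree_nocheck(low_state *s, int pg) {
    if (pg < 0 || pg >= NPAGES) return false;
    s->bitmap &= ~(1ULL << pg);
    return true;
}

/* ---- High layer: abstract spec the layer above is allowed to assume ---- */
typedef struct { bool used[NPAGES]; } high_state;

static int high_palloc(high_state *s) {
    for (int i = 0; i < NPAGES; i++)
        if (!s->used[i]) { s->used[i] = true; return i; }
    return -1;
}
static bool high_pfree(high_state *s, int pg) {
    if (pg < 0 || pg >= NPAGES || !s->used[pg]) return false;
    s->used[pg] = false;
    return true;
}

/* Simulation relation R(low, high): the bitmap and the abstract set agree. */
static bool R(const low_state *l, const high_state *h) {
    for (int i = 0; i < NPAGES; i++)
        if ((int)((l->bitmap >> i) & 1) != (h->used[i] ? 1 : 0)) return false;
    return true;
}

/* One step of a test script: 'a' = allocate, 'f' = free page arg. */
typedef struct { char op; int arg; } step;

/* Run the script on both layers in lock-step. Returns the number of steps
 * executed, or -1 at the first step where the return values differ or R breaks. */
static int check_refinement(const step *script, int n, bool buggy_free) {
    low_state l = {0};
    high_state h = {{0}};
    for (int i = 0; i < n; i++) {
        if (script[i].op == 'a') {
            if (low_palloc(&l) != high_palloc(&h)) return -1;
        } else {
            bool lr = buggy_free ? low_pfree_nocheck(&l, script[i].arg)
                                 : low_pfree(&l, script[i].arg);
            if (lr != high_pfree(&h, script[i].arg)) return -1;
        }
        if (!R(&l, &h)) return -1;   /* the simulation relation must be re-established */
    }
    return n;
}

int main(void) {
    /* constructed scripts */
    const step ok[] = {{'a',0},{'a',0},{'f',0},{'a',0},{'f',5},{'f',1}};
    const step dbl[] = {{'f',0}};
    printf("correct low layer:  %d\n", check_refinement(ok, 6, false));    /* 6 */
    printf("buggy free, plain:  %d\n", check_refinement(dbl, 1, true));    /* -1 */
    return 0;
}
```

The shape is the one the slide draws: the module above this layer only ever reasons about high_state and high_palloc/high_pfree, never about the bitmap, and the whole value of the layered proof is that this substitution is sound for every execution rather than for the scripts a test happens to run.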