Kernel Design for Isolation and Assurance of Physical Memory (seL4 slides, IIES08)
TRANSCRIPT
From imagination to impact
Dhammika Elkaduwe, Philip Derrin, Kevin Elphinstone
Kernel Design for Isolation and Assurance of Physical Memory
Embedded Systems
• Increasing functionality
• Increasing software complexity
  – Millions of lines of code
  – Mutually untrusted SW vendors
• Consolidate functionality
• Connectivity
  – Attacks from outside
• No longer closed systems
  – Download SW
IIES08/seL4 1
Embedded Systems
• Diverse applications
  – Real-time vs. best effort
• Tight resource budgets
• Mission/life critical applications
• Sensitive information
Reliability is paramount
IIES08/seL4 2
Small Kernel Approach
[Figure: small-kernel architecture. Hardware at the bottom; above it a small kernel (e.g. microkernel); above that a Supervisor OS, a Linux server with device drivers and legacy apps (untrusted side), and trusted services, device drivers and sensitive apps (trusted side).]
• Smaller, more trustworthy foundation
  – Hypervisor, microkernel, isolation kernel, …
• Facilitate controlled integration and isolation
  – Isolate: fault isolation, diversity
  – Integrate: performance
IIES08/seL4 3A
Small Kernel Approach
• Microkernel should:
  – Provide a sufficient API
  – Correctly realise that API
  – Adhere to the isolation/integration requirements of the system
[Figure: same architecture diagram as slide 3A.]
IIES08/seL4 3B
Issue
• Kernel consumes resources
  – Machine cycles
  – Physical memory (kernel metadata). Examples:
    – threads: thread control block
    – address space: page tables
    – bookkeeping to reclaim memory
[Figure: same architecture diagram; the microkernel now holds per-component metadata (TCBs and page tables, PT) for the untrusted and trusted components above it.]
IIES08/seL4 4
Possible Approaches
How do we manage kernel metadata?
• Cache-like behaviour [EROS, Cache Kernel, HiStar, …]
  – No predictability, limited real-time applicability
• Static allocations
  – Works for static systems
  – Dynamic systems: overcommit, or fail under heavy load
• Domain-specific kernel modifications?
[Figure: same architecture/metadata diagram as slide 4.]
IIES08/seL4 5
Modified ≠ Verified
• L4.Verified project: formally verify the implementation correctness of the kernel
• Properties: isolation, information flow, …
• Formal refinement
  – Formally connect the properties with the kernel implementation
  – Modifications invalidate the refinement
  – Verification is labour intensive: 10K C lines = 100K proof lines (1st refinement)
• Memory management is core functionality
[Figure: refinement stack. Mathematically proven properties hold of the Abstract Model; a property-preserving refinement connects the Abstract Model to the C Code, which runs on the HW.]
IIES08/seL4 6C
Approach in a nutshell
• No implicit allocations within the kernel
  – No heap, no slab allocation, etc.
• All abstractions are provided by first-class kernel objects
  – Threads: TCB object
  – Address space: page table objects
• All objects are created upon explicit user request
[Figure: seL4 microkernel hosting a supervisory OS, a trusted OS server and a legacy OS server, with a box labelled "Kernel heap".]
IIES08/seL4 7
Memory Management Model
• No implicit allocations within the kernel
• Physical memory is divided into untyped objects
• Authority conferred via capabilities
• An untyped capability is sufficient authority to allocate kernel objects
• All abstractions are provided via first-class kernel objects
• Allocate on explicit user request
• Creator gets the full authority
• Distribute capabilities to allow others access to the service
[Figure: physical memory at boot. The seL4 microkernel owns only its kernel code; the remaining memory is untyped object 1 … untyped object n, with a supervisory OS, trusted OS server and legacy OS server above.]
IIES08/seL4 8A
Memory Management Model (cont.)
• Kernel objects
  ➔ Untyped
  ➔ TCB (Thread Control Blocks)
  ➔ Capability tables (CT)
  ➔ Comm. ports
  ➔ …
[Figure: as slide 8A; untyped object 1 is now shown as TCB objects.]
IIES08/seL4 8B
Memory Management Model (cont.)
• Objects are managed by user level
[Figure: as slide 8B; untyped object 2 is now shown as page table (PT) objects.]
IIES08/seL4 8C
Memory Management Model …
• Delegate authority
  – Allow others to obtain services
  – Delegate resource management
• Memory management policy is completely in user space
• Isolation of physical memory = isolation of authority (capabilities)
• Capability dissemination is controlled by a "Take-Grant"-like protection model
[Figure: same memory layout as slide 8B.]
IIES08/seL4 8D
Memory Management Model …
• Deallocation upon explicit user request
  – Call revoke on the untyped capability
  – Memory can be reused
• Kernel tracks capability derivations
  – Recorded in the capability derivation tree (CDT)
  – Needs bookkeeping:
    ✔ doubly-linked list threaded through the capabilities
    ✔ space allocated with the capability tables
[Figure: CDT rooted at "untyped cap 1" with two TCB caps as children and a "TCB copy" derived from one of them, next to the memory layout of slide 8B.]
IIES08/seL4 9
Capability Derivation Tree
• For allocation:
  – The untyped capability must not have any CDT children
    ➔ Guarantees that there are no previously allocated objects
  – Size of the object(s) must be smaller than or equal to the untyped object
[Figure: same CDT and memory layout as slide 9.]
IIES08/seL4 10
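The allocation, derivation and revocation rules of slides 8A to 10 (untyped retype, the CDT, revoke, and the two allocation preconditions) as a runnable toy model. This is an added example, not seL4 source or its libsel4 API: the object sizes, the single global slot table and the copy-as-CDT-child rule are simplifications chosen for illustration, and the "no CDT children" precondition is the one the talk states (later seL4 releases relax it with a per-untyped free-index watermark so retypes can be incremental).

```c
/* Toy model of seL4-style untyped memory: retype, capability derivation
 * tree (CDT) and revoke. Added example, not seL4 code; sizes are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_CAPS 64

enum obj_type { UNTYPED, TCB, CNODE, ENDPOINT };

/* Toy object sizes in bytes (real sizes are architecture specific). */
static const size_t obj_size[] = { [UNTYPED] = 0, [TCB] = 512, [CNODE] = 256, [ENDPOINT] = 16 };

typedef struct {
    enum obj_type type;
    size_t base, size;   /* physical region this capability names */
    int parent;          /* CDT parent slot; -1 for a boot-time untyped */
    bool live;
} cap_t;

static cap_t caps[MAX_CAPS];   /* one global capability table (toy) */
static int ncaps;

static void reset_model(void) { ncaps = 0; }

static int new_cap(enum obj_type t, size_t base, size_t size, int parent)
{
    if (ncaps == MAX_CAPS) return -1;
    caps[ncaps] = (cap_t){ t, base, size, parent, true };
    return ncaps++;
}

/* Precondition 1 (slide 10): an untyped with live CDT children still holds
 * previously allocated objects and must not be retyped again. */
static bool has_children(int slot)
{
    for (int i = 0; i < ncaps; i++)
        if (caps[i].live && caps[i].parent == slot) return true;
    return false;
}

/* Untyped retype: carve n objects of type t out of untyped `ut`.
 * Returns the number created, or -1 when a precondition fails. The new
 * caps are CDT children of the untyped, so the memory they occupy is
 * reclaimable by revoking the untyped capability. */
static int untyped_retype(int ut, enum obj_type t, int n, int out[])
{
    if (ut < 0 || ut >= ncaps || !caps[ut].live || caps[ut].type != UNTYPED) return -1;
    if (t == UNTYPED || n <= 0 || ncaps + n > MAX_CAPS) return -1;
    if (has_children(ut)) return -1;
    /* Precondition 2 (slide 10): the objects must fit inside the untyped. */
    if ((size_t)n * obj_size[t] > caps[ut].size) return -1;
    for (int i = 0; i < n; i++)
        out[i] = new_cap(t, caps[ut].base + (size_t)i * obj_size[t], obj_size[t], ut);
    return n;
}

/* Copying a capability derives it: the copy is recorded as a CDT child of
 * the original (the "TCB copy" node on slide 9). */
static int cap_copy(int src)
{
    if (src < 0 || src >= ncaps || !caps[src].live) return -1;
    return new_cap(caps[src].type, caps[src].base, caps[src].size, src);
}

/* Revoke: delete every CDT descendant of `slot`; the slot itself survives.
 * Revoking an untyped therefore returns its entire region for reuse. */
static void cap_revoke(int slot)
{
    for (int i = 0; i < ncaps; i++)
        if (caps[i].live && caps[i].parent == slot) {
            cap_revoke(i);
            caps[i].live = false;
        }
}

/* Kernel memory in use is exactly the live objects carved from untypeds
 * (copies name the same object and are not counted): with no heap or slab,
 * nothing is allocated that a capability does not name. */
static size_t kernel_mem_in_use(void)
{
    size_t total = 0;
    for (int i = 0; i < ncaps; i++)
        if (caps[i].live && caps[i].type != UNTYPED &&
            caps[i].parent >= 0 && caps[caps[i].parent].type == UNTYPED)
            total += caps[i].size;
    return total;
}

int main(void)
{
    int tcb[2];
    int ut = new_cap(UNTYPED, 0x1000, 4096, -1);
    printf("retype 2 TCBs: %d, in use %zu bytes\n",
           untyped_retype(ut, TCB, 2, tcb), kernel_mem_in_use());
    printf("retype while children exist: %d\n", untyped_retype(ut, TCB, 1, tcb));
    cap_revoke(ut);
    printf("after revoke: children=%d, in use %zu bytes\n",
           (int)has_children(ut), kernel_mem_in_use());
    return 0;
}
```

The point the model makes concrete: the only way kernel memory is consumed is through an untyped capability a user-level component holds, and revoking that capability returns the whole region, so a supervisory OS can bound a subsystem's kernel-memory consumption by the untypeds it hands out.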
Evaluation
• Formal properties:
  – Formalised the protection model in Isabelle/HOL
  – Machine-checked, abstract model of the kernel
  – Formal, machine-checked proof that the mechanisms are sufficient for enforcing isolation
  – The proof also identifies the invariants the "supervisory OS" needs to enforce for isolation to hold
[Figure: supervisory OS running on the seL4 microkernel.]
IIES08/seL4 11A
Evaluation (cont.)
Invariants the supervisory OS must enforce:
• Cannot share modifiable page/capability tables
• Cannot share thread control blocks
• Cannot have communication channels that allow capability propagation
IIES08/seL4 11B
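The three invariants above, together with the "isolation of physical memory = isolation of authority" point of slide 8D, turned into a configuration check a supervisory OS could run before handing capabilities to two subsystems that must stay isolated. This is an added example and not part of the paper or the Isabelle/HOL proof; the object kinds and the two per-capability flags are a simplification (in seL4 a capability to a CNode or page table generally lets the holder modify it, and passing capabilities through an endpoint requires the Grant right on the sender's endpoint capability).

```c
/* Toy checker for the three isolation invariants of slide 11B. Added
 * example; object kinds and flags are simplifications, not seL4's. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum kobj { K_CNODE, K_PT, K_TCB, K_ENDPOINT };

/* Flags on a held capability: may the holder modify the object (write a
 * table), and may it pass capabilities through it (Grant)? */
enum { F_MODIFY = 1, F_GRANT = 2 };

typedef struct { int subject; int object; unsigned flags; } hold_t;

typedef struct {
    const enum kobj *kinds; int nobjs;   /* kind of each object index */
    const hold_t *holds;    int nholds;  /* who holds a cap to what */
} config_t;

/* Two distinct subjects holding caps to the same object break isolation iff
 *  - the object is a CNode or page table and either holder can modify it,
 *  - the object is a TCB (any sharing), or
 *  - the object is an endpoint and either holder can pass capabilities.
 * Returns the offending object index, or -1 if the configuration is sound. */
static int isolation_violation(const config_t *cfg)
{
    for (int i = 0; i < cfg->nholds; i++)
        for (int j = i + 1; j < cfg->nholds; j++) {
            const hold_t *a = &cfg->holds[i], *b = &cfg->holds[j];
            if (a->subject == b->subject || a->object != b->object) continue;
            unsigned both = a->flags | b->flags;
            bool bad = false;
            switch (cfg->kinds[a->object]) {
            case K_CNODE:
            case K_PT:       bad = (both & F_MODIFY) != 0; break;
            case K_TCB:      bad = true;                   break;
            case K_ENDPOINT: bad = (both & F_GRANT) != 0;  break;
            }
            if (bad) return a->object;
        }
    return -1;
}

/* Constructed sample system: subjects 0 and 1, objects 0..3 of these kinds. */
static const enum kobj kinds[] = { K_CNODE, K_PT, K_TCB, K_ENDPOINT };

/* Sound: each side owns its own tables and TCB; the shared endpoint carries no Grant. */
static int check_separated(void)
{
    static const hold_t h[] = {
        {0, 0, F_MODIFY}, {0, 2, 0}, {0, 3, 0},
        {1, 1, F_MODIFY}, {1, 3, 0},
    };
    config_t c = { kinds, 4, h, 5 };
    return isolation_violation(&c);
}

/* Violation: subject 1 also gets a modifiable cap to subject 0's CNode. */
static int check_shared_cnode(void)
{
    static const hold_t h[] = { {0, 0, F_MODIFY}, {1, 0, F_MODIFY}, {0, 3, 0}, {1, 3, 0} };
    config_t c = { kinds, 4, h, 4 };
    return isolation_violation(&c);
}

/* Read-only sharing of a table is allowed by the invariant as stated. */
static int check_readonly_table(void)
{
    static const hold_t h[] = { {0, 1, 0}, {1, 1, 0} };
    config_t c = { kinds, 4, h, 2 };
    return isolation_violation(&c);
}

/* Violation: an endpoint over which subject 0 may pass capabilities to 1. */
static int check_grant_channel(void)
{
    static const hold_t h[] = { {0, 3, F_GRANT}, {1, 3, 0} };
    config_t c = { kinds, 4, h, 2 };
    return isolation_violation(&c);
}

/* Violation: a TCB held by both subjects. */
static int check_shared_tcb(void)
{
    static const hold_t h[] = { {0, 2, 0}, {1, 2, 0} };
    config_t c = { kinds, 4, h, 2 };
    return isolation_violation(&c);
}

int main(void)
{
    printf("separated=%d shared_cnode=%d readonly_table=%d grant_channel=%d shared_tcb=%d\n",
           check_separated(), check_shared_cnode(), check_readonly_table(),
           check_grant_channel(), check_shared_tcb());
    return 0;
}
```

The check is pairwise over capability holdings, which is enough because each invariant is about one object being reachable from two subjects; it deliberately does not model transitive authority flow (what the Take-Grant analysis in the proof covers), so a Grant-capable endpoint is rejected outright rather than analysed for what could flow over it.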
Evaluation …
• Performance
  – Used paravirtualised Linux as an example
  – Compared with L4/Wombat (Linux) running LMBench
[Figure: left, Linux and drivers on the seL4 microkernel under a supervisory OS; right, Linux (Wombat) and drivers on the L4 microkernel with Iguana, proxied via Iguana.]

| Benchmark    | L4    | seL4  | Gain (%) |
|--------------|-------|-------|----------|
| fork         | 4570  | 3083  | 32.5     |
| exec         | 5022  | 3440  | 31.5     |
| shell        | 29729 | 19999 | 32.7     |
| page faults  | 34    | 18.7  | 45.4     |
| Null syscall | 3.4   | 2.9   | 11       |
| ctx          | 10.7  | 9.3   | 7.6      |

The time unit in the extracted slide reads "(s)"; given the magnitudes (a 3.4 s null system call is implausible) the original unit was almost certainly µs, with the µ symbol lost in extraction.
IIES08/seL4 12
Status
• Empirical work
  – Runs on ARM11
  – Investigate performance as a virtualisation platform
• Formal work
  – Information flow properties (example: Clark-Wilson)
  – Formal refinement work in progress
[Figure: the refinement stack (Abstract Model, C Code, HW, property-preserving refinement, mathematically proven properties) and a box labelled "Performance".]
IIES08/seL4 13
Conclusion
• No implicit allocations within the kernel
  – Users explicitly allocate kernel objects
  – No heap, slab, … (no hidden bookkeeping)
  – Authority confinement guarantees control of kernel memory
• All kernel memory management policy is outside the kernel
  – Different isolation/integration configurations
  – Supports diverse, co-existing policies
  – No modification to the kernel (it remains verified)
• Hard guarantees on kernel memory consumption
  – Facilitates formal reasoning about physical memory consumption
• Improved performance by controlled delegation
  – Similar performance in other cases
IIES08/seL4 14
Questions?
From imagination to impact