the muen separation kernel
DESCRIPTION
Writing large error-free software is extremely challenging or even infeasible. In order to be able to assure critical security properties it is therefore necessary to decompose the system into small security critical subjects whose correctness has to be shown and other large uncritical parts which cannot endanger security. A separation kernel can be used to assure the independent execution of multiple subjects and the enforcement of pre-defined communication channels between subjects. The correctness of the separation kernel is therefore essential for overall security. In this talk we describe the design and implementation of the Muen separation kernel which uses the SPARK language to enable light-weight formal methods for assurance. Besides a discussion of x86 virtualization, system integration, as well as present and planned verification we demonstrate how Muen enables the construction of high security systems on x86 hardware.

TRANSCRIPT
The Muen Separation Kernel
Robert Dorn, Reto Buerki, Adrian Rueegsegger
HSR University of Applied Sciences Rapperswil
secunet Security Networks AG
23.10.2014

About secunet
- Germany's leading provider of IT security
- Security partner of the Federal Republic of Germany
- More than 340 employees
- Robert Dorn, Senior Consultant at secunet
- Responsible for design & development of Separation Kernel based systems
- www.secunet.com
Page 2 23.10.2014 The Muen Separation Kernel
About HSR
- University of Applied Sciences with around 1500 students
- Located in Rapperswil, Switzerland
- Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications
- Core developers of Muen
- www.hsr.ch

Security of Complex Software
$P(\mathrm{Program\_Correct}) = P(\mathrm{Line\_Correct})^{\mathrm{SLOC}}$

Security of Complex Software
[Plot: P(Defective Program), log scale from 1% to 100%, against program size in kSLOC (0.1 to 100 000), one curve each for 0.1, 1 and 10 defects/kSLOC]

Security of Complex Software
[Plot: P(Exploitable Program), log scale from 1% to 100%, against program size in kSLOC (0.1 to 100 000), one curve each for 0.1, 1 and 10 defects/kSLOC]
Assumptions (e.g.): 10% security defects, 20% exploitable

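The two plots above follow from the formula on the previous slide. As an added illustration (not code from the talk), the function below carries that formula through for the slide's defect densities and its example assumptions of 10% security defects and 20% exploitable; the program sizes are the plot's x-axis values.

```python
"""Defect and exploitability model of the slides:
P(Program_Correct) = P(Line_Correct)^SLOC, so P(defective) = 1 - P(Line_Correct)^SLOC.
Added illustration, not code from the talk; the ratios below are the slide's assumptions."""

SECURITY_DEFECT_RATIO = 0.10   # share of defects that are security defects (slide assumption)
EXPLOITABLE_RATIO = 0.20       # share of security defects that are exploitable (slide assumption)
SIZES_KSLOC = (0.1, 1, 10, 100, 1_000, 10_000, 100_000)   # x-axis of the plots


def p_defective(sloc: int, defects_per_ksloc: float) -> float:
    """Probability that a program of `sloc` lines contains at least one defect.

    P(Line_Correct) = 1 - defects_per_ksloc / 1000; every line must be correct
    for the program to be correct, hence the power of SLOC.
    """
    p_line_correct = 1.0 - defects_per_ksloc / 1000.0
    return 1.0 - p_line_correct ** sloc


def p_exploitable(sloc: int, defects_per_ksloc: float,
                  security_ratio: float = SECURITY_DEFECT_RATIO,
                  exploitable_ratio: float = EXPLOITABLE_RATIO) -> float:
    """Probability of at least one exploitable defect.

    Only the fraction security_ratio * exploitable_ratio of the defect density
    counts, i.e. 2% of all defects under the slide's assumptions.
    """
    exploitable_per_ksloc = defects_per_ksloc * security_ratio * exploitable_ratio
    return p_defective(sloc, exploitable_per_ksloc)


def curve(defects_per_ksloc: float, sizes_ksloc=SIZES_KSLOC) -> list:
    """One plot curve: (kSLOC, P(defective), P(exploitable)) per program size."""
    rows = []
    for ksloc in sizes_ksloc:
        sloc = int(round(ksloc * 1000))
        rows.append((ksloc,
                     p_defective(sloc, defects_per_ksloc),
                     p_exploitable(sloc, defects_per_ksloc)))
    return rows


if __name__ == "__main__":
    for density in (0.1, 1, 10):   # the three curves drawn on the slides
        print(f"defects/kSLOC = {density}")
        for ksloc, pd, pe in curve(density):
            print(f"  {ksloc:>9} kSLOC  P(defective)={pd:7.2%}  P(exploitable)={pe:7.2%}")
```

At 1 defect/kSLOC a 10 kSLOC program is almost certainly defective but has roughly an 18% chance of holding an exploitable defect, which is the gap between the two plots.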
Secure Software
- Tiny size
- Very low defect rate
- Low security defect ratio

Reducing Complexity of Trusted Code
[Diagram, built up over several steps: a separation kernel hosting trusted and untrusted components; a proper interface is placed between trusted and untrusted parts, and the kernel provides isolation and partitioning]

Architecting Secure Systems
[Diagram: a VPN gateway on a separation kernel between an open network (Linux) and a protected network; separate subjects for key management (IKE), encryption and decryption (ESP) and traffic selectors (TS)]

Architecting Secure Systems
[Diagram: Sessions 1 to 4 as separate subjects behind a UI multiplexer, with a network Linux subject mediating access to the network]

Low Kernel Complexity
[Diagram, built up over two steps, of typical kernel components: Init, Signaling, Scheduler, Page Tables, Caps/Perms, VT-x/VT-d, Message Passing, Schedule Planning, Memory Allocator, Device Allocator, Device Drivers, User Interface, File System, VM Monitor, Posix Interface; the second step separates the components that stay in the kernel from those that are moved out]

Static Resource Allocation
[Diagram, built up over two steps, with the same components as on the previous slide; the second step removes Message Passing, leaving Schedule Planning, Memory Allocator and Device Allocator as static, build-time activities rather than kernel functions]

Deterministic Behaviour
- No long-running code paths
- No preemption necessary
- Fixed cyclic scheduling
- Avoidance of covert channels

Features
- Multicore support
- Fixed cyclic scheduling
- PCI device passthrough using Intel VT-d
- Support for 64-bit native and 32/64-bit Linux
- Event mechanism
- Shared memory channels for inter-subject communication
- Minimal Zero-Footprint Run-Time (RTS)
- Full availability of source code and documentation

SPARK 2014 for Operating Systems
- No pointers
- No dynamic memory allocation
- No concurrency

- Fixed structures
- Static resource allocation
- One kernel instance / CPU
- Abort on host interrupts

→ Greatly simplified verification

Lean verification
- Proof annotations are part of the language
- Implicit generation of VCs for integrity preservation (absence of runtime errors)
- Most ARTE VCs proven automatically [1]
- Integration of theorem provers possible when needed
- Speed allows proofs to be part of build process

[1] With current wavefront, except "properties of constant records"

Modelling the System
[Diagram, built up over several steps, of the kernel main loop: ASM Init → Initialize → VMX Handler → VMX Enter → Subject → VMX Exit → back to the VMX Handler; Environment.Initialize and Environment.Run model the surrounding environment; the final step annotates the loop with an initial invariant, a loop invariant, and the invariant combined with the environment model]

Future verification options
- Proof of complex properties
- Interaction with theorem provers
- Interface modelling (ghost state)
- Soundness of memory layout
- …

Demo
This presentation is given on a system running on Muen

Current / Future Work
Short-term
- Prove additional properties
- PCI config space emulation
- Time virtualization

Long-term
- Functional correctness proofs
- Windows virtualization
- Dynamic resource management

Summary
- Secure software is limited in complexity
- Separation of untrusted components essential
- Muen provides a solid foundation for high assurance systems
- Muen is the base of complex high security solutions in development
- SPARK 2014 enables lean verification
- Formal verification can be done under commercial constraints

Q & A
Discussion
Get Muen at http://muen.sk/

Intel Virtualization Technology
- VT-x is Intel's virtualization technology for the x86 platform
- Virtual machine state is saved in a control structure (VMCS)
- Introduction of VMX root and non-root modes
- New processor instructions (VMX) to switch modes and manage the VMCS
- Hardware-assisted virtualization drastically reduces the complexity of the VMM

Modelling the System
[Diagram of the full kernel control flow: ASM Init → Initialize → VMX Handler → VMX Enter → Subject → VMX Exit → VMX Handler, with an Interrupt path from the subjects and an Exception Handler leading to STOP]

Example property: Correct VMCS Address

   Environment.Initialize;
   SK.Kernel.Initialize (Subject_Registers);
   loop
      pragma Loop_Invariant
        (X86_64.Prf_VMPTR =
           Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id));
      Environment.Vmx_Run (Subject_Registers);
      SK.Scheduler.Handle_VMX_Exit (Subject_Registers);
   end loop;

Example property: Correct VMCS Address

   procedure Handle_VMX_Exit (Subject_Registers : in out CPU_Regs_Type)
   with
      Global     => [...],
      Depends    => [...],
      Pre        => (X86_64.Prf_VMPTR =
                       Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id)),
      Post       => (X86_64.Prf_VMPTR =
                       Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id)),
      Export,
      Convention => C,
      Link_Name  => "handle_vmx_exit";
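The contract above and the fixed cyclic scheduling of the "Deterministic Behaviour" slide can be exercised together in an executable model. The following Python is an added illustration, not Muen's SPARK code: subjects, VMCS addresses and the major frame of minor frames are constructed sample data, and the names Policy, Prf_VMPTR and Handle_VMX_Exit are only mirrored from the slide. The `reload_vmcs_on_switch=False` variant shows the defect the Pre/Post contract rules out statically.

```python
"""Model (added, not Muen's code) of the slide's property: after every VMX exit the
VMCS pointer loaded in hardware (Prf_VMPTR) equals the policy's VMCS address for the
subject of the current minor frame. Schedule and addresses are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MinorFrame:
    subject_id: int
    ticks: int  # fixed slot length; the schedule never changes at runtime (no preemption)


# Constructed static policy; in Muen this is generated at system integration time.
VMCS_ADDRESS = {0: 0x1000, 1: 0x2000, 2: 0x3000}   # stands in for Policy.Get_VMCS_Address
MAJOR_FRAME = (MinorFrame(0, 2), MinorFrame(1, 1), MinorFrame(2, 3))   # one cycle


class InvariantViolation(AssertionError):
    """Raised where the SPARK Pre/Post contract would fail to prove."""


class Kernel:
    def __init__(self, reload_vmcs_on_switch: bool = True):
        self.minor, self.tick = 0, 0          # current minor frame and ticks used in it
        self.reload = reload_vmcs_on_switch   # False models a kernel that forgets VMPTRLD
        self.prf_vmptr = VMCS_ADDRESS[self.subject()]   # Initialize establishes the invariant

    def subject(self) -> int:
        return MAJOR_FRAME[self.minor].subject_id      # Get_Current_Minor_Frame.Subject_Id

    def check_invariant(self) -> None:
        if self.prf_vmptr != VMCS_ADDRESS[self.subject()]:
            raise InvariantViolation(
                f"VMPTR {self.prf_vmptr:#x} is not the VMCS of subject {self.subject()}")

    def handle_vmx_exit(self, reason: str) -> int:
        """Handle_VMX_Exit: Pre and Post are the same invariant; returns the next subject."""
        self.check_invariant()                                   # Pre
        if reason == "timer":                                    # one tick of the slot used
            self.tick += 1
            if self.tick == MAJOR_FRAME[self.minor].ticks:       # slot over: cyclic switch
                self.minor = (self.minor + 1) % len(MAJOR_FRAME)
                self.tick = 0
                if self.reload:
                    self.prf_vmptr = VMCS_ADDRESS[self.subject()]  # VMPTRLD for next subject
        # every other exit reason is handled without touching the schedule
        self.check_invariant()                                   # Post
        return self.subject()

    def run(self, exit_reasons) -> list:
        """Kernel main loop: the subject scheduled after each exit, in order."""
        return [self.handle_vmx_exit(r) for r in exit_reasons]
```

Because the slot lengths are fixed, the same sequence of timer exits always yields the same subject sequence, whatever the subjects do inside their slots; a missed VMCS reload is caught at the first frame switch.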