Towards High-Assurance Hypervisors Jason Franklin Joint with Anupam Datta, Sagar Chaki, Ning Qu, Arvind Seshadri.

Slides:



Advertisements
Similar presentations
虛擬化技術 Virtualization Technique
Advertisements

Trusted System Elements and Examples CS461/ECE422 Fall 2011.
CS533 Concepts of Operating Systems Class 14 Virtualization and Exokernels.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Hierarchical Cache Coherence Protocol Verification One Level at a Time through Assume Guarantee Xiaofang Chen, Yu Yang, Michael Delisi, Ganesh Gopalakrishnan.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Chapter 6 Security Kernels.
A Logic of Secure Systems and its Application to Trusted Computing Anupam Datta, Jason Franklin, Deepak Garg, and Dilsun Kaynar Carnegie Mellon University.
Software Fault Injection for Survivability Jeffrey M. Voas & Anup K. Ghosh Presented by Alison Teoh.
Background information Formal verification methods based on theorem proving techniques and model­checking –to prove the absence of errors (in the formal.
New Direction for Software Protection in Embedded Systems Department of EECS University of Michigan Feb 22, 2007 Kang G. Shin.
Jason Franklin with Sagar Chaki, Anupam Datta, Jonathan M. McCune, Arvind Seshadri, and Amit Vasudevan 1 Parametric Verification of Address Space Separation.
Scalable Parametric Verification of Secure Systems: How to Verify Reference Monitors without Worrying about Data Structure Size Jason Franklin, Sagar Chaki,
Systems with small trusted computing bases (TCBs) open possibility for automated security verification of systems Example: SecVisor - a 3kLOC security.
1 Modeling and Analysis of Networked Secure Systems with Application to Trusted Computing Jason Franklin Joint work with Deepak Garg, Dilsun Kaynar, and.
Early OS security Overview by: Greg Morrisett Cornell University, Edited (by permission) for CSUS CSc250 by Bill Mitchell.
虛擬化技術 Virtualization and Virtual Machines
CSE598C Virtual Machines and Their Applications Operating System Support for Virtual Machines Coauthored by Samuel T. King, George W. Dunlap and Peter.
Virtualization Technology Prof D M Dhamdhere CSE Department IIT Bombay Moving towards Virtualization… Department of Computer Science and Engineering, IIT.
Formal Methods 1. Software Engineering and Formal Methods  Every software engineering methodology is based on a recommended development process  proceeding.
Computer Science and Engineering Computer System Security CSE 5339/7339 Session 20 October 28, 2004.
1 UCR Firmware Attacks and Security introduction.
Disco : Running commodity operating system on scalable multiprocessor Edouard et al. Presented by Jonathan Walpole (based on a slide set from Vidhya Sivasankaran)
Kenichi Kourai (Kyushu Institute of Technology) Takuya Nagata (Kyushu Institute of Technology) A Secure Framework for Monitoring Operating Systems Using.
Secure Operating Systems Lesson B: Let’s go break something.
Xen I/O Overview. Xen is a popular open-source x86 virtual machine monitor – full-virtualization – para-virtualization para-virtualization as a more efficient.
Three fundamental concepts in computer security: Reference Monitors: An access control concept that refers to an abstract machine that mediates all accesses.
Architecture Support for OS CSCI 444/544 Operating Systems Fall 2008.
Proof Carrying Code Zhiwei Lin. Outline Proof-Carrying Code The Design and Implementation of a Certifying Compiler A Proof – Carrying Code Architecture.
Outline Basic VM Concepts Formal Definitions Virtualization Theorems
CS533 Concepts of Operating Systems Jonathan Walpole.
Computers Operating System Essentials. Operating Systems PROGRAM HARDWARE OPERATING SYSTEM.
Ihr Logo Operating Systems Internals & Design Principles Fifth Edition William Stallings Chapter 2 (Part II) Operating System Overview.
Disco: Running Commodity Operating Systems on Scalable Multiprocessors Edouard et al. Madhura S Rama.
G53SEC 1 Reference Monitors Enforcement of Access Control.
TEST-1 6. Testing & Refactoring. TEST-2 How we create classes? We think about what a class must do We focus on its implementation We write fields We write.
Page 1 Advanced Technology Center HCSS 03 – April 2003 vFaat: von Neumann Formal Analysis and Annotation Tool David Greve Dr. Matthew Wilding Rockwell.
Midterm Meeting Pete Bohman, Adam Kunk, Erik Shaw.
1 CSE451 Architectural Supports for Operating Systems Autumn 2002 Gary Kimura Lecture #2 October 2, 2002.
Improving Xen Security through Disaggregation Derek MurrayGrzegorz MilosSteven Hand.
Security Architecture and Design Chapter 4 Part 1 Pages 297 to 319.
Operating Systems Security
PRESENTER PRIYANKA GUPTA.  Testing the complete system with respect to requirements.  In System testing, the functionalities of the system are tested.
Processes and Virtual Memory
Protection of Processes Security and privacy of data is challenging currently. Protecting information – Not limited to hardware. – Depends on innovation.
Formal Verification. Background Information Formal verification methods based on theorem proving techniques and model­checking –To prove the absence of.
Program Correctness. The designer of a distributed system has the responsibility of certifying the correctness of the system before users start using.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Finding Security Vulnerabilities in a Network Protocol Using Formal Verification Methods Orna Grumberg Technion, Israel Joint work with Adi Sosnovich and.
Lecture 4 Page 1 CS 111 Online Modularity and Memory Clearly, programs must have access to memory We need abstractions that give them the required access.
Virtualization.
Virtual Machine Monitors
CSCE 548 Secure Software Development Risk-Based Security Testing
CE 454 Computer Architecture
Modularity and Memory Clearly, programs must have access to memory
OS Virtualization.
Chapter 27 Security Engineering
Towards End-to-End Security Analysis of Networked Systems
CSE 451: Operating Systems Autumn Module 24 Virtual Machine Monitors
Sai Krishna Deepak Maram, CS 6410
O/S Organization © 2004, D. J. Foreman.
Verification with Small and Short Worlds Rohit Sinha, Cynthia Sturton, Petros Maniatis, Sanjit A. Seshia, David Wagner Introduction Verification of large.
O/S Organization © 2004, D. J. Foreman.
Carmine Abate Rob Blanco Deepak Garg Cătălin Hrițcu Jérémy Thibault
Border Control: Sandboxing Accelerators
2019 2학기 고급운영체제론 ZebRAM: Comprehensive and Compatible Software Protection Against Rowhammer Attacks 3 # 단국대학교 컴퓨터학과 # 남혜민 # 발표자.
Presentation transcript:

Towards High-Assurance Hypervisors Jason Franklin Joint with Anupam Datta, Sagar Chaki, Ning Qu, Arvind Seshadri

Overview Goal: Develop techniques to reason about assurance level of secure systems Security mechanisms include: –Memory protection and cryptographic protocols Security properties include code or data integrity –Safety properties Examples: OSes, hypervisors, and VMMs

Analysis of Secure Systems Design level analysis Pros: Before implementation of possibly insecure design Cons: May miss attacks in implementation –Techniques: Logics and model checking Implementation level analysis Pros: Source code is closer to what is actually run Cons: Much more complicated –Techniques: Software model checking

Hypervisor-Protected Systems Traditional System Architecture Hardware OS App. … Hypervisor-Protected System Architecture Hardware Protected OS App. … Tiny security hypervisor provides additional layer of protection, if hypervisor is secure

Hypervisor Security Hypothesis Claim: Hypervisors are easier to secure than traditional operating systems for two reasons: –Hypervisors can be written in few lines of code They’re small. Hypervisors expose a narrow interface They’re simple. Let’s test this hypothesis…

Case Study: SecVisor Hypervisor SecVisor security hypervisor (3K loc, 2 calls) –Only approved code executes with kernel privilege Hardware State Mode = {Kernel, User} Program Counter (IP) Physical Memory Device Exclusion Vector R RW User Mode RWX Kernel Mode RX RW Memory Protection User Mem. Kernel Code Kernel Data

Outline We model and analyze SecVisor’s design Find and repair vulnerabilities Verify security of repaired design Extend verification to arbitrarily large model

How SecVisor Works Hardware State Mode = {Kernel, User} Program Counter (IP) Physical Memory Device Exclusion Vector R RW User Mode RWX Kernel Mode RX RW Memory Protection User Mem. Kernel Code Kernel Data

Modeling State in Murphi hardware_platform_t: record phy_mem : phy_mem_t; mode: bit; IP: word; DEV: dev_t; end; Hardware State Mode = {Kernel, User} Program Counter (IP) Physical Memory Device Exclusion Vector mode = K; IP = KC; State 1

Modeling Transitions in Murphi rule “Kernel Exit” hw.mode = KERNEL_MODE ==> setIP(USER_MEM); end; rule “Kernel Entry” hw.mode = USER_MODE ==> secvisor_kernel_entry(); end; mode = K; IP = KC; State 1 mode = K; IP = UM; State 2 Kernel Exit Kernel Entry

SecVisor + Environment Adv IOMMU Kernel SecVisor KPT SPT Phy. Mem. MMU DEV Data Code Key Adversary

Operational Behavior Kernel SecVisor KPT SPT Phy. Mem. MMU Write(0x00, “hello”); RW01 X10 RW00 00: 01: 10: 0x01 = VA_to_HPA(0x00) RW01 X10 RW00 00: 01: 10: Synch(KPT, SPT) Write(0x01, “hello”); “hello”

Verification Specify security property as invariant (holds in all states): –Let property P = (Mode = K  IP = KC) Verify (Model M, State S, Property P) –Check property in state S If property does not hold, then print counter-example and exit –If (more neighbors exist) – Verify (M, Neighbors(S), P) –else return VERIFIED mode = K; IP = KC; State 1 mode = K; IP = UM; State 2 Attacker Step

Results of Verification Initial verification failed: –Counterexamples identified two vulnerabilities: Writable virtual alias attack Approved page remapping attack Adv SecVisor KPTSPT Phy. Mem MMU W, A->KC Synch(KPT, SPT) Kernel Write (A, mal.code) Mal. Code

Successful Verification After adding checks in synchronization code, verification succeeded –No property violations found in small models Model SizeStatesTransitionsTimeMemoryResult 3 PTEs, 3 Mem. ~55,000~2,000, Sec.8MBSuccess 4 PTEs, 3 Mem. ~1,700,000~88,000, Mins.256MBSuccess >4PTE, >3 Mem. ????Unknown

Limitations of Small Models We ran out of memory after 3 PTEs and 3 memory pages –Memory requirements grow exponentially (state explosion) Do attacks exist when system has many more PTEs and memory pages? Murphi can’t check realistically sized machine models –E.g., 2^20 memory pages and 2^20 PTEs in both KPT and SPT Even if it could, what if attacker has 2^20 + 1?

To infinity and beyond! (sorta) We prove SecVisor is secure with an arbitrarily large but finite number of PTEs and physical memory pages Let’s look at SecVisor from different perspective Adv Kernel SecVisor KPT SPT Phy. Mem. MMU KPT PTE X, KCR, KC Process Template

Translation to Small Model Translate functional model to parameterized model –Mem. pages and PTEs become duplicated homogeneous processes Prove template model is reducible to small model KPT PTE Functional Model … X, KCR, KC Process Template X, KCR, KC Process Template X, KCR, KC Process Template Translate … Process Model X, KCR, KC Process Template Reduce to Small Model Kernel

Extending Small World Verification Small World Theorem: If security property P is violated in process model with arbitrarily large (but finite) number of processes then it will be violated in small model. –It is sufficient to model check only small model (completeness) X, KCR, KC Process Template X, KCR, KC Process Template KPT PTE X, KCR, KC Process Template Translate Functional Model Reduce to … … Process ModelSmall Model Successful Verification S. W. Thm Successful Verification Simulation Theorem Successful Verification

Automatic Small World Verification Process of small world verification: –Translation to process model is manual –Application of small world theorem is manual Inspection of every state transition –Proving simulation theorem is manual Currently automating small world verification in Murphi –Verification will return both VERIFIED and proof of S.W. theorem X, KCR, KC Process Template X, KCR, KC Process Template KPT PTE X, KCR, KC Process Template Translate Functional Model Reduce to … Process Model Small Model Successful Verification S. W. Thm Successful Verification Simulation Theorem Successful Verification

Conclusion We employed model checking to increase assurance level of SecVisor hypervisor Found and repaired vulnerabilities in SecVisor’s design and implementation Verified repaired design model up to 3 PTEs Extended verification result to large model –Using small world theorem and simulation Currently automating application of small world theorem

How is verification for security different? Limitations of related work in verification: –No adversary –Focus on checking correctness of security critical code rather than security (i.e., correctness in presence of adversary) –Correct system components do not imply secure system mode = K; IP = KC; State 1 mode = U; IP = UM; State 2 Kernel Exit Kernel Entry New State Adversary Action

References [SecVisor] Seshadri et al. “SecVisor: A Tiny Hypervisor to Provide Lifetime Kernel Code Integrity”, SOSP ’07. [TCG]

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.