certikos: a breakthrough toward hacker-resistant operating ... · certikos: a breakthrough toward...

CertiKOS: A Breakthrough toward Hacker-Resistant

Operating Systems

Zhong ShaoYale University

January 25, 2018

Acknowledgement: Ronghui Gu, Newman Wu, Hao Chen, Jieung Kim, Jeremie Koenig, Vilhelm Sjoberg, Mengqi Liu, Lionel Rieg, Quentin Carbonneaux, Unsung Lee, Jiyong Shin, David Costanzo, Tahina Ramananandro, Hernan Vanzetto, Shu-Chun Weng, Zefeng Zeng, Zhencao Zhang, Liang Gu, Jan Hoffmann, Joshua Lockerman, and Bryan Ford. This research is supported in part by DARPA CRASH and HACMS programs and NSF SaTC and Expeditions in Computing programs.

Computer System

Motivation

Transportation

Health

Aviation

Environment

Desktop

Mobile

Financial

Hardware

Applications

Computer System

Motivation

Accident

Environment

Mobile

Financial

Hardware

Applications

Motivation

System Software Runs Everywhere

Software errors

Untrusted No!?Test

$312B cost

Motivation

“”— Edsger Dijkstra

Program testing can be used to show the presence of bugs, but never to show their absence.

“ ”— seL4 [SOSP’09]

Complete formal verification is the only known way to guarantee that a system is free of programming errors.

Motivation

“”— NSF SFM Report[2016]

Formal methods are the only reliable way to achieve security and privacy in computer systems.

“ ”— seL4 [SOSP’09]

Complete formal verification is the only known way to guarantee that a system is free of programming errors.

Motivation

“”— NSF SFM Report[2016]

Formal methods are the only reliable way to achieve security and privacy in computer systems.

mathematically prove

under all inputsunder all execution

program meets specification

rule out entire classes of attacks

Formal Verification

Motivation

System Software Runs Everywhere

Software errors

Untrusted No!?Test

$312B cost

Challenges?

Formal Verification

seL4 [SOSP’09] C 7.5k LOC

Proof 11 py

Asm500 LOCunverified

C1.3k LOCunverified

Challenges: huge proof efforts

Challenges: Compositionality

Abstraction Gap

A Complex System

Verify

VerifyVerify

Verify

Verify Verify

A Complex System

Compiler

Verify

VerifyVerify

Verify

A Complex System

Compiler

Complete Verification

multiprocessor

I/O concurrencymulti-thread

fine-grained lock fine-grained lock

Challenges: Concurrency

1 0 1 18

Challenges: Concurrency

1 0 1 18

CPU i CPU j

fine-grained lock

Complete Verification

Challenges: New Domain

System Verification

Huge gap

Challenges: New Domain

System Verification

Huge gap

Contribution

aim to solve all these challenges

Certified Abstraction LayersCertiKOS

Contribution

Certified Abstraction Layers

1 0 1 18

CPU i CPU j

fine-grained lock

untangle

Contribution

verify existing systems

build the next generation sssssssssystem software designed to be reliable

and secure

Contribution

build the next generation sssssssssystem software certified

Contribution

System Verification

Huge gapbuild the next generation sssssssssystem software certified

Contribution

System Verification

Contribution

Certified System Software

Contribution

� M2

Contribution

� M2

CompCertX

� M2

Asm L0

M’0R’0

� M’2

L’2�

CompCertX

M’0R’0

� M’2

L’2�

Contribution

mC2 [OSDI’16]the first formally certified concurrent OS kernel with fine-grained locks6.5k C&Asm, 2 py

mCertiKOS [POPL’15]certified sequential OS kernels3k C&Asm, 1 py

Security [PLDI’16b] 0.5 py

Interrupt [PLDI’16a] 0.5 py Certified Abstraction

Layers[CCAL 2017]

Contribution

functional correctnessliveness

no stack/integer/buffer overflow

no race condition

Certified System

Software

ContributionmC2

VGA(Video)

Legend

Hardware

Driver

Kern. Module

Core 0LAPIC 0

Core 1LAPIC 1

Core 8LAPIC 8...

Memory

Ticket MCS Container

Alloc Tbl

SleepQPendQ

ELF Ldr

Trap & Syscall

Per Core

Scheduler

Thread

Cur TID PCPUPer T

k_stack

k_contextTSC

ProcessVM Monitor

Lib MemSync

CVFIFOBBQ ...

Page Map VMM

Serial

VideoConsole Buffer

Console

ContributionmC2

machine-checkable proof

C layers6.1k LOC

400 LOCCompCertX

Asm layers Asm layers�

ContributionmC2

machine-checkable proof

C layers6.1k LOC

400 LOCCompCertX

Asm layers Asm layers�

Proof AssistantACM Software System Award

Some of the significant results that were accomplished using Coq are proofs for the four color theorem, the development of CompCert (a fully verified compiler for C), the development at Harvard of a verified version of Google's software fault isolation, and most recent, the fully specified and verified hypervisor OS kernel CertiKOS.

”— ACM

Deployment

CertiKOS on Landshark, DARPA HACMS

Deployment

CertiKOS on Quadcopter

Build a Certified System

Spin-lock Module

Case Study

KeyboardDriver3

Thread Queue Module

Scheduling ModuleInter-Process Communication

Keyboard

User Application

SendCompiler

11certified objects

specification ofmodules to trust

Certified Sequential Layer [POPL’15]

11certified objects

abs-state

11certified objects

abs-state

primitives

memory

module

Certified Sequential Layer

implementation

specification

implementation

specification

implementation

Example: Thread Queue

typedef struct tcb { state s; tcb *prev, *next; } tcb;

tcb tcbp[1024];

typedef struct tdq { tcb *head, *tail; } tdq;

tdq* td_queue; C

tcbp[0] tcbp[1] tcbp[2]

implementation

tcb tcbp[1024];

tdq* td_queue; C

implementation

s0 s1 s2

tcb tcbp[1024];

tdq* td_queue; C

implementation

s0 s1 s2

head tail

tcb tcbp[1024];

tdq* td_queue; C

implementation

tcb* dequeue(tdq* q) { tcb *head, *next; tcb *i = null; if (!q) return i; head = q -> head; if (!head) return i; i = head; next = i -> next;

if (!next) { q -> head = null; q -> tail = null; } else { next -> prev = null; q -> head = next; } return i; }

s0 s1 s2

head tail

implementation

s0 s1 s2

head tail

implementation

s0 s1 s2

head tail

Definition tcbp := ZMap.t state. Definition td_queue := List Z.

specification3

specificationtcbp(0) tcbp(1) tcbp(2)

s0 s1 s2

specification

s0 s1 s2

tcbp(0) tcbp(1) tcbp(2)

td_queue

:: 0 2:: :: nil

Example: Thread Queue3

td_queue

:: 0 2:: :: nil

implementation

s0 s1 s2

head tail

s0 s1 s2

td_queue

:: 0 2:: :: nil

Function dequeue (q) := match q with | head :: q’ => (q’, Some head) | nil => (nil, None) end.

s0 s1 s2

td_queue

0 2:: :: nil

Function dequeue (q) := match q with | head :: q’ => (q’, Some head) | nil => (nil, None) end.

s0 s1 s2

executable

Program Context33

specification3

implementation

Simulation Proof

Deep SpecificationL2

Deep Specification [POPL’15]

Deep spec captures all we need to know about over

No need to look at again

Any property about can be proved using alone

kernel

seq machine

mCertiKOS

seq machine

kernelmCertiKOS

mem MM

memory management

seq machine

kernelmCertiKOS

thread

seq machine

kernelmCertiKOS

thread

certified sequential kernelMM

mCertiKOS

seq machine

mCertiKOS

thread

seq machine virt�

virt�

TrapmCertiKOS

thread

seq machine virt�

virt�VM

TrapmCertiKOS

thread

seq machine virt

certified hypervisor

mCertiKOS [POPL’15]

3k LOC1 person year

Can boot Linux as a guest

Concurrent Framework [OSDI’16]

thread

seq machine

multicore machine CPU3CPU2CPU1CPU0

certified sequential kernel

thread

seq machine

machine liftingcontribution

certifiedconcurrent layer

CPU-local machine CPU0 CPU1 CPU2 CPU3

thread

seq machine

spin-lock

contributionmachine lifting

certifiedconcurrent layer

thread

seq machine

spin-lock

CPU-local machine CPU0 CPU1 CPU2

thread-local machine

Certified Concurrent Layers

local certified objects

atomic objects

logical loga sequence of events

atomic objectsx

atomic objects

to share

fine-grained locking

Concurrent Framework

machine lifting

step 0: raw x86 multicore model

private

0.a 1.a

logical log

non-determinism

private

non-determinism

private

0 1 1 0

oracle

non-determinism

private

0 1 1 0

step 1: logical hardware scheduler

private

0.a 1.a0 1 1 0

logical log

step 2: push/pull memory model

Ehs machine with hardware scheduler

shared mem

shareCPU0

shared mem

logical copy

shareCPU0

shared mem

logical copy

shareCPU0 pull

shared mem

logical copy

shared mem

CPU1 pull

race condition

shareCPU0 pull

shared mem

logical copy

shareCPU0 pull push

shared mem

logical copy

machine with push/pull model

private

0 1 1 0

step 3: environment context model

private

1.a1 1 00E

environment context

step 4: remove unnecessary interleaving

CPU i machine CPU j machine

share privateatom pull push

shuffle

CPU-local machine CPU-local machine

0.a 1.a0 1 1 0logical log

seq machine seq machine

Machine Lifting

Spin-lock Module

Case Study

KeyboardDriver3 Thread Queue Module

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Case Study

KeyboardDriver3 Thread Queue Module

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1Spin-lock Module

Acquire Lock Specification

logical copy

safely pull

logical copy

safely pull

pull will eventually return

logical copy

mutual exclusion liveness

Example: Ticket Lock

mutual exclusion liveness+

void acq_lock (uint i) {

uint64 t = FAI_ticket (i);

while ( get_now (i) != t) { }

pull (i); }

u ll (i); }

FAI_ticket

get_now

FAIticket

u ll (i); }

FAI_ticket

FAIticket

get_now getnow

u ll (i); }

FAI_ticket

FAIticket

get_now getnow

getnow

u ll (i); }

FAI_ticket

FAIticket

get_now

getnow

u ll (i); }

FAI_ticket

FAIticket

get_now

getnow

getnow pull

liveness+

u ll (i); }

FAI_ticket

FAIticketget_now

getnow

getnow pull

unique t

#CPUs < 264

mutual exclusion

u ll (i); }

FAI_ticket

FAIticket

get_now

getnow

getnow pull}bounded

#CPUs is boundeda fair hardware schedulerlock holders will release lock

FAIticket

getnow

getnow pull

acq_lock acqlock

acq_lock

u ll (i); }

FAI_ticket

get_now < mutual exclusion will beviolated when there is an integer overflow for t

bug in the originalimplementation

Spin-lock Module

Case Study

KeyboardDriverThread Queue Module

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Case Study

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Spin-lock Module

Example: Shared Thread Queue

dequeue

local memory

dequeue

local memory

dequeue

shared memory

logicalcopy

acq lock

dequeue

shared memory

logicalcopy

acq lock

dequeue

shared memory

logicalcopy

acq lock

rel lock

dequeue

shared memory

logicalcopy

acq lock

rel lock

dequeue

shared memory

dequeue

shared memory

Spin-lock Module

Case Study

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Spin-lock Module

Case Study

Inter-Process Communication

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Scheduling Module

void yield () {

uint t = tid(); … (t, rdq());

uint s = (rdq()); … (t, s)

context_switch

Thread-Local Machine

yieldsleep wakeup

Software Scheduler

thread-local machine

[Operating SystemsPrinciples and Practice 2011]

Found hard bugs in the popularOS textbook

Spin-lock Module

Case Study

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Spin-lock Module

Case Study

Thread Queue Module

Keyboard

User Application

SendCompiler

CPU 0 CPU 1

KeyboardDriver

Security

Device Driver [PLDI16’a]

Device

0 0External events

Log 0 0 0

read/write

Raw Device ObjDriver Layers

Logical CPU

Interrupt iret0

Device Driver [PLDI16’a]

Device

0 0External events

Driver Layers

Logical CPU

Interrupt iret0

Log 0 0 0

read/write

Raw Device Obj

DriverCode

Abs-State

Abstract Device Obj

Spin-lock Module

Case Study

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

Spin-lock Module

Case Study

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

End-to-End Security [PLDI16’b]

thread

seq machine

OObservation functionspecify and prove general security policies with declassification

non-interferencefound security-bugs: spawn, palloc,…

security-preservation simulation

secure

Spin-lock Module

Case Study

Thread Queue Module

Keyboard

User Application

SendCompiler

Security

CPU 0 CPU 1

KeyboardDriver

Summary: Certified OS

CertiKOS is the first fully certified OS kernel that is done economically (< 3 person years), proves more properties, runs on concurrent HW, and is truly extensible

Still very high barriers of entry: (1) OS kernel development is very difficult(2) Formal specifications and proofs are hard to build(3) Need intimate programming language expertise to succeed• These are three completely different communities• Most people can only do one out of the above three. • The Yale team has been working on all three for >15 years

Summary: OS Landscape (Nov 2017)

Desktop: Linux, macOS, Windows, ChromeOS, freeBSD, …Hypervisor/Cloud: Linux KVM & Docker, VMWare, Xen, … Mobile: Android (Linux), iOS, …Embedded: Embedded Linux, VxWorks, QNX, LynxOS, …

• All of them are bloated, old, and contain many bugs• Urgently need new OSes for emerging platforms & apps

(IoTs, Drones, Self-Driving Cars, Cloud, NetworkOS, Blockchains, …)

OS evolution has reached an inflection point: Need a certified OS that provides security, extensibility, performance, and can work across multiple platforms.

certikos: a breakthrough toward hacker-resistant operating ... · certikos: a breakthrough toward...

Documents

breakthrough to world challenges breakthrough...

breakthrough to world challenges breakthrough...

agricultura hacker

certikos implementation progress liang gu yale university

testes de invasão serpro...

certified ethical hacker ethical hacker certified ethical...

hacker politics

cultura hacker

certikos: an extensible architecture for building certiﬁed...

certikos: an extensible architecture for building certified...

hxc1 hacker

hacker intelligence summary report – monitoring hacker...

tecnicas hacker

hacker organizations

hacker kültürü ve etik hacker - cehturkiye · “nasıl...

monitoring hacker forums - imperva, inc. · hacker...

breakthrough breakthrough - gnjumc.org

filosofía hacker

hacker araçları

martha hacker