the muen separation kernel

.

.

..

..

The Muen Separation Kernel. Robert Dorn.

Reto Buerki.

Adrian Rueegsegger

.

Applied Sciences Rapperswil

.HSR University of

. secunet Security Networks AG.

23.10.2014

...

About secunet

Germany's leading provider of IT securitySecurity partner of the Federal Republic of GermanyMore than 340 employeesRobert Dorn, Senior Consultant at secunetResponsible for design & development of SeparationKernel based systemswww.secunet.com

23.10.2014 The Muen Separation Kernel

www.secunet.com

...

About HSR

University of Applied Sciences witharound 1500 studentsLocated in Rapperswil, SwitzerlandReto Buerki & Adrian-KenRueegsegger, researchers @Institute for Internet Technologiesand ApplicationsCore developers of Muenwww.hsr.ch


www.hsr.ch

...

Security of Complex Software

P(Program_Correct) = P (Line_Correct)SLOC


...


1%

10%

100%

0.1 1 10 100 1 000 10 000 100 000

P(D

efe

ctiv

e P

rog

ram

)

kSLOC

defects/kSLOC

0.11

10


...


1%

10%

100%

0.1 1 10 100 1 000 10 000 100 000

P (

Exp

loit

ab

le P

rog

ram

)

kSLOC

defects/kSLOC

0.11

10

Assumptions (e.g.):10% security defects,20% exploitable


...

Secure Software

Tiny sizeVery low defect rateLow security defect ratio


...

Reducing Complexity of Trusted Code

.

.

Separation

Kernel

.

trusted

..trusted

..untrusted

..

trusted

....


...


.

.

Separation

Kernel

.

trusted

..trusted

.

..untrusted

..

trusted

....

Page 8 23.10.2014 The Muen Separation Kernel

...


.

.

Separation

Kernel

.

trusted

..untrusted

..

trusted

..

Proper Interface

..


...


.

.

Separation

Kernel

.

trusted

..untrusted

..

trusted

..

Proper Interface

.

Isolation.

Partitioning


...


..

Separation

Kernel

.

trusted

..untrusted

..

trusted

....


...

Architecting Secure Systems

..OpenNetworkLinux

.

Key Management

.Encryption

.

Decryption

.

ProtectedNetwork

.

Separation Kernel

.

IKE

.

ESP

.ESP

.

TS

.TS


...

Architecting Secure Systems

..Session 1

.

Session 2

.

Session 3

.

Session 4

.

UIM

ultiplexer

.....

NetworkLinux

.

Network


...

Low Kernel Complexity

....

Init

..

Signaling

..

Scheduler

..PageTables

..Caps/Perms

..VT-xVT-d

..MessagePassing

..SchedulePlanning

..MemoryAllocator

..DeviceAllocator

..

DeviceDrivers

..

UserInterface

..

FileSystem

..

VMMonitor

..

PosixInterface


...

Low Kernel Complexity

....

Init

..

Signaling

..

Scheduler

..PageTables

..Caps/Perms

..VT-xVT-d

..MessagePassing

..SchedulePlanning

..MemoryAllocator

..DeviceAllocator

.

..

DeviceDrivers

..

UserInterface

..

FileSystem

..

VMMonitor

..

PosixInterface


...

Static Resource Allocation

....

Init

..

Signaling

..

Scheduler

..PageTables

..Caps/Perms

..VT-xVT-d

..MessagePassing

..SchedulePlanning

..MemoryAllocator

..DeviceAllocator

.

..

DeviceDrivers

..

UserInterface

..

FileSystem

..

VMMonitor

..

PosixInterface


...

Static Resource Allocation

....

Init

..

Signaling

..

Scheduler

..PageTables

..Caps/Perms

..VT-xVT-d

. ..SchedulePlanning

..MemoryAllocator

..DeviceAllocator

.

..

DeviceDrivers

..

UserInterface

..

FileSystem

..

VMMonitor

..

PosixInterface


...

Deterministic Behaviour

No long-running code pathsNo preemption necessaryFixed cyclic schedulingAvoidance of Covert Channels


...

Features

Multicore supportFixed cyclic schedulingPCI device passthrough using Intel VT-dSupport for 64-bit native and 32/64-bit LinuxEvent mechanismShared memory channels for inter-subjectcommunicationMinimal Zero-Footprint Run-Time (RTS)Full availability of source code and documentation


...

SPARK 2014 for Operating Systems

No pointersNo dynamicmemory allocationNo concurrency

Fixed structuresStatic resourceallocationOne kernel instance / CPUAbort on host interrupts

→ Greatly simplified verification


...

Lean verification

Proof annotations are part of the languageImplicit generation of VCs for integrity preservation(Absence of runtime errors)Most ARTE VCs proven automatically1

Integration of theorem provers possible when neededSpeed allows proofs to be part of build process

1With current wavefront, except "properties of constant records"


...

Modelling the System

..Initialize

.

VMX Handler

.ASM Init .

VMX Enter

.

Subject

.

Subject

.

Subject

..

EnvironmentRun

.EnvironmentInitialize


...


..Initialize

.

VMX Handler

.ASM Init .

VMX Enter

.

Subject

.

Subject

.

Subject

.

VMX Exit

.

EnvironmentRun



...


..Initialize

.

VMX Handler

...

Subject

.

Subject

.

Subject

.

.

EnvironmentRun



...


..Initialize

.

VMX Handler

...

Subject

.

Subject

.

Subject

.

....

EnvironmentRun



...


..Initialize

.

VMX Handler

...

Subject

.

Subject

.

Subject

.

.Initial Inv. .

Loop Inv.

.

Inv. + Env. Model

.

EnvironmentRun



...

Future verification options

Proof of complex propertiesInteraction with theorem proversInterface modelling (ghost state)Soundness of memory layout…


...

Demo

This presentation is given on a system running onMuen


...

Current / Future Work

Short-termProve additional propertiesPCI-Configspace emulationTime Virtualization

Long-termFunctional correctness proofsWindows VirtualizationDynamic resource management


...

Summary

Secure software is limited in complexitySeparation of untrusted components essential

Muen provides a solid foundation for high assurancesystemsMuen is the base of complex high security solutionsin development

SPARK 2014 enables lean verificationFormal verification can be done under commercialconstraints


...

Q & A

Discussion

Get Muen at

http://muen.sk/


http://muen.sk/

...

Intel Virtualization Technology

VT-x is Intel's virtualization technology for the x86platformVirtual Machine state is saved in control structure(VMCS)Introduction of VMX root and non-root modesNew processor instructions (VMX) to switch modesand manage VMCSHardware-assisted virtualization drastically reducescomplexity of VMM


...


..Initialize

.

VMX Handler

.

Exception Handler

.

STOP

.ASM Init .

VMX Enter

.

VMX Exit

.

VMX Enter

.

Interrupt

.

Subject

.

Subject

.

Subject


...

Example property: Correct VMCS Address

Environment.Initialize;SK.Kernel.Initialize (Subject_Registers);loop

pragma Loop_Invariant(X86_64.Prf_VMPTR =

Policy.Get_VMCS_Address(Get_Current_Minor_Frame.Subject_Id));

Environment.Vmx_Run (Subject_Registers);

SK.Scheduler.Handle_VMX_Exit(Subject_Registers);

end loop;


...

Example property: Correct VMCS Address

procedure Handle_VMX_Exit(Subject_Registers : in out CPU_Regs_Type)

withGlobal => [...],Depends => [...],Pre => (X86_64.Prf_VMPTR =

Policy.Get_VMCS_Address(Get_Current_Minor_Frame.Subject_Id)),

Post => (X86_64.Prf_VMPTR =Policy.Get_VMCS_Address

(Get_Current_Minor_Frame.Subject_Id)),Export , Convention => C,Link_Name => "handle_vmx_exit";


the muen separation kernel

Software

muen separation kernel

low kernel complexity

complexity of trusted

security defects

secunet security networks

architecting secure

intel vtdsupport

systemasm init