Advertisement
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel
The Muen Separation Kernel

Check these out next

Xen Hypervisor
Xen Hypervisor
Susheel Thakur
What you need to know about ceph
What you need to know about ceph
Emma Haruka Iwao
Qemu
Qemu
Koganti Ravikumar
Cloud computing hybrid architecture
Cloud computing hybrid architecture
Abhijeet Singh
What is the Citrix?
What is the Citrix?
Izaak Salman
Keystone at openstack multi sites
Keystone at openstack multi sites
Vietnam Open Infrastructure User Group
DevOps with Ansible
DevOps with Ansible
Swapnil Jain
Cloud Computing Using OpenStack
Cloud Computing Using OpenStack
Bangladesh Network Operators Group
1 of 38

The Muen Separation Kernel

Nov. 10, 2014
Download to read offline
Software

Writing large error-free software is extremely challenging or even infeasible. In order to be able to assure critical security properties it is therefore necessary to decompose the system into small security critical subjects whose correctness has to be shown and other large uncritical parts which cannot endanger security. A separation kernel can be used to assure the independent execution of multiple subjects and the enforcement of pre-defined communication channels between subjects. The correctness of the separation kernel is therefore essential for overall security. In this talk we describe the design and implementation of the Muen separation kernel which uses the SPARK language to enable light-weight formal methods for assurance. Besides a discussion of x86 virtualization, system integration, as well as present and planned verification we demonstrate how Muen enables the construction of high security systems on x86 hardware.

AdaCore
AdaCore
Advertisement
Advertisement
Advertisement

Recommended

Proxmox for DevOpsProxmox for DevOps
Proxmox for DevOpsJorge Moratilla Porras7.5K views13 slides
VirtualizationVirtualization
VirtualizationChandan Varadaraj1.1K views36 slides
Xen & virtualizationXen & virtualization
Xen & virtualizationSusheel Thakur2.7K views16 slides
Ceph with CloudStackCeph with CloudStack
Ceph with CloudStackShapeBlue697 views29 slides
AnsibleAnsible
AnsibleRahul Bajaj716 views31 slides
Cloud & GCP 101Cloud & GCP 101
Cloud & GCP 101Runcy Oommen262 views40 slides

More Related Content

Slideshows for you(20)

Xen HypervisorXen Hypervisor
Xen Hypervisor
Susheel Thakur6.4K views
What you need to know about cephWhat you need to know about ceph
What you need to know about ceph
Emma Haruka Iwao11.5K views
QemuQemu
Qemu
Koganti Ravikumar2.4K views
Cloud computing hybrid architectureCloud computing hybrid architecture
Cloud computing hybrid architecture
Abhijeet Singh1.9K views
What is the Citrix?What is the Citrix?
What is the Citrix?
Izaak Salman1.6K views
Keystone at openstack multi sitesKeystone at openstack multi sites
Keystone at openstack multi sites
Vietnam Open Infrastructure User Group482 views
DevOps with AnsibleDevOps with Ansible
DevOps with Ansible
Swapnil Jain1.7K views
Cloud Computing Using OpenStack Cloud Computing Using OpenStack
Cloud Computing Using OpenStack
Bangladesh Network Operators Group7.9K views
Chips alliance omni xtend overviewChips alliance omni xtend overview
Chips alliance omni xtend overview
RISC-V International107 views
VmwareVmware
Vmware
gotita19921.5K views
HypervisorHypervisor
Hypervisor
kalpita surve2.3K views
Accelerating with AnsibleAccelerating with Ansible
Accelerating with Ansible
Global Knowledge Training1.6K views
VMWARE ESXVMWARE ESX
VMWARE ESX
Yogeshwaran R1.2K views
News And Development Update Of The CloudStack Tungsten Fabric SDN Plug-inNews And Development Update Of The CloudStack Tungsten Fabric SDN Plug-in
News And Development Update Of The CloudStack Tungsten Fabric SDN Plug-in
ShapeBlue444 views
Issues of OpenStack multi-region modeIssues of OpenStack multi-region mode
Issues of OpenStack multi-region mode
Joe Huang8.2K views
Azure Security OverviewAzure Security Overview
Azure Security Overview
Allen Brokken1.5K views
WebAssembly FundamentalsWebAssembly Fundamentals
WebAssembly Fundamentals
Knoldus Inc.349 views
What is Virtualization and its types & Techniques.What is hypervisor and its ...What is Virtualization and its types & Techniques.What is hypervisor and its ...
What is Virtualization and its types & Techniques.What is hypervisor and its ...
Shashi soni8.7K views
Virtualization Technology OverviewVirtualization Technology Overview
Virtualization Technology Overview
OpenCity Community7.6K views
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İncelemeBilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
Bilişim Sistemlerinde Adli Bilişim Analizi ve Bilgisayar Olayları İnceleme
BGA Cyber Security32.7K views

Viewers also liked(20)

Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and Security
AdaCore5.1K views
Mixed Criticality Systems and Many-Core PlatformsMixed Criticality Systems and Many-Core Platforms
Mixed Criticality Systems and Many-Core Platforms
AdaCore4.5K views
How should we build that? Evolving a development environment that's suitable ...How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...
AdaCore3.9K views
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
AdaCore3K views
HIS 2015: Prof. Mark Little - Open Source Challenges in the EnterpriseHIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
HIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
AdaCore2.6K views
HIS Conf 2014: An Insight into MISRA-CHIS Conf 2014: An Insight into MISRA-C
HIS Conf 2014: An Insight into MISRA-C
AdaCore4.8K views
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkHIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
AdaCore2.9K views
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
AdaCore3K views
Practical Application of Agile Techniques in Developing Safety Related SystemsPractical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related Systems
AdaCore4.7K views
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
AdaCore2.8K views
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
AdaCore4.7K views
A Computer Vision Application for In Vitro Diagnostics DevicesA Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics Devices
AdaCore3.9K views
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant news
AdaCore2.5K views
An Alternative Approach to DO-178BAn Alternative Approach to DO-178B
An Alternative Approach to DO-178B
AdaCore2.3K views
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
AdaCore4.5K views
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
AdaCore2.4K views
MISRA C – Recent developments and a road map to the futureMISRA C – Recent developments and a road map to the future
MISRA C – Recent developments and a road map to the future
AdaCore2.6K views
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
AdaCore1.6K views
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
AdaCore1.1K views
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical Systems
AdaCore1.4K views
Advertisement

Similar to The Muen Separation Kernel(20)

The lies we tell our code, LinuxCon/CloudOpen 2015-08-18The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
Casey Bisson627 views
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
The Linux Foundation6.6K views
Running IBM MQ in the CloudRunning IBM MQ in the Cloud
Running IBM MQ in the Cloud
Robert Parker498 views
Cloud Foundry Platform as a Service on Vblock SystemCloud Foundry Platform as a Service on Vblock System
Cloud Foundry Platform as a Service on Vblock System
EMC1.3K views
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
Aditya K Sood4.6K views
The weather ahead: CloudsThe weather ahead: Clouds
The weather ahead: Clouds
zoopster407 views
Event driven microservices with vertx and kubernetesEvent driven microservices with vertx and kubernetes
Event driven microservices with vertx and kubernetes
Andy Moncsek1.8K views
4 implementation4 implementation
4 implementation
hanmya403 views
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
The Linux Foundation1.2K views
kata-containers-onboarding-deck.pptxkata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptx
QforQA9 views
LOAD 2014-Prezentare BitDefenderLOAD 2014-Prezentare BitDefender
LOAD 2014-Prezentare BitDefender
Silviu Cojocaru358 views
Running IBM MQ in ContainersRunning IBM MQ in Containers
Running IBM MQ in Containers
Robert Parker583 views
vProtect - enterprise-grade Nutanix backup & recoveryvProtect - enterprise-grade Nutanix backup & recovery
vProtect - enterprise-grade Nutanix backup & recovery
Pawel Maczka311 views
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
The Linux Foundation565 views
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure Sphere
Microsoft Tech Community557 views
Docker en kernel securityDocker en kernel security
Docker en kernel security
smart_bit1.2K views
Linux container & dockerLinux container & docker
Linux container & docker
ejlp121.4K views
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
EMC2.6K views
IBM MQ in containers MQTC 2017IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017
Robert Parker1.9K views
Azure Sphere - GAB 2019Azure Sphere - GAB 2019
Azure Sphere - GAB 2019
Mirco Vanini108 views

More from AdaCore(19)

RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
AdaCore152 views
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?
AdaCore29 views
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
AdaCore60 views
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic library
AdaCore36 views
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing Solutions
AdaCore78 views
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verification
AdaCore48 views
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program Proof
AdaCore22 views
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
AdaCore16 views
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configuration
AdaCore56 views
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
AdaCore2.3K views
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware Development
AdaCore359 views
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
AdaCore980 views
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
AdaCore364 views
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
AdaCore3.4K views
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
AdaCore383 views
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
AdaCore312 views
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 context
AdaCore2.5K views
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle software
AdaCore422 views
Verification and Validation of Robotic AssistantsVerification and Validation of Robotic Assistants
Verification and Validation of Robotic Assistants
AdaCore1.1K views
Advertisement

Recently uploaded(20)

We support Windows related issues.pdfWe support Windows related issues.pdf
We support Windows related issues.pdf
Tanyalucy3 views
Clinic Management System Clinic Management System
Clinic Management System
Geminate Consultancy Services2 views
Making the Shift Left - Bringing Ops to Dev before bringing applications to p...Making the Shift Left - Bringing Ops to Dev before bringing applications to p...
Making the Shift Left - Bringing Ops to Dev before bringing applications to p...
Lucas Jellema0 views
Saturn - UCSD CNS Research ReviewSaturn - UCSD CNS Research Review
Saturn - UCSD CNS Research Review
KabirNagrecha0 views
Agile Maturity AssessmentsAgile Maturity Assessments
Agile Maturity Assessments
David Hanson5 views
SQL Structure and Parts.pptxSQL Structure and Parts.pptx
SQL Structure and Parts.pptx
HafizSaifullah40 views
如何办理一份高仿德保尔大学毕业证成绩单?如何办理一份高仿德保尔大学毕业证成绩单?
如何办理一份高仿德保尔大学毕业证成绩单?
aazepp3 views
【本科生、研究生】新加坡新加坡管理大学毕业证文凭购买指南【本科生、研究生】新加坡新加坡管理大学毕业证文凭购买指南
【本科生、研究生】新加坡新加坡管理大学毕业证文凭购买指南
foxupud0 views
【本科生、研究生】加拿大乔治亚学院毕业证文凭购买指南【本科生、研究生】加拿大乔治亚学院毕业证文凭购买指南
【本科生、研究生】加拿大乔治亚学院毕业证文凭购买指南
akuufux3 views
【本科生、研究生】德国纽伦堡大学毕业证文凭购买指南【本科生、研究生】德国纽伦堡大学毕业证文凭购买指南
【本科生、研究生】德国纽伦堡大学毕业证文凭购买指南
sutseu3 views
【本科生、研究生】加拿大康考迪亚大学毕业证文凭购买指南【本科生、研究生】加拿大康考迪亚大学毕业证文凭购买指南
【本科生、研究生】加拿大康考迪亚大学毕业证文凭购买指南
akuufux0 views
【本科生、研究生】美国亨德森州立大学毕业证文凭购买指南【本科生、研究生】美国亨德森州立大学毕业证文凭购买指南
【本科生、研究生】美国亨德森州立大学毕业证文凭购买指南
sutseu4 views
【本科生、研究生】美国阿德非大学毕业证文凭购买指南【本科生、研究生】美国阿德非大学毕业证文凭购买指南
【本科生、研究生】美国阿德非大学毕业证文凭购买指南
akuufux0 views
【本科生、研究生】加拿大温尼伯技术学院毕业证文凭购买指南【本科生、研究生】加拿大温尼伯技术学院毕业证文凭购买指南
【本科生、研究生】加拿大温尼伯技术学院毕业证文凭购买指南
sutseu3 views
Stacks.pptStacks.ppt
Stacks.ppt
Waf12310 views
API.pptxAPI.pptx
API.pptx
Hasmudinraja3 views
Laravel.pptxLaravel.pptx
Laravel.pptx
KaustubhBhandari61 view
Lec-7-dns.pptxLec-7-dns.pptx
Lec-7-dns.pptx
Syed Ejaz0 views
Open Ai pptOpen Ai ppt
Open Ai ppt
Hasmudinraja3 views
Exploring Generative AI with GAN ModelsExploring Generative AI with GAN Models
Exploring Generative AI with GAN Models
KonfHubTechConferenc81 views

The Muen Separation Kernel

  1. . secunet Security Networks AG . . The Muen Separation Kernel .. Robert Dorn Reto Buerki Adrian Rueegsegger HSR University of Applied Sciences Rapperswil 23.10.2014
  2. . About secunet Germany's leading provider of IT security Security partner of the Federal Republic of Germany More than 340 employees Robert Dorn, Senior Consultant at secunet Responsible for design & development of Separation Kernel based systems www.secunet.com Page 2 23.10.2014 The Muen Separation Kernel
  3. . About HSR University of Applied Sciences with around 1500 students Located in Rapperswil, Switzerland Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications Core developers of Muen www.hsr.ch Page 3 23.10.2014 The Muen Separation Kernel
  4. . Security of Complex Software P(Program_Correct) = P (Line_Correct)SLOC Page 4 23.10.2014 The Muen Separation Kernel
  5. . Security of Complex Software 100% 10% 1% 10 1 0.1 1 10 100 1 000 10 000 100 000 P(Defective Program) kSLOC defects/kSLOC 0.1 Page 5 23.10.2014 The Muen Separation Kernel
  6. . Security of Complex Software 100% 10% 1% Assumptions (e.g.): 10% security defects, 20% exploitable 10 1 0.1 1 10 100 1 000 10 000 100 000 P (Exploitable Program) kSLOC defects/kSLOC 0.1 Page 6 23.10.2014 The Muen Separation Kernel
  7. . Secure Software Tiny size Very low defect rate Low security defect ratio Page 7 23.10.2014 The Muen Separation Kernel
  8. . Reducing Complexity of Trusted Code . trusted Page 8 23.10.2014 The Muen Separation Kernel
  9. . Reducing Complexity of Trusted Code . trusted Page 8 23.10.2014 The Muen Separation Kernel
  10. . Reducing Complexity of Trusted Code . untrusted trusted Proper Interface Page 8 23.10.2014 The Muen Separation Kernel
  11. . Reducing Complexity of Trusted Code . untrusted trusted Isolation Proper Interface Partitioning Page 8 23.10.2014 The Muen Separation Kernel
  12. . Reducing Complexity of Trusted Code . trusted Separation Kernel untrusted trusted Page 8 23.10.2014 The Muen Separation Kernel
  13. . Architecting Secure Systems . Open Network Linux Encryption Key Management Decryption Protected Network Separation Kernel ESP IKE ESP TS TS Page 9 23.10.2014 The Muen Separation Kernel
  14. . Architecting Secure Systems . Session 1 Session 2 Session 3 Session 4 UI Multiplexer Network Linux Network Page 10 23.10.2014 The Muen Separation Kernel
  15. . Low Kernel Complexity . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 11 23.10.2014 The Muen Separation Kernel
  16. . Low Kernel Complexity . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 12 23.10.2014 The Muen Separation Kernel
  17. . Static Resource Allocation . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 13 23.10.2014 The Muen Separation Kernel
  18. . Static Resource Allocation . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 14 23.10.2014 The Muen Separation Kernel
  19. . Deterministic Behaviour No long-running code paths No preemption necessary Fixed cyclic scheduling Avoidance of Covert Channels Page 15 23.10.2014 The Muen Separation Kernel
  20. . Features Multicore support Fixed cyclic scheduling PCI device passthrough using Intel VT-d Support for 64-bit native and 32/64-bit Linux Event mechanism Shared memory channels for inter-subject communication Minimal Zero-Footprint Run-Time (RTS) Full availability of source code and documentation Page 16 23.10.2014 The Muen Separation Kernel
  21. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Page 17 23.10.2014 The Muen Separation Kernel
  22. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Fixed structures Static resource allocation One kernel instance / CPU Abort on host interrupts Page 17 23.10.2014 The Muen Separation Kernel
  23. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Fixed structures Static resource allocation One kernel instance / CPU Abort on host interrupts ! Greatly simplified verification Page 17 23.10.2014 The Muen Separation Kernel
  24. . Lean verification Proof annotations are part of the language Implicit generation of VCs for integrity preservation (Absence of runtime errors) Most ARTE VCs proven automatically1 Integration of theorem provers possible when needed Speed allows proofs to be part of build process 1With current wavefront, except "properties of constant records" Page 18 23.10.2014 The Muen Separation Kernel
  25. . Modelling the System ASM Init . .. Initialize VMX Enter Subject Subject Subject Page 19 23.10.2014 The Muen Separation Kernel
  26. . Modelling the System ASM Init . .. Initialize VMX Handler VMX Enter Subject Subject Subject VMX Exit Page 19 23.10.2014 The Muen Separation Kernel
  27. . Modelling the System . Initialize VMX Handler Subject Subject Subject Page 19 23.10.2014 The Muen Separation Kernel
  28. . Modelling the System . Initialize VMX Handler Environment Initialize Environment Run Page 19 23.10.2014 The Muen Separation Kernel
  29. . Modelling the System Initial Inv. . .. Loop Inv. Initialize VMX Handler Inv. + Env. Model Environment Initialize Environment Run Page 19 23.10.2014 The Muen Separation Kernel
  30. . Future verification options Proof of complex properties Interaction with theorem provers Interface modelling (ghost state) Soundness of memory layout … Page 20 23.10.2014 The Muen Separation Kernel
  31. . Demo This presentation is given on a system running on Muen Page 21 23.10.2014 The Muen Separation Kernel
  32. . Current / Future Work Short-term Prove additional properties PCI-Configspace emulation Time Virtualization Long-term Functional correctness proofs Windows Virtualization Dynamic resource management Page 22 23.10.2014 The Muen Separation Kernel
  33. . Summary Secure software is limited in complexity Separation of untrusted components essential Muen provides a solid foundation for high assurance systems Muen is the base of complex high security solutions in development SPARK 2014 enables lean verification Formal verification can be done under commercial constraints Page 23 23.10.2014 The Muen Separation Kernel
  34. . Q & A Discussion Get Muen at http://muen.sk/ Page 24 23.10.2014 The Muen Separation Kernel
  35. . Intel Virtualization Technology VT-x is Intel's virtualization technology for the x86 platform Virtual Machine state is saved in control structure (VMCS) Introduction of VMX root and non-root modes New processor instructions (VMX) to switch modes and manage VMCS Hardware-assisted virtualization drastically reduces complexity of VMM Page 25 23.10.2014 The Muen Separation Kernel
  36. . Modelling the System . Initialize VMX Handler Exception Handler STOP ASM Init .. VMX Enter VMX Exit VMX Enter Interrupt Subject Subject Subject Page 26 23.10.2014 The Muen Separation Kernel
  37. . Example property: Correct VMCS Address Environment.Initialize; SK.Kernel.Initialize (Subject_Registers ); loop pragma Loop_Invariant (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )); Environment.Vmx_Run (Subject_Registers ); SK.Scheduler.Handle_VMX_Exit (Subject_Registers ); end loop; Page 27 23.10.2014 The Muen Separation Kernel
  38. . Example property: Correct VMCS Address procedure Handle_VMX_Exit (Subject_Registers : in out CPU_Regs_Type) with Global => [...] , Depends => [...] , Pre => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )), Post => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )), Export , Convention => C, Link_Name => "handle_vmx_exit"; Page 28 23.10.2014 The Muen Separation Kernel
Advertisement