The Muen Separation Kernel

4,671 views

Published on

Writing large error-free software is extremely challenging or even infeasible. In order to be able to assure critical security properties it is therefore necessary to decompose the system into small security critical subjects whose correctness has to be shown and other large uncritical parts which cannot endanger security. A separation kernel can be used to assure the independent execution of multiple subjects and the enforcement of pre-defined communication channels between subjects. The correctness of the separation kernel is therefore essential for overall security.

In this talk we describe the design and implementation of the Muen separation kernel which uses the SPARK language to enable light-weight formal methods for assurance. Besides a discussion of x86 virtualization, system integration, as well as present and planned verification we demonstrate how Muen enables the construction of high security systems on x86 hardware.

Published in: Software
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,671
On SlideShare
0
From Embeds
0
Number of Embeds
2,531
Actions
Shares
0
Downloads
49
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

The Muen Separation Kernel

  1. 1. . secunet Security Networks AG . . The Muen Separation Kernel .. Robert Dorn Reto Buerki Adrian Rueegsegger HSR University of Applied Sciences Rapperswil 23.10.2014
  2. 2. . About secunet Germany's leading provider of IT security Security partner of the Federal Republic of Germany More than 340 employees Robert Dorn, Senior Consultant at secunet Responsible for design & development of Separation Kernel based systems www.secunet.com Page 2 23.10.2014 The Muen Separation Kernel
  3. 3. . About HSR University of Applied Sciences with around 1500 students Located in Rapperswil, Switzerland Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications Core developers of Muen www.hsr.ch Page 3 23.10.2014 The Muen Separation Kernel
  4. 4. . Security of Complex Software P(Program_Correct) = P (Line_Correct)SLOC Page 4 23.10.2014 The Muen Separation Kernel
  5. 5. . Security of Complex Software 100% 10% 1% 10 1 0.1 1 10 100 1 000 10 000 100 000 P(Defective Program) kSLOC defects/kSLOC 0.1 Page 5 23.10.2014 The Muen Separation Kernel
  6. 6. . Security of Complex Software 100% 10% 1% Assumptions (e.g.): 10% security defects, 20% exploitable 10 1 0.1 1 10 100 1 000 10 000 100 000 P (Exploitable Program) kSLOC defects/kSLOC 0.1 Page 6 23.10.2014 The Muen Separation Kernel
  7. 7. . Secure Software Tiny size Very low defect rate Low security defect ratio Page 7 23.10.2014 The Muen Separation Kernel
  8. 8. . Reducing Complexity of Trusted Code . trusted Page 8 23.10.2014 The Muen Separation Kernel
  9. 9. . Reducing Complexity of Trusted Code . trusted Page 8 23.10.2014 The Muen Separation Kernel
  10. 10. . Reducing Complexity of Trusted Code . untrusted trusted Proper Interface Page 8 23.10.2014 The Muen Separation Kernel
  11. 11. . Reducing Complexity of Trusted Code . untrusted trusted Isolation Proper Interface Partitioning Page 8 23.10.2014 The Muen Separation Kernel
  12. 12. . Reducing Complexity of Trusted Code . trusted Separation Kernel untrusted trusted Page 8 23.10.2014 The Muen Separation Kernel
  13. 13. . Architecting Secure Systems . Open Network Linux Encryption Key Management Decryption Protected Network Separation Kernel ESP IKE ESP TS TS Page 9 23.10.2014 The Muen Separation Kernel
  14. 14. . Architecting Secure Systems . Session 1 Session 2 Session 3 Session 4 UI Multiplexer Network Linux Network Page 10 23.10.2014 The Muen Separation Kernel
  15. 15. . Low Kernel Complexity . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 11 23.10.2014 The Muen Separation Kernel
  16. 16. . Low Kernel Complexity . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 12 23.10.2014 The Muen Separation Kernel
  17. 17. . Static Resource Allocation . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 13 23.10.2014 The Muen Separation Kernel
  18. 18. . Static Resource Allocation . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 14 23.10.2014 The Muen Separation Kernel
  19. 19. . Deterministic Behaviour No long-running code paths No preemption necessary Fixed cyclic scheduling Avoidance of Covert Channels Page 15 23.10.2014 The Muen Separation Kernel
  20. 20. . Features Multicore support Fixed cyclic scheduling PCI device passthrough using Intel VT-d Support for 64-bit native and 32/64-bit Linux Event mechanism Shared memory channels for inter-subject communication Minimal Zero-Footprint Run-Time (RTS) Full availability of source code and documentation Page 16 23.10.2014 The Muen Separation Kernel
  21. 21. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Page 17 23.10.2014 The Muen Separation Kernel
  22. 22. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Fixed structures Static resource allocation One kernel instance / CPU Abort on host interrupts Page 17 23.10.2014 The Muen Separation Kernel
  23. 23. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Fixed structures Static resource allocation One kernel instance / CPU Abort on host interrupts ! Greatly simplified verification Page 17 23.10.2014 The Muen Separation Kernel
  24. 24. . Lean verification Proof annotations are part of the language Implicit generation of VCs for integrity preservation (Absence of runtime errors) Most ARTE VCs proven automatically1 Integration of theorem provers possible when needed Speed allows proofs to be part of build process 1With current wavefront, except "properties of constant records" Page 18 23.10.2014 The Muen Separation Kernel
  25. 25. . Modelling the System ASM Init . .. Initialize VMX Enter Subject Subject Subject Page 19 23.10.2014 The Muen Separation Kernel
  26. 26. . Modelling the System ASM Init . .. Initialize VMX Handler VMX Enter Subject Subject Subject VMX Exit Page 19 23.10.2014 The Muen Separation Kernel
  27. 27. . Modelling the System . Initialize VMX Handler Subject Subject Subject Page 19 23.10.2014 The Muen Separation Kernel
  28. 28. . Modelling the System . Initialize VMX Handler Environment Initialize Environment Run Page 19 23.10.2014 The Muen Separation Kernel
  29. 29. . Modelling the System Initial Inv. . .. Loop Inv. Initialize VMX Handler Inv. + Env. Model Environment Initialize Environment Run Page 19 23.10.2014 The Muen Separation Kernel
  30. 30. . Future verification options Proof of complex properties Interaction with theorem provers Interface modelling (ghost state) Soundness of memory layout … Page 20 23.10.2014 The Muen Separation Kernel
  31. 31. . Demo This presentation is given on a system running on Muen Page 21 23.10.2014 The Muen Separation Kernel
  32. 32. . Current / Future Work Short-term Prove additional properties PCI-Configspace emulation Time Virtualization Long-term Functional correctness proofs Windows Virtualization Dynamic resource management Page 22 23.10.2014 The Muen Separation Kernel
  33. 33. . Summary Secure software is limited in complexity Separation of untrusted components essential Muen provides a solid foundation for high assurance systems Muen is the base of complex high security solutions in development SPARK 2014 enables lean verification Formal verification can be done under commercial constraints Page 23 23.10.2014 The Muen Separation Kernel
  34. 34. . Q & A Discussion Get Muen at http://muen.sk/ Page 24 23.10.2014 The Muen Separation Kernel
  35. 35. . Intel Virtualization Technology VT-x is Intel's virtualization technology for the x86 platform Virtual Machine state is saved in control structure (VMCS) Introduction of VMX root and non-root modes New processor instructions (VMX) to switch modes and manage VMCS Hardware-assisted virtualization drastically reduces complexity of VMM Page 25 23.10.2014 The Muen Separation Kernel
  36. 36. . Modelling the System . Initialize VMX Handler Exception Handler STOP ASM Init .. VMX Enter VMX Exit VMX Enter Interrupt Subject Subject Subject Page 26 23.10.2014 The Muen Separation Kernel
  37. 37. . Example property: Correct VMCS Address Environment.Initialize; SK.Kernel.Initialize (Subject_Registers ); loop pragma Loop_Invariant (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )); Environment.Vmx_Run (Subject_Registers ); SK.Scheduler.Handle_VMX_Exit (Subject_Registers ); end loop; Page 27 23.10.2014 The Muen Separation Kernel
  38. 38. . Example property: Correct VMCS Address procedure Handle_VMX_Exit (Subject_Registers : in out CPU_Regs_Type) with Global => [...] , Depends => [...] , Pre => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )), Post => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )), Export , Convention => C, Link_Name => "handle_vmx_exit"; Page 28 23.10.2014 The Muen Separation Kernel

×