SlideShare a Scribd company logo
1 of 38
Download to read offline
. 
secunet Security Networks AG 
. 
. 
The Muen Separation Kernel 
.. Robert Dorn 
Reto Buerki 
Adrian Rueegsegger 
HSR University of 
Applied Sciences Rapperswil 
23.10.2014
. 
About secunet 
Germany's leading provider of IT security 
Security partner of the Federal Republic of Germany 
More than 340 employees 
Robert Dorn, Senior Consultant at secunet 
Responsible for design & development of Separation 
Kernel based systems 
www.secunet.com 
Page 2 23.10.2014 The Muen Separation Kernel
. 
About HSR 
University of Applied Sciences with 
around 1500 students 
Located in Rapperswil, Switzerland 
Reto Buerki & Adrian-Ken 
Rueegsegger, researchers @ 
Institute for Internet Technologies 
and Applications 
Core developers of Muen 
www.hsr.ch 
Page 3 23.10.2014 The Muen Separation Kernel
. 
Security of Complex Software 
P(Program_Correct) = P (Line_Correct)SLOC 
Page 4 23.10.2014 The Muen Separation Kernel
. 
Security of Complex Software 
100% 
10% 
1% 
10 
1 
0.1 1 10 100 1 000 10 000 100 000 
P(Defective Program) 
kSLOC 
defects/kSLOC 
0.1 
Page 5 23.10.2014 The Muen Separation Kernel
. 
Security of Complex Software 
100% 
10% 
1% 
Assumptions (e.g.): 
10% security defects, 
20% exploitable 
10 
1 
0.1 1 10 100 1 000 10 000 100 000 
P (Exploitable Program) 
kSLOC 
defects/kSLOC 
0.1 
Page 6 23.10.2014 The Muen Separation Kernel
. 
Secure Software 
Tiny size 
Very low defect rate 
Low security defect ratio 
Page 7 23.10.2014 The Muen Separation Kernel
. 
Reducing Complexity of Trusted Code 
. 
trusted 
Page 8 23.10.2014 The Muen Separation Kernel
. 
Reducing Complexity of Trusted Code 
. 
trusted 
Page 8 23.10.2014 The Muen Separation Kernel
. 
Reducing Complexity of Trusted Code 
. 
untrusted 
trusted 
Proper Interface 
Page 8 23.10.2014 The Muen Separation Kernel
. 
Reducing Complexity of Trusted Code 
. 
untrusted 
trusted 
Isolation 
Proper Interface 
Partitioning 
Page 8 23.10.2014 The Muen Separation Kernel
. 
Reducing Complexity of Trusted Code 
. 
trusted 
Separation Kernel 
untrusted 
trusted 
Page 8 23.10.2014 The Muen Separation Kernel
. 
Architecting Secure Systems 
. 
Open Network Linux 
Encryption 
Key Management 
Decryption 
Protected Network 
Separation Kernel 
ESP 
IKE 
ESP 
TS 
TS 
Page 9 23.10.2014 The Muen Separation Kernel
. 
Architecting Secure Systems 
. 
Session 1 
Session 2 
Session 3 
Session 4 
UI Multiplexer 
Network Linux 
Network 
Page 10 23.10.2014 The Muen Separation Kernel
. 
Low Kernel Complexity 
. . 
. 
. 
Init 
Signaling 
Scheduler 
. 
Page 
Tables 
. 
Caps/ 
Perms 
. 
VT-x 
VT-d 
. 
Message 
Passing 
. 
Schedule 
Planning 
. 
Memory 
Allocator 
. 
Device 
Allocator 
. 
Device 
Drivers 
. 
User 
Interface 
. 
File 
System 
. 
VM 
Monitor 
. 
Posix 
Interface 
Page 11 23.10.2014 The Muen Separation Kernel
. 
Low Kernel Complexity 
. . 
. 
. 
Init 
Signaling 
Scheduler 
. 
Page 
Tables 
. 
Caps/ 
Perms 
. 
VT-x 
VT-d 
. 
Message 
Passing 
. 
Schedule 
Planning 
. 
Memory 
Allocator 
. 
Device 
Allocator 
. 
Device 
Drivers 
. 
User 
Interface 
. 
File 
System 
. 
VM 
Monitor 
. 
Posix 
Interface 
Page 12 23.10.2014 The Muen Separation Kernel
. 
Static Resource Allocation 
. . 
. 
. 
Init 
Signaling 
Scheduler 
. 
Page 
Tables 
. 
Caps/ 
Perms 
. 
VT-x 
VT-d 
. 
Message 
Passing 
. 
Schedule 
Planning 
. 
Memory 
Allocator 
. 
Device 
Allocator 
. 
Device 
Drivers 
. 
User 
Interface 
. 
File 
System 
. 
VM 
Monitor 
. 
Posix 
Interface 
Page 13 23.10.2014 The Muen Separation Kernel
. 
Static Resource Allocation 
. . 
. 
. 
Init 
Signaling 
Scheduler 
. 
Page 
Tables 
. 
Caps/ 
Perms 
. 
VT-x 
VT-d 
. . 
Schedule 
Planning 
. 
Memory 
Allocator 
. 
Device 
Allocator 
. 
Device 
Drivers 
. 
User 
Interface 
. 
File 
System 
. 
VM 
Monitor 
. 
Posix 
Interface 
Page 14 23.10.2014 The Muen Separation Kernel
. 
Deterministic Behaviour 
No long-running code paths 
No preemption necessary 
Fixed cyclic scheduling 
Avoidance of Covert Channels 
Page 15 23.10.2014 The Muen Separation Kernel
. 
Features 
Multicore support 
Fixed cyclic scheduling 
PCI device passthrough using Intel VT-d 
Support for 64-bit native and 32/64-bit Linux 
Event mechanism 
Shared memory channels for inter-subject 
communication 
Minimal Zero-Footprint Run-Time (RTS) 
Full availability of source code and documentation 
Page 16 23.10.2014 The Muen Separation Kernel
. 
SPARK 2014 for Operating Systems 
No pointers 
No dynamic 
memory allocation 
No concurrency 
Page 17 23.10.2014 The Muen Separation Kernel
. 
SPARK 2014 for Operating Systems 
No pointers 
No dynamic 
memory allocation 
No concurrency 
Fixed structures 
Static resource 
allocation 
One kernel instance / CPU 
Abort on host interrupts 
Page 17 23.10.2014 The Muen Separation Kernel
. 
SPARK 2014 for Operating Systems 
No pointers 
No dynamic 
memory allocation 
No concurrency 
Fixed structures 
Static resource 
allocation 
One kernel instance / CPU 
Abort on host interrupts 
! Greatly simplified verification 
Page 17 23.10.2014 The Muen Separation Kernel
. 
Lean verification 
Proof annotations are part of the language 
Implicit generation of VCs for integrity preservation 
(Absence of runtime errors) 
Most ARTE VCs proven automatically1 
Integration of theorem provers possible when needed 
Speed allows proofs to be part of build process 
1With current wavefront, except "properties of constant records" 
Page 18 23.10.2014 The Muen Separation Kernel
. 
Modelling the System 
ASM Init . 
.. 
Initialize 
VMX Enter 
Subject 
Subject 
Subject 
Page 19 23.10.2014 The Muen Separation Kernel
. 
Modelling the System 
ASM Init . 
.. 
Initialize 
VMX Handler 
VMX Enter 
Subject 
Subject 
Subject 
VMX Exit 
Page 19 23.10.2014 The Muen Separation Kernel
. 
Modelling the System 
. 
Initialize 
VMX Handler 
Subject 
Subject 
Subject 
Page 19 23.10.2014 The Muen Separation Kernel
. 
Modelling the System 
. 
Initialize 
VMX Handler 
Environment 
Initialize 
Environment 
Run 
Page 19 23.10.2014 The Muen Separation Kernel
. 
Modelling the System 
Initial Inv. . 
.. 
Loop Inv. 
Initialize 
VMX Handler 
Inv. + Env. Model 
Environment 
Initialize 
Environment 
Run 
Page 19 23.10.2014 The Muen Separation Kernel
. 
Future verification options 
Proof of complex properties 
Interaction with theorem provers 
Interface modelling (ghost state) 
Soundness of memory layout 
… 
Page 20 23.10.2014 The Muen Separation Kernel
. 
Demo 
This presentation is given on a system running on 
Muen 
Page 21 23.10.2014 The Muen Separation Kernel
. 
Current / Future Work 
Short-term 
Prove additional properties 
PCI-Configspace emulation 
Time Virtualization 
Long-term 
Functional correctness proofs 
Windows Virtualization 
Dynamic resource management 
Page 22 23.10.2014 The Muen Separation Kernel
. 
Summary 
Secure software is limited in complexity 
Separation of untrusted components essential 
Muen provides a solid foundation for high assurance 
systems 
Muen is the base of complex high security solutions 
in development 
SPARK 2014 enables lean verification 
Formal verification can be done under commercial 
constraints 
Page 23 23.10.2014 The Muen Separation Kernel
. 
Q & A 
Discussion 
Get Muen at 
http://muen.sk/ 
Page 24 23.10.2014 The Muen Separation Kernel
. 
Intel Virtualization Technology 
VT-x is Intel's virtualization technology for the x86 
platform 
Virtual Machine state is saved in control structure 
(VMCS) 
Introduction of VMX root and non-root modes 
New processor instructions (VMX) to switch modes 
and manage VMCS 
Hardware-assisted virtualization drastically reduces 
complexity of VMM 
Page 25 23.10.2014 The Muen Separation Kernel
. 
Modelling the System 
. 
Initialize 
VMX Handler 
Exception Handler 
STOP 
ASM Init .. 
VMX Enter 
VMX Exit 
VMX Enter 
Interrupt 
Subject 
Subject 
Subject 
Page 26 23.10.2014 The Muen Separation Kernel
. 
Example property: Correct VMCS Address 
Environment.Initialize; 
SK.Kernel.Initialize (Subject_Registers ); 
loop 
pragma Loop_Invariant 
(X86_64.Prf_VMPTR = 
Policy.Get_VMCS_Address 
(Get_Current_Minor_Frame.Subject_Id )); 
Environment.Vmx_Run (Subject_Registers ); 
SK.Scheduler.Handle_VMX_Exit 
(Subject_Registers ); 
end loop; 
Page 27 23.10.2014 The Muen Separation Kernel
. 
Example property: Correct VMCS Address 
procedure Handle_VMX_Exit 
(Subject_Registers : in out CPU_Regs_Type) 
with 
Global => [...] , 
Depends => [...] , 
Pre => (X86_64.Prf_VMPTR = 
Policy.Get_VMCS_Address 
(Get_Current_Minor_Frame.Subject_Id )), 
Post => (X86_64.Prf_VMPTR = 
Policy.Get_VMCS_Address 
(Get_Current_Minor_Frame.Subject_Id )), 
Export , Convention => C, 
Link_Name => "handle_vmx_exit"; 
Page 28 23.10.2014 The Muen Separation Kernel

More Related Content

What's hot

SIGGRAPH Asia 2008 Modern OpenGL
SIGGRAPH Asia 2008 Modern OpenGLSIGGRAPH Asia 2008 Modern OpenGL
SIGGRAPH Asia 2008 Modern OpenGLMark Kilgard
 
2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - English2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - EnglishAlexandre Gouaillard
 
그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...
그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...
그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...ozlael ozlael
 
FrameGraph: Extensible Rendering Architecture in Frostbite
FrameGraph: Extensible Rendering Architecture in FrostbiteFrameGraph: Extensible Rendering Architecture in Frostbite
FrameGraph: Extensible Rendering Architecture in FrostbiteElectronic Arts / DICE
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...The Linux Foundation
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov UpdateThe Linux Foundation
 
How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...
How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...
How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...Ajjay Kumar Gupta
 
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...The Linux Foundation
 
Cloud tpu jae_180814
Cloud tpu jae_180814Cloud tpu jae_180814
Cloud tpu jae_180814Jaewook. Kang
 
Mobile Performance Tuning: Poor Man's Tips And Tricks
Mobile Performance Tuning: Poor Man's Tips And TricksMobile Performance Tuning: Poor Man's Tips And Tricks
Mobile Performance Tuning: Poor Man's Tips And TricksValentin Simonov
 
BOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdf
BOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdfBOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdf
BOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdfSHRIPAD AMATE
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxThe Linux Foundation
 
BASICS ON COATINGS CHEMISTRY
BASICS ON COATINGS CHEMISTRYBASICS ON COATINGS CHEMISTRY
BASICS ON COATINGS CHEMISTRYReza Taryghat
 
Five Rendering Ideas from Battlefield 3 & Need For Speed: The Run
Five Rendering Ideas from Battlefield 3 & Need For Speed: The RunFive Rendering Ideas from Battlefield 3 & Need For Speed: The Run
Five Rendering Ideas from Battlefield 3 & Need For Speed: The RunElectronic Arts / DICE
 
ECS: Streaming and Serialization - Unite LA
ECS: Streaming and Serialization - Unite LAECS: Streaming and Serialization - Unite LA
ECS: Streaming and Serialization - Unite LAUnity Technologies
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchTe-Yen Liu
 
Anti-Aliasing Methods in CryENGINE 3
Anti-Aliasing Methods in CryENGINE 3Anti-Aliasing Methods in CryENGINE 3
Anti-Aliasing Methods in CryENGINE 3Tiago Sousa
 

What's hot (20)

SIGGRAPH Asia 2008 Modern OpenGL
SIGGRAPH Asia 2008 Modern OpenGLSIGGRAPH Asia 2008 Modern OpenGL
SIGGRAPH Asia 2008 Modern OpenGL
 
2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - English2016 February - WebRTC Conference japan - English
2016 February - WebRTC Conference japan - English
 
그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...
그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...
그래픽 최적화로 가...가버렷! (부제: 배치! 배칭을 보자!) , Batch! Let's take a look at Batching! -...
 
FrameGraph: Extensible Rendering Architecture in Frostbite
FrameGraph: Extensible Rendering Architecture in FrostbiteFrameGraph: Extensible Rendering Architecture in Frostbite
FrameGraph: Extensible Rendering Architecture in Frostbite
 
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...OSSJP/ALS19:  The Road to Safety Certification: Overcoming Community Challeng...
OSSJP/ALS19: The Road to Safety Certification: Overcoming Community Challeng...
 
2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update2018 Genivi Xen Overview Nov Update
2018 Genivi Xen Overview Nov Update
 
Cpp
CppCpp
Cpp
 
Linux Kernel Overview
Linux Kernel OverviewLinux Kernel Overview
Linux Kernel Overview
 
How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...
How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...
How to Manufacture Synthetic Resins (Actel Resins, Amino Resins, Casein Resin...
 
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
XPDDS18: Design and Implementation of Automotive: Virtualization Based on Xen...
 
Cloud tpu jae_180814
Cloud tpu jae_180814Cloud tpu jae_180814
Cloud tpu jae_180814
 
Mobile Performance Tuning: Poor Man's Tips And Tricks
Mobile Performance Tuning: Poor Man's Tips And TricksMobile Performance Tuning: Poor Man's Tips And Tricks
Mobile Performance Tuning: Poor Man's Tips And Tricks
 
BOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdf
BOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdfBOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdf
BOSTIK - Adhesive Solutions for Flexible Packaging-Presentation version.pdf
 
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, XilinxXPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
XPDDS19 Keynote: Xen Dom0-less - Stefano Stabellini, Principal Engineer, Xilinx
 
Syslog Protocols
Syslog ProtocolsSyslog Protocols
Syslog Protocols
 
BASICS ON COATINGS CHEMISTRY
BASICS ON COATINGS CHEMISTRYBASICS ON COATINGS CHEMISTRY
BASICS ON COATINGS CHEMISTRY
 
Five Rendering Ideas from Battlefield 3 & Need For Speed: The Run
Five Rendering Ideas from Battlefield 3 & Need For Speed: The RunFive Rendering Ideas from Battlefield 3 & Need For Speed: The Run
Five Rendering Ideas from Battlefield 3 & Need For Speed: The Run
 
ECS: Streaming and Serialization - Unite LA
ECS: Streaming and Serialization - Unite LAECS: Streaming and Serialization - Unite LA
ECS: Streaming and Serialization - Unite LA
 
The Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitchThe Basic Introduction of Open vSwitch
The Basic Introduction of Open vSwitch
 
Anti-Aliasing Methods in CryENGINE 3
Anti-Aliasing Methods in CryENGINE 3Anti-Aliasing Methods in CryENGINE 3
Anti-Aliasing Methods in CryENGINE 3
 

Viewers also liked

Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityAdaCore
 
Mixed Criticality Systems and Many-Core Platforms
Mixed Criticality Systems and Many-Core PlatformsMixed Criticality Systems and Many-Core Platforms
Mixed Criticality Systems and Many-Core PlatformsAdaCore
 
How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...AdaCore
 
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...AdaCore
 
HIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
HIS 2015: Prof. Mark Little - Open Source Challenges in the EnterpriseHIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
HIS 2015: Prof. Mark Little - Open Source Challenges in the EnterpriseAdaCore
 
HIS Conf 2014: An Insight into MISRA-C
HIS Conf 2014: An Insight into MISRA-CHIS Conf 2014: An Insight into MISRA-C
HIS Conf 2014: An Insight into MISRA-CAdaCore
 
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkHIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkAdaCore
 
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...AdaCore
 
Practical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related SystemsPractical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related SystemsAdaCore
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureAdaCore
 
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...AdaCore
 
A Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesA Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesAdaCore
 
Ada 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAdaCore
 
An Alternative Approach to DO-178B
An Alternative Approach to DO-178BAn Alternative Approach to DO-178B
An Alternative Approach to DO-178BAdaCore
 
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...AdaCore
 
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...AdaCore
 
MISRA C – Recent developments and a road map to the future
MISRA C – Recent developments and a road map to the futureMISRA C – Recent developments and a road map to the future
MISRA C – Recent developments and a road map to the futureAdaCore
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareAdaCore
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentAdaCore
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsAdaCore
 

Viewers also liked (20)

Mind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and SecurityMind your language(s), A Discussion about Languages and Security
Mind your language(s), A Discussion about Languages and Security
 
Mixed Criticality Systems and Many-Core Platforms
Mixed Criticality Systems and Many-Core PlatformsMixed Criticality Systems and Many-Core Platforms
Mixed Criticality Systems and Many-Core Platforms
 
How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...How should we build that? Evolving a development environment that's suitable ...
How should we build that? Evolving a development environment that's suitable ...
 
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
 
HIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
HIS 2015: Prof. Mark Little - Open Source Challenges in the EnterpriseHIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
HIS 2015: Prof. Mark Little - Open Source Challenges in the Enterprise
 
HIS Conf 2014: An Insight into MISRA-C
HIS Conf 2014: An Insight into MISRA-CHIS Conf 2014: An Insight into MISRA-C
HIS Conf 2014: An Insight into MISRA-C
 
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest linkHIS 2015: Prof. Ian Phillips - Stronger than its weakest link
HIS 2015: Prof. Ian Phillips - Stronger than its weakest link
 
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
HIS 2015: Neil White - Advances in Practical Techniques for Critical Developm...
 
Practical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related SystemsPractical Application of Agile Techniques in Developing Safety Related Systems
Practical Application of Agile Techniques in Developing Safety Related Systems
 
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical InfrastructureHIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
HIS 2015: Tom Chothia - Formal Security of Critical Infrastructure
 
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
HIS 2015: Ivan Ellis - VISIUMCORE A High Integrity Processor for Safety Criti...
 
A Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics DevicesA Computer Vision Application for In Vitro Diagnostics Devices
A Computer Vision Application for In Vitro Diagnostics Devices
 
Ada 202x A broad overview of relevant news
Ada 202x A broad overview of relevant newsAda 202x A broad overview of relevant news
Ada 202x A broad overview of relevant news
 
An Alternative Approach to DO-178B
An Alternative Approach to DO-178BAn Alternative Approach to DO-178B
An Alternative Approach to DO-178B
 
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
HIS 2015: Prof. Phil Koopman - A Case Study of Toyota Unintended Acceleration...
 
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
HIS 2015: Alastair F. Donaldson - Fighting for Software Correctness in a Mass...
 
MISRA C – Recent developments and a road map to the future
MISRA C – Recent developments and a road map to the futureMISRA C – Recent developments and a road map to the future
MISRA C – Recent developments and a road map to the future
 
The Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling SoftwareThe Application of Formal Methods to Railway Signalling Software
The Application of Formal Methods to Railway Signalling Software
 
Bounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise EnvironmentBounded Model Checking for C Programs in an Enterprise Environment
Bounded Model Checking for C Programs in an Enterprise Environment
 
Multi-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical SystemsMulti-Core (MC) Processor Qualification for Safety Critical Systems
Multi-Core (MC) Processor Qualification for Safety Critical Systems
 

Similar to Muen Separation Kernel overview

The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18Casey Bisson
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
 
Running IBM MQ in the Cloud
Running IBM MQ in the CloudRunning IBM MQ in the Cloud
Running IBM MQ in the CloudRobert Parker
 
Cloud Foundry Platform as a Service on Vblock System
Cloud Foundry Platform as a Service on Vblock SystemCloud Foundry Platform as a Service on Vblock System
Cloud Foundry Platform as a Service on Vblock SystemEMC
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
The weather ahead: Clouds
The weather ahead: CloudsThe weather ahead: Clouds
The weather ahead: Cloudszoopster
 
Event driven microservices with vertx and kubernetes
Event driven microservices with vertx and kubernetesEvent driven microservices with vertx and kubernetes
Event driven microservices with vertx and kubernetesAndy Moncsek
 
4 implementation
4 implementation4 implementation
4 implementationhanmya
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
 
kata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptxkata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptxQforQA
 
LOAD 2014-Prezentare BitDefender
LOAD 2014-Prezentare BitDefenderLOAD 2014-Prezentare BitDefender
LOAD 2014-Prezentare BitDefenderSilviu Cojocaru
 
Running IBM MQ in Containers
Running IBM MQ in ContainersRunning IBM MQ in Containers
Running IBM MQ in ContainersRobert Parker
 
vProtect - enterprise-grade Nutanix backup & recovery
vProtect - enterprise-grade Nutanix backup & recoveryvProtect - enterprise-grade Nutanix backup & recovery
vProtect - enterprise-grade Nutanix backup & recoveryPawel Maczka
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
 
Secure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereMicrosoft Tech Community
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel securitysmart_bit
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC
 
IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017Robert Parker
 

Similar to Muen Separation Kernel overview (20)

The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
The lies we tell our code, LinuxCon/CloudOpen 2015-08-18
 
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
 
Running IBM MQ in the Cloud
Running IBM MQ in the CloudRunning IBM MQ in the Cloud
Running IBM MQ in the Cloud
 
Cloud Foundry Platform as a Service on Vblock System
Cloud Foundry Platform as a Service on Vblock SystemCloud Foundry Platform as a Service on Vblock System
Cloud Foundry Platform as a Service on Vblock System
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of  Testing)VxWorks - Holistic Security (Art of  Testing)
VxWorks - Holistic Security (Art of Testing)
 
The weather ahead: Clouds
The weather ahead: CloudsThe weather ahead: Clouds
The weather ahead: Clouds
 
Event driven microservices with vertx and kubernetes
Event driven microservices with vertx and kubernetesEvent driven microservices with vertx and kubernetes
Event driven microservices with vertx and kubernetes
 
4 implementation
4 implementation4 implementation
4 implementation
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
 
kata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptxkata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptx
 
LOAD 2014-Prezentare BitDefender
LOAD 2014-Prezentare BitDefenderLOAD 2014-Prezentare BitDefender
LOAD 2014-Prezentare BitDefender
 
Running IBM MQ in Containers
Running IBM MQ in ContainersRunning IBM MQ in Containers
Running IBM MQ in Containers
 
vProtect - enterprise-grade Nutanix backup & recovery
vProtect - enterprise-grade Nutanix backup & recoveryvProtect - enterprise-grade Nutanix backup & recovery
vProtect - enterprise-grade Nutanix backup & recovery
 
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixLCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, Citrix
 
Secure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure SphereSecure and power the intelligent edge with Azure Sphere
Secure and power the intelligent edge with Azure Sphere
 
Docker en kernel security
Docker en kernel securityDocker en kernel security
Docker en kernel security
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
EMC with Mirantis Openstack
EMC with Mirantis OpenstackEMC with Mirantis Openstack
EMC with Mirantis Openstack
 
cn-series-container-firewall.pdf
cn-series-container-firewall.pdfcn-series-container-firewall.pdf
cn-series-container-firewall.pdf
 
IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017
 

More from AdaCore

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?AdaCore
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesAdaCore
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsAdaCore
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verificationAdaCore
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofAdaCore
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationAdaCore
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareAdaCore
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentAdaCore
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...AdaCore
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!AdaCore
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaCore
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...AdaCore
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologyAdaCore
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextAdaCore
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareAdaCore
 
Verification and Validation of Robotic Assistants
Verification and Validation of Robotic AssistantsVerification and Validation of Robotic Assistants
Verification and Validation of Robotic AssistantsAdaCore
 

More from AdaCore (19)

RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Have we a Human Ecosystem?
Have we a Human Ecosystem?Have we a Human Ecosystem?
Have we a Human Ecosystem?
 
Rust and the coming age of high integrity languages
Rust and the coming age of high integrity languagesRust and the coming age of high integrity languages
Rust and the coming age of high integrity languages
 
SPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic librarySPARKNaCl: A verified, fast cryptographic library
SPARKNaCl: A verified, fast cryptographic library
 
Developing Future High Integrity Processing Solutions
Developing Future High Integrity Processing SolutionsDeveloping Future High Integrity Processing Solutions
Developing Future High Integrity Processing Solutions
 
Taming event-driven software via formal verification
Taming event-driven software via formal verificationTaming event-driven software via formal verification
Taming event-driven software via formal verification
 
Pushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program ProofPushing the Boundary of Mostly Automatic Program Proof
Pushing the Boundary of Mostly Automatic Program Proof
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
Product Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configurationProduct Lines and Ecosystems: from customization to configuration
Product Lines and Ecosystems: from customization to configuration
 
Securing the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded SoftwareSecuring the Future of Safety and Security of Embedded Software
Securing the Future of Safety and Security of Embedded Software
 
Spark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware DevelopmentSpark / Ada for Safe and Secure Firmware Development
Spark / Ada for Safe and Secure Firmware Development
 
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...Introducing the HICLASS Research Programme - Enabling Development of Complex ...
Introducing the HICLASS Research Programme - Enabling Development of Complex ...
 
The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!The Future of Aerospace – More Software Please!
The Future of Aerospace – More Software Please!
 
Adaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR ArchitectureAdaptive AUTOSAR - The New AUTOSAR Architecture
Adaptive AUTOSAR - The New AUTOSAR Architecture
 
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
Using Tiers of Assurance Evidence to Reduce the Tears! Adopting the “Wheel of...
 
Software Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar TechnologySoftware Engineering for Robotics - The RoboStar Technology
Software Engineering for Robotics - The RoboStar Technology
 
MISRA C in an ISO 26262 context
MISRA C in an ISO 26262 contextMISRA C in an ISO 26262 context
MISRA C in an ISO 26262 context
 
Application of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle softwareApplication of theorem proving for safety-critical vehicle software
Application of theorem proving for safety-critical vehicle software
 
Verification and Validation of Robotic Assistants
Verification and Validation of Robotic AssistantsVerification and Validation of Robotic Assistants
Verification and Validation of Robotic Assistants
 

Recently uploaded

Understanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxUnderstanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxSasikiranMarri
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdfSteve Caron
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...OnePlan Solutions
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfmaor17
 
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...kalichargn70th171
 
Santander Stream Processing with Apache Flink
Santander Stream Processing with Apache FlinkSantander Stream Processing with Apache Flink
Santander Stream Processing with Apache Flinkconfluent
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorTier1 app
 
The State of the Green IT at the beginning of 2024
The State of the Green IT at the beginning of 2024The State of the Green IT at the beginning of 2024
The State of the Green IT at the beginning of 2024Artur Skowroński
 
oracle 23c new features for developer and dba
oracle 23c new features for developer and dbaoracle 23c new features for developer and dba
oracle 23c new features for developer and dbaRemote DBA Services
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolsosttopstonverter
 
logical backup of Oracle Datapump-detailed.pptx
logical backup of Oracle Datapump-detailed.pptxlogical backup of Oracle Datapump-detailed.pptx
logical backup of Oracle Datapump-detailed.pptxRemote DBA Services
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?Alexandre Beguel
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slidesvaideheekore1
 
Mastering Project Planning with Microsoft Project 2016.pptx
Mastering Project Planning with Microsoft Project 2016.pptxMastering Project Planning with Microsoft Project 2016.pptx
Mastering Project Planning with Microsoft Project 2016.pptxAS Design & AST.
 
What are the core components of Azure Data Engineer courses.docx
What are the core components of Azure Data Engineer courses.docxWhat are the core components of Azure Data Engineer courses.docx
What are the core components of Azure Data Engineer courses.docxkzayra69
 
Revolutionize Your Video Editing with InVideo.io: A Comprehensive Review
Revolutionize Your Video Editing with InVideo.io: A Comprehensive ReviewRevolutionize Your Video Editing with InVideo.io: A Comprehensive Review
Revolutionize Your Video Editing with InVideo.io: A Comprehensive Reviewjw364beach
 
Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...
Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...
Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...OnePlan Solutions
 
full course of software engineering mid term.pdf
full course of software engineering mid term.pdffull course of software engineering mid term.pdf
full course of software engineering mid term.pdfAbdul salam
 
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdfPros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdfkalichargn70th171
 
What is Mendix and the concept of low-code development.docx
What is Mendix and the concept of low-code development.docxWhat is Mendix and the concept of low-code development.docx
What is Mendix and the concept of low-code development.docxTechnogeeks
 

Recently uploaded (20)

Understanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptxUnderstanding Plagiarism: Causes, Consequences and Prevention.pptx
Understanding Plagiarism: Causes, Consequences and Prevention.pptx
 
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
[ CNCF Q1 2024 ] Intro to Continuous Profiling and Grafana Pyroscope.pdf
 
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
Tech Tuesday Slides - Introduction to Project Management with OnePlan's Work ...
 
Zer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdfZer0con 2024 final share short version.pdf
Zer0con 2024 final share short version.pdf
 
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
The Ultimate Guide to Performance Testing in Low-Code, No-Code Environments (...
 
Santander Stream Processing with Apache Flink
Santander Stream Processing with Apache FlinkSantander Stream Processing with Apache Flink
Santander Stream Processing with Apache Flink
 
Effectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryErrorEffectively Troubleshoot 9 Types of OutOfMemoryError
Effectively Troubleshoot 9 Types of OutOfMemoryError
 
The State of the Green IT at the beginning of 2024
The State of the Green IT at the beginning of 2024The State of the Green IT at the beginning of 2024
The State of the Green IT at the beginning of 2024
 
oracle 23c new features for developer and dba
oracle 23c new features for developer and dbaoracle 23c new features for developer and dba
oracle 23c new features for developer and dba
 
eSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration toolseSoftTools IMAP Backup Software and migration tools
eSoftTools IMAP Backup Software and migration tools
 
logical backup of Oracle Datapump-detailed.pptx
logical backup of Oracle Datapump-detailed.pptxlogical backup of Oracle Datapump-detailed.pptx
logical backup of Oracle Datapump-detailed.pptx
 
SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?SAM Training Session - How to use EXCEL ?
SAM Training Session - How to use EXCEL ?
 
Introduction to Firebase Workshop Slides
Introduction to Firebase Workshop SlidesIntroduction to Firebase Workshop Slides
Introduction to Firebase Workshop Slides
 
Mastering Project Planning with Microsoft Project 2016.pptx
Mastering Project Planning with Microsoft Project 2016.pptxMastering Project Planning with Microsoft Project 2016.pptx
Mastering Project Planning with Microsoft Project 2016.pptx
 
What are the core components of Azure Data Engineer courses.docx
What are the core components of Azure Data Engineer courses.docxWhat are the core components of Azure Data Engineer courses.docx
What are the core components of Azure Data Engineer courses.docx
 
Revolutionize Your Video Editing with InVideo.io: A Comprehensive Review
Revolutionize Your Video Editing with InVideo.io: A Comprehensive ReviewRevolutionize Your Video Editing with InVideo.io: A Comprehensive Review
Revolutionize Your Video Editing with InVideo.io: A Comprehensive Review
 
Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...
Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...
Transform your Corporate Strategy Office - Harness OnePlan’s Strategic Portfo...
 
full course of software engineering mid term.pdf
full course of software engineering mid term.pdffull course of software engineering mid term.pdf
full course of software engineering mid term.pdf
 
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdfPros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
Pros and Cons of Selenium In Automation Testing_ A Comprehensive Assessment.pdf
 
What is Mendix and the concept of low-code development.docx
What is Mendix and the concept of low-code development.docxWhat is Mendix and the concept of low-code development.docx
What is Mendix and the concept of low-code development.docx
 

Muen Separation Kernel overview

  • 1. . secunet Security Networks AG . . The Muen Separation Kernel .. Robert Dorn Reto Buerki Adrian Rueegsegger HSR University of Applied Sciences Rapperswil 23.10.2014
  • 2. . About secunet Germany's leading provider of IT security Security partner of the Federal Republic of Germany More than 340 employees Robert Dorn, Senior Consultant at secunet Responsible for design & development of Separation Kernel based systems www.secunet.com Page 2 23.10.2014 The Muen Separation Kernel
  • 3. . About HSR University of Applied Sciences with around 1500 students Located in Rapperswil, Switzerland Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications Core developers of Muen www.hsr.ch Page 3 23.10.2014 The Muen Separation Kernel
  • 4. . Security of Complex Software P(Program_Correct) = P (Line_Correct)SLOC Page 4 23.10.2014 The Muen Separation Kernel
  • 5. . Security of Complex Software 100% 10% 1% 10 1 0.1 1 10 100 1 000 10 000 100 000 P(Defective Program) kSLOC defects/kSLOC 0.1 Page 5 23.10.2014 The Muen Separation Kernel
  • 6. . Security of Complex Software 100% 10% 1% Assumptions (e.g.): 10% security defects, 20% exploitable 10 1 0.1 1 10 100 1 000 10 000 100 000 P (Exploitable Program) kSLOC defects/kSLOC 0.1 Page 6 23.10.2014 The Muen Separation Kernel
  • 7. . Secure Software Tiny size Very low defect rate Low security defect ratio Page 7 23.10.2014 The Muen Separation Kernel
  • 8. . Reducing Complexity of Trusted Code . trusted Page 8 23.10.2014 The Muen Separation Kernel
  • 9. . Reducing Complexity of Trusted Code . trusted Page 8 23.10.2014 The Muen Separation Kernel
  • 10. . Reducing Complexity of Trusted Code . untrusted trusted Proper Interface Page 8 23.10.2014 The Muen Separation Kernel
  • 11. . Reducing Complexity of Trusted Code . untrusted trusted Isolation Proper Interface Partitioning Page 8 23.10.2014 The Muen Separation Kernel
  • 12. . Reducing Complexity of Trusted Code . trusted Separation Kernel untrusted trusted Page 8 23.10.2014 The Muen Separation Kernel
  • 13. . Architecting Secure Systems . Open Network Linux Encryption Key Management Decryption Protected Network Separation Kernel ESP IKE ESP TS TS Page 9 23.10.2014 The Muen Separation Kernel
  • 14. . Architecting Secure Systems . Session 1 Session 2 Session 3 Session 4 UI Multiplexer Network Linux Network Page 10 23.10.2014 The Muen Separation Kernel
  • 15. . Low Kernel Complexity . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 11 23.10.2014 The Muen Separation Kernel
  • 16. . Low Kernel Complexity . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 12 23.10.2014 The Muen Separation Kernel
  • 17. . Static Resource Allocation . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . Message Passing . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 13 23.10.2014 The Muen Separation Kernel
  • 18. . Static Resource Allocation . . . . Init Signaling Scheduler . Page Tables . Caps/ Perms . VT-x VT-d . . Schedule Planning . Memory Allocator . Device Allocator . Device Drivers . User Interface . File System . VM Monitor . Posix Interface Page 14 23.10.2014 The Muen Separation Kernel
  • 19. . Deterministic Behaviour No long-running code paths No preemption necessary Fixed cyclic scheduling Avoidance of Covert Channels Page 15 23.10.2014 The Muen Separation Kernel
  • 20. . Features Multicore support Fixed cyclic scheduling PCI device passthrough using Intel VT-d Support for 64-bit native and 32/64-bit Linux Event mechanism Shared memory channels for inter-subject communication Minimal Zero-Footprint Run-Time (RTS) Full availability of source code and documentation Page 16 23.10.2014 The Muen Separation Kernel
  • 21. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Page 17 23.10.2014 The Muen Separation Kernel
  • 22. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Fixed structures Static resource allocation One kernel instance / CPU Abort on host interrupts Page 17 23.10.2014 The Muen Separation Kernel
  • 23. . SPARK 2014 for Operating Systems No pointers No dynamic memory allocation No concurrency Fixed structures Static resource allocation One kernel instance / CPU Abort on host interrupts ! Greatly simplified verification Page 17 23.10.2014 The Muen Separation Kernel
  • 24. . Lean verification Proof annotations are part of the language Implicit generation of VCs for integrity preservation (Absence of runtime errors) Most ARTE VCs proven automatically1 Integration of theorem provers possible when needed Speed allows proofs to be part of build process 1With current wavefront, except "properties of constant records" Page 18 23.10.2014 The Muen Separation Kernel
  • 25. . Modelling the System ASM Init . .. Initialize VMX Enter Subject Subject Subject Page 19 23.10.2014 The Muen Separation Kernel
  • 26. . Modelling the System ASM Init . .. Initialize VMX Handler VMX Enter Subject Subject Subject VMX Exit Page 19 23.10.2014 The Muen Separation Kernel
  • 27. . Modelling the System . Initialize VMX Handler Subject Subject Subject Page 19 23.10.2014 The Muen Separation Kernel
  • 28. . Modelling the System . Initialize VMX Handler Environment Initialize Environment Run Page 19 23.10.2014 The Muen Separation Kernel
  • 29. . Modelling the System Initial Inv. . .. Loop Inv. Initialize VMX Handler Inv. + Env. Model Environment Initialize Environment Run Page 19 23.10.2014 The Muen Separation Kernel
  • 30. . Future verification options Proof of complex properties Interaction with theorem provers Interface modelling (ghost state) Soundness of memory layout … Page 20 23.10.2014 The Muen Separation Kernel
  • 31. . Demo This presentation is given on a system running on Muen Page 21 23.10.2014 The Muen Separation Kernel
  • 32. . Current / Future Work Short-term Prove additional properties PCI-Configspace emulation Time Virtualization Long-term Functional correctness proofs Windows Virtualization Dynamic resource management Page 22 23.10.2014 The Muen Separation Kernel
  • 33. . Summary Secure software is limited in complexity Separation of untrusted components essential Muen provides a solid foundation for high assurance systems Muen is the base of complex high security solutions in development SPARK 2014 enables lean verification Formal verification can be done under commercial constraints Page 23 23.10.2014 The Muen Separation Kernel
  • 34. . Q & A Discussion Get Muen at http://muen.sk/ Page 24 23.10.2014 The Muen Separation Kernel
  • 35. . Intel Virtualization Technology VT-x is Intel's virtualization technology for the x86 platform Virtual Machine state is saved in control structure (VMCS) Introduction of VMX root and non-root modes New processor instructions (VMX) to switch modes and manage VMCS Hardware-assisted virtualization drastically reduces complexity of VMM Page 25 23.10.2014 The Muen Separation Kernel
  • 36. . Modelling the System . Initialize VMX Handler Exception Handler STOP ASM Init .. VMX Enter VMX Exit VMX Enter Interrupt Subject Subject Subject Page 26 23.10.2014 The Muen Separation Kernel
  • 37. . Example property: Correct VMCS Address Environment.Initialize; SK.Kernel.Initialize (Subject_Registers ); loop pragma Loop_Invariant (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )); Environment.Vmx_Run (Subject_Registers ); SK.Scheduler.Handle_VMX_Exit (Subject_Registers ); end loop; Page 27 23.10.2014 The Muen Separation Kernel
  • 38. . Example property: Correct VMCS Address procedure Handle_VMX_Exit (Subject_Registers : in out CPU_Regs_Type) with Global => [...] , Depends => [...] , Pre => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )), Post => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address (Get_Current_Minor_Frame.Subject_Id )), Export , Convention => C, Link_Name => "handle_vmx_exit"; Page 28 23.10.2014 The Muen Separation Kernel