
The Muen Separation Kernel

This document discusses the Muen Separation Kernel developed by secunet Security Networks AG and researchers at HSR University of Applied Sciences Rapperswil. It describes how Muen uses a separation kernel to isolate untrusted components and reduce complexity in the trusted computing base. Formal verification with SPARK 2014 helps prove properties like correct VMCS addressing and ensures the integrity of the kernel.

secunet Security Networks AG
The Muen Separation Kernel
Robert Dorn, Reto Buerki, Adrian Rueegsegger
HSR University of Applied Sciences Rapperswil
23.10.2014

Page 2: About secunet
• Germany's leading provider of IT security
• Security partner of the Federal Republic of Germany
• More than 340 employees
• Robert Dorn, Senior Consultant at secunet; responsible for design & development of Separation Kernel based systems
• www.secunet.com
Page 2 23.10.2014 The Muen Separation Kernel

Page 3: About HSR
• University of Applied Sciences with around 1500 students
• Located in Rapperswil, Switzerland
• Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications; core developers of Muen
• www.hsr.ch

Page 4: Security of Complex Software
P(Program_Correct) = P(Line_Correct)^SLOC

Page 5: Security of Complex Software
[Plot: P(Defective Program), ticks 1%, 10%, 100%, against program size in kSLOC, ticks 1, 10, 100, 1 000, 10 000, 100 000; one curve each for 0.1, 1 and 10 defects/kSLOC.]

Page 6: Security of Complex Software
Assumptions (e.g.): 10% security defects, 20% exploitable
[Plot: P(Exploitable Program), ticks 1%, 10%, 100%, against program size in kSLOC, ticks 1, 10, 100, 1 000, 10 000, 100 000; one curve each for 0.1, 1 and 10 defects/kSLOC.]

Page 7: Secure Software
• Tiny size
• Very low defect rate
• Low security defect ratio
Page 8: Reducing Complexity of Trusted Code
[Diagram build: a single trusted block is split into untrusted and trusted parts with a Proper Interface between them; Isolation and Partitioning are applied; finally the trusted and untrusted parts run as separate components on top of a Separation Kernel, which is itself trusted.]
Page 9: Architecting Secure Systems
[Diagram: components on the Separation Kernel: Open Network, Linux, Encryption, Key Management, Decryption, Protected Network; labels ESP, IKE, ESP, TS, TS.]

Page 10: Architecting Secure Systems
[Diagram: Session 1, Session 2, Session 3, Session 4, UI Multiplexer, Network, Linux, Network.]
Pages 11 and 12: Low Kernel Complexity
Pages 13 and 14: Static Resource Allocation
[Diagram build across pages 11 to 14 showing the components: Init, Signaling, Scheduler, Page Tables, Caps/Perms, VT-x VT-d, Message Passing, Schedule Planning, Memory Allocator, Device Allocator, Device Drivers, User Interface, File System, VM Monitor, Posix Interface. On page 14, Message Passing is no longer shown.]
Page 15: Deterministic Behaviour
• No long-running code paths
• No preemption necessary
• Fixed cyclic scheduling
• Avoidance of covert channels

Page 16: Features
• Multicore support
• Fixed cyclic scheduling
• PCI device passthrough using Intel VT-d
• Support for 64-bit native and 32/64-bit Linux
• Event mechanism
• Shared memory channels for inter-subject communication
• Minimal Zero-Footprint Run-Time (RTS)
• Full availability of source code and documentation
Page 17: SPARK 2014 for Operating Systems
• No pointers
• No dynamic memory allocation
• No concurrency
• Fixed structures
• Static resource allocation
• One kernel instance / CPU
• Abort on host interrupts
=> Greatly simplified verification

Page 18: Lean verification
• Proof annotations are part of the language
• Implicit generation of VCs for integrity preservation (absence of runtime errors)
• Most ARTE VCs proven automatically (1)
• Integration of theorem provers possible when needed
• Speed allows proofs to be part of build process
(1) With current wavefront, except "properties of constant records"
Page 19: Modelling the System
[Diagram build: ASM Init leads into Initialize; the VMX Handler sits between VMX Exit and VMX Enter, with the Subjects executing in between. The system is modelled as Environment Initialize followed by Environment Run; an Initial Inv. holds after Initialize, a Loop Inv. holds around the run loop, and the VMX Handler is verified against Inv. + Env. Model.]
Page 20: Future verification options
• Proof of complex properties
• Interaction with theorem provers
• Interface modelling (ghost state)
• Soundness of memory layout
• ...

Page 21: Demo
This presentation is given on a system running on Muen

Page 22: Current / Future Work
Short-term
• Prove additional properties
• PCI-Configspace emulation
• Time Virtualization
Long-term
• Functional correctness proofs
• Windows Virtualization
• Dynamic resource management

Page 23: Summary
• Secure software is limited in complexity
• Separation of untrusted components essential
• Muen provides a solid foundation for high assurance systems
• Muen is the base of complex high security solutions in development
• SPARK 2014 enables lean verification
• Formal verification can be done under commercial constraints

Page 24: Q & A
Discussion. Get Muen at http://muen.sk/
Page 25: Intel Virtualization Technology
• VT-x is Intel's virtualization technology for the x86 platform
• Virtual Machine state is saved in a control structure (VMCS)
• Introduction of VMX root and non-root modes
• New processor instructions (VMX) to switch modes and manage the VMCS
• Hardware-assisted virtualization drastically reduces the complexity of the VMM

Page 26: Modelling the System
[Diagram: ASM Init, Initialize, VMX Handler, Exception Handler, STOP; VMX Enter and VMX Exit around the Subjects, with Interrupt feeding back into the handler.]
Page 27: Example property: Correct VMCS Address

   Environment.Initialize;
   SK.Kernel.Initialize (Subject_Registers);
   loop
      pragma Loop_Invariant
        (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address
           (Get_Current_Minor_Frame.Subject_Id));
      Environment.Vmx_Run (Subject_Registers);
      SK.Scheduler.Handle_VMX_Exit (Subject_Registers);
   end loop;

Page 28: Example property: Correct VMCS Address

   procedure Handle_VMX_Exit (Subject_Registers : in out CPU_Regs_Type)
   with
      Global  => [...],
      Depends => [...],
      Pre     => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address
                    (Get_Current_Minor_Frame.Subject_Id)),
      Post    => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address
                    (Get_Current_Minor_Frame.Subject_Id)),
      Export,
      Convention => C,
      Link_Name  => "handle_vmx_exit";
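What the contracts on pages 27 and 28 actually pin down, and how they relate to the fixed cyclic scheduling of page 15, is easier to see on an executable model. The following is an added example, not code from the Muen project or the slide authors: a plain-Python stand-in for the kernel loop in which the invariant "current VMCS pointer = Policy.Get_VMCS_Address of the subject in the current minor frame" is checked at the same three places SPARK would prove it (after Initialize, as the loop invariant, and as Pre/Post of the exit handler). The policy, subject ids, VMCS addresses, frame lengths and exit traces are constructed; Muen generates its real policy from a system description and the real VMPTR lives in hardware.

```python
"""Model of Muen's fixed cyclic schedule and the 'Correct VMCS Address' property.

Added example, not code from the Muen project or the slide authors.  It mimics,
in plain Python, what the SPARK contracts on pages 27 and 28 express: after
SK.Kernel.Initialize the current VMCS pointer (X86_64.Prf_VMPTR in the slides)
equals Policy.Get_VMCS_Address of the subject in the current minor frame, and
every Handle_VMX_Exit preserves that equality.  The policy, subject ids, VMCS
addresses, frame lengths and exit traces below are constructed, not Muen's.
"""
from dataclasses import dataclass, field

# Constructed static policy: subject id -> VMCS address, and the cyclic major
# frame as a list of minor frames (subject id, length in timer ticks).
VMCS_ADDRESS = {0: 0x0010_0000, 1: 0x0020_0000, 2: 0x0030_0000}
SUBJECT_OF_VMCS = {addr: sid for sid, addr in VMCS_ADDRESS.items()}
MAJOR_FRAME = [(0, 2), (1, 1), (0, 2), (2, 1)]


@dataclass
class Cpu:
    """The CPU state the property talks about: the current-VMCS pointer."""
    vmptr: int = 0

    def vmptrld(self, address: int) -> None:
        """Model of VMPTRLD: make `address` the current VMCS."""
        self.vmptr = address


@dataclass
class Kernel:
    cpu: Cpu = field(default_factory=Cpu)
    minor_frame: int = 0   # index into MAJOR_FRAME
    ticks_left: int = 0    # remaining budget of the current minor frame

    def current_subject(self) -> int:
        return MAJOR_FRAME[self.minor_frame][0]

    def invariant_holds(self) -> bool:
        """Loop_Invariant / Pre / Post of the slides, evaluated on the model."""
        return self.cpu.vmptr == VMCS_ADDRESS[self.current_subject()]

    def initialize(self) -> None:
        """SK.Kernel.Initialize: establish the invariant for minor frame 0."""
        self.minor_frame = 0
        self.ticks_left = MAJOR_FRAME[0][1]
        self.cpu.vmptrld(VMCS_ADDRESS[self.current_subject()])

    def _advance_schedule(self, exit_reason: str) -> bool:
        """Fixed cyclic scheduling: only a timer tick moves the schedule on.

        Any other exit (HLT, I/O, ...) returns to the same subject, so what a
        subject does cannot change when the others run.  Returns True when the
        minor frame changed.
        """
        if exit_reason != "timer":
            return False
        self.ticks_left -= 1
        if self.ticks_left > 0:
            return False
        self.minor_frame = (self.minor_frame + 1) % len(MAJOR_FRAME)
        self.ticks_left = MAJOR_FRAME[self.minor_frame][1]
        return True

    def handle_vmx_exit(self, exit_reason: str) -> None:
        """Handle_VMX_Exit as contracted: whenever the frame changes, load the
        VMCS of the new subject, so Post follows from Pre."""
        if self._advance_schedule(exit_reason):
            self.cpu.vmptrld(VMCS_ADDRESS[self.current_subject()])

    def handle_vmx_exit_missing_reload(self, exit_reason: str) -> None:
        """The same handler with the VMPTRLD forgotten.  SPARK would fail to
        discharge its Post; here the run loop's invariant check catches it."""
        self._advance_schedule(exit_reason)


def run(handler_name: str, exit_trace):
    """The page-27 loop.  Each iteration checks the loop invariant, 'runs' the
    subject whose VMCS is current (modelled by consuming one constructed exit
    reason) and calls the exit handler.  Returns (subjects that actually ran,
    whether the invariant held throughout)."""
    kernel = Kernel()
    kernel.initialize()
    handler = getattr(kernel, handler_name)
    ran, ok = [], True
    for exit_reason in exit_trace:
        ok = ok and kernel.invariant_holds()          # pragma Loop_Invariant
        ran.append(SUBJECT_OF_VMCS[kernel.cpu.vmptr])  # Environment.Vmx_Run
        handler(exit_reason)                          # SK.Scheduler.Handle_VMX_Exit
    return ran, ok and kernel.invariant_holds()


if __name__ == "__main__":
    trace = ["timer", "hlt", "timer", "timer", "timer", "timer", "timer"]
    print("contracted handler:", run("handle_vmx_exit", trace))
    print("missing reload:    ", run("handle_vmx_exit_missing_reload", trace))
```

With the contracted handler the constructed trace runs subjects 0, 0, 0, 1, 0, 0, 2 exactly as the major frame prescribes, and a non-timer exit (the "hlt") never moves the schedule. With the reload left out the schedule still advances, but the invariant fails at the first frame switch and subject 0 keeps executing in the time slots that belong to subjects 1 and 2, which is the kind of isolation failure the proven property excludes.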


The Muen Separation Kernel

  • 1.
    secunet Security Networks AG. The Muen Separation Kernel. Robert Dorn, Reto Buerki, Adrian Rueegsegger. HSR University of Applied Sciences Rapperswil, 23.10.2014
  • 2.
    About secunet
      - Germany's leading provider of IT security
      - Security partner of the Federal Republic of Germany
      - More than 340 employees
      - Robert Dorn, Senior Consultant at secunet, responsible for design & development of Separation Kernel based systems
      - www.secunet.com
    Page 2 23.10.2014 The Muen Separation Kernel
  • 3.
    About HSR
      - University of Applied Sciences with around 1500 students
      - Located in Rapperswil, Switzerland
      - Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications
      - Core developers of Muen
      - www.hsr.ch
  • 4.
    Security of Complex Software
      P(Program_Correct) = P(Line_Correct)^SLOC
  • 5.
    Security of Complex Software
      [Chart: P(Defective Program) (1% to 100%, log scale) against program size in kSLOC (1 to 100 000, log scale), one curve per defect density of 0.1, 1 and 10 defects/kSLOC]
  • 6.
    Security of Complex Software
      Assumptions (e.g.): 10% security defects, 20% exploitable
      [Chart: P(Exploitable Program) (1% to 100%, log scale) against program size in kSLOC (1 to 100 000, log scale), one curve per defect density of 0.1, 1 and 10 defects/kSLOC]
  • 7.
    Secure Software
      - Tiny size
      - Very low defect rate
      - Low security defect ratio
  • 8.
    Reducing Complexity of Trusted Code
      [Diagram: a single trusted component]
  • 9.
    Reducing Complexity of Trusted Code
      [Diagram: a single trusted component]
  • 10.
    Reducing Complexity of Trusted Code
      [Diagram: untrusted and trusted parts connected through a proper interface]
  • 11.
    Reducing Complexity of Trusted Code
      [Diagram: untrusted and trusted parts, partitioning, isolation, proper interface]
  • 12.
    Reducing Complexity of Trusted Code
      [Diagram: untrusted and trusted components hosted side by side on a Separation Kernel]
  • 13.
    Architecting Secure Systems
      [Diagram: Open Network, Linux, Encryption, Key Management, Decryption and Protected Network components on the Separation Kernel; protocol labels ESP, IKE, TS]
  • 14.
    Architecting Secure Systems
      [Diagram: Session 1 to Session 4 behind a UI Multiplexer, with Network, Linux and Network components]
  • 15.
    Low Kernel Complexity
      [Diagram of system components: Init, Signaling, Scheduler, Page Tables, Caps/Perms, VT-x VT-d, Message Passing, Schedule Planning, Memory Allocator, Device Allocator, Device Drivers, User Interface, File System, VM Monitor, Posix Interface]
  • 16.
    Low Kernel Complexity
      [Diagram of system components: Init, Signaling, Scheduler, Page Tables, Caps/Perms, VT-x VT-d, Message Passing, Schedule Planning, Memory Allocator, Device Allocator, Device Drivers, User Interface, File System, VM Monitor, Posix Interface]
  • 17.
    Static Resource Allocation
      [Diagram of system components: Init, Signaling, Scheduler, Page Tables, Caps/Perms, VT-x VT-d, Message Passing, Schedule Planning, Memory Allocator, Device Allocator, Device Drivers, User Interface, File System, VM Monitor, Posix Interface]
  • 18.
    Static Resource Allocation
      [Diagram of system components: Init, Signaling, Scheduler, Page Tables, Caps/Perms, VT-x VT-d, Schedule Planning, Memory Allocator, Device Allocator, Device Drivers, User Interface, File System, VM Monitor, Posix Interface]
  • 19.
    Deterministic Behaviour
      - No long-running code paths
      - No preemption necessary
      - Fixed cyclic scheduling
      - Avoidance of covert channels
  • 20.
    Features
      - Multicore support
      - Fixed cyclic scheduling
      - PCI device passthrough using Intel VT-d
      - Support for 64-bit native and 32/64-bit Linux
      - Event mechanism
      - Shared memory channels for inter-subject communication
      - Minimal Zero-Footprint Run-Time (RTS)
      - Full availability of source code and documentation
  • 21.
    SPARK 2014 for Operating Systems
      - No pointers
      - No dynamic memory allocation
      - No concurrency
  • 22.
    SPARK 2014 for Operating Systems
      - No pointers
      - No dynamic memory allocation
      - No concurrency
      - Fixed structures
      - Static resource allocation
      - One kernel instance / CPU
      - Abort on host interrupts
  • 23.
    SPARK 2014 for Operating Systems
      - No pointers
      - No dynamic memory allocation
      - No concurrency
      - Fixed structures
      - Static resource allocation
      - One kernel instance / CPU
      - Abort on host interrupts
      ! Greatly simplified verification
  • 24.
    Lean verification
      - Proof annotations are part of the language
      - Implicit generation of VCs for integrity preservation (absence of runtime errors)
      - Most ARTE VCs proven automatically [1]
      - Integration of theorem provers possible when needed
      - Speed allows proofs to be part of build process
      [1] With current wavefront, except "properties of constant records"
  • 25.
    Modelling the System
      [Diagram: ASM Init, Initialize, VMX Enter into Subjects]
  • 26.
    Modelling the System
      [Diagram: ASM Init, Initialize, VMX Enter into Subjects, VMX Exit back to Handler]
  • 27.
    Modelling the System
      [Diagram: Initialize, VMX Handler, Subjects]
  • 28.
    Modelling the System
      [Diagram: Initialize and VMX Handler, modelled through Environment.Initialize and Environment.Run]
  • 29.
    Modelling the System
      [Diagram: Initial Inv. at Initialize, Loop Inv. around the VMX Handler, Inv. + Env. Model for Environment.Initialize and Environment.Run]
  • 30.
    Future verification options
      - Proof of complex properties
      - Interaction with theorem provers
      - Interface modelling (ghost state)
      - Soundness of memory layout
      - ...
  • 31.
    Demo
      This presentation is given on a system running on Muen
  • 32.
    Current / Future Work
      Short-term
      - Prove additional properties
      - PCI-Configspace emulation
      - Time Virtualization
      Long-term
      - Functional correctness proofs
      - Windows Virtualization
      - Dynamic resource management
  • 33.
    Summary
      - Secure software is limited in complexity
      - Separation of untrusted components essential
      - Muen provides a solid foundation for high assurance systems
      - Muen is the base of complex high security solutions in development
      - SPARK 2014 enables lean verification
      - Formal verification can be done under commercial constraints
  • 34.
    Q & A / Discussion
      Get Muen at http://muen.sk/
  • 35.
    Intel Virtualization Technology
      - VT-x is Intel's virtualization technology for the x86 platform
      - Virtual Machine state is saved in a control structure (VMCS)
      - Introduction of VMX root and non-root modes
      - New processor instructions (VMX) to switch modes and manage the VMCS
      - Hardware-assisted virtualization drastically reduces complexity of the VMM
  • 36.
    Modelling the System
      [Diagram: ASM Init, Initialize, VMX Enter into Subjects, VMX Exit and Interrupt back to the VMX Handler, Exception Handler leading to STOP]
  • 37.
    Example property: Correct VMCS Address
      Environment.Initialize;
      SK.Kernel.Initialize (Subject_Registers);
      loop
         pragma Loop_Invariant
           (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address
              (Get_Current_Minor_Frame.Subject_Id));
         Environment.Vmx_Run (Subject_Registers);
         SK.Scheduler.Handle_VMX_Exit (Subject_Registers);
      end loop;
  • 38.
    Example property: Correct VMCS Address
      procedure Handle_VMX_Exit (Subject_Registers : in out CPU_Regs_Type)
      with
         Global     => [...],
         Depends    => [...],
         Pre        => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address
                          (Get_Current_Minor_Frame.Subject_Id)),
         Post       => (X86_64.Prf_VMPTR = Policy.Get_VMCS_Address
                          (Get_Current_Minor_Frame.Subject_Id)),
         Export,
         Convention => C,
         Link_Name  => "handle_vmx_exit";
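The "Security of Complex Software" slides (4 to 7) argue from the per-line model P(Program_Correct) = P(Line_Correct)^SLOC and the example assumptions that 10% of defects are security defects and 20% of those are exploitable. The following Python is an added worked example, not code from the talk or from the Muen project: it evaluates that model along the chart axes (0.1, 1 and 10 defects/kSLOC; 1 to 100 000 kSLOC) and inverts it into a size budget, which is the quantitative form of the "tiny size" point on slide 7. The defect densities, sizes and fractions are taken from the slides as illustrative inputs, not measured data.

```python
import math

# Added worked example for the "Security of Complex Software" slides; not code
# from the talk. It evaluates the per-line model shown on slide 4,
#     P(Program_Correct) = P(Line_Correct) ** SLOC,
# and thins the defect rate by the slide-6 assumptions (10% of defects are
# security defects, 20% of those exploitable). Densities and sizes below mirror
# the chart axes and are illustrative, not measured values.


def p_line_correct(defects_per_ksloc: float) -> float:
    """Probability that a single line is correct, given a defect density."""
    return 1.0 - defects_per_ksloc / 1000.0


def p_defective(sloc: int, defects_per_ksloc: float) -> float:
    """P(Defective Program) = 1 - P(Line_Correct)^SLOC, assuming lines fail
    independently; sloc == 0 gives 0.0 (an empty program has no defect)."""
    return 1.0 - p_line_correct(defects_per_ksloc) ** sloc


def p_exploitable(sloc: int, defects_per_ksloc: float,
                  security_fraction: float = 0.10,
                  exploitable_fraction: float = 0.20) -> float:
    """P(Exploitable Program): same model, but only the fraction of defects
    that are security relevant and exploitable counts."""
    effective_density = defects_per_ksloc * security_fraction * exploitable_fraction
    return p_defective(sloc, effective_density)


def sloc_budget(max_p_defective: float, defects_per_ksloc: float) -> int:
    """Largest program size whose P(Defective Program) stays at or below the
    target. Solves 1 - q**sloc <= target  <=>  sloc <= ln(1 - target) / ln(q)."""
    q = p_line_correct(defects_per_ksloc)
    return math.floor(math.log(1.0 - max_p_defective) / math.log(q))


KSLOC_AXIS = (1, 10, 100, 1_000, 10_000, 100_000)   # x axis of the charts
DENSITIES = (0.1, 1.0, 10.0)                        # defects/kSLOC curves


def chart_table() -> dict:
    """Reproduce both charts as numbers:
    {density: [(kSLOC, P(defective), P(exploitable)), ...]}."""
    return {
        d: [(k, p_defective(k * 1000, d), p_exploitable(k * 1000, d))
            for k in KSLOC_AXIS]
        for d in DENSITIES
    }


if __name__ == "__main__":
    for d, rows in chart_table().items():
        print(f"{d:>5} defects/kSLOC")
        for k, pd, pe in rows:
            print(f"  {k:>7} kSLOC  P(defective)={pd:6.1%}  P(exploitable)={pe:6.1%}")
    print("SLOC budget for <=1% defect probability at 0.1 defects/kSLOC:",
          sloc_budget(0.01, 0.1))
```

Running the script prints the two charts as tables. The budget function makes the slide's conclusion concrete: at 0.1 defects/kSLOC, keeping the probability of any defect at or below 1% leaves room for roughly one hundred lines, which is why the trusted computing base has to be tiny rather than merely small.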
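The "Deterministic Behaviour" and "Features" slides (19 and 20) describe fixed cyclic scheduling, and the two "Example property: Correct VMCS Address" slides (37 and 38) show the loop invariant and the Pre/Post contract that tie the loaded VMCS pointer to the subject of the current minor frame. The Python below is an added model, not Muen's kernel and not SPARK: it plays the slide's main loop on a constructed major frame of minor frames and checks the invariant at runtime at exactly the points where the SPARK proof discharges it statically. All names (MinorFrame, CpuState, run_schedule), frame lengths and VMCS addresses are hypothetical stand-ins for the slide's identifiers.

```python
from dataclasses import dataclass

# Added runtime model of the main loop on the "Example property: Correct VMCS
# Address" slides, combined with the fixed cyclic scheduling from the
# "Deterministic Behaviour" and "Features" slides. Illustrative code, not
# Muen's kernel: the SPARK proof discharges the loop invariant statically,
# here it is an assertion run on a constructed policy. Names, frame lengths
# and VMCS addresses are hypothetical.


@dataclass(frozen=True)
class MinorFrame:
    subject_id: int
    ticks: int           # length of the frame in timer ticks


# Constructed static scheduling policy: one major frame of three minor frames,
# repeated cyclically on a single CPU (one kernel instance per CPU).
MAJOR_FRAME = (MinorFrame(subject_id=0, ticks=2),
               MinorFrame(subject_id=1, ticks=3),
               MinorFrame(subject_id=2, ticks=1))

# Constructed, page-aligned VMCS region addresses fixed per subject at build
# time (stand-in for Policy.Get_VMCS_Address).
VMCS_ADDRESS = {0: 0x1000_0000, 1: 0x1000_1000, 2: 0x1000_2000}


def get_vmcs_address(subject_id: int) -> int:
    return VMCS_ADDRESS[subject_id]


@dataclass
class CpuState:
    """Proof-relevant state: the loaded VMCS pointer (X86_64.Prf_VMPTR on the
    slide) plus the scheduler's position in the major frame."""
    vmptr: int = 0
    minor_frame: int = 0
    tick: int = 0


def current_subject(st: CpuState) -> int:
    """Stand-in for Get_Current_Minor_Frame.Subject_Id."""
    return MAJOR_FRAME[st.minor_frame].subject_id


def vmcs_invariant(st: CpuState) -> bool:
    """The property: the hardware VMCS pointer names the current subject's VMCS."""
    return st.vmptr == get_vmcs_address(current_subject(st))


def kernel_initialize(st: CpuState) -> None:
    """Establish the invariant before the first loop iteration (initial inv.)."""
    st.minor_frame, st.tick = 0, 0
    st.vmptr = get_vmcs_address(current_subject(st))    # VMPTRLD


def handle_vmx_exit(st: CpuState, reason: str, reload_vmcs: bool = True) -> None:
    """Pre and Post of Handle_VMX_Exit. A timer exit at the end of a minor
    frame advances the fixed schedule; reload_vmcs=False models forgetting the
    VMPTRLD on a frame switch, which is exactly what the Post rules out."""
    assert vmcs_invariant(st), "Pre violated"
    if reason == "timer":
        st.tick += 1
        if st.tick >= MAJOR_FRAME[st.minor_frame].ticks:
            st.tick = 0
            st.minor_frame = (st.minor_frame + 1) % len(MAJOR_FRAME)
            if reload_vmcs:
                st.vmptr = get_vmcs_address(current_subject(st))
    assert vmcs_invariant(st), "Post violated"


def run_schedule(iterations: int, exit_reasons: tuple,
                 reload_vmcs: bool = True) -> list:
    """The slide's main loop with the Loop_Invariant checked each round;
    returns the subject id scheduled after each exit. The exit_reasons tuple
    stands in for whatever Vmx_Run would return."""
    st = CpuState()
    kernel_initialize(st)
    trace = []
    for i in range(iterations):
        assert vmcs_invariant(st), "Loop_Invariant violated"
        handle_vmx_exit(st, exit_reasons[i % len(exit_reasons)], reload_vmcs)
        trace.append(current_subject(st))
    return trace


def invariant_caught_without_reload() -> bool:
    """True if the Post assertion fires once the VMCS reload is omitted."""
    try:
        run_schedule(6, ("timer",), reload_vmcs=False)
    except AssertionError:
        return True
    return False


if __name__ == "__main__":
    print("subjects per exit:", run_schedule(6, ("timer",)))
    print("missing VMPTRLD detected:", invariant_caught_without_reload())
```

With the constructed frame lengths 2, 3 and 1 the trace of scheduled subjects is [0, 1, 1, 1, 2, 0], i.e. the major frame repeats deterministically regardless of what the subjects do. Dropping the reload on a frame switch breaks the Post condition on the first switch; in the SPARK version that is a verification condition the prover cannot discharge at build time, which is the "lean verification" point of slide 24.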
