Clean-Slate Development of Certified OS Kernels

Zhong Shao
<span title="">2015</span> <i title="ACM Press"> <a target="_blank" rel="noopener" href="" style="color: black;">Proceedings of the 2015 Conference on Certified Programs and Proofs - CPP &#39;15</a> </i> &nbsp;
Operating System (OS) kernels form the bedrock of all system software-they can have the greatest impact on the resilience, extensibility, and security of today's computing hosts. A single kernel bug can easily wreck the entire system's integrity and protection. We propose to apply new advances in certified software [86] to the development of a novel OS kernel. Our certified kernel will offer safe and application-specific extensibility [8] , provable security properties with information flow
more &raquo; ... rol, and accountability and recovery from hardware or application failures. Our certified kernel builds on proof-carrying code concepts [74] , where a binary executable includes a rigorous machine-checkable proof that the software is free of bugs with respect to specific requirements. Unlike traditional verification systems, our certified software approach uses an expressive general-purpose meta-logic and machine-checkable proofs to support modular reasoning about sophisticated invariants. The rich meta-logic enables us to verify all kinds of low-level assembly and C code [10, 28, 31, 44, 68, 77, 98] and to establish dependability claims ranging from simple safety properties to advanced security, correctness, and liveness properties. We advocate a modular certification framework for kernel components, which mirrors and enhances the modularity of the kernel itself. Using this framework, we aim to create not just a "one-off" lump of verified kernel code, but a statically and dynamically extensible kernel that can be incrementally built and extended with individual certified modules, each of which will provably preserve the kernel's overall safety and security properties. In place of the rigid safety conditions used in traditional extension mechanisms (e.g., that kernel extensions must be type-safe), our approach will assure both the safety and semantic correctness of extensions with respect to appropriate specifications (e.g., that a file system extension behaves like a file system). Our certified kernel will use this flexibility, for example, to provide accountability and recovery mechanisms, formally guaranteeing that whenever an application fails, the system can always be rolled back to an earlier, consistent state. Our certified kernel will also provide information flow control [20,100] not only enforcing policies on user applications, but also guaranteeing that the security monitor itself and other kernel modules manipulate all security labels correctly. More specifically, we propose a new synergistic effort that combines novel advances in operating systems, programming languages, and formal methods to support advanced development of certified crash-proof kernels. Our work is divided into the following three areas: 1. Clean-slate design and development of crash-proof kernels. With certified components as building blocks, we propose to design and develop new kernel structures that generalize and unify traditional OS abstractions in microkernels, recursive virtual machines [41], and hypervisors. By replacing the traditional "red line" (between the kernel and user code) with customized safety policies, we show how to support different isolation and kernel extension mechanisms (e.g., type-safe languages, software-fault isolation, or address space protection) in a single framework. We will also show how to provide built-in accountability and recovery mechanisms from the very beginning and how to combine them with information flow control to enforce the integrity of security labels and capabilities. Our new kernel will not only provide certified guarantee about the soundness of its innate immunity mechanisms but also offer solid support for new adaptive immunity mechanisms. Programming languages for building end-to-end certified kernels. OS kernels must address a multitude of abstraction layers and programming concerns. We propose a new open framework for supporting certified low-level programming and cross-abstraction linking of heterogenous components. We will develop a set of domain-specific variants of assembly and C-like languages. Each such variant will be equipped with a specialized program logic or type system (i.e., DSL). We will apply them to certify different components at different abstraction layers (ranging from scheduler, interrupt handling, virtual memory manager, optimistic concurrency, file system, to information flow control), and then link everything together to build end-to-end certified systems. By imposing DSLs over familiar low-level constructs, we can program and verify kernel components at a higher abstraction level, yet without sacrificing code performance or precise control over hardware resources. Formal methods for automated analysis and proofs. To make our DSL-centric approach scalable, we propose to build a new integrated environment named VeriML [92] for combining automated provers and decision procedures (tailored to each DSL) with certified programming and proof development. Existing automated verifiers often depend on a rather restricted logic. Proof assistants with a richer meta logic (e.g., Coq [54]), however, provide poor support for automation. VeriML extends ML-style general-purpose programming with support for type-safe manipulation of arbitrary logical terms. Typed VeriML programs serve as excellent proof witnesses, since they are much smaller than proof objects (in the meta logic). We will build certifying static analysis and rewriting tools to synthesize program invariants automatically and to serve as generalized proof tactics. Because future computing hosts will almost certainly be multicore machines, as an option to our base effort, we propose to extend all three lines of our work to support the development of certified multicore kernels. Multicore machines will likely require multiple kernels running on different cores that still share memory-this creates new challenges for recovery and security. Certified kernels should offer a significant advantage over traditional ones because they have spelled out all of its formal invariants and abstraction layers, making it easier to identify orthogonal concerns and reason about sophisticated cross-core interaction. Under this option, we will also extend our formal specification and proof efforts to certify larger and more realistic kernels.
<span class="external-identifiers"> <a target="_blank" rel="external noopener noreferrer" href="">doi:10.1145/2676724.2693180</a> <a target="_blank" rel="external noopener" href="">dblp:conf/cpp/Shao15</a> <a target="_blank" rel="external noopener" href="">fatcat:ffiwrhqsdnbcflselj27eevbre</a> </span>
<a target="_blank" rel="noopener" href="" title="fulltext PDF download" data-goatcounter-click="serp-fulltext" data-goatcounter-title="serp-fulltext"> <button class="ui simple right pointing dropdown compact black labeled icon button serp-button"> <i class="icon ia-icon"></i> Web Archive [PDF] <div class="menu fulltext-thumbnail"> <img src="" alt="fulltext thumbnail" loading="lazy"> </div> </button> </a> <a target="_blank" rel="external noopener noreferrer" href=""> <button class="ui left aligned compact blue labeled icon button serp-button"> <i class="external alternate icon"></i> </button> </a>