sel4: from Security to Safety Gernot Heiser, Anna Lyons NICTA and UNSW Australia

Transcription

1 sel4: from Security to Safety Gernot Heiser, Anna Lyons NICTA and UNSW Australia 1

2 OS Trade-Offs Usability Minix Android Linux Trustworthiness Minix Android L4 sel4 Performance Linux L4 sel Gernot Heiser, NICTA 2 2

3 Trustworthy Systems Vision Suitable for real-world systems We will change the practice of designing and implementing critical systems, using rigorous approaches to achieve true trustworthiness Hard roadmap: High-level guarantees 1. Build components on safety/ 2. Build systems security/ 3. Deploy reliability 2015 Gernot Heiser, NICTA 33

4 sel4: Verification of Security C Implementation Confidentiality Availability Integrity Translation correctness [PLDI 13] Timeliness [RTSS 11] Proof Proof Proof Abstract Model Binary code 2015 Gernot Heiser, NICTA 4 4 Functional correctness [SOSP 09] Isolation properties [ITP 11, S&P 13] Exclusions (at present): Initialisation Assembler, TLB, caches Multicore Covert timing channels

5 Example: Unmanned Aerial Vehicle (UAV) DARPA HACMS Program: Provable vehicle safety Red Team must not be able to divert vehicle Boeing Unmanned Little Bird (AH-6) Deployment Vehicle SMACCMcopter Research Vehicle 2015 Gernot Heiser, NICTA 5 5

6 SMACCM Research Vehicle Architecture CONTROL BOARD MISSION BOARD SOFTWARE Control Mission Plan Sensor Filtering echronos Monitor CAN bus SOFTWARE Command & Control Task Image Processing (Payload) Ethernet Driver Unverified Linux Kernel untrusted HARDWARE Sensors Radio Modem Microcontroller Radio Control Speed Controller Radio Rxer HARDWARE ARM A15 processor sel4 Unverified C&C Radio COTS Network Camera trusted CAN Bus 2015 Gernot Heiser, NICTA 6 6

7 sel4 Now: Strong Security, Insufficient Safety C Implementation Confidentiality Availability Proof Proof Proof Abstract Model Binary code Integrity Very strong spatial isolation Insufficient temporal isolation 2015 Gernot Heiser, NICTA 7 7

8 Temporal Isolation Issues: Scheduler Priorities t1 100% 2015 Gernot Heiser, NICTA 8

9 Temporal Isolation Issues: Scheduler Priorities t1 50% t2 50% 2015 Gernot Heiser, NICTA 9

10 Temporal Isolation Issues: Scheduler Priorities t % t % t % 2015 Gernot Heiser, NICTA 10 10

11 Temporal Isolation Issues: Scheduler Priorities t4 0? t % Impossible to: 1. Limit high time 2. Guarantee low time High is trusted! t % t % 2015 Gernot Heiser, NICTA 11 11

12 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 5 e Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: 5 Wait 2015 Gernot Heiser, NICTA 12 12

13 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 5 Call e Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: 5 Wait 2015 Gernot Heiser, NICTA 13 13

14 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 5 e Server Prio: 9 Timeslice: 4 A Prio: 7 Timeslice: Gernot Heiser, NICTA 14 14

15 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 5 e Server Prio: 9 Timeslice: 1 A Prio: 7 Timeslice: Gernot Heiser, NICTA 15 15

16 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 5 e Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: Gernot Heiser, NICTA 16 16

17 Temporal Isolation Issues: IPC Current Thread Reply B Prio: 7 Timeslice: 5 e Wait Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: Gernot Heiser, NICTA 17 17

18 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 4 e Wait Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: Gernot Heiser, NICTA 18 18

19 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 4 e Wait Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: Gernot Heiser, NICTA 19 19

20 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 4 Call e Wait Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: Gernot Heiser, NICTA 20 20

21 Temporal Isolation Issues: IPC Current Thread B Prio: 7 Timeslice: 4 e Server Prio: 9 Timeslice: 5 A Prio: 7 Timeslice: 5 Can effectively DoS same-prio threads! 2015 Gernot Heiser, NICTA 21 21

22 Modern RT Systems: Mixed Criticality CATASTROPHIC Criticality, development, assurance cost HAZARDOUS MAJOR Design Assurance Levels (DO-178B) MINOR No Effect 2015 Gernot Heiser, NICTA 22 22

23 SMACCM Mission Board Timeliness Most Critical!? khz 100 khz 10 Hz CAN driver Command & Control Task Image Processing (Payload) Ethernet Driver Unverified Linux Kernel 10 khz sel Gernot Heiser, NICTA 23 23

24 Temporal Isolation Requirements 1. Bandwidth enforcement: Enforced limits on CPU time consumption 2. Support for mixed criticality: Priority orthogonal to criticality Asymmetric temporal isolation: controlled overrun by high-crit 3. Support for shared resources: Server time charged to client Sharing across priorities and criticalities 4. Efficient Minimal overheads and algorithmic losses No hierarchical scheduling 5. Policy-free mechanisms 2015 Gernot Heiser, NICTA 24 24

25 Learn from Resource Kernels [Rajkumar 01] Principles: Timeliness through reservations Efficient resource utilisation Enforcement and protection Missing: 1. Shared resources 2. Mixed criticality Resource Kernel mechanisms: Scheduling Policy doesn t Enforcement belong in Accounting microkernel! Admission 2015 Gernot Heiser, NICTA 25 25

26 Learn from sel4 s Spatial Isolation Model Design for isolation: No memory allocation in the kernel Resources fully delegated, allows autonomous operation Addr Space RM Data RM Addr Space Strong isolation, No shared kernel resources Addr Space Addr Space RM Data Resource Manager RM Data Resource Manager Global Resource Manager RAM Kernel Data GRM Data 2015 Gernot Heiser, NICTA 26 26

27 sel4 Memory Management 100% Retype (Untyped, 2 1 ) 50% 50% Retype (Frame, 2 2 ) Retype (Untyped, 2 1 ) r,w r,w r,w r,w 25% 25% Mint (r) Retype (CNode, 2 m, 2 n ) Retype (TCB, 2 n ) r Revoke() F 0 F 1 UT 1 F 2 F 3 UT 0 UT 3 UT 2 UT Gernot Heiser, NICTA 27 27

28 sel4 Time Management? 100% Split(Reservation, 40%) 40% 60% Split(Reservation, 50%) 30% 30% 40% UT 1 UT 0 30% UT 2 30% 2015 Gernot Heiser, NICTA 28 28

29 Idea: Separate Scheduling Context from Thread Old Thread attributes Priority Not runnable Time slice if null New Thread Attributes Priority Scheduling context capability Upper bound! Scheduling context object p: period e: budget ( p) e = 2 p = 3 e = 250 p = Gernot Heiser, NICTA 29 29

30 Full Budgets e = 4 p = 4 t1 Round-robin, 4/5/4 shares e = 5 p = 5 t2 e = 4 p = 4 t Gernot Heiser, NICTA 30 30

31 General Budgets e = 1 p = 2 t1 Release Queue e = 8 p = 8 t3 e = 4 p = 4 t2 t1 e = 1 p = 2 Runs in slack time Might be trusted not to use budget, except in emergencies 2015 Gernot Heiser, NICTA 31 31

32 Task model aka I m done for now while (1) { /* job release */ } dojob(); /* job completion */ sel4_wait(trigger); Kernel signals to release On overrun: Optional exception Else rate limit Per-thread semaphore (aka async endpoint ) 2015 Gernot Heiser, NICTA 32 32

33 Admission New capability: SchedControl Anyone (with access to Untyped) can create scheduling contexts Only holder of SchedControl cap can populate scheduling contexts Trusted to implement policy Admission Policy sel Gernot Heiser, NICTA 33 33

34 Temporal Isolation Requirements 1. Bandwidth enforcement: Enforced limits on CPU time consumption 2. Support for mixed criticality: Priority orthogonal to criticality Asymmetric temporal isolation: controlled overrun by high-crit 3. Support for shared resources: Server time charged to client Sharing across priorities and criticalities 4. Efficient Minimal overheads and algorithmic losses 5. Policy-free mechanisms 2015 Gernot Heiser, NICTA 34 34

35 Criticality Old Thread attributes Priority Time slice System criticality New Thread Attributes Priority Scheduling context capability Trigger endpoint Time exception handler Criticality Only schedule threads with at least that criticality SchedControl holder can change (on time exeption) 2015 Gernot Heiser, NICTA 35 35

36 Asymmetric Protection Low Criticality High Criticality t0 t4 t3 t2 t1 t5 e = 100 p = 100 e = 4 p = 19 e = 3 p = 20 e = 1 p = 5 e = 2 p = 10 e = 100 p = 100 SchedControl_SetCriticality() 2015 Gernot Heiser, NICTA 36 36

37 Asymmetric Protection Low Criticality High Criticality t0 t3 t1 t5 e = 100 p = 100 e = 3 p = 20 e = 52 p = 10 e = 100 p = 100 Restores low criticality SchedControl_Extend() 2015 Gernot Heiser, NICTA 37 37

38 Temporal Isolation Requirements 1. Bandwidth enforcement: Enforced limits on CPU time consumption 2. Support for mixed criticality: Priority orthogonal to criticality Asymmetric temporal isolation: controlled overrun by high-crit 3. Support for shared resources: Server time charged to client Sharing across priorities and criticalities 4. Efficient Minimal overheads and algorithmic losses 5. Policy-free mechanisms 2015 Gernot Heiser, NICTA 38 38

39 Active Servers sel4_wait B e Server A 2015 Gernot Heiser, NICTA 39 39

40 Active Servers sel4_call B e Server A 2015 Gernot Heiser, NICTA 40 40

41 Active Servers sel4_replywait B e Server A 2015 Gernot Heiser, NICTA 41 41

42 Active Servers B e Server No temporal isolation Must trust server A 2015 Gernot Heiser, NICTA 42 42

43 Passive Server: Scheduling Context Transfer sel4_wait B e Server A 2015 Gernot Heiser, NICTA 43 43

44 Passive Server: Scheduling Context Transfer sel4_call B e Server A 2015 Gernot Heiser, NICTA 44 44

45 Passive Server: Scheduling Context Transfer B e Server A 2015 Gernot Heiser, NICTA 45 45

46 Passive Server: Scheduling Context Transfer sel4_replywait B e Server Budget expiry? Client budget pays for server time A 2015 Gernot Heiser, NICTA 46 46

47 Budget Expiry Options Multi-threaded servers (COMPOSITE [Parmer 10]) Model allows this Forcing all servers to be thread-safe is policy Bandwidth inheritance with helping (Fiasco [Stenberg 10]) Ugly dependency chains Use temporal Exceptions to trigger one of: Provide emergency budget Cancel operation & roll-back server Change criticality 2015 Gernot Heiser, NICTA 47 47

48 Temporal Isolation Requirements 1. Bandwidth enforcement: Enforced limits on CPU time consumption 2. Support for mixed criticality: Priority orthogonal to criticality Asymmetric temporal isolation: controlled overrun by high-crit 3. Support for shared resources: Server time charged to client Sharing across priorities and criticalities 4. Efficient Minimal overheads and algorithmic losses 5. Policy-free mechanisms 2015 Gernot Heiser, NICTA 48 48

49 Summary We may have cracked time (the final Frontier) we as in Anna Presently evaluating SMACCMcopter etc Can we integrate this with confidentiality-oriented isolation? 2015 Gernot Heiser, NICTA 49 49