Applications of formal verification for secure Cloud environments at CEA LIST

Similar documents
FROM SAFETY TO SECURITY SOFTWARE ASSESSMENTS AND GUARANTEES FLORENT KIRCHNER (LIST)

LEVERAGING DEDUCTIVE VERIFICATION IN INDUSTRIAL CONTEXTS

How To Write A Program Verification And Programming Book

Rigorous Software Engineering Hoare Logic and Design by Contracts

Automated Theorem Proving - summary of lecture 1

Advances in Programming Languages

Virtual Machines. Virtualization

StaRVOOrS: A Tool for Combined Static and Runtime Verification of Java

Overview Motivating Examples Interleaving Model Semantics of Correctness Testing, Debugging, and Verification

Software Testing & Analysis (F22ST3): Static Analysis Techniques 2. Andrew Ireland

Specification and Analysis of Contracts Lecture 1 Introduction

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

x86 ISA Modifications to support Virtual Machines

Chapter 2: OS Overview

Formal Verification of Software

Rigorous Software Development CSCI-GA

ACSL By Example. Towards a Verified C Standard Library. Version for Frama-C Beryllium 2 April 2010

Towards practical reactive security audit using extended static checkers 1

Towards a Formally Verified Kernel Module

µz An Efficient Engine for Fixed points with Constraints

Rigorous Software Development CSCI-GA

Full System Emulation:

QUIRE: : Lightweight Provenance for Smart Phone Operating Systems

Introducing Formal Methods. Software Engineering and Formal Methods

The CompCert verified C compiler

Cloud Computing. Up until now

Unified Static and Runtime Verification of Object-Oriented Software

Run-Time Deep Virtual Machine Introspection & Its Applications

Combining Static Analysis and Test Generation for C Program Debugging

Static Analysis. Find the Bug! : Analysis of Software Artifacts. Jonathan Aldrich. disable interrupts. ERROR: returning with interrupts disabled

Chapter 3 Operating-System Structures

Model Checking: An Introduction

Static Program Transformations for Efficient Software Model Checking

Foundational Proof Certificates

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Trustworthy Software Systems

Software Verification and System Assurance

Regression Verification: Status Report

Sandy. The Malicious Exploit Analysis. Static Analysis and Dynamic exploit analysis. Garage4Hackers

GameTime: A Toolkit for Timing Analysis of Software

The Course.

Chair of Software Engineering. Software Verification. Assertion Inference. Carlo A. Furia

COS 318: Operating Systems. Virtual Machine Monitors

Static Analysis of Dynamic Properties - Automatic Program Verification to Prove the Absence of Dynamic Runtime Errors

Introduction to Static Analysis for Assurance

To Java SE 8, and Beyond (Plan B)

How To Write A Test Engine For A Microsoft Microsoft Web Browser (Php) For A Web Browser For A Non-Procedural Reason)

OPTIMIZE DMA CONFIGURATION IN ENCRYPTION USE CASE. Guillène Ribière, CEO, System Architect

Data Centers and Cloud Computing

Verifying Specifications with Proof Scores in CafeOBJ

Dynamic VM Monitoring using Hypervisor Probes

Concurrent Programming

Scalable Automated Symbolic Analysis of Administrative Role-Based Access Control Policies by SMT solving

Data Model Bugs. Ivan Bocić and Tevfik Bultan

Detecting Software Vulnerabilities Static Taint Analysis

Project No. 2: Process Scheduling in Linux Submission due: April 28, 2014, 11:59pm

Visualizing Information Flow through C Programs

System modeling. Budapest University of Technology and Economics Department of Measurement and Information Systems

The Plan Today... System Calls and API's Basics of OS design Virtual Machines

Weighted Total Mark. Weighted Exam Mark

Shared Address Space Computing: Programming

An Easier Way for Cross-Platform Data Acquisition Application Development

The Model Checker SPIN

Between Mutual Trust and Mutual Distrust: Practical Fine-grained Privilege Separation in Multithreaded Applications

IKOS: A Framework for Static Analysis based on Abstract Interpretation (Tool Paper)

Computer-Assisted Theorem Proving for Assuring the Correct Operation of Software

An Overview of JML Tools and Applications

Adversary Modelling 1

AURA: A language with authorization and audit

Multi-core Programming System Overview

Lecture 6: Semaphores and Monitors

NON-INTRUSIVE TRANSACTION MINING FRAMEWORK TO CAPTURE CHARACTERISTICS DURING ENTERPRISE MODERNIZATION ON CLOUD

Elemental functions: Writing data-parallel code in C/C++ using Intel Cilk Plus

INF5140: Specification and Verification of Parallel Systems

Constructing Contracts: Making Discrete Mathematics Relevant to Beginning Programmers

Technical Brief Distributed Trusted Computing

Homeland Security Red Teaming

COS 318: Operating Systems. Virtual Machine Monitors

Software Engineering using Formal Methods

Verification of Imperative Programs in Theorema

Research and Design of Universal and Open Software Development Platform for Digital Home

Fine-Grained User-Space Security Through Virtualization. Mathias Payer and Thomas R. Gross ETH Zurich

Operating System Components

Functional Programming in C++11

Compromise-as-a-Service

Experimental Comparison of Concolic and Random Testing for Java Card Applets

Evaluating HDFS I/O Performance on Virtualized Systems

Software Engineering

Transcription:

Applications of formal verification for secure Cloud environments at CEA LIST Nikolai Kosmatov joint work with A.Blanchard, F.Bobot, M.Lemerre,... SEC2, Lille, June 30 th, 2015 N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 1 / 28

Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 2 / 28

Frama-C, a platform for analysis of C code Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 3 / 28

Frama-C, a platform for analysis of C code Frama-C, a brief history 90 s: CAVEAT, Hoare logic-based tool for C code at CEA 2000 s: CAVEAT used by Airbus during certification process of the A380 (DO-178 level A qualification) 2008: First public release of Frama-C (Hydrogen) 2012: New Hoare-logic based plugin WP developed at CEA LIST Today: Frama-C Sodium (v.11) Multiple projects around the platform A growing community of users... and of plugin developers N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 4 / 28

Frama-C, a platform for analysis of C code Frama-C at a glance A Framework for Modular Analysis of C code Developed at CEA LIST and INRIA Saclay Released under LGPL license Kernel based on CIL [Necula et al. (Berkeley), CC 2002] ACSL annotation language Extensible plugin oriented platform Collaboration of analyses over same code Inter plugin communication through ACSL formulas Adding specialized plugins is easy http://frama-c.com/ [Cuoq et al. SEFM 2012, FAC 2015] N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 5 / 28

Frama-C, a platform for analysis of C code ACSL: ANSI/ISO C Specification Language Based on the notion of contract, like in Eiffel, JML Allows users to specify functional properties of programs Allows communication between various plugins Independent from a particular analysis Manual at http://frama-c.com/acsl Basic Components First-order logic Pure C expressions C types + Z (integer) and R (real) Built-in predicates and logic functions N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 6 / 28

Frama-C, a platform for analysis of C code Example: a C program annotated in ACSL / @ r e q u i r e s n>=0 && \ v a l i d ( t + ( 0.. n 1)); a s s i g n s \ n o t h i n g ; e n s u r e s \ r e s u l t!= 0 <==> ( \ f o r a l l i n t e g e r j ; 0 <= j < n ==> t [ j ] == 0 ) ; / i n t a l l z e r o s ( i n t t [ ], i n t n ) { i n t k ; / @ l o o p i n v a r i a n t 0 <= k <= n ; l o o p i n v a r i a n t \ f o r a l l i n t e g e r j ; 0<=j <k ==> t [ j ]==0; l o o p a s s i g n s k ; l o o p v a r i a n t n k ; / f o r ( k = 0 ; k < n ; k++) i f ( t [ k ]!= 0) r e t u r n 0 ; r e t u r n 1 ; } Can be proven in Frama-C/WP N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 7 / 28

Frama-C, a platform for analysis of C code Main Frama-C plugins VALUE Jessie WP Aoraï Agen Specification Generation Abstract Interpretation Deductive Verification Mthread Formal Methods Concurrency E-ACSL Code Transformation Frama-C Plugins Dynamic Analysis PathCrawler STADY Semantic constant folding Slicing Spare code Browsing of unfamiliar code SANTE Scope & Data-flow browsing LTEST Metrics computation Variable occurrences Impact Analysis N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 8 / 28

Frama-C, a platform for analysis of C code Plugin WP for deductive verification Based on Weakest Precondition calculus [Dijkstra, 1976] Proves that a given program respects its specification Relies on automatic provers (Alt-Ergo, CVC4, Z3,... ) when necessary, interactive proof assistants (Coq) N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 9 / 28

Verification of a Cloud hypervisor Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 10 / 28

Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Anaxagoros Microkernel Clouds mutualize physical resources between users Safety and security are crucial N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 11 / 28

Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Anaxagoros Microkernel Clouds mutualize physical resources between users Safety and security are crucial N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 11 / 28

Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Anaxagoros Microkernel Clouds mutualize physical resources between users Safety and security are crucial Anaxagoros Secure microkernel hypervisor Developped at CEA LIST by Matthieu Lemerre Designed for resource isolation and protection Virtual memory system is a key module to ensure isolation N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 11 / 28

Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Virtual Memory Subsystem Organizes program address spaces Creates a hierarchy of pages Allows sharing when needed Controls accesses and modifications to the pages Only owners can access their pages Types of the pages limit possible actions Counts mappings, references, to each page N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 12 / 28

Verification of a Cloud hypervisor Formal Verification Memory invariant for sequential version Maintain the counters of mappings to pages: The counter mappings[e] must be equal to the real number of mappings to the page e Let Occ e be the number of mappings, i.e. occurrences of e in all pagetables We want ot prove: e, validpage(e) Occ e = mappings[e] MAX N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 13 / 28

Verification of a Cloud hypervisor Formal Verification Memory invariant for concurrent version Concurrency issues Pages might be modified by different processes simultaneously That creates a gap between the actual number of mappings and the counter New invariant : and more precisely, e, validpage(e) Occ e mappings[e] MAX e, validpage(e) k. k 0 Occ e + k = mappings[e] MAX Here k is the number of threads that have introduced a difference in the counter, difference of at most 1. N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 14 / 28

Verification of a Cloud hypervisor Formal Verification Simulation of the concurrency To model the execution context, we introduce for each thread : global arrays representing the value of each local variable a global array representing its position in the execution We simulate every atomic step with a function that performs this step for one thread We create an infinite loop that randomly chooses a thread and makes it perform a step of execution according to its current position N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 15 / 28

Verification of a Cloud hypervisor Results and discussion Verification results Partial verification of a critical module of Anaxagoros hypervisor For low-level functions, we conducted a classic verification Specification with ACSL Automatic proof with Frama-C/WP and SMT Solvers (CVC4, Z3) For the concurrent function used to change pagetables : First specification and proof for sequential version Weakening of the invariant for concurrency Specification and proof of the simulated version Only a few properties could not be proved automatically their proof is done in Coq by extracting them from WP N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 16 / 28

Verification of a Cloud hypervisor Results and discussion Lessons Learned, Limitations and Benefits Ability to treat concurrent programs With a tool that originally does not handle parallelism Proof done mostly automatically Verification of properties in isolation Scalability By-hand simulation is tedious and error prone Could perfectly be automized Need for specification mean for concurrent behaviors N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 17 / 28

Verification of a sandbox Outline Frama-C, a platform for analysis of C code Verification of a Cloud hypervisor Anaxagoros hypervisor and Virtual Memory Formal Verification Results and discussion Verification of a sandbox The ZeroVM sandbox solution Formal verification Results Conclusion N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 18 / 28

Verification of a sandbox The ZeroVM sandbox solution ZeroVM: History Developed by Google as a sandboxing technique for Chrome (2009) Native Client (NaCl) plugins use Chrome API ZeroVM: programs outside Chrome use ZeroVM syscalls (2011) N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 19 / 28

Verification of a sandbox The ZeroVM sandbox solution ZeroVM: Big picture OS untrusted N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 20 / 28

Verification of a sandbox The ZeroVM sandbox solution ZeroVM: Big picture untrusted OS Prevents privacy issues, privilege escalation, unauthorized device access... N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 20 / 28

Verification of a sandbox The ZeroVM sandbox solution ZeroVM: Big picture untrusted OS Prevents privacy issues, privilege escalation, unauthorized device access... Performs binary code validation before execution N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 20 / 28

Verification of a sandbox The ZeroVM sandbox solution ZeroVM: Big picture untrusted OS API Prevents privacy issues, privilege escalation, unauthorized device access... Performs binary code validation before execution N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 20 / 28

Verification of a sandbox The ZeroVM sandbox solution ZeroVM: Big picture OS untrusted checks API Prevents privacy issues, privilege escalation, unauthorized device access... Performs binary code validation before execution Checks API calls (used for syscall invocations) N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 20 / 28

Verification of a sandbox Formal verification Verification of ZeroVM Specificaton in ACSL and deductive verification with Frama-C/WP of API checks before syscall invocation: /*@ requires valid_nap ( nap ); ensures valid_nap ( nap ); @*/ int32_t TrapHandler ( struct NaClApp * nap, uint32_t * args ){... } N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 21 / 28

Verification of a sandbox Formal verification API handler for validation of Read operations static int32_t ZVMReadHandle ( struct NaClApp * nap, int ch, char * buffer, int32_t size, int64_t offset ){... } Checks performed by ZVMReadHandle: ch channel exists buffer is writable on size length [offset; offset+size] [0; channel->size] limits are not reached N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 22 / 28

Verification of a sandbox Formal verification API handler for validation of memory accesses /*@ requires valid_nap ( nap ); requires nap - > mem_start <= start ; assigns \nothing ; ensures \result == 0 == > prot == PROT_READ == > valid_read_segment ( start, start + size ); ensures \result == 0 == > prot == PROT_WRITE == > valid_segment ( start, start + size ); ensures \result == 0 \result == -1; @*/ static int CheckRAMAccess ( struct NaClApp * nap, NaClSysPtr start, uint32_t size, int prot ) N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 23 / 28

Verification of a sandbox Formal verification Issues detected by formal verification (1/3) before correction: int64_t size ; uintptr_t start, nap -> mem_map [i]. end ; size -= (nap -> mem_map [i]. end - start ); if( size <= 0) return 0; after correction: N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 24 / 28

Verification of a sandbox Formal verification Issues detected by formal verification (1/3) before correction: int64_t size ; uintptr_t start, nap -> mem_map [i]. end ; size -= (nap -> mem_map [i]. end - start ); if( size <= 0) return 0; after correction: if( size <= (nap -> mem_map [i]. end - start )) return 0; size -= nap -> mem_map [i]. end - start ; N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 24 / 28

Verification of a sandbox Formal verification Issues detected by formal verification (2/3) before correction: int32_t size, int64_t offset ; int64_t channel - > size ; /* prevent reading beyond the end of the channel */ size = MIN ( channel - > size - offset, size ); /* check arguments sanity */ if( size == 0) return 0; /* success. user has read 0 bytes */ if( size < 0) return - EFAULT ; if( offset < 0) return - EINVAL ; N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 25 / 28

Verification of a sandbox Formal verification Issues detected by formal verification (2/3) after correction: /* check offset sanity */ if( offset < 0 offset >= channel - > size ) return - EINVAL ; /* prevent reading beyond the end of the channel */ size = MIN ( channel - > size - offset, size ); /* check arguments sanity */ if( size == 0) return 0; /* success. user has read 0 bytes */ if( size < 0) return - EFAULT ; N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 25 / 28

Verification of a sandbox Formal verification Issues detected by formal verification (3/3) before correction: if( offset >= channel - > size + tail ) return - EINVAL ; after correction: N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 26 / 28

Verification of a sandbox Formal verification Issues detected by formal verification (3/3) before correction: if( offset >= channel - > size + tail ) return - EINVAL ; after correction: if( offset >= channel - > size && offset - channel - > size >= tail ) return - EINVAL ; N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 26 / 28

Verification of a sandbox Results Verification results Frama-C/WP automatically proves specified properties 64 proof obligations for functional properties 69 proof obligations to prevent runtime errors several issues and potential security flaws detected and reported to the development team a new version of ZeroVM fixed the issues N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 27 / 28

Conclusion Conclusion We performed deductive verification in Frama-C for a submodule of a Cloud hypervisor a sandbox for secure execution of user applications Results: a concurrent version verified via simulation a few potential errors and security flaws detected and reported Frama-C provides a rich and extensible framework for formal verification of C code Future work: apply Frama-C for formal verification of real-sized Cloud software N. Kosmatov (CEA LIST) Formal Verification for secure Cloud environments 2015-06-30 28 / 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information