seL4: from Security to Safety
Gernot Heiser, Anna Lyons
NICTA and UNSW Australia
OS Trade-Offs
(figure: three competing goals, with operating systems placed by what they favour)
Usability: Minix, Android, Linux
Trustworthiness: Minix, Android, L4, seL4
Performance: Linux, L4, seL4
2015 Gernot Heiser, NICTA
Trustworthy Systems Vision
We will change the practice of designing and implementing critical systems, using rigorous approaches to achieve true trustworthiness.
Suitable for real-world systems, with high-level guarantees on safety, security and reliability.
Hard roadmap:
1. Build components
2. Build systems
3. Deploy
seL4: Verification of Security
Proof chain: Abstract Model -> C Implementation, by the functional correctness proof [SOSP 09]; C Implementation -> Binary code, by the translation correctness proof [PLDI 13].
Isolation properties proved on top of that chain: Confidentiality, Integrity, Availability [ITP 11, S&P 13].
Timeliness [RTSS 11].
Exclusions (at present):
- Initialisation
- Assembler, TLB, caches
- Multicore
- Covert timing channels
Example: Unmanned Aerial Vehicle (UAV)
DARPA HACMS program: provable vehicle safety, i.e. the Red Team must not be able to divert the vehicle.
Research vehicle: SMACCMcopter. Deployment vehicle: Boeing Unmanned Little Bird (AH-6).
SMACCM Research Vehicle Architecture
Mission board (hardware: ARM A15 processor; software on seL4): Command & Control Task, Image Processing (Payload), Ethernet Driver, Unverified Linux Kernel (untrusted); attached hardware: C&C radio, COTS network camera.
Control board (hardware: microcontroller; software on eChronos): Control, Mission Plan, Sensor Filtering, Monitor; attached hardware: sensors, radio modem, radio control, speed controller, radio receiver.
The two boards are connected by the CAN bus; the control board and its CAN link are the trusted side.
seL4 Now: Strong Security, Insufficient Safety
Same proof chain (Abstract Model, C Implementation, Binary code) and the same Confidentiality, Integrity and Availability proofs, but:
- Very strong spatial isolation
- Insufficient temporal isolation
Temporal Isolation Issues: Scheduler Priorities
256 priority levels (0..255), strict priority scheduling, round robin within a level:
- a single thread t1 at the top level gets 100% of the CPU
- t1 and t2 at the same level: 50% each
- t1, t2 and t3 at the same level: 33.33% each
- a thread t4 at a lower level: 0?
Impossible to:
1. limit the time a high-priority thread consumes
2. guarantee any time to a low-priority thread
So every high-priority thread must be trusted!
Temporal Isolation Issues: IPC
Threads A and B (both prio 7, timeslice 5) use a server (prio 9, timeslice 5) via endpoint e:
1. The server waits on e; B is the current thread.
2. B Calls the server. The server now runs on its own timeslice: 5, 4, ..., 1. When that is used up, the kernel hands it a fresh timeslice of 5 and, as the highest-priority runnable thread, it simply carries on.
3. The server Replies and waits on e again. B resumes with timeslice 4: only the one tick B spent in its own code was charged to B; the server's time was not.
4. B Calls the server again with timeslice 4, and the server again burns a full timeslice of its own while A sits waiting at the same priority as B.
Server time is never charged to the client, so B can effectively DoS same-priority threads!
Modern RT Systems: Mixed Criticality
Design Assurance Levels (DO-178B), by effect of a failure: Catastrophic, Hazardous, Major, Minor, No Effect.
Criticality, and with it development and assurance cost, grows from No Effect up to Catastrophic.
SMACCM Mission Board Timeliness
(figure: the mission-board components on seL4, CAN driver, Command & Control Task, Image Processing (Payload), Ethernet Driver and the unverified Linux kernel, annotated with their rates, from 10 Hz up to 100 kHz)
Which is most critical!?
Temporal Isolation Requirements
1. Bandwidth enforcement: enforced limits on CPU time consumption
2. Support for mixed criticality: priority orthogonal to criticality; asymmetric temporal isolation (controlled overrun by high-criticality threads)
3. Support for shared resources: server time charged to the client; sharing across priorities and criticalities
4. Efficient: minimal overheads and algorithmic losses; no hierarchical scheduling
5. Policy-free mechanisms
Learn from Resource Kernels [Rajkumar 01]
Principles: timeliness through reservations; efficient resource utilisation; enforcement and protection.
Resource Kernel mechanisms: scheduling, enforcement, accounting, admission. Admission is policy, and policy does not belong in a microkernel!
Missing:
1. Shared resources
2. Mixed criticality
Learn from seL4's Spatial Isolation Model
Design for isolation:
- No memory allocation in the kernel
- Resources fully delegated, which allows autonomous operation
- Strong isolation, no shared kernel resources
(figure: a Global Resource Manager owns RAM and the kernel data (GRM data) and delegates to Resource Managers, each with its own RM data and address spaces, which delegate further down)
seL4 Memory Management
(figure: the derivation tree of one Untyped capability UT0)
- UT0 (100%) -> Retype(Untyped, 2^1) -> UT1 (50%) and UT2 (50%)
- UT1 -> Retype(Frame, 2^2) -> frames F0..F3, each with r,w rights; Mint(r) derives a read-only copy of one frame
- UT2 -> Retype(Untyped, 2^1) -> UT3 (25%) and UT4 (25%)
- UT3 -> Retype(CNode, 2^m, 2^n); UT4 -> Retype(TCB, 2^n)
- Revoke() on an Untyped deletes everything derived from it
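As an added example for the derivation tree on this slide (written for this page; it is not seL4 kernel or libsel4 code and does not use the real seL4_Untyped_Retype or seL4_CNode_Revoke calls): a small model in which objects can only be carved out of an Untyped by a bump watermark, every object remembers which Untyped it came from, and revoking an Untyped destroys its whole subtree and makes it reusable. The 4 KiB root and the per-object sizes are assumptions chosen for the demo, not seL4's actual object sizes.

```c
/* Model of seL4's Untyped derivation tree, as on the memory-management slide:
 * kernel objects are only ever Retyped out of Untyped memory, sizes are powers
 * of two, each object records the Untyped it came from, and Revoke() on an
 * ancestor deletes the whole subtree and makes the Untyped reusable.
 * Illustrative model written for this page, not seL4 or libsel4 code; the
 * object sizes used below are assumptions, not seL4's real object sizes. */
#include <stddef.h>
#include <stdio.h>

#define MAX_OBJ 64
typedef enum { T_UNTYPED, T_FRAME, T_CNODE, T_TCB } otype_t;

typedef struct {
    otype_t type;
    int size_bits;    /* object occupies 2^size_bits bytes */
    int parent;       /* Untyped it was retyped from, -1 for the root */
    int alive;
    size_t used;      /* Untyped only: bump watermark of bytes already retyped */
} obj_t;

static obj_t objs[MAX_OBJ];
static int nobjs;

int ut_root(int size_bits) {                 /* the initial Untyped handed to the root task */
    nobjs = 0;
    objs[nobjs] = (obj_t){ T_UNTYPED, size_bits, -1, 1, 0 };
    return nobjs++;
}

/* Retype `count` objects of 2^size_bits bytes out of Untyped `ut`; returns 0 and
 * fills out[] with the new indices, or -1 if ut is not a live Untyped with room. */
int retype(int ut, otype_t type, int size_bits, int count, int *out) {
    obj_t *u = &objs[ut];
    size_t sz = (size_t)1 << size_bits;
    size_t off = (u->used + sz - 1) & ~(sz - 1);         /* naturally aligned, like seL4 */
    if (!u->alive || u->type != T_UNTYPED || nobjs + count > MAX_OBJ) return -1;
    if (off + sz * count > ((size_t)1 << u->size_bits)) return -1;
    for (int i = 0; i < count; i++) {
        out[i] = nobjs;
        objs[nobjs++] = (obj_t){ type, size_bits, ut, 1, 0 };
    }
    u->used = off + sz * count;
    return 0;
}

/* Revoke: destroy everything derived from `root`, depth first; an Untyped with
 * no children left can be retyped again from offset 0. */
void revoke(int root) {
    for (int i = 0; i < nobjs; i++)
        if (objs[i].alive && objs[i].parent == root) { revoke(i); objs[i].alive = 0; }
    if (objs[root].type == T_UNTYPED) objs[root].used = 0;
}

int alive_count(otype_t type) {
    int n = 0;
    for (int i = 0; i < nobjs; i++) n += objs[i].alive && objs[i].type == type;
    return n;
}

size_t ut_free(int ut) { return ((size_t)1 << objs[ut].size_bits) - objs[ut].used; }

int main(void) {
    int ut[2], f[4], cn[1], tcb[1];
    int root = ut_root(12);                              /* 4 KiB of untyped memory (assumed) */
    retype(root, T_UNTYPED, 11, 2, ut);                  /* split 50/50: UT1, UT2 */
    retype(ut[0], T_FRAME, 9, 4, f);                     /* UT1 -> four frames F0..F3 */
    retype(ut[1], T_CNODE, 10, 1, cn);                   /* UT2 -> a CNode (2^10 bytes) ... */
    retype(ut[1], T_TCB, 9, 1, tcb);                     /* ... and a TCB (2^9 bytes) */
    printf("frames alive: %d, root free: %zu\n", alive_count(T_FRAME), ut_free(root));
    revoke(ut[0]);                                       /* frees all four frames at once */
    printf("after revoke(UT1): frames alive %d, UT1 free %zu\n", alive_count(T_FRAME), ut_free(ut[0]));
    return 0;
}
```

The point the model makes is the one the slide relies on: once the root Untyped is fully delegated to UT1 and UT2, nobody holding only the root can allocate from it any more, and nothing the children do can consume more than the memory that was delegated to them; revoking UT1 recovers exactly its 2 KiB and nothing else.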
seL4 Time Management?
Treat CPU time like Untyped memory, delegating it down a tree:
- a 100% reservation -> Split(Reservation, 40%) -> 40% and 60%
- the 60% share -> Split(Reservation, 50%) -> 30% and 30%
Idea: Separate Scheduling Context from Thread
Old thread attributes: priority, time slice.
New thread attributes: priority, scheduling-context capability (the thread is not runnable if it is null).
Scheduling context object: period p, budget e (e <= p). The budget is an upper bound!
Examples: e = 2, p = 3; e = 250, p = 1000.
Full Budgets
Three threads at the same priority with e = p (t1: e = 4, p = 4; t2: e = 5, p = 5; t3: e = 4, p = 4) behave like round robin with 4/5/4 shares.
General Budgets
t1 at priority 255 with e = 1, p = 2 can take at most 50%; t2 has e = 4, p = 4; t3 at priority 0 has e = 8, p = 8.
A thread that has used its budget waits in the release queue until its next period.
t3 runs in slack time. t1 might be trusted not to use its budget, except in emergencies.
Task Model
    while (1) {
        /* job release: the kernel signals trigger to release the job */
        dojob();
        /* job completion, aka "I'm done for now" */
        seL4_Wait(trigger);
    }
trigger is a per-thread semaphore (aka async endpoint).
On overrun: optional exception, else rate-limit.
Admission
New capability: SchedControl.
- Anyone with access to Untyped memory can create scheduling-context objects.
- Only the holder of the SchedControl cap can populate a scheduling context (set its budget and period).
- That holder is trusted to implement the admission policy; the policy itself stays outside seL4.
Temporal Isolation Requirements (recap of the five requirements listed earlier)
Criticality
Old thread attributes: priority, time slice.
New thread attributes: priority, scheduling-context capability, trigger endpoint, time exception handler, criticality.
New system attribute: system criticality. Only threads with at least the system criticality are scheduled.
The SchedControl holder can change the system criticality (e.g. on a time exception).
Asymmetric Protection
Threads spread across priorities 0..255, each with its own budget and period:
- t0: e = 100, p = 100
- t4: e = 4, p = 19 (low criticality)
- t3: e = 3, p = 20
- t2: e = 1, p = 5 (low criticality)
- t1: e = 2, p = 10
- t5: e = 100, p = 100
SchedControl_SetCriticality() raises the system criticality: the low-criticality threads t4 and t2 are no longer scheduled, while t0, t3, t1 and t5 keep running.
SchedControl_Extend() then grows t1's budget (e = 2 before) within its unchanged period p = 10, so the high-criticality thread can overrun into the time the low-criticality threads gave up.
Restoring the low criticality level brings t4 and t2 back.
Temporal Isolation Requirements (recap of the five requirements listed earlier)
Active Servers
A server with a scheduling context of its own, serving clients A and B through endpoint e:
1. Server: seL4_Wait(e)
2. B: seL4_Call(e)
3. Server: seL4_ReplyWait(e)
The server always runs on its own budget: no temporal isolation between its clients, and every client must trust the server.
Passive Server: Scheduling Context Transfer
A server with no scheduling context of its own:
1. Server: seL4_Wait(e); without a scheduling context it cannot run until a client calls.
2. B: seL4_Call(e); B's scheduling context is transferred to the server, which now runs on B's budget.
3. Server: seL4_ReplyWait(e); the scheduling context goes back to B.
Client budget pays for server time. Open question: budget expiry while the server is running on it?
Budget Expiry Options
- Multi-threaded servers (COMPOSITE [Parmer 10]): the model allows this, but forcing all servers to be thread-safe is policy.
- Bandwidth inheritance with helping (Fiasco [Steinberg 10]): ugly dependency chains.
- Use temporal exceptions to trigger one of: provide an emergency budget; cancel the operation and roll back the server; change criticality.
Temporal Isolation Requirements (recap of the five requirements listed earlier)
Summary
We may have cracked time (the final frontier); "we" as in Anna.
Presently evaluating on the SMACCMcopter etc.
Can we integrate this with confidentiality-oriented isolation?