seL4: from Security to Safety
Gernot Heiser, Anna Lyons, NICTA and UNSW Australia




Slide 2: OS Trade-Offs
[Figure: operating systems placed on three axes]
- Usability: Minix, Android, Linux
- Trustworthiness: Minix, Android, L4, seL4
- Performance: Linux, L4, seL4
2015 Gernot Heiser, NICTA

Slide 3: Trustworthy Systems Vision
We will change the practice of designing and implementing critical systems, using rigorous approaches to achieve true trustworthiness.
- Suitable for real-world systems
- High-level guarantees on safety, security and reliability
- Hard roadmap: 1. build components, 2. build systems, 3. deploy

Slide 4: seL4: Verification of Security
[Figure: proof chain from security properties down to the binary]
- Confidentiality, Availability, Integrity: isolation properties [ITP 11, S&P 13], proved on the Abstract Model
- Abstract Model to C Implementation: functional correctness proof [SOSP 09]
- C Implementation to Binary code: translation correctness proof [PLDI 13]
- Binary code: timeliness [RTSS 11]
- Exclusions (at present): initialisation; assembler, TLB, caches; multicore; covert timing channels

Slide 5: Example: Unmanned Aerial Vehicle (UAV)
- DARPA HACMS Program: provable vehicle safety
- Red Team must not be able to divert vehicle
- Boeing Unmanned Little Bird (AH-6): deployment vehicle
- SMACCMcopter: research vehicle

Slide 6: SMACCM Research Vehicle Architecture
[Figure: two boards connected by a CAN bus, components labelled trusted, untrusted or unverified]
- Control board hardware: microcontroller, sensors, radio modem, radio control, speed controller, radio receiver
- Control board software (on eChronos): Control, Mission Plan, Sensor Filtering, Monitor, CAN bus
- Mission board hardware: ARM A15 processor, C&C radio, COTS network camera
- Mission board software (on seL4): Command & Control Task, Image Processing (Payload), Ethernet Driver, unverified Linux kernel (untrusted)

Slide 7: seL4 Now: Strong Security, Insufficient Safety
[Figure: the proof chain of slide 4 (Abstract Model, C Implementation, Binary code; Confidentiality, Availability, Integrity)]
- Very strong spatial isolation
- Insufficient temporal isolation

Slides 8-11: Temporal Isolation Issues: Scheduler Priorities
[Figure: priority levels 0 ... 255 with threads placed on them, built up over four slides]
- t1 alone at a priority: 100% of CPU time
- t1 and t2 at the same priority: 50% each
- t1, t2 and t3 at the same priority: 33.33% each
- t4 at a lower priority: 0?
- Impossible to: 1. limit high time, 2. guarantee low time
- High is trusted!

Slides 12-21: Temporal Isolation Issues: IPC
[Figure: clients A and B (Prio 7, Timeslice 5) and a Server (Prio 9, Timeslice 5) communicating over endpoint e; the sequence runs over ten slides]
- Server waits on e; B is the current thread
- B calls the server; the server (higher priority) runs, its timeslice counting down 5, 4, 1 and then back at 5
- Server replies and waits on e again; B is current again with timeslice 4
- B calls again; the server runs again on its own timeslice while B's timeslice stays at 4
- Can effectively DoS same-prio threads!

Slide 22: Modern RT Systems: Mixed Criticality
[Figure: Design Assurance Levels (DO-178B), ordered by criticality, development and assurance cost]
- CATASTROPHIC
- HAZARDOUS
- MAJOR
- MINOR
- No Effect

Slide 23: SMACCM Mission Board Timeliness
[Figure: mission-board components on seL4 annotated with their rates: CAN driver, Command & Control Task, Image Processing (Payload), Ethernet Driver, unverified Linux kernel; the rates shown are 10 kHz, 100 kHz, 10 Hz and a further kHz value]
- Most critical!?

Slide 24: Temporal Isolation Requirements
1. Bandwidth enforcement: enforced limits on CPU time consumption
2. Support for mixed criticality: priority orthogonal to criticality; asymmetric temporal isolation: controlled overrun by high-crit
3. Support for shared resources: server time charged to client; sharing across priorities and criticalities
4. Efficient: minimal overheads and algorithmic losses; no hierarchical scheduling
5. Policy-free mechanisms

Slide 25: Learn from Resource Kernels [Rajkumar 01]
- Principles: timeliness through reservations; efficient resource utilisation; enforcement and protection
- Missing: 1. shared resources, 2. mixed criticality
- Resource Kernel mechanisms: scheduling, enforcement, accounting, admission
- Policy doesn't belong in microkernel!

Slide 26: Learn from seL4's Spatial Isolation Model
Design for isolation:
- No memory allocation in the kernel
- Resources fully delegated, allows autonomous operation
- Strong isolation, no shared kernel resources
[Figure: Global Resource Manager (GRM Data, Kernel Data, RAM) delegates to Resource Managers, each with its own RM Data and address spaces]

Slide 27: seL4 Memory Management
[Figure: capability derivation tree starting from Untyped memory UT0 (100%)]
- Retype(Untyped, 2^1): UT0 becomes UT1 and UT2 (50% each)
- Retype(Frame, 2^2): UT1 becomes frames F0, F1, F2, F3 (r,w)
- Retype(Untyped, 2^1): UT2 becomes UT3 and UT4 (25% each)
- Retype(CNode, 2^m, 2^n) and Retype(TCB, 2^n) from UT3 and UT4
- Mint(r): a read-only (r) copy of a frame capability
- Revoke()

Slide 28: seL4 Time Management?
[Figure: the same tree shape applied to time: a 100% reservation (UT0) is Split(Reservation, 40%) into 40% and 60%; the 60% part is Split(Reservation, 50%) into 30% (UT1) and 30% (UT2)]

Slide 29: Idea: Separate Scheduling Context from Thread
- Old thread attributes: priority, time slice
- New thread attributes: priority, scheduling context capability (not runnable if null)
- Scheduling context object: p: period; e: budget (e <= p), an upper bound!
- Examples: e = 2, p = 3; e = 250, p = 1000

Slide 30: Full Budgets
[Figure: priorities 0 ... 255; t1 (e = 4, p = 4), t2 (e = 5, p = 5) and t3 (e = 4, p = 4) at one priority]
- Round-robin, 4/5/4 shares

Slide 31: General Budgets
[Figure: priorities 0 ... 255; t1 (e = 1, p = 2) at a high priority, t2 (e = 4, p = 4) and t3 (e = 8, p = 8) below it; a Release Queue holds t1 (e = 1, p = 2) while its budget is exhausted]
- Runs in slack time
- Might be trusted not to use budget, except in emergencies
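A tick-based model of the scheduling contexts on slides 30 and 31, as an added example (not seL4 code): a thread runs only while its context has budget, and budget e is restored p ticks after it started being consumed, a simplified sporadic server. Thread names and the priority values 100/200/255, with t1 above t2 above t3 in the general-budget case, are assumptions; the model reproduces the 4/5/4 round-robin shares of full budgets and shows that t1 with e = 1, p = 2 is capped at 50% however high its priority, while t2's full budget soaks up all the slack.

```c
#include <stdio.h>
/* Added example, not seL4 code: a tick-based model of scheduling contexts.
 * A thread runs only while its context has budget; the budget e is restored
 * p ticks after it started being consumed (a simplified sporadic server). */
typedef struct {
    const char *name;
    int prio, e, p;    /* priority (higher wins), budget, period (e <= p) */
    int budget;        /* budget left in the current period */
    int period_start;  /* tick at which the current budget began to be used */
    int next_release;  /* tick at which budget is restored, -1 if none pending */
    int last_run, ran; /* last tick run (for round-robin), ticks received */
} sc_t;

/* Highest-priority thread with budget. Among equal priorities the running thread
 * keeps the CPU until its budget is exhausted, then the least recently run goes. */
static int pick(const sc_t *t, int n, int cur) {
    int best = -1;
    for (int i = 0; i < n; i++) {
        if (t[i].budget <= 0) continue;
        if (best < 0 || t[i].prio > t[best].prio) { best = i; continue; }
        if (t[i].prio == t[best].prio && best != cur &&
            (i == cur || t[i].last_run < t[best].last_run)) best = i;
    }
    return best;
}

/* Simulate `ticks` ticks of fixed-priority scheduling; fills in t[i].ran. */
void simulate(sc_t *t, int n, int ticks) {
    int cur = -1;
    for (int i = 0; i < n; i++)
        t[i].budget = t[i].e, t[i].next_release = -1, t[i].last_run = -1, t[i].ran = 0;
    for (int now = 0; now < ticks; now++) {
        for (int i = 0; i < n; i++)                 /* release queue: restore budgets */
            if (t[i].next_release >= 0 && now >= t[i].next_release)
                t[i].budget = t[i].e, t[i].next_release = -1;
        int i = pick(t, n, cur);
        if (i < 0) continue;                        /* nothing has budget: idle tick */
        if (t[i].budget == t[i].e) t[i].period_start = now;
        t[i].budget--, t[i].ran++, t[i].last_run = now, cur = i;
        if (t[i].budget == 0)                       /* exhausted until period_start + p */
            t[i].next_release = t[i].period_start + t[i].p, cur = -1;
    }
}

/* Ticks received by thread idx in the two slide set-ups (constructed inputs). */
int demo_ticks(int full_budgets, int idx) {
    sc_t rr[] = {{"t1",100,4,4},{"t2",100,5,5},{"t3",100,4,4}}; /* slide 30 */
    sc_t gb[] = {{"t1",255,1,2},{"t2",200,4,4},{"t3",100,8,8}}; /* slide 31 */
    if (full_budgets) { simulate(rr, 3, 26); return rr[idx].ran; }
    simulate(gb, 3, 16);
    return gb[idx].ran;
}

int main(void) {
    for (int i = 0; i < 3; i++)
        printf("t%d: %d/26 ticks with full budgets, %d/16 with general budgets\n",
               i + 1, demo_ticks(1, i), demo_ticks(0, i));
    return 0;
}
```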

Slide 32: Task model
    while (1) {
        /* job release */
        dojob();
        /* job completion */
        sel4_wait(trigger);
    }
- sel4_wait: aka "I'm done for now"
- Kernel signals to release
- On overrun: optional exception, else rate limit
- trigger: per-thread semaphore (aka async endpoint)

Slide 33: Admission
- New capability: SchedControl
- Anyone (with access to Untyped) can create scheduling contexts
- Only the holder of the SchedControl cap can populate scheduling contexts
- Trusted to implement policy
[Figure: Admission Policy sits above seL4]

Slide 34: Temporal Isolation Requirements (recap of the list on slide 24)

Slide 35: Criticality
- Old thread attributes: priority, time slice
- New thread attributes: priority, scheduling context capability, trigger endpoint, time exception handler, criticality
- System criticality: only schedule threads with at least that criticality
- SchedControl holder can change it (on time exception)

Slide 36: Asymmetric Protection
[Figure: priorities 0 ... 255, threads grouped into low criticality and high criticality: t0 (e = 100, p = 100), t4 (e = 4, p = 19), t3 (e = 3, p = 20), t2 (e = 1, p = 5), t1 (e = 2, p = 10), t5 (e = 100, p = 100)]
- SchedControl_SetCriticality()

Slide 37: Asymmetric Protection (continued)
[Figure: after the system criticality is raised only t0 (e = 100, p = 100), t3 (e = 3, p = 20), t1 (p = 10, budget shown as e = 52 in the transcription) and t5 (e = 100, p = 100) remain scheduled]
- SchedControl_Extend()
- Restores low criticality

Slide 38: Temporal Isolation Requirements (recap of the list on slide 24)

Slides 39-42: Active Servers
[Figure: clients A and B, a Server with its own scheduling context, endpoint e]
- Server: sel4_wait on e
- B: sel4_call
- Server: sel4_replywait
- No temporal isolation: must trust server

Slides 43-46: Passive Server: Scheduling Context Transfer
[Figure: clients A and B, a Server without a scheduling context of its own, endpoint e]
- Server: sel4_wait on e
- B: sel4_call; B's scheduling context is transferred to the server
- Server runs on the client's scheduling context
- Server: sel4_replywait; the scheduling context returns to B
- Client budget pays for server time
- Budget expiry?

Slide 47: Budget Expiry Options
- Multi-threaded servers (COMPOSITE [Parmer 10]): the model allows this; forcing all servers to be thread-safe is policy
- Bandwidth inheritance with helping (Fiasco [Steinberg 10]): ugly dependency chains
- Use temporal exceptions to trigger one of: provide emergency budget; cancel operation and roll back server; change criticality

Slide 48: Temporal Isolation Requirements (recap of the list on slide 24)

Slide 49: Summary
- We may have cracked time (the final frontier); "we" as in Anna
- Presently evaluating SMACCMcopter etc.
- Can we integrate this with confidentiality-oriented isolation?