Combining Mechanized Proofs and Model-Based Testing in the Formal Analysis of a Hypervisor

Virtualization engines play a critical role in many modern software products. In an effort to gain definitive confidence in critical components, our company has invested in the formal verification of the NOVA micro hypervisor, following recent advances in similar academic and industrial operating-system verification projects. Applying formal methods to low-level implementations has inherent difficulties, and these grow under the specific constraints of commercial software development. To deal with them, the chosen approach splits the verification effort into three parts: defining an abstract model of NOVA, verifying fundamental security properties over this model, and testing the conformance of the model w.r.t. the NOVA implementation. This article reports on our experience in applying formal methods to verify a hypervisor for commercial purposes. It describes the verification approach and the security properties under consideration, and reports the results obtained.
