No Crash, No Exploit: Automated Verification of Embedded Kernels

The kernel is the most safety- and security-critical component of many computer systems, as the most severe bugs lead to complete system crash or exploit. It is thus desirable to guarantee that a kernel is free from these bugs using formal methods, but the high cost and expertise required to do so are deterrent to wide applicability. We propose a method that can verify both absence of runtime errors (i.e. crashes) and absence of privilege escalation (i.e. exploits) in embedded kernels from their binary executables. The method can verify the kernel runtime independently from the application, at the expense of only a few lines of simple annotations. When given a specific application, the method can verify simple kernels without any human intervention. We demonstrate our method on two different use cases: we use our tool to help the development of a new embedded realtime kernel, and we verify an existing industrial real-time kernel executable with no modification. Results show that the method is fast, simple to use, and can prevent real errors and security vulnerabilities.

[1]  Philippe Granger Static analysis of arithmetical congruences , 1989 .

[2]  Jean-Yves Marion,et al.  BINSEC/SE: A Dynamic Symbolic Execution Toolkit for Binary-Level Analysis , 2016, 2016 IEEE 23rd International Conference on Software Analysis, Evolution, and Reengineering (SANER).

[3]  James Newsome,et al.  Design, Implementation and Verification of an eXtensible and Modular Hypervisor Framework , 2013, 2013 IEEE Symposium on Security and Privacy.

[4]  Frank Pfenning,et al.  Refinement types for ML , 1991, PLDI '91.

[5]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[6]  Amer Diwan,et al.  Type-based alias analysis , 1998, PLDI.

[7]  Wolfgang J. Paul,et al.  Completing the Automated Verification of a Small Hypervisor - Assembler Code Verification , 2012, SEFM.

[8]  Thomas W. Reps,et al.  There's Plenty of Room at the Bottom: Analyzing and Verifying Machine Code , 2010, CAV.

[9]  C. Hawblitzel,et al.  Safe to the last instruction , 2011, Commun. ACM.

[10]  Zhong Shao,et al.  CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels , 2016, OSDI.

[11]  Sagar Chaki,et al.  überSpark: Enforcing Verifiable Object Abstractions for Automated Compositional Security Analysis of a Hypervisor , 2016, USENIX Security Symposium.

[12]  Wolfram Schulte,et al.  A Precise Yet Efficient Memory Model For C , 2009, Electron. Notes Theor. Comput. Sci..

[13]  Gary A. Kildall,et al.  A unified approach to global program optimization , 1973, POPL.

[14]  Antoine Miné,et al.  Symbolic Methods to Enhance the Precision of Numerical Abstract Domains , 2006, VMCAI.

[15]  Olivier Ly,et al.  The BINCOA Framework for Binary Code Analysis , 2011, CAV.

[16]  Roberto Guanciale,et al.  Machine code verification of a tiny ARM hypervisor , 2013, TrustED '13.

[17]  Helmut Veith,et al.  An Abstract Interpretation-Based Framework for Control Flow Reconstruction from Binaries , 2008, VMCAI.

[18]  Xavier Leroy,et al.  A Formally-Verified C Static Analyzer , 2015, POPL.

[19]  Koushik Sen,et al.  Symbolic execution for software testing: three decades later , 2013, CACM.

[20]  Jan Nordholz Design of a symbolically executable embedded hypervisor , 2020, EuroSys.

[21]  Patrick Cousot,et al.  Systematic design of program analysis frameworks , 1979, POPL.

[22]  Patrick Cousot,et al.  A static analyzer for large safety-critical software , 2003, PLDI.

[23]  Thierry Coquand,et al.  The Calculus of Constructions , 1988, Inf. Comput..

[24]  Patrice Godefroid,et al.  Automated Whitebox Fuzz Testing , 2008, NDSS.

[25]  Patrick Cousot,et al.  Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints , 1977, POPL.

[26]  Mark A. Hillebrand,et al.  Automated Verification of a Small Hypervisor , 2010, VSTTE.

[27]  William R. Bevier,et al.  Kit: A Study in Operating System Verification , 1989, IEEE Trans. Software Eng..

[28]  Philippe Herrmann,et al.  Refinement-Based CFG Reconstruction from Unstructured Programs , 2011, VMCAI.

[29]  Magnus O. Myreen,et al.  Translation validation for a verified OS kernel , 2013, PLDI.

[30]  Antoine Miné Field-sensitive value analysis of embedded C programs with union types and pointer arithmetics , 2006, LCTES '06.

[31]  Gernot Heiser,et al.  Comprehensive formal verification of an OS microkernel , 2014, TOCS.

[32]  Guillaume Brat,et al.  Precise and efficient static array bound checking for large embedded C programs , 2004, PLDI '04.

[33]  Xinyu Feng,et al.  A Practical Verification Framework for Preemptive OS Kernels , 2016, CAV.

[34]  Wolfgang Schröder-Preikschat,et al.  Proving Real-Time Capability of Generic Operating Systems by System-Aware Timing Analysis , 2019, 2019 IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS).

[35]  Yu Guo,et al.  Deep Specifications and Certified Abstraction Layers , 2015, POPL.

[36]  Emina Torlak,et al.  Scaling symbolic evaluation for automated verification of systems code with Serval , 2019, SOSP.

[37]  Raymond J. Richards Modeling and Security Analysis of a Commercial Real-Time Operating System Kernel , 2010, Design and Verification of Microprocessor Systems for High-Assurance Applications.

[38]  Jorge A. Navas,et al.  An Abstract Domain of Uninterpreted Functions , 2016, VMCAI.

[39]  Antoine Miné,et al.  Static Analysis of Run-Time Errors in Embedded Critical Parallel C Programs , 2011, ESOP.

[40]  James C. King,et al.  Symbolic execution and program testing , 1976, CACM.

[41]  Andrew Ferraiuolo,et al.  Komodo: Using verification to disentangle secure-enclave hardware from software , 2017, SOSP.

[42]  Richard A. Kemmerer,et al.  Specification and verification of the UCLA Unix security kernel , 1979, CACM.

[43]  Reinhard Wilhelm,et al.  Parametric shape analysis via 3-valued logic , 1999, POPL '99.

[44]  Lori A. Clarke,et al.  A System to Generate Test Data and Symbolically Execute Programs , 1976, IEEE Transactions on Software Engineering.

[45]  Bor-Yuh Evan Chang,et al.  Relational inductive shape analysis , 2008, POPL '08.

[46]  Lawrence Charles Paulson,et al.  Isabelle/HOL: A Proof Assistant for Higher-Order Logic , 2002 .

[47]  Mark Marron,et al.  Structural Analysis: Shape Information via Points-To Computation , 2012, ArXiv.

[48]  Isabelle Puaut,et al.  Worst-case execution time analysis of the RTEMS real-time operating system , 2001, Proceedings 13th Euromicro Conference on Real-Time Systems.

[49]  Jan Tobias Mühlberg,et al.  Verifying FreeRTOS: from requirements to binary code , 2011 .

[50]  Xuejun Yang,et al.  Finding and understanding bugs in C compilers , 2011, PLDI '11.

[51]  John M. Rushby,et al.  Design and verification of secure systems , 1981, SOSP.

[52]  Krithi Ramamritham,et al.  Scheduling algorithms and operating systems support for real-time systems , 1994, Proc. IEEE.

[53]  Adel Djoudi,et al.  Recovering High-Level Conditions from Binary Programs , 2016, FM.