Formal models and verification of memory management in a hypervisor. (Modèles formels et vérification de la gestion de la mémoire dans un hyperviseur)

A hypervisor is software that virtualizes hardware resources, allowing several guest operating systems to run simultaneously on the same machine. Since the hypervisor manages access to resources, a bug in it can be critical for the guest OSes. In this thesis, we focus on memory isolation properties of a type 1 hypervisor which virtualizes memory using Shadow Page Tables. More precisely, we present a low-level and a high-level model of the hypervisor, and we formally prove that guest OSes cannot access or tamper with private data of other guests unless they have the authorization to do so. We use the language and the proof assistant developed by Prove & Run. There are many optimizations in the low-level model, which make its data structures and algorithms complex, so it is difficult to reason about such a model. To circumvent this issue, we design an abstract model in which reasoning is easier. We prove properties on the abstract model, and we prove its correspondence with the low-level model, in such a way that properties proved on the abstract model also hold for the low-level model. The correspondence proof is valid only for low-level states which respect some properties; we prove that these properties are invariants of the low-level system. The proof can thus be divided into three parts: the proof of invariant preservation on the low level, the proof of correspondence between the abstract and low-level models, and the proof of the security properties on the abstract level.
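The three proof obligations described above (invariant preservation on the low-level model, correspondence with the abstract model, and the security property checked on the abstract model), as an added Python toy model that is not the thesis's code. The state layout, the "map" and "free" hypervisor operations, the per-page reference-count optimization that the abstraction drops, and the sample guests are all constructed assumptions.

```python
# Added toy model of the proof structure described above; not the thesis's code.
from copy import deepcopy

def authorized(owner, shared, g, m):
    """g may map machine page m if it owns m or m's owner has shared with g."""
    o = owner.get(m)
    return o is not None and (o == g or (o, g) in shared)

def refs(spt, m):  # shadow page table entries, over all guests, targeting m
    return sum(1 for t in spt.values() for x in t.values() if x == m)

def invariant(s):
    """Low-level invariant: cached per-page reference counts match the tables."""
    return all(s["refcnt"].get(m, 0) == refs(s["spt"], m) for m in s["owner"])

def abstract(s):  # abstraction function: drop the reference counts
    return {k: deepcopy(s[k]) for k in ("owner", "shared", "spt")}

def isolation(a):
    """Security property on the abstract model: every shadow entry is authorized."""
    return all(authorized(a["owner"], a["shared"], g, m)
               for g, t in a["spt"].items() for m in t.values())

def step(s, op, low):
    """One hypervisor operation; low=True uses the reference-count optimization."""
    kind, g, x = op
    if kind == "map":                      # x = (guest virtual page, machine page)
        v, m = x
        if authorized(s["owner"], s["shared"], g, m) and v not in s["spt"].get(g, {}):
            s["spt"].setdefault(g, {})[v] = m
            if low: s["refcnt"][m] = s["refcnt"].get(m, 0) + 1
    elif kind == "free":                   # x = machine page released by its owner
        mapped = s["refcnt"].get(x, 0) if low else refs(s["spt"], x)
        if s["owner"].get(x) == g and mapped == 0:
            del s["owner"][x]
    return s

def check(s, ops):
    """Replay ops, discharging the three proof obligations after every step."""
    if not invariant(s): return "initial state violates invariant"
    for op in ops:
        before = abstract(s)
        s = step(s, op, low=True)
        if not invariant(s): return f"invariant broken after {op}"
        if abstract(s) != step(before, op, low=False): return f"correspondence broken after {op}"
        if not isolation(abstract(s)): return f"isolation broken after {op}"
    return "ok"

def sample():  # constructed state: A owns pages 1 and 2, B owns page 3, A shares with B
    return {"owner": {1: "A", 2: "A", 3: "B"}, "shared": {("A", "B")}, "spt": {}, "refcnt": {}}
```

A low-level state whose cached counts are stale fails the invariant, and on such a state the optimized "free" releases a page that is still mapped, which is exactly the situation the correspondence proof excludes by restricting itself to invariant states.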
