Formal Reasoning Under Cached Address Translation

Operating system (OS) kernels achieve isolation between user-level processes using hardware features such as multi-level page tables and translation lookaside buffers (TLBs). The TLB caches address translations, and therefore correctly controlling the TLB is a fundamental security property of OS kernels—yet all large-scale formal OS verification projects we are aware of leave the correct functionality of the TLB as an assumption. In this paper, we present a verified sound abstraction of a detailed concrete model of the memory management unit (MMU) of the ARMv7-A architecture. This MMU abstraction revamps our previous address-space-specific MMU abstraction to include new software-visible TLB features such as caching of globally-mapped and partial translation entries in a two-stage TLB. We use this abstraction as the underlying model to develop a logic for reasoning about low-level programs in the presence of cached address translation. We extract invariants and necessary conditions for correct TLB operation that mirror the informal reasoning of OS engineers. We systematically show how these invariants adapt to global and partial translation entries. We show that our program logic reduces to a standard logic for user-level reasoning, reduces to side-condition checks for kernel-level reasoning, and can handle typical OS kernel tasks such as context switching.
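As an added illustration, not the paper's model, the following Python sketch shows the kind of TLB-consistency invariant the abstract refers to. It assumes a simplified ARMv7-style TLB with ASID-tagged and global entries (partial walk-cache entries are left out) and shows why remapping a non-global page needs an ASID-scoped flush, while remapping a global page leaves every address space stale until a full flush, which must happen before a context switch is safe.

```python
from dataclasses import dataclass, field
from typing import Dict, NamedTuple, Optional, Set

class TLBEntry(NamedTuple):
    vpn: int             # virtual page number
    ppn: int             # cached physical page number
    asid: Optional[int]  # None marks a global entry, which hits under every ASID

@dataclass
class Machine:
    pts: Dict[int, Dict[int, int]]   # per-ASID page tables: vpn -> ppn
    global_pt: Dict[int, int]        # kernel mappings shared by all ASIDs
    tlb: Set[TLBEntry] = field(default_factory=set)
    asid: int = 0                    # currently active ASID

    def walk(self, asid: int, vpn: int) -> Optional[int]:
        # page-table walk; a global mapping takes precedence over a per-ASID one
        return self.global_pt.get(vpn, self.pts[asid].get(vpn))

    def translate(self, vpn: int) -> Optional[int]:
        # hardware lookup: hit on the current ASID or a global entry, else walk and cache
        for e in self.tlb:
            if e.vpn == vpn and e.asid in (None, self.asid):
                return e.ppn
        ppn = self.walk(self.asid, vpn)
        if ppn is not None:
            self.tlb.add(TLBEntry(vpn, ppn, None if vpn in self.global_pt else self.asid))
        return ppn

    def consistent(self, asid: int) -> bool:
        # invariant: every entry that could hit under `asid` agrees with the tables
        return all(self.walk(asid, e.vpn) == e.ppn
                   for e in self.tlb if e.asid in (None, asid))

    def flush_asid(self, asid: int) -> None:
        self.tlb = {e for e in self.tlb if e.asid != asid}  # global entries survive

def scenario() -> Dict[str, bool]:
    # constructed sample: two address spaces plus one global kernel page
    m = Machine(pts={1: {0x10: 0xA}, 2: {0x10: 0xB}}, global_pt={0xF0: 0xC0}, asid=1)
    m.translate(0x10); m.translate(0xF0)   # caches (0x10, ASID 1) and a global entry
    m.pts[1][0x10] = 0xD                   # kernel remaps a non-global page of ASID 1
    r = {"stale_after_pte_write": not m.consistent(1)}
    m.flush_asid(1); r["fixed_by_asid_flush"] = m.consistent(1)
    m.global_pt[0xF0] = 0xC1               # kernel remaps the global page
    m.flush_asid(1)                        # ASID-scoped flush leaves the global entry
    r["global_stale_for_all"] = not m.consistent(1) and not m.consistent(2)
    m.tlb.clear()                          # full flush: what a global remap demands
    r["switch_to_2_safe"] = m.consistent(2)  # context-switch precondition now holds
    return r
```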
