Formally Verified Implementation of an Idealized Model of Virtualization

VirtualCert is a machine-checked model of virtualization that can be used to reason about isolation between operating systems in presence of cache-based side-channels. In contrast to most prominent projects on operating systems verification, where such guarantees are proved directly on concrete implementations of hypervisors, VirtualCert abstracts away most implementations issues and specifies the effects of hypervisor actions axiomatically, in terms of preconditions and postconditions. Unfortunately, seemingly innocuous implementation issues are often relevant for security. Incorporating the treatment of errors into VirtualCert is therefore an important step towards strengthening the isolation theorems proved in earlier work. In this paper, we extend our earlier model with errors, and prove that isolation theorems still apply. In addition, we provide an executable specification of the hypervisor, and prove that it correctly implements the axiomatic model. The executable specification constitutes a first step towards a more realistic implementation of a hypervisor, and provides a useful tool for validating the axiomatic semantics developed in previous work.

[1]  Michael Norrish,et al.  seL4: formal verification of an OS kernel , 2009, SOSP '09.

[2]  June Andronick Modélisation et Vérification Formelles de Systèmes Embarqués dans les Cartes à Microprocesseur – Plate-Forme Java Card et Système d'Exploitation , 2006 .

[3]  Ernie Cohen,et al.  Validating the Microsoft Hypervisor , 2006, FM.

[4]  Gilles Barthe,et al.  Cache-Leakage Resilient OS Isolation in an Idealized Model of Virtualization , 2012, 2012 IEEE 25th Computer Security Foundations Symposium.

[5]  Gilles Barthe,et al.  Defining and Reasoning About Recursive Functions: A Practical Tool for the Coq Proof Assistant , 2006, FLOPS.

[6]  Christine Paulin-Mohring,et al.  The coq proof assistant reference manual , 2000 .

[7]  Thierry Coquand,et al.  Inductively defined types , 1988, Conference on Computer Logic.

[8]  Gerwin Klein,et al.  seL4 Enforces Integrity , 2011, ITP.

[9]  Gilles Barthe,et al.  Formally Verifying Isolation and Availability in an Idealized Model of Virtualization , 2011, FM.

[10]  David von Oheimb Information Flow Control Revisited: Noninfluence = Noninterference + Nonleakage , 2004, ESORICS.

[11]  Christine Paulin-Mohring,et al.  Inductive Definitions in the system Coq - Rules and Properties , 1993, TLCA.

[12]  Alexander Aiken,et al.  Secure Information Flow as a Safety Problem , 2005, SAS.

[13]  Adi Shamir,et al.  Efficient Cache Attacks on AES, and Countermeasures , 2010, Journal of Cryptology.

[14]  Yves Bertot,et al.  Fix-Point Equations for Well-Founded Recursion in Type Theory , 2000, TPHOLs.

[15]  Benjamin Grégoire,et al.  Formal certification of code-based cryptographic proofs , 2009, POPL '09.

[16]  Xavier Leroy,et al.  Formal verification of a realistic compiler , 2009, CACM.

[17]  Yves Bertot,et al.  Interactive Theorem Proving and Program Development: Coq'Art The Calculus of Inductive Constructions , 2010 .

[18]  Sang-Bum Suh,et al.  Xen on ARM: System Virtualization Using Xen Hypervisor for ARM-Based Secure Mobile Phones , 2008, 2008 5th IEEE Consumer Communications and Networking Conference.

[19]  Stefan Berghofer,et al.  Turning Inductive into Equational Specifications , 2009, TPHOLs.

[20]  David Delahaye,et al.  Producing Certified Functional Code from Inductive Specifications , 2012, CPP.

[21]  Volkmar Lotz,et al.  Analyzing SLE 88 memory management security using Interacting State Machines , 2005, International Journal of Information Security.

[22]  Timothy Bourke,et al.  seL4: From General Purpose to a Proof of Information Flow Enforcement , 2013, 2013 IEEE Symposium on Security and Privacy.

[23]  Zhong Shao Certified software , 2010, Commun. ACM.

[24]  Thomas Santen,et al.  Verifying the Microsoft Hyper-V Hypervisor with VCC , 2009, FM.

[25]  Pierre Letouzey,et al.  Programmation fonctionnelle certifiée : L'extraction de programmes dans l'assistant Coq. (Certified functional programming : Program extraction within Coq proof assistant) , 2004 .

[26]  Thierry Coquand,et al.  The Calculus of Constructions , 1988, Inf. Comput..

[27]  Silvio Micali,et al.  Physically Observable Cryptography (Extended Abstract) , 2004, TCC.