Automatically Proving Microkernels Free from Privilege Escalation from their Executable

Operating system kernels are the security keystone of most computer systems, as they provide the core protection mechanisms. Kernels are in particular responsible for their own security, i.e., they must prevent untrusted user tasks from reaching their level of privilege. We demonstrate that proving such absence of privilege escalation is a prerequisite for any definitive security proof of the kernel. While prior OS kernel formal verifications were performed either on source code or on crafted kernels, with manual or semi-automated methods requiring significant human effort in annotations or proofs, we show that it is possible to compute such kernel security proofs using fully automated methods, starting from the executable code of an existing microkernel with no modification, thus formally verifying absence of privilege escalation with high confidence at low cost. We applied our method to two embedded microkernels, including the industrial kernel AnonymOS: with only 58 lines of annotation and less than 10 minutes of computation, our method finds a vulnerability in a first (buggy) version of AnonymOS and verifies absence of privilege escalation in a second (secure) version.
