26
Can Truly Dependable Systems Be Affordable? @GernotHeiser NICTA and UNSW Australia 1 APSys'13 Keynote

Affordable trustworthy-systems

Embed Size (px)

DESCRIPTION

overview of NICTA's Trustworthy Systems research. Formal verification of the seL4 microkernel, what it means, how to use it to build trustworthy systems. Cost of verified systems

Citation preview

Page 1: Affordable trustworthy-systems

Can Truly Dependable Systems Be Affordable? @GernotHeiser NICTA and UNSW Australia

1 APSys'13 Keynote

Page 2: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 2

Copyright Notice

These slides are distributed under the Creative Commons Attribution 3.0 License

•  You are free: –  to share—to copy, distribute and transmit the work –  to remix—to adapt the work

•  under the following conditions: –  Attribution: You must attribute the work (but not in any way that

suggests that the author endorses you or your use of the work) as follows:

•  “Courtesy of Gernot Heiser, [Institution]”, where [Institution] is one of “UNSW” or “NICTA”

The complete license text can be found at http://creativecommons.org/licenses/by/3.0/legalcode

COMP9242 S2/2014 W01

Page 3: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 3

Present Systems are NOT Trustworthy!

APSys'13 Keynote

Yet they are expensive: •  $1,000 per line of code for “high-assurance” software!

3

Page 4: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 4

Fundamental issue: large stacks, need isolation

E.g. medical implant

APSys'13 Keynote 4

Processor

Device drivers

Life-supporting

•  1 kLOC critical code •  20–100 kLOC trusted computing base (TCB) •  100s of bugs •  dozens of exploits!

RTOS

Network stacks

Control, monitoring, maintenance

1,000 LOC

1,000 LOC

1,000 LOC

>10,000 LOC

>10,000 LOC

Page 5: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 5

High Assurance Bad Practice

Processor

Uncritical/ untrusted

Sensitive/ critical/ trusted

•  TCB of millions of LOC •  Expect 1000s of bugs •  Expect 100s of vulnerabilities

Isolation?

Xen/VMware/KVM hypervisor

Huge TCB

Hacker’s delight!

APSys'13 Keynote 5

Page 6: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 6

High Assurance Best Practice

Processor

Uncritical/ untrusted

Sensitive/ critical/ trusted

•  Isolate •  Minimise the TCB •  Assure TCB by

•  testing •  code inspection •  bug-finding tools

Separation kernel

Minimal “trusted

computing base”

Minimal “trusted

computing base” (TCB)

Always incomplete!

APSys'13 Keynote 6

Page 7: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 7

State of the Art: NICTA’s seL4 Microkernel

Processor

Uncritical/ untrusted

Sensitive/ critical/ trusted

Strong Isolation

seL4 microkernel

Truly dependable

TCB

APSys'13 Keynote 7

•  Provable isolation! •  Provable assurance!

No place for bugs to hide!

Page 8: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 8

NICTA’s seL4: Mathematical Proof of Isolation

APSys'13 Keynote

Integrity

Abstract Model

C Imple-mentation

Confiden-tiality Availability

Binary code

Proo

f Pr

oof

Proo

f

Functional correctness [SOSP’09]

Isolation properties

[ITP’11, S&P’13]

Translation correctness

[PLDI’13]

Exclusions (at present): •  Initialisation •  Privileged state & caches •  Multicore •  Covert timing channels

Timeliness [RTSS’11]

8

Page 9: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 9 Cyber Security August'13 9

Page 10: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 10

NICTA’s seL4 Microkernel: Unique Assurance

APSys'13 Keynote

First and only operating-system with functional-correctness proof: operation is always according to specification

First and only operating-system with proof of integrity and confidentiality enforcement – at the level of binary code!

First and only protected-mode operating-system with complete and sound timing analysis

World’s fastest microkernel on ARM architecture

Predecessor deployed on 2 billion devices

10

Page 11: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 11

seL4: Cost of Assurance

APSys'13 Keynote

Integrity

Abstract Model

C Imple-mentation

Confiden-tiality Availability

Binary code

Proo

f Pr

oof

Proo

f

20.5 py 4.5 years

1 py 4 months

0 py By construction

4.5 py

2 py, 1.5 years Mostly for tools

11

2 py, 1 year Mostly for tools

$400 per line of code!

Estimate repeat cost: $200/LOC

Page 12: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 12

Cost of Assurance

Industry Best Practice: •  “High assurance”: $1,000/LOC, no guarantees, unoptimised •  Low assurance: $100–200/LOC, 1–5 faults/kLOC, optimised

State of the Art – seL4: –  $400/LOC, 0 faults/kLOC, optimised

•  Estimate repeat would cost half –  that’s about the development cost of the predecessor Pistachio!

•  Aggressive optimisation [APSys’12] –  much faster than traditional high-assurance kernels –  as fast as best-performing low-assurance kernels

APSys'13 Keynote 12

Page 13: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 13

What Have We Learnt?

Formal verification probably didn’t produce a more secure kernel •  In reality, traditional separation kernels are probably secure But: •  We now have certainty •  We did it probably at less cost Real achievement: •  Cost-competitive at a scale where traditional approaches still work •  Foundation for scaling beyond: 2 ⨉ cheaper, 10 ⨉ bigger!

How? •  Combine theorem proving with

–  synthesis –  domain–specific languages (DSLs)

APSys'13 Keynote 13

Page 14: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 14

Boeing Unmanned Little Bird (AH-6) Deployment Vehicle

SMACCMcopter Research Vehicle

Next Step: Full System Assurance

DARPA HACMS Program: •  Provable vehicle safety •  “Red Team” must not be able

to divert vehicle

APSys'13 Keynote 14

Page 15: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 15

Hardware

Hardware

Sensors • gyro, • accel, • …

C&C Radio

Micro-controller

Radio control

Verified RTOS C

ontro

l

Mon

itor

CA

N b

us

cont

rolle

r

Network camera

Proces-sor

seL4 – verified microkernel

C&C

Untrusted Linux

kernel, image

processing

Mission Board Control Board

Device drivers

File system

CAN Bus Key: Trusted Trusted, NICTA Untrusted

System Structure

APSys'13 Keynote 15

Page 16: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 16

Architecture Specification

Requirements (specific set of security/safety

properties)

Component Model

Untr

trusted Untr

Automatic Analysis (Requirements fulfilled)

Verified Glue Code

Component Implementations

Untr

trusted Untr

seL4 Kernel

Glue Code Proof

seL4 Proof

Correctness Formal proof Synthesis

Functional correctness Security

Automatic Generation of Glue code

Communication Init

Architecting System-Level Security/Safety

Cyber Security August'13 16

Page 17: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 17

Synthesis: Device Drivers [SOSP’09]

driver.c

OS Interface

Spec

Device Spec

Formal OS Interface

Spec

Formal Device Spec

Formalise specs!

Formalise specs!

APSys'13 Keynote 17

Page 18: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 18

Actually works! (On Linux & seL4)

Asix AX88772 USB-to-Eth adapter

SD host controller

W5100 Eth shield IDE disk controller Intel PRO/1000 Ethernet

UART controller

APSys'13 Keynote 18

Page 19: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 19

Synthesis: Device Drivers

In progress: •  Extract device spec from

device design work-flow •  Manual optimisations •  Verified synthesis

APSys'13 Keynote

driver.c

Formal OS Interface

Spec

Formal Device Spec

19

Page 20: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 20

Hardware Design Workflow

Informal specification

High-level model

Register-transfer-level description

netlist

Manual transformation

•  Low-level description: registers, gates, wires.

•  Cycle-accurate •  Precisely models internal

device architecture and interfaces

•  “Gold reference”

Too detailed (for now)

APSys'13 Keynote 20

Page 21: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 21

Hardware Design Workflow

Informal specification

High-level model

Register-transfer-level description

netlist

Manual transformation

•  Captures external behaviour

•  Abstracts away structure and timing

•  Abstracts away the low-level interface

bus_write(u32 addr, u32 val) { ... }

High-level model

Use for now

APSys'13 Keynote 21

Page 22: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 22

DSLs: File System

Abstract Spec (Isabelle)

Component Implementation (Generated C)

Component Implementation (C)Generated

Component Implementation (C)

Component Spec (DSL)

Component Spec (DSL)

Component Spec (DSL)

Generated Proof

Manual Proof

Component Spec (Isabelle)

Component Spec (Isabelle)

Component Spec (Isabelle) Gene-

rator

APSys'13 Keynote

File-system properties: •  Multiple, pre-defined abstraction levels •  Naturally modular •  Lots of “boring” code

•  (de-)serialisation •  error handling

22

Page 23: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 23

File System Code and Proof Co-Generation

DDSL code

CSDL code Declarations of Types, Functions

verif

ied

files

yste

m c

ode

generation

Control Code

Data layout

Verif

ied

C c

ode

Control Code

ADT Code

(De-)seriali- sation Code

Isab

elle

spe

cs &

pro

ofs

Control Code Spec

ADT Code Spec

(De)-serial. Code Spec

Func

tiona

l spe

c

Proof

Proof

Proof

Proof

Proof

Proof

Manual, FS-specific

Manual, FS-independent

Generated

generation

gene

ratio

n

APSys'13 Keynote

Case study: Flash file system •  Linux-compatible •  Fits between VFS and flash abstraction (UBI)

23

Page 24: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 24

Future: Full-Scale Trustworthy System

Cyber Security August'13

Verified critical application

Verified microkernel

Verified Device Drivers

Processor Devices

Verified File systems

Verified Resource Management

Verified Network Stacks

Verified High-level runtime

Untrusted VM

Untrusted Linux

Untrusted Apps

Untrusted Apps

24

Page 25: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 25

Lessons Learnt So Far

Formal methods are expensive? •  Cost-effective for high assurance on small to moderate scale •  $200-400/LOC for 10kLOC

We think we can scale bigger and cheaper: •  Componentisation

–  verify components in isolation – enabled by seL4 guarantees –  cost – performance tradeoff

•  Synthesis •  Abstraction: DSLs, HLLs increase productivity Big challenge: Proof composition

APSys'13 Keynote 25

Page 26: Affordable trustworthy-systems

©2013 Gernot Heiser, NICTA 26

Where To Find More

•  UNSW Advanced Operating Systems Course http://www.cse.unsw.edu.au/~cs9242

•  NICTA Trustworthy Systems research http://trustworthy.systems

•  seL4 open-source portal http://sel4.systems

•  L4 Microkernel Headquarters http://l4hq.org

•  Gernot’s blog: http://microkerneldude.wordpress.com/

•  Gernot’s research home page: http://ssrg.nicta.com.au/people/?cn=Gernot+Heiser

COMP9242 S2/2014 W01