

Australia's Global University School of Computer Science & Engineering
Trustworthy Systems Group

# Verification Status of Time Protection and Microkit-based OS Services

## **Dr Rob Sison**

Senior Research Associate, UNSW Sydney r.sison@unsw.edu.au



## sel4 The verified seL4 OS microkernel



Verification Status of Time Protection and Microkit-based OS Services, Oct'24



© Rob Sison 2024, CC BY 4.0





## seld The verified seL4 OS microkernel



Verification Status of Time Protection and Microkit-based OS Services, Oct'24



© Rob Sison 2024, CC BY 4.0





## Seld The verified seL4 OS microkernel



Verification Status of Time Protection and Microkit-based OS Services, Oct'24





© Rob Sison 2024, CC BY 4.0





syscall interface



Verification Status of Time Protection and Microkit-based OS Services, Oct'24

© Rob Sison 2024, CC BY 4.0









© Rob Sison 2024, CC BY 4.0



















© Rob Sison 2024, CC BY 4.0









© Rob Sison 2024, CC BY 4.0









































Verification Status of Time Protection and Microkit-based OS Services, Oct'24











Verification Status of Time Protection and Microkit-based OS Services, Oct'24











Verification Status of Time Protection and Microkit-based OS Services, Oct'24











Verification Status of Time Protection and Microkit-based OS Services, Oct'24

© Rob Sison 2024, CC BY 4.0



UNSW



Non-blocking cases: Straightforward

© Rob Sison 2024, CC BY 4.0





- Non-blocking cases: Straightforward
  - e.g. seL4\_Recv returns immediately

© Rob Sison 2024, CC BY 4.0





- Non-blocking cases: Straightforward
  - e.g. seL4\_Recv returns immediately
  - Prove Hoare triple over single kernel entry/exit  $\bullet$

© Rob Sison 2024, CC BY 4.0





- Non-blocking cases: Straightforward
  - e.g. seL4\_Recv returns immediately
  - Prove Hoare triple over single kernel entry/exit •

Blocking cases: Tricky ullet

© Rob Sison 2024, CC BY 4.0





- Non-blocking cases: Straightforward
  - e.g. seL4\_Recv returns immediately
  - Prove Hoare triple over single kernel entry/exit •

- Blocking cases: Tricky ullet
  - e.g. seL4\_Recv blocks waiting for seL4 Call









- Non-blocking cases: Straightforward
  - e.g. seL4\_Recv returns immediately
  - Prove Hoare triple over single kernel entry/exit •

- Blocking cases: Tricky  $\bullet$ 
  - e.g. seL4\_Recv blocks waiting for seL4\_Call
  - Kernel returns to different user! ... Caller is woken by seL4 Call later.







- Non-blocking cases: Straightforward •
  - e.g. seL4\_Recv returns immediately
  - Prove Hoare triple over single kernel entry/exit

- Blocking cases: Tricky ullet
  - e.g. seL4\_Recv blocks waiting for seL4\_Call
  - Kernel returns to different user! ... Caller is woken by seL4\_Call later.
  - Not handled by prior OS verification work ullet
    - cf. CertiKOS ESOP'20 blocks on IO, not another user







- Non-blocking cases: Straightforward
  - e.g. seL4\_Recv returns immediately
  - Prove Hoare triple over single kernel entry/exit

- Blocking cases: Tricky  $\bullet$ 
  - e.g. seL4\_Recv blocks waiting for seL4\_Call
  - Kernel returns to different user! ... Caller is woken by seL4\_Call later.
  - Not handled by prior OS verification work ullet
    - cf. CertiKOS ESOP'20 blocks on IO, not another user























Verification Status of Time Protection and Microkit-based OS Services, Oct'24



© Rob Sison 2024, CC BY 4.0







## Microkit-based OS services, drivers (+ devices)

Ethernet virtualisation architecture for







Verification Status of Time Protection and Microkit-based OS Services, Oct'24





© Rob Sison 2024, CC BY 4.0







© Rob Sison 2024, CC BY 4.0









© Rob Sison 2024, CC BY 4.0

















- - Deadlock freedom for aggressive optimisations













© Rob Sison 2024, CC BY 4.0















© Rob Sison 2024, CC BY 4.0













- - Deadlock freedom for aggressive optimisations
  - Correctness under weak memory models





Targets: drivers, components











- - Deadlock freedom for aggressive optimisations
  - Correctness under weak memory models





Targets: drivers, components













- Targets: drivers, components



© Rob Sison 2024, CC BY 4.0











- Targets: drivers, components

Correctness under weak memory models

**Functional correctness** 













- Deadlock freedom for aggressive optimisations
- Correctness under weak memory models



- Targets: drivers, components
- **Functional correctness**
- Requirements for device verification

APSys'23: Verified with SMT

















- Target: SPSC queues
  - Deadlock freedom for aggressive optimisations
  - Correctness under weak memory models



- Targets: drivers, components
- **Functional correctness**
- Requirements for device verification

APSys'23: Verified with SMT





© Rob Sison 2024, CC BY 4.0















- Deadlock freedom for aggressive optimisations
- Correctness under weak memory models







- Targets: drivers, components
- **Functional correctness**
- Requirements for device verification





© Rob Sison 2024, CC BY 4.0









# Verification status













# Verification status



Verification Status of Time Protection and Microkit-based OS Services, Oct'24













Verification Status of Time Protection and Microkit-based OS Services, Oct'24





















© Rob Sison 2024, CC BY 4.0





OSes typically implement *memory protection*. lacksquare





Memory





- OSes typically implement *memory protection*.
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.







© Rob Sison 2024, CC BY 4.0



- OSes typically implement *memory protection*.  $\bullet$
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.







© Rob Sison 2024, CC BY 4.0



- OSes typically implement memory protection.  $\bullet$
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.







- OSes typically implement *memory protection*.  $\bullet$
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.











- OSes typically implement memory protection.  $\bullet$
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.







- OSes typically implement *memory protection*.  $\bullet$
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.







© Rob Sison 2024, CC BY 4.0



- OSes typically implement *memory protection*.  $\bullet$
- But: Mere memory access changes  $\bullet$ microarchitectural state — this affects timing.









- OSes typically implement *memory protection*.
- But: Mere memory access changes  $\bullet$ microarchitectural state - this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches







© Rob Sison 2024, CC BY 4.0



- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes  $\bullet$ microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state  $\bullet$ and *pad* time on context switch







© Rob Sison 2024, CC BY 4.0



- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state  $\bullet$ and *pad* time on context switch









- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state  $\bullet$ and *pad* time on context switch





"Flush": Write fixed content; wait up to fixed time.





- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state  $\bullet$ and *pad* time on context switch





"Flush": Write fixed content; wait up to fixed time.





- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state  $\bullet$ and *pad* time on context switch





"Flush": Write fixed content; wait up to fixed time.





- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state and *pad* time on context switch
- seL4 OS kernel's enforcement of time protection:
  - Implemented, evaluated empirically on ARM, x86 See EuroSys: [Ge et al. 2019]



"Flush": Write fixed content; wait up to fixed time.





- OSes typically implement *memory protection*.
- But: <u>Mere memory access</u> changes microarchitectural state — this affects timing.
- To prevent these *timing channels*, OSes can implement *time protection*: See EuroSys: [Ge et al. 2019]
  - *Partition* off-core memory caches  $\bullet$
  - *Flush* on-core and non-architected state and *pad* time on context switch
- seL4 OS kernel's enforcement of time protection:
  - Implemented, evaluated empirically on ARM, x86 See EuroSys: [Ge et al. 2019]
  - Ported to RISC-V with hardware support See arXiv preprint: [Buckley, Sison et al. 2023] HW support: [Wistoff et al. 2023]



"Flush": Write fixed content; wait up to fixed time.





















© Rob Sison 2024, CC BY 4.0









Confidentiality incl. time protection

Confidentiality incl. time protection

© Rob Sison 2024, CC BY 4.0









© Rob Sison 2024, CC BY 4.0





© Rob Sison 2024, CC BY 4.0



### **Proving seL4 implements Time Protection**



• Abstract model (ASpec) checks touched addresses (TA) set



© Rob Sison 2024, CC BY 4.0



## **Proving seL4 implements Time Protection**



- Abstract model (ASpec) checks *touched addresses* (TA) set
- (2A) Key **ASpec** property: TA  $\subseteq$  domain's addresses (according to security policy)





© Rob Sison 2024, CC BY 4.0



## **Proving seL4 implements Time Protection**



- Abstract model (ASpec) checks touched addresses (TA) set
- (2A) Key **ASpec** property: TA  $\subseteq$  domain's addresses (according to security policy)
  - Also: AInvs, Access, InfoFlow need repairs









- Abstract model (ASpec) checks touched addresses (TA) set
- (2A) Key **ASpec** property: TA  $\subseteq$  domain's addresses (according to security policy)
  - Also: AInvs, Access, InfoFlow need repairs









- Abstract model (ASpec) checks touched addresses (TA) set
- (2A) Key **ASpec** property: TA  $\subseteq$  domain's addresses (according to security policy)
  - Also: AInvs, Access, InfoFlow need repairs







### **Proving seL4 implements Time Protection** seL4 Kernel Noninterference FM'23: Defined for OS kernels Security policy ASpec InfoFlow Access AInvs TA 2A Verify for abstract model incl. time protection refinement 2B ExecSpec TA' refinement +? Noninterference\_Refinement 2B Update refinement 2B CSpec InfoFlowC TA" Proof 2C Verify for C implementation incl. time protection

- Abstract model (ASpec) checks touched addresses (TA) set
- (2A) Key **ASpec** property: TA  $\subseteq$  domain's addresses (according to security policy)
  - Also: AInvs, Access, InfoFlow need repairs
- (2B + 2C) Refinement: TA"  $\subseteq$  TA'  $\subseteq$  TA ? (via ExecSpec)









### **Proving seL4 implements Time Protection** seL4 Kernel Noninterference FM'23: Defined for OS kernels Security policy ASpec InfoFlow Access AInvs TA 2A Verify for abstract model incl. time protection refinement 2B ExecSpec TA' refinement +? Noninterference\_Refinement 2B Update refinement 2B CSpec InfoFlowC TA" Proof 2C Verify for C implementation incl. time protection

- Abstract model (ASpec) checks touched addresses (TA) set
- (2A) Key **ASpec** property: TA  $\subseteq$  domain's addresses (according to security policy)
  - Also: AInvs, Access, InfoFlow need repairs
- (2B + 2C) Refinement: TA"  $\subseteq$  TA'  $\subseteq$  TA ? (via ExecSpec)
  - Modulo: Detail on addresses added by refinement to CSpec



















# Verification status







































# Trustworthy Systems @ CSE, UNSW Sydney



Verification Status of Time Protection and Microkit-based OS Services, Oct'24



