This document discusses the Muen Separation Kernel developed by secunet Security Networks AG and researchers at HSR University of Applied Sciences Rapperswil. It describes how the separation kernel isolates untrusted components and keeps the trusted computing base small. Formal verification with SPARK 2014 helps prove properties like correct VMCS addressing and ensures the integrity of the kernel.
Muen Separation Kernel overview
1. The Muen Separation Kernel
secunet Security Networks AG
Robert Dorn, Reto Buerki, Adrian Rueegsegger
HSR University of Applied Sciences Rapperswil
23.10.2014
2. About secunet
Germany's leading provider of IT security
Security partner of the Federal Republic of Germany
More than 340 employees
Robert Dorn, Senior Consultant at secunet
Responsible for design & development of Separation Kernel based systems
www.secunet.com
Page 2 23.10.2014 The Muen Separation Kernel
3. About HSR
University of Applied Sciences with around 1500 students
Located in Rapperswil, Switzerland
Reto Buerki & Adrian-Ken Rueegsegger, researchers @ Institute for Internet Technologies and Applications
Core developers of Muen
www.hsr.ch
4. Security of Complex Software
$P(\text{Program\_Correct}) = P(\text{Line\_Correct})^{\text{SLOC}}$
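Worked through as an added note (not part of the deck), with $p = P(\text{Line\_Correct})$, $N = \text{SLOC}$, and the slide's implicit assumption that lines are correct independently of one another:

$$P(\text{Program\_Correct}) = p^{N} = e^{N \ln p} \approx e^{-N(1-p)} \qquad (p \to 1)$$

For a per-line error rate of $1 - p = 10^{-5}$ this gives $e^{-0.1} \approx 0.90$ at $N = 10^{4}$, $e^{-1} \approx 0.37$ at $N = 10^{5}$ and $e^{-10} \approx 4.5 \cdot 10^{-5}$ at $N = 10^{6}$: the probability of a correct program decays exponentially in code size, which is the deck's case for keeping the kernel small and separating everything else from it.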
19. Deterministic Behaviour
No long-running code paths
No preemption necessary
Fixed cyclic scheduling
Avoidance of Covert Channels
20. Features
Multicore support
Fixed cyclic scheduling
PCI device passthrough using Intel VT-d
Support for 64-bit native and 32/64-bit Linux
Event mechanism
Shared memory channels for inter-subject communication
Minimal Zero-Footprint Run-Time (RTS)
Full availability of source code and documentation
23. SPARK 2014 for Operating Systems
No pointers
No dynamic memory allocation
No concurrency
Fixed structures
Static resource allocation
One kernel instance / CPU
Abort on host interrupts
→ Greatly simplified verification
24. Lean verification
Proof annotations are part of the language
Implicit generation of VCs for integrity preservation (absence of runtime errors)
Most ARTE VCs proven automatically¹
Integration of theorem provers possible when needed
Speed allows proofs to be part of build process
¹ With current wavefront, except "properties of constant records"
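As an added example (not Muen's own code), the fixed cyclic schedule from the Features slide written under the SPARK 2014 restrictions listed above, with the proof annotations and runtime-error VCs the Lean verification slide describes; the package name, type names and tick values are assumptions made for the example.

```ada
--  Added illustration, not Muen's code: a fixed cyclic schedule written
--  under the SPARK 2014 restrictions from the slides (names are assumed).
package Sched with SPARK_Mode => On is
   --  Bounded index types instead of pointers; every array access gets an
   --  implicit range-check VC that the prover has to discharge.
   type Subject_ID        is range 0 .. 3;
   type Minor_Frame_Index is range 0 .. 7;

   Max_Ticks : constant := 1_000;
   subtype Tick_Count is Positive range 1 .. Max_Ticks;

   --  Fixed structure: one slot of the cyclic schedule.
   type Minor_Frame is record
      Subject : Subject_ID;
      Ticks   : Tick_Count;
   end record;
   --  Static resource allocation: the plan is a constant array fixed at
   --  build time, so no dynamic memory is needed anywhere.
   type Major_Frame is array (Minor_Frame_Index) of Minor_Frame;
   Plan : constant Major_Frame :=
     (0 => (Subject => 0, Ticks => 100), 1 => (Subject => 1, Ticks => 200),
      2 => (Subject => 2, Ticks => 50),  3 => (Subject => 0, Ticks => 100),
      4 => (Subject => 1, Ticks => 200), 5 => (Subject => 3, Ticks => 50),
      6 => (Subject => 0, Ticks => 100), 7 => (Subject => 2, Ticks => 200));

   --  Next slot, wrapping at the end of the major frame. The guard lets
   --  the prover discharge the range VC on Current + 1; the Post is a
   --  proof annotation written in the language itself.
   function Next_Frame (Current : Minor_Frame_Index) return Minor_Frame_Index
   is (if Current = Minor_Frame_Index'Last then Minor_Frame_Index'First
       else Current + 1)
   with Post => Next_Frame'Result /= Current;

   --  Length of one major frame in ticks, with a bound on the result.
   function Major_Frame_Length return Natural with
     Post => Major_Frame_Length'Result <= Max_Ticks * Major_Frame'Length;
end Sched;

package body Sched with SPARK_Mode => On is
   function Major_Frame_Length return Natural is
      Total : Natural := 0;
   begin
      for I in Plan'Range loop
         --  Loop invariant: bounds the running total by the slots added so
         --  far, which is what proves the addition below cannot overflow.
         pragma Loop_Invariant (Total <= Max_Ticks * Natural (I - Plan'First));
         Total := Total + Plan (I).Ticks;
      end loop;
      return Total;
   end Major_Frame_Length;
end Sched;
```

The range, overflow and postcondition VCs for this unit are generated by gnatprove without any annotation beyond the Post aspects and the loop invariant, which is the kind of integrity-preservation proof the slide refers to.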
25–29. Modelling the System
[Diagram, built up over five slides. Labels: ASM Init → Initialize → VMX Enter → Subject (three subjects) → VMX Exit → VMX Handler. In the later stages the subjects are replaced by an environment model (Environment Initialize, Environment Run), and the proof annotations are attached: Initial Inv. at Initialize, Loop Inv. at the VMX Handler, Inv. + Env. Model at the environment.]
30. Future verification options
Proof of complex properties
Interaction with theorem provers
Interface modelling (ghost state)
Soundness of memory layout
…
31. Demo
This presentation is given on a system running on Muen
32. Current / Future Work
Short-term:
Prove additional properties
PCI-Configspace emulation
Time Virtualization
Long-term:
Functional correctness proofs
Windows Virtualization
Dynamic resource management
33. Summary
Secure software is limited in complexity
Separation of untrusted components essential
Muen provides a solid foundation for high assurance systems
Muen is the base of complex high security solutions in development
SPARK 2014 enables lean verification
Formal verification can be done under commercial constraints
34. Q & A
Discussion
Get Muen at http://muen.sk/
35. Intel Virtualization Technology
VT-x is Intel's virtualization technology for the x86 platform
Virtual Machine state is saved in control structure (VMCS)
Introduction of VMX root and non-root modes
New processor instructions (VMX) to switch modes and manage VMCS
Hardware-assisted virtualization drastically reduces complexity of VMM
36. Modelling the System (backup slide)
[Diagram of the full control-flow model. Labels: ASM Init → Initialize → VMX Enter → Subject (three subjects); VMX Exit → VMX Handler → VMX Enter; Interrupt → Exception Handler → STOP (cf. "abort on host interrupts").]