A high assurance virtualization platform for ARMv8

Baumann, Christoph; Näslund, Mats; Gehrmann, Christian; Schwarz, Oliver; Thorsen, Hans

doi:10.1109/eucnc.2016.7561034

Cited by 9 publications

(6 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main functionality of the HASPOC hypervisor [8] is to bring up the platform into a state where different guest systems can run in statically allocated, isolated partitions, such that each guest owns a number of cores, devices, and their interrupts, as well as a region of memory exclusively. Inter-guest communication (IGC) is allowed only via predefined unidirectional shared memory channels between pairs of guests and associated inter-processor notification interrupts that can be requested through hypercalls.…”

Section: Hypervisor Modelmentioning

confidence: 99%

“…In this paper we report on a tool-assisted experiment using the HOL4 theorem prover to verify information flow security for an industry-scale security-oriented bare-metal hypervisor on ARMv8 [8]. Developed in the open-source HASPOC project [25], the hypervisor provides full virtualization with low performance overhead and supports several versions of Linux (Debian, Ubuntu) and Android running on the HiKey 96-boards platform based on the 8-core HiSilicon Kirin 620 Cortex-A53 SoC.…”

Section: Introductionmentioning

confidence: 99%

“…The design and requirements of the hypervisor itself are described in more detail in [8]. -A proof of trace equivalence between the system model and the ideal model, with key parts machine-verified using the HOL4 theorem prover.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the verification of system-level information flow properties for virtualized execution platforms

2019

Self Cite

View full text Add to dashboard Cite

The security of embedded systems can be dramatically improved through the use of formally verified isolation mechanisms such as separation kernels, hypervisors, or microkernels. For trustworthiness, particularly for system-level behavior, the verifications need precise models of the underlying hardware. Such models are hard to attain, highly complex, and proofs of their security properties may not easily apply to similar but different platforms. This may render verification economically infeasible. To address these issues, we propose a compositional top-down approach to embedded system specification and verification, where the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing. Using abstract specifications for each component allows to delay the development of detailed models for cores, devices, etc., while still being able to verify high-level security properties like integrity and confidentiality, and soundly refine the result for different instantiations of the abstract components at a later stage. As a case study, we apply this methodology to the verification of information flow security for an industry-scale security-oriented hypervisor on the ARMv8-A platform and report on the complete verification of guest mode security properties in the HOL4 theorem prover.

show abstract

Section: Hypervisor Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

On the verification of system-level information flow properties for virtualized execution platforms

2019

Self Cite

View full text Add to dashboard Cite

show abstract

“…The contribution of this paper consists of a formal, compositional and highly automated methodology for reasoning over memory usage at the assembly-level. 3 Our approach first uses untrusted tools to generate a formal memory usage certificate (see Section 2). This certificate contains 1.)…”

Section: Introductionmentioning

confidence: 99%

Highly Automated Formal Proofs over Memory Usage of Assembly Code

Verbeek

Bockenek

Ravindran

2020

Tools and Algorithms for the Construction and Analysis of Systems

View full text Add to dashboard Cite

We present a methodology for generating a characterization of the memory used by an assembly program, as well as a formal proof that the assembly is bounded to the generated memory regions. A formal proof of memory usage is required for compositional reasoning over assembly programs. Moreover, it can be used to prove low-level security properties, such as integrity of the return address of a function. Our verification method is based on interactive theorem proving, but provides automation by generating pre- and postconditions, invariants, control-flow, and assumptions on memory layout. As a case study, three binaries of the Xen hypervisor are disassembled. These binaries are the result of a complex build-chain compiling production code, and contain various complex and nested loops, large and compound data structures, and functions with over 100 basic blocks. The methodology has been successfully applied to 251 functions, covering 12,252 assembly instructions.

show abstract

“…As a case study, we apply the methodology to the verification of information flow security for an industry scale security-oriented hypervisor on ARMv8 [7]. The hypervisor, developed in the open source HASPOC project [19], provides full virtualization and supports several versions of Linux (Debian, Ubuntu) and Android running on the HiKey 96-boards platform based on the 8-core HiSilicon Kirin 620 Cortex-A53 SoC.…”

Section: Introductionmentioning

confidence: 99%

Compositional Verification of Security Properties for Embedded Execution Platforms

Baumann

Schwarz

Dam

EPiC Series in Computing

Self Cite

View full text Add to dashboard Cite

The security of embedded systems can be dramatically improved through the use of formally verified isolation mechanisms such as separation kernels, hypervisors, or microkernels. For trustworthiness, particularly for system level behaviour, the verifications need precise models of the underlying hardware. Such models are hard to attain, highly complex, and proofs of their security properties may not easily apply to similar but different platforms. This may render verification economically infeasible.To address these issues, we propose a compositional top-down approach to embedded system specification and verification, where the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing. Using abstract specifications for each component allows to delay the development of detailed models for cores, devices, etc., while still being able to verify high level security properties like integrity and confidentiality, and soundly refine the result for different instantiations of the abstract components at a later stage.As a case study, we apply this methodology to the verification of information flow security for an industry scale security-oriented hypervisor on the ARMv8-A platform. The hypervisor statically assigns (multiple) cores to each guest system and implements a rudimentary, but usable, inter guest communication discipline. We have completed a pen-and-paper security proof for the hypervisor down to state transition level and report on a partially completed verification of guest mode security in the HOL4 theorem prover.

show abstract

A high assurance virtualization platform for ARMv8

Cited by 9 publications

References 8 publications

On the verification of system-level information flow properties for virtualized execution platforms

On the verification of system-level information flow properties for virtualized execution platforms

Highly Automated Formal Proofs over Memory Usage of Assembly Code

Compositional Verification of Security Properties for Embedded Execution Platforms

Contact Info

Product

Resources

About