A Trustworthy Monadic Formalization of the ARMv7 Instruction Set Architecture

Certified Programs and Proofs

2013

Abstract. In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions. To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner. This work establishes a main requirement for operating system and hypervisor veri cation, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis. To this end, a proof tool has been developed, which assists the veri cation of relational state predicates semi-automatically.

“…Our proof uses the HOL4 [4] model of ARM, developed at Cambridge by Fox et al [10]. We extend this model by simple memory protection.…”

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Certified Programs and Proofs

2013

“…The verification uses the HOL4 model of ARMv7-A developed at Cambridge [11]. This model has been extensively tested and is phrased in a manner that retains a high resemblance to the pseudocode used by ARM in the architecture reference manual [1].…”

Section: Processor Modelmentioning

confidence: 99%

“…The verification is performed using a formal model of the ARMv7 architecture [11], implemented in the HOL4 interactive theorem prover.…”

Section: Introductionmentioning

confidence: 99%

Trustworthy Memory Isolation of Linux on Embedded Devices

Nemati

Trust and Trustworthy Computing

Guanciale

et al. 2015

Abstract. The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself, for instance by run-time monitoring. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a virtualization platform for the ARMv7-A processor family. Our design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen for the x86 architecture, and used later with minor variants by the Secure Virtual Architecture, SVA. We show that the direct paging mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the ARMv7-A ISA, including the MMU. We prove memory isolation of the hosted components along with information flow security for an abstract top level model of the virtualization mechanism. The abstract model is refined down to a HOL4 transition system closely resembling a C implementation. The virtualization mechanism is demonstrated on real hardware via a hypervisor capable of hosting Linux as an untrusted guest. 1

“…First, we extend the Cambridge HOL4 model of the ARM architecture [7] by a general device framework. To the best of our knowledge, this is the first theorem prover model for devices capable of reasoning on DMA.…”

Section: Introductionmentioning

confidence: 99%

Formal Verification of Secure User Mode Device Execution with DMA

Schwarz

Hardware and Software: Verification and Testing

2014

Abstract. Separation between processes on top of an operating system or between guests in a virtualized environment is essential for establishing security on modern platforms. A key requirement of the underlying hardware is the ability to support multiple partitions executing on the shared hardware without undue interference. For modern processor architectures -with hardware support for memory management, several modes of operation and I/O interfaces -this is a delicate issue requiring deep analysis at both instruction set and processor implementation level. In a first attempt to rigorously answer this type of questions we introduced in previous work an information flow analysis of user program execution on an ARMv7 platform with hardware supported memory protection, but without I/O. The analysis was performed as a semi-automatic proof search procedure on top of an ARMv7 ISA model implemented in the Cambridge HOL4 theorem prover by Fox et al. The restricted platform functionality, however, makes the analysis of limited practical value. In this paper we add support for devices, including DMA, to the analysis. To this end, we propose an approach to device modeling based on the idea of executing devices nondeterministically in parallel with the (single-core) deterministic processor, covering a fine granularity of interactions between the model components. Based on this model and taking the ARMv7 ISA as an example, we provide HOL4 proofs of several noninterference-oriented isolation properties for a partition executing in the presence of devices which potentially use DMA or interrupts.