Formal Verification of Secure User Mode Device Execution with DMA

Schwarz, Oliver; Dam, Mads

doi:10.1007/978-3-319-13338-6_18

Cited by 10 publications

(7 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The MMU virtualization approach does not support DMA. To securely enable DMA the behaviour of the specific DMA controller must be formally modelled (in [43] the authors describe a framework for such extensions and establish Properties 1 and 2 for the resulting model) and the hypervisor must (i) mediate all accesses to the memory area where the controller's registers are mapped, (ii) enable a DMA channel only if the pointed physical blocks is data and (iii) update the reference counters accordingly. Several embedded platforms are equipped with IOMMUs, that provide HW support to isolate/confine external peripherals that use DMA.…”

Section: Discussionmentioning

confidence: 99%

“…This is so since the ARMv7 step theorems used by the lifter are defined only for predictable instructions, and since our invariant guarantees that the MMU configuration is always well defined. As a result unpredictable behaviour can arise only during non-privileged execution, the analysis of which we have in effect deferred to other work [43].…”

Section: Discussionmentioning

confidence: 99%

See 1 more Smart Citation

Provably secure memory isolation for Linux on ARM

Guanciale

Nemati

Dam

et al. 2016

JCS

Self Cite

View full text Add to dashboard Cite

The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a memory virtualization platform for ARMv7-A processors. The design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen. It is shown that this mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the processor. We prove memory isolation along with information flow security for an abstract top-level model of the virtualization mechanism. The abstract model is refined down to a transition system closely resembling a C implementation. Additionally, it is demonstrated how the gap between the low-level abstraction and the binary level-can be filled, using tools that check Hoare contracts. The virtualization mechanism is demonstrated on real hardware via a hypervisor hosting Linux and supporting a tamper-proof run-time monitor that provably prevents code injection in the Linux guest.

QC 20161212

PROSPER, CERCE

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Provably secure memory isolation for Linux on ARM

Guanciale

Nemati

Dam

et al. 2016

JCS

Self Cite

View full text Add to dashboard Cite

QC 20161212

PROSPER, CERCE

show abstract

“…For security, the main concern is the preservation of memory isolation in the presence of DMA devices [13]. Kernel verification has been studied both for settings with IOMMUs [21,26,54] and for peripherals configured to comply with constrained access policies [46]. Finally, kernel code is not the only code executing on the system's processors.…”

Section: Related Workmentioning

confidence: 99%

On the verification of system-level information flow properties for virtualized execution platforms

2019

Self Cite

View full text Add to dashboard Cite

The security of embedded systems can be dramatically improved through the use of formally verified isolation mechanisms such as separation kernels, hypervisors, or microkernels. For trustworthiness, particularly for system-level behavior, the verifications need precise models of the underlying hardware. Such models are hard to attain, highly complex, and proofs of their security properties may not easily apply to similar but different platforms. This may render verification economically infeasible. To address these issues, we propose a compositional top-down approach to embedded system specification and verification, where the system-on-chip is modeled as a network of distributed automata communicating via paired synchronous message passing. Using abstract specifications for each component allows to delay the development of detailed models for cores, devices, etc., while still being able to verify high-level security properties like integrity and confidentiality, and soundly refine the result for different instantiations of the abstract components at a later stage. As a case study, we apply this methodology to the verification of information flow security for an industry-scale security-oriented hypervisor on the ARMv8-A platform and report on the complete verification of guest mode security properties in the HOL4 theorem prover.

show abstract

“…As a result, 108 exploitable bugs had been discovered, indicating that Model Checking could be a feasible and integral part of software development process. It is possible to develop models of incorrect and insecure program behavior that were precise enough to prevent false positives from dwarfing the real bugs [6].…”

Section: Related Workmentioning

confidence: 99%