Transcript of CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems
[Slide 1]
CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems
Zhong Shao, Yale University
January 25, 2018
Acknowledgement: Ronghui Gu, Newman Wu, Hao Chen, Jieung Kim, Jeremie Koenig, Vilhelm Sjoberg, Mengqi Liu, Lionel Rieg, Quentin Carbonneaux, Unsung Lee, Jiyong Shin, David Costanzo, Tahina Ramananandro, Hernan Vanzetto, Shu-Chun Weng, Zefeng Zeng, Zhencao Zhang, Liang Gu, Jan Hoffmann, Joshua Lockerman, and Bryan Ford. This research is supported in part by DARPA CRASH and HACMS programs and NSF SaTC and Expeditions in Computing programs.
[Slide 2] Motivation
Computer System: Hardware, OS, Applications.
Application domains shown: Transportation, Health, Aviation, Environment, Desktop, Mobile, Financial, Cloud.
[Slide 3] Motivation
The same Computer System stack (Hardware, OS, Applications), now labelled with failure outcomes: Accident, Life Loss, Environment, Crash, Mobile, Financial, Cloud.
[Slide 4] Motivation: System Software Runs Everywhere
Software errors: $312B cost.
Untrusted. Test? No!?
[Slide 5] Motivation
“Program testing can be used to show the presence of bugs, but never to show their absence.” — Edsger Dijkstra
[Slides 6-7] Motivation
“Complete formal verification is the only known way to guarantee that a system is free of programming errors.” — seL4 [SOSP’09]
“Formal methods are the only reliable way to achieve security and privacy in computer systems.” — NSF SFM Report [2016]
Formal Verification: mathematically prove that the program meets its specification, under all inputs and under all executions; rule out entire classes of attacks.
[Slide 8] Motivation: System Software Runs Everywhere
Software errors: $312B cost. Untrusted. Test? No!?
Formal Verification. Challenges?
[Slide 9] Challenges: huge proof efforts
seL4 [SOSP’09]: 7.5k LOC of C verified with 11 person-years (py) of proof; 500 LOC of Asm and 1.3k LOC of C remain unverified.
[Slides 10-14] Challenges: Compositionality
A complex system is written in both C and Asm, with an abstraction gap between the two. Complete verification means verifying every module (the diagram numbers them 1 to 11) as well as the Compiler that sits between the C and Asm parts.
[Slides 15-17] Challenges: Concurrency
Multiprocessor, multi-thread and I/O concurrency, with fine-grained locks. The same module diagram, now running on CPU i and CPU j with a fine-grained lock between them, still has to be completely verified.
[Slides 18-19] Challenges: New Domain
System Verification: huge gap.
[Slide 20] Contribution
Certified Abstraction Layers and CertiKOS aim to solve all these challenges.
[Slide 21] Contribution: Certified Abstraction Layers
Untangle the concurrent module diagram (CPU i, CPU j, fine-grained lock).
[Slides 22-26] Contribution: Certified Abstraction Layers
Verify existing systems.
Build the next generation system software, designed to be reliable and secure: certified.
Closing the huge gap in System Verification: Certified System Software.
[Slides 27-29] Contribution: Certified Abstraction Layers
Diagram: a stack of layers L0, L1, L2, each module M0, M1, M2 implementing a layer on top of the one below, connected by relations R0, R1 (composed together). The C-level layer stack is carried over to the Asm-level stack (L’0, L’1, L’2; M’0, M’1, M’2; R’0, R’1) by CompCertX.
[Slide 30] Contribution
mCertiKOS [POPL’15]: certified sequential OS kernels, 3k C&Asm, 1 py.
mC2 [OSDI’16]: the first formally certified concurrent OS kernel with fine-grained locks, 6.5k C&Asm, 2 py.
Security [PLDI’16b]: 0.5 py. Interrupt [PLDI’16a]: 0.5 py.
Certified Abstraction Layers [CCAL 2017].
[Slide 31] Contribution: Certified System Software
Functional correctness, liveness, no stack/integer/buffer overflow, no race condition.
[Slide 32] Contribution: mC2
Architecture diagram (legend: Hardware, Driver, User Data, Kern. Module).
Hardware: Core 0 .. Core 8 with LAPIC 0 .. LAPIC 8, IOAPIC, Serial, VGA (Video), Keyboard, Memory, Heap, BIOS, DMA.
Kernel modules: Spin Locks (Ticket, MCS), Container, Alloc Tbl, PMM, IPC, SleepQ, PendQ, ELF Ldr, Trap & Syscall; Per Core: RdyQ, Scheduler, Thread, Cur TID, PCPU; Per Thread: k_stack, TCB, k_context; TSC Hz, Timer, LAPIC; Process, VM Monitor, Page Map, VMM.
Lib: Mem Sync. & Mutual Exclu., CV, FIFOBBQ, ...
Drivers: Serial, Video, Console Buffer, Kbd Console, IOAPIC, APIC.
[Slides 33-34] Contribution: mC2
Coq machine-checkable proof: 6.1k LOC of C layers and 400 LOC of Asm layers, linked through CompCertX.
Coq Proof Assistant, ACM Software System Award:
“Some of the significant results that were accomplished using Coq are proofs for the four color theorem, the development of CompCert (a fully verified compiler for C), the development at Harvard of a verified version of Google's software fault isolation, and most recent, the fully specified and verified hypervisor OS kernel CertiKOS.” — ACM
[Slide 35] Deployment: CertiKOS on Landshark, DARPA HACMS
[Slide 36] Deployment: CertiKOS on Quadcopter
[Slide 37] Build a Certified System: Case Study
Diagram: a Keyboard Driver and a User Application (Send) running on CPU 0 and CPU 1, built from a Spin-lock Module, a Thread Queue Module, a Scheduling Module and Inter-Process Communication, with the Compiler in between.
[Slides 38-40] Certified Sequential Layer [POPL’15]
Certified objects: the specification of the modules to trust, made up of an abstract state (abs-state) and primitives.
[Slides 41-44] Certified Sequential Layer
A module M (the implementation, labelled AT in the diagram) runs over memory and the lower layer L1; its specification is the higher layer L2.
[Slides 45-51] Example: Thread Queue (implementation, module M, in C)

```c
typedef struct tcb { state s; struct tcb *prev, *next; } tcb;  /* thread control block */
tcb tcbp[1024];                                                 /* TCB pool */
typedef struct tdq { tcb *head, *tail; } tdq;                   /* doubly linked thread queue */
tdq *td_queue;

tcb *dequeue(tdq *q) {
    tcb *head, *next;
    tcb *i = NULL;
    if (!q) return i;
    head = q->head;
    if (!head) return i;
    i = head;
    next = i->next;
    if (!next) { q->head = NULL; q->tail = NULL; }   /* last element: queue becomes empty */
    else { next->prev = NULL; q->head = next; }     /* unlink head, successor becomes head */
    return i;
}
```

Diagram: tcbp[0], tcbp[1], tcbp[2] hold states s0, s1, s2 and are linked from head to tail.
[Slides 52-57] Example: Thread Queue (specification, layer L2, in Coq)

```coq
Definition tcbp := ZMap.t state.
Definition td_queue := List Z.

Function dequeue (q) :=
  match q with
  | head :: q' => (q', Some head)
  | nil => (nil, None)
  end.
```

In the abstract state the pool is a map tcbp(0), tcbp(1), tcbp(2) holding s0, s1, s2, and the queue is the list td_queue = 0 :: 1 :: 2 :: nil. The relation R ties this to the implementation's tcbp[0], tcbp[1], tcbp[2] linked from head to tail. The specification is executable.
[Slide 58] Simulation Proof
In a program context, the implementation M over L1 is related to the specification L2 by R; L2 is a deep specification of M.

[Slide 59] Deep Specification [POPL’15]
The deep spec L2 captures all we need to know about M over L1. No need to look at M again: any property about M can be proved using L2 alone.
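The thread-queue slides above, as an added executable sketch (not CertiKOS code or its Coq proof): the C implementation M, the list specification L2, a relation R between their states, and a check that one dequeue step on each side preserves R, i.e. one square of the simulation diagram. The state enum, enqueue(), rel() and sim_step() are assumptions of this example; the slides show only the structs and dequeue.

```c
/* Executable model of the thread-queue layer: implementation M (doubly linked
 * TCBs in an array), specification L2 (a list of TCB indices), the refinement
 * relation R between them, and a check that one dequeue step on each side
 * preserves R.  Added example; the state enum, enqueue(), rel() and sim_step()
 * are assumptions, not from the slides. */
#include <stdbool.h>
#include <stddef.h>

#define NTCB 1024

typedef enum { TD_READY, TD_RUN, TD_SLEEP } state;   /* hypothetical thread states */

/* Implementation data structures from the slides (struct tag qualified so the
 * self-reference compiles). */
typedef struct tcb { state s; struct tcb *prev, *next; } tcb;
typedef struct tdq { tcb *head, *tail; } tdq;

/* Abstract state: "Definition td_queue := List Z." modelled as an index list. */
typedef struct { int len; int ids[NTCB]; } alist;

/* Implementation layer M: dequeue as on the slides. */
tcb *dequeue(tdq *q) {
    tcb *head, *next, *i = NULL;
    if (!q) return i;
    head = q->head;
    if (!head) return i;
    i = head;
    next = i->next;
    if (!next) { q->head = NULL; q->tail = NULL; }
    else { next->prev = NULL; q->head = next; }
    return i;
}

/* Assumed helper (not on the slides): append a TCB at the tail. */
void enqueue(tdq *q, tcb *t) {
    t->next = NULL;
    t->prev = q->tail;
    if (q->tail) q->tail->next = t; else q->head = t;
    q->tail = t;
}

/* Specification layer L2: "match q with | head :: q' => (q', Some head)
 * | nil => (nil, None)".  Returns false for None, true plus the head for Some. */
bool spec_dequeue(alist *q, int *head) {
    if (q->len == 0) return false;
    *head = q->ids[0];
    for (int k = 1; k < q->len; k++) q->ids[k - 1] = q->ids[k];
    q->len--;
    return true;
}

/* Refinement relation R: the chain reachable from q->head through ->next, read
 * as indices into pool, is exactly the abstract list; the prev links are its
 * mirror image and tail is the last element (NULL for the empty queue). */
bool rel(const tdq *q, const tcb *pool, const alist *a) {
    const tcb *t = q->head, *last = NULL;
    int k = 0;
    while (t) {
        if (k >= a->len || (int)(t - pool) != a->ids[k]) return false;
        if (t->prev != last) return false;
        last = t;
        t = t->next;
        if (++k > NTCB) return false;          /* cycle guard */
    }
    return k == a->len && q->tail == last;
}

/* One square of the simulation diagram: from R-related states run both
 * dequeues, check the results agree (None <-> NULL, Some i <-> &pool[i]) and
 * that R still holds afterwards. */
bool sim_step(tdq *q, tcb *pool, alist *a) {
    if (!rel(q, pool, a)) return false;
    int spec_head;
    bool spec_some = spec_dequeue(a, &spec_head);
    tcb *impl_head = dequeue(q);
    if (spec_some != (impl_head != NULL)) return false;
    if (spec_some && (int)(impl_head - pool) != spec_head) return false;
    return rel(q, pool, a);
}

/* Constructed scenario from the slides: tcbp[0], tcbp[1], tcbp[2] queued as
 * td_queue = 0 :: 1 :: 2 :: nil.  Runs four steps (three Some, one None) and
 * returns how many preserved R; 4 means the whole run checks out. */
int run_demo(void) {
    static tcb tcbp[NTCB];
    tdq q = { NULL, NULL };
    alist a = { 0 };
    for (int i = 0; i < 3; i++) {
        tcbp[i].s = TD_READY;
        enqueue(&q, &tcbp[i]);
        a.ids[a.len++] = i;
    }
    int ok = 0;
    for (int step = 0; step < 4; step++)
        if (sim_step(&q, tcbp, &a)) ok++;
    return ok;
}
```

A real proof quantifies over all states and program contexts; this check only exercises one concrete run, so a passing run_demo() is evidence, not a theorem.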
[Slides 60-67] mCertiKOS
Layer stack over the seq machine: MM (mem, memory management), TM (thread), PM (proc) and Trap (trap) form the certified sequential kernel; adding VM (virt, vm) on top makes it a certified hypervisor.
[Slide 68] mCertiKOS [POPL’15]
3k LOC, 1 person year. Can boot Linux as a guest.
![Page 69: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/69.jpg)
Concurrent Framework [OSDI'16]
Diagram: the certified sequential kernel (mem, thread, proc, trap, virt over the seq machine) has to be lifted to a multicore machine with CPU0..CPU3.
![Page 70: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/70.jpg)
Concurrent Framework [OSDI'16]
Diagram: the contribution is machine lifting. The multicore machine (CPU0..CPU3) is lifted to one CPU-local machine per CPU, and the kernel is built on top as certified concurrent layers.
![Page 71: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/71.jpg)
Concurrent Framework [OSDI'16]
Diagram: a spin-lock layer sits between mem and thread on the CPU-local machine.
![Page 72: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/72.jpg)
Concurrent Framework [OSDI'16]
Diagram: above the spin-lock layer, the CPU-local machine is lifted further to a thread-local machine, on which thread, proc, trap and virt are built.
![Page 73: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/73.jpg)
Certified Concurrent Layers
Diagram: layer L1 with local certified objects.
![Page 74: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/74.jpg)
Certified Concurrent Layers
Diagram: layer L1 with atomic objects (x); their behavior is recorded in a logical log, a sequence of events.
![Page 77: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/77.jpg)
Certified Concurrent Layers
Diagram: the atomic object x in L1 is to be shared.
![Page 78: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/78.jpg)
Certified Concurrent Layers
Diagram: the shared object x is exposed from L1 to L2 with fine-grained locking.
![Page 79: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/79.jpg)
Concurrent Framework
Diagram: machine lifting from the multicore machine (CPU0..CPU3) to CPU-local machines, one per CPU.
![Page 80: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/80.jpg)
step 0: raw x86 multicore model
Diagram: CPU0 and CPU1 each execute private steps and atomic (atom) steps on shared state; the atomic steps produce the events 0.a and 1.a.
![Page 81: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/81.jpg)
step 0: raw x86 multicore model
Diagram: the events 0.a and 1.a are recorded in a logical log; their order is non-deterministic.
![Page 82: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/82.jpg)
step 0: raw x86 multicore model
Diagram: non-determinism: the two atomic steps may interleave as 0,1 or as 1,0.
![Page 83: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/83.jpg)
step 0: raw x86 multicore model
Diagram: the interleaving (0,1 or 1,0) is chosen by an oracle.
![Page 84: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/84.jpg)
step 1: logical hardware scheduler
Diagram: the oracle becomes an explicit logical hardware scheduler Ehs that decides the interleaving of the CPUs' atomic steps.
![Page 85: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/85.jpg)
step 1: logical hardware scheduler
Diagram: the scheduler's choices and the atomic events 0.a and 1.a together form the logical log.
![Page 86: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/86.jpg)
step 1: logical hardware scheduler: what is Ehs?
![Page 87: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/87.jpg)
step 2: push/pull memory model
Diagram: on the machine with hardware scheduler (Ehs), CPU0 accesses a shared object in shared memory directly.
![Page 88: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/88.jpg)
step 2: push/pull memory model
Diagram: CPU0 pulls the shared object, obtaining a logical copy in its own memory.
![Page 90: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/90.jpg)
step 2: push/pull memory model
Diagram: if CPU1 pulls the same object while CPU0 still holds its logical copy, that is a race condition.
![Page 91: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/91.jpg)
step 2: push/pull memory model
Diagram: CPU0 pushes its logical copy back to shared memory.
![Page 92: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/92.jpg)
step 2: push/pull memory model
Diagram: every access to a shared object is bracketed by a pull and a push.
![Page 93: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/93.jpg)
step 3: environment context model
Diagram: on the machine with push/pull model, each CPU's behavior consists of private steps plus atomic events (0.a, 1.a) whose order is given by Ehs.
![Page 94: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/94.jpg)
step 3: environment context model
Diagram: from CPU0's point of view, the scheduler Ehs and the other CPUs' atomic events are consumed one at a time as the log is built.
![Page 96: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/96.jpg)
step 3: environment context model
Diagram: the scheduler and all other CPUs are collapsed into an environment context E that supplies the events (such as 1.a) that CPU0 observes.
![Page 97: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/97.jpg)
step 4: remove unnecessary interleaving
Diagram: the CPU i machine and the CPU j machine each take share, private, atom, pull and push steps.
![Page 98: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/98.jpg)
step 4: remove unnecessary interleaving
Diagram: private steps of different CPUs do not interact, so they can be shuffled past each other.
![Page 99: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/99.jpg)
step 4: remove unnecessary interleaving
Diagram: after shuffling, each CPU's consecutive private steps are merged, leaving only the interleaving at atomic events.
![Page 100: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/100.jpg)
Machine Lifting
Diagram (summary): multicore machine (CPU0..CPU3) -> machine with hardware scheduler (Ehs) -> machine with push/pull model -> CPU i machine -> CPU-local machine (private steps and atomic events 0.a, 1.a ordered by the logical log and the environment context E) -> one seq machine per CPU.
![Page 101: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/101.jpg)
Case Study: Build a Certified System
Diagram: modules Spin-lock Module, Thread Queue Module, Scheduling Module, Inter-Process Communication (Send), Keyboard Driver (Keyboard), User Application, Compiler and Security, running on CPU 0 and CPU 1.
![Page 103: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/103.jpg)
Acquire Lock Specification
Acquiring the lock must safely pull the logical copy (mutual exclusion), and the pull will eventually return (liveness).
![Page 106: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/106.jpg)
Example: Ticket Lock (C): mutual exclusion + liveness

```c
void acq_lock (uint i) {
  uint64 t = FAI_ticket (i);        /* fetch-and-increment: take a ticket */
  while ( get_now (i) != t) { }     /* spin until the now-serving counter reaches t */
  pull (i);                         /* take the logical copy of the protected object */
}
```
![Page 107: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/107.jpg)
Example: Ticket Lock (continued)
The primitives FAI_ticket, get_now and pull of the underlying layer appear in the logical log as the atomic events FAIticket, getnow (one per iteration of the spin loop) and pull.
![Page 112: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/112.jpg)
Example: Ticket Lock: mutual exclusion
Every ticket t is unique as long as #CPUs < 2^64, so at most one CPU can observe get_now(i) == t and pull.
![Page 113: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/113.jpg)
Example: Ticket Lock: liveness
The getnow loop is bounded, given that #CPUs is bounded, the hardware scheduler is fair, and lock holders will release the lock.
![Page 114: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/114.jpg)
Example: Ticket Lock
The event sequence FAIticket, getnow..., pull is abstracted into a single atomic event acqlock, so acq_lock becomes an atomic operation at the next layer.
![Page 115: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/115.jpg)
Example: Ticket Lock: bug in the original implementation
The original spin loop compared with get_now(i) < t instead of != t. With that test, mutual exclusion is violated when t overflows: a CPU whose ticket has wrapped to a small value passes the test while the holder of a larger ticket is still inside the lock.
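The wrap-around bug above can be exercised directly. The following C program is an added example and not code from the CertiKOS project: it models the lock state on the slide (a ticket counter and a now-serving counter) with an 8-bit counter so the overflow is reachable in a test, and compares the slide's `!=` spin test with the original `<` test. All names in it (ticket_lock_t, fai_ticket, rel_lock, may_enter_fixed, may_enter_buggy, wraparound_violates_mutex, tickets_unique) are this example's own.

```c
/* Added example, not CertiKOS code: the slide's ticket lock modelled with
 * an 8-bit ticket counter so that the wrap-around (2^64 FAI_ticket calls
 * on the real uint64 counter) is reachable in a test.  Lock state is the
 * pair (next, now): FAI_ticket returns next++ and release does now++.
 * The names below are this example's own. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint8_t next;   /* next ticket to hand out; wraps from 255 to 0 */
    uint8_t now;    /* ticket currently allowed to hold the lock */
} ticket_lock_t;

/* Model of FAI_ticket: fetch-and-increment the ticket counter. */
static uint8_t fai_ticket(ticket_lock_t *l) { return l->next++; }

/* Model of the release: the holder hands the lock to the next ticket. */
static void rel_lock(ticket_lock_t *l) { l->now++; }

/* Spin condition on the slide: spin while get_now(i) != t. */
static bool may_enter_fixed(const ticket_lock_t *l, uint8_t t) {
    return l->now == t;
}

/* Spin condition of the original, buggy implementation: spin while get_now(i) < t. */
static bool may_enter_buggy(const ticket_lock_t *l, uint8_t t) {
    return !(l->now < t);
}

/* Drive the counter to its last value, let CPU0 take ticket 255 and hold
 * the lock, then let CPU1 take the wrapped ticket 0.  Returns true if the
 * spin condition lets CPU1 in while CPU0 still holds the lock, i.e. if
 * mutual exclusion is violated. */
static bool wraparound_violates_mutex(bool (*may_enter)(const ticket_lock_t *, uint8_t)) {
    ticket_lock_t l = {0, 0};
    for (int i = 0; i < 255; i++) {      /* 255 uncontended acquire/release pairs */
        uint8_t t = fai_ticket(&l);
        while (!may_enter(&l, t)) { }    /* never spins here: now == t */
        rel_lock(&l);
    }
    uint8_t t0 = fai_ticket(&l);          /* CPU0 gets ticket 255 */
    bool cpu0_in = may_enter(&l, t0);     /* now == 255: CPU0 enters and holds */
    uint8_t t1 = fai_ticket(&l);          /* CPU1 gets ticket 0 after wrap-around */
    bool cpu1_in = may_enter(&l, t1);     /* must be false while CPU0 holds */
    return cpu0_in && cpu1_in;
}

/* The uniqueness argument from the slides, scaled to this counter: tickets
 * handed to n simultaneous waiters are distinct only while n <= 256 (the
 * slides state the real bound as #CPUs < 2^64). */
static bool tickets_unique(int n) {
    ticket_lock_t l = {0, 0};
    bool seen[256] = {false};
    for (int i = 0; i < n; i++) {
        uint8_t t = fai_ticket(&l);
        if (seen[t]) return false;
        seen[t] = true;
    }
    return true;
}

int main(void) {
    printf("buggy '<' test violates mutual exclusion after wrap: %s\n",
           wraparound_violates_mutex(may_enter_buggy) ? "yes" : "no");
    printf("fixed '!=' test violates mutual exclusion after wrap: %s\n",
           wraparound_violates_mutex(may_enter_fixed) ? "yes" : "no");
    printf("256 tickets unique: %s, 257 tickets unique: %s\n",
           tickets_unique(256) ? "yes" : "no", tickets_unique(257) ? "yes" : "no");
    return 0;
}
```

The `<` version is correct until the counter wraps, which is why the bug survives testing: with a 64-bit counter the wrap needs 2^64 acquisitions, so only a proof that covers overflow (as the slides' mutual-exclusion argument does through ticket uniqueness) catches it.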
![Page 118: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/118.jpg)
Example: Shared Thread Queue
Diagram: dequeue on a thread queue held in local memory.
![Page 120: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/120.jpg)
Example: Shared Thread Queue
Diagram: the queue now lives in shared memory; acq lock pulls a logical copy for the dequeue.
![Page 122: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/122.jpg)
Example: Shared Thread Queue
Diagram: dequeue operates on the logical copy; rel lock pushes it back to shared memory.
![Page 124: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/124.jpg)
Example: Shared Thread Queue
Diagram: the acq lock, dequeue, rel lock sequence is abstracted into one atomic event deq on the shared queue.
![Page 125: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/125.jpg)
Example: Shared Thread Queue
Diagram: at the next layer, dequeue is an atomic operation on the queue in shared memory.
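To make the push/pull discipline from the machine-lifting steps and the lock-protected dequeue above concrete, here is an added example in C. It is not CertiKOS code, and its names (shared_queue_t, pull, push, deq_shared, the event log) are this example's own assumptions rather than the Coq definitions. It treats a pull of an object that another CPU currently owns as a race, as in the step-2 slide, and records pull, push and deq as events in a logical log.

```c
/* Added example, not CertiKOS code: an executable model of the push/pull
 * memory discipline from the machine-lifting slides, applied to the shared
 * thread queue.  Every name here (shared_queue_t, pull, push, deq_shared,
 * the event log) is this example's own, not the Coq development's.
 * Rules modelled: a shared object is never touched directly; pull(cpu)
 * takes ownership and snapshots shared memory into the CPU's logical copy,
 * and a pull while another CPU owns the copy is a race that is reported
 * instead of silently allowed; push(cpu) writes the copy back and releases
 * ownership; each step is appended to a logical log of events. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NCPU 2
#define QCAP 8
#define LOGCAP 64
#define NO_OWNER (-1)

typedef struct { int items[QCAP]; int len; } tqueue_t;   /* a thread queue */
typedef enum { EV_PULL, EV_PUSH, EV_DEQ, EV_RACE } ev_kind_t;
typedef struct { ev_kind_t kind; int cpu; int arg; } event_t;

typedef struct {
    tqueue_t shared;        /* contents of shared memory */
    int owner;              /* CPU holding the logical copy, or NO_OWNER */
    tqueue_t local[NCPU];   /* each CPU's logical copy */
    event_t log[LOGCAP];    /* logical log: a sequence of events */
    int nlog;
} shared_queue_t;

static void log_event(shared_queue_t *s, ev_kind_t k, int cpu, int arg) {
    if (s->nlog < LOGCAP) s->log[s->nlog++] = (event_t){k, cpu, arg};
}

/* pull: take ownership and snapshot shared memory; false on a race. */
static bool pull(shared_queue_t *s, int cpu) {
    if (s->owner != NO_OWNER) {           /* another CPU holds the copy */
        log_event(s, EV_RACE, cpu, s->owner);
        return false;
    }
    s->owner = cpu;
    s->local[cpu] = s->shared;
    log_event(s, EV_PULL, cpu, 0);
    return true;
}

/* push: write the logical copy back and release ownership. */
static bool push(shared_queue_t *s, int cpu) {
    if (s->owner != cpu) return false;    /* pushing without ownership is a bug */
    s->shared = s->local[cpu];
    s->owner = NO_OWNER;
    log_event(s, EV_PUSH, cpu, 0);
    return true;
}

/* Dequeue the head of a queue in the CPU's own memory; -1 if empty. */
static int deq_local(tqueue_t *q) {
    if (q->len == 0) return -1;
    int head = q->items[0];
    memmove(q->items, q->items + 1, (size_t)(q->len - 1) * sizeof q->items[0]);
    q->len--;
    return head;
}

/* The slides' shared dequeue: acq lock (pull), work on the logical copy,
 * rel lock (push).  Returns the thread id, -1 if empty, -2 on a race. */
static int deq_shared(shared_queue_t *s, int cpu) {
    if (!pull(s, cpu)) return -2;
    int tid = deq_local(&s->local[cpu]);
    log_event(s, EV_DEQ, cpu, tid);
    push(s, cpu);
    return tid;
}

static int races_logged(const shared_queue_t *s) {
    int n = 0;
    for (int i = 0; i < s->nlog; i++) if (s->log[i].kind == EV_RACE) n++;
    return n;
}

/* Constructed input: a queue holding thread ids 1..n. */
static shared_queue_t make_queue(int n) {
    shared_queue_t s;
    memset(&s, 0, sizeof s);
    s.owner = NO_OWNER;
    for (int i = 0; i < n && i < QCAP; i++) s.shared.items[s.shared.len++] = i + 1;
    return s;
}

/* Scenario 1: CPU0 then CPU1 dequeue in turn.  Returns the id CPU1 gets
 * (2) if CPU0 got 1, no race was logged and one item remains; else -1. */
static int scenario_synchronized(void) {
    shared_queue_t s = make_queue(3);
    int a = deq_shared(&s, 0);
    int b = deq_shared(&s, 1);
    return (a == 1 && races_logged(&s) == 0 && s.shared.len == 1) ? b : -1;
}

/* Scenario 2: CPU0 pulls and keeps the copy while CPU1 tries to dequeue.
 * Returns the number of race events logged (1), or -1 if the model did not
 * refuse CPU1's pull or CPU1 did not succeed once CPU0 pushed. */
static int scenario_race(void) {
    shared_queue_t s = make_queue(3);
    pull(&s, 0);
    int r = deq_shared(&s, 1);   /* refused: CPU0 owns the copy */
    push(&s, 0);
    int b = deq_shared(&s, 1);   /* now succeeds and returns 1 */
    return (r == -2 && b == 1) ? races_logged(&s) : -1;
}

int main(void) {
    printf("synchronized dequeue by CPU1 returned %d\n", scenario_synchronized());
    printf("races logged in the racy scenario: %d\n", scenario_race());
    return 0;
}
```

In the model the racy pull is merely reported; in the proof it is exactly what the "safely pull" obligation of the acquire-lock specification rules out, which is why the lock's pull can be shown to succeed and the whole acq lock, dequeue, rel lock sequence can be collapsed to the single deq event.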
![Page 128: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/128.jpg)
Thread-Local Machine

```c
/* yield as shown on the slide; the operation names enq, deq and
 * context_switch are the labels the slide overlays on the call sites. */
void yield () {
  uint t = tid();            /* current thread */
  enq (t, rdq());            /* put it back on the ready queue */
  uint s = deq (rdq());      /* pick the next thread from the ready queue */
  context_switch (t, s);     /* switch from t to s */
}
```
![Page 129: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/129.jpg)
Thread-Local Machine
Built over the thread-local machine: the software scheduler (yield, sleep, wakeup), condition variables (CV) and IPC.
Found hard bugs in the popular OS textbook [Operating Systems: Principles and Practice, 2011].
![Page 132: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/132.jpg)
Device Driver [PLDI'16a]
Diagram: the device is modeled as a raw device object with a state and a log of external events, accessed through read/write; the driver layers run on a logical CPU (CPU i) that takes the device interrupt and returns with iret.
![Page 133: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/133.jpg)
Device Driver [PLDI'16a]
Diagram: driver code and primitives (Prims) over the raw device object are verified into an abstract device object with an abstract state (Abs-State).
![Page 136: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/136.jpg)
End-to-End Security [PLDI'16b]
Diagram: layer stack MM, TM, PM, Trap (mem, thread, proc, trap) over the seq machine. An observation function O is used to specify and prove general security policies with declassification. Non-interference is proved at the top layer (observation O0) and carried down through observations O1, O2 and O3 by a security-preservation simulation, so every layer down to the machine is secure.
Found security bugs: spawn, palloc, ...
![Page 138: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/138.jpg)
Summary: Certified OS
CertiKOS is the first fully certified OS kernel that is done economically (< 3 person years), proves more properties, runs on concurrent HW, and is truly extensible
Still very high barriers of entry:
(1) OS kernel development is very difficult
(2) Formal specifications and proofs are hard to build
(3) Need intimate programming language expertise to succeed
• These are three completely different communities
• Most people can only do one out of the above three
• The Yale team has been working on all three for >15 years
![Page 139: CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward Hacker-Resistant Operating Systems Zhong Shao Yale University January 25, 2018 Acknowledgement:](https://reader034.fdocuments.in/reader034/viewer/2022050716/5e2cbe389042bb71a554ec07/html5/thumbnails/139.jpg)
Summary: OS Landscape (Nov 2017)
Desktop: Linux, macOS, Windows, ChromeOS, FreeBSD, …
Hypervisor/Cloud: Linux KVM & Docker, VMware, Xen, …
Mobile: Android (Linux), iOS, …
Embedded: Embedded Linux, VxWorks, QNX, LynxOS, …
• All of them are bloated, old, and contain many bugs
• Urgently need new OSes for emerging platforms & apps (IoTs, Drones, Self-Driving Cars, Cloud, NetworkOS, Blockchains, …)
OS evolution has reached an inflection point: Need a certified OS that provides security, extensibility, performance, and can work across multiple platforms.