Theory of Multicore Hypervisor Verification
W. Paul, Saarland University
joint work with E. Cohen, S. Schmaltz, ...
What is a kernel?
• The Classic: Turing machine kernel
• Simulating k one-tape Turing machines by 1 one-tape Turing machine
• Tracks: address translation
• Head position and state: process control block
• Round robin: scheduling
(Figure: one tape with three tracks, tape(i,left) s_i tape(i,right) for i = 1, 2, 3)
What is an M-kernel?
• process virtualization:
  • simulating k machines of type M by 1 one-tape machine of type M
  • + system calls
    • for interprocess communication ...
• M:
  • MIPS, ARM, Power, x64 ...
(Figure: the same three-track tape as on the previous slide)
What is a hypervisor?
• guests can be operating systems, i.e. in system mode
• 2 levels of translation
  • hypervisor page tables
  • guest page tables
  • 'subdivide tracks'
• hardware support
  • nested page tables
• no hardware support:
  • composition of translations is translation
  • maintain 'shadow page tables' (SPT) for combined translation
  • redirect memory management unit (mmu) to SPTs
Background
• 2007-2010: effort to formally verify MS HyperV
  • part of German Verisoft-XT project (Paul, Broy, Podelski, Rybalchenko, ...), 13 Mio €
  • MS Windows + Research (Cohen, Moskal, Leino, ...)
• We failed 2010
  • tool development (VCC) successful
  • crucial portions of code verified
  • tool documentation and soundness argument less than perfect
  • paper and pencil theory incomplete in 2010
  • We did not know (exactly enough) what to prove
Hypervisor Correctness is either
• One theorem in 1 theory
  • then we are in the weapons business of cyber war
• or bug hunting
  • then we (formal verification engineers) are competing with the software community
  • and may get beaten up
This talk (only) 2 years after end of project
• outlines
  • model stack for multicore hypervisor verification
    • I think complete
  • simulation theorems between layers
  • soundness of VCC and its use
  • size of remaining gaps:
    • <= PhD thesis
    • I supervised 59 so far
Three kinds of arguments
• abstraction
  • classical commutative diagrams
• order construction
  • in nondeterministic model of concurrent implementation
  • from details of deterministic implementation
• order reduction
  • exclude w.l.o.g. interleavings in concurrent model
7 main theories (1)
• multicore ISA-sp
  • system programmers manual
  • hardware correctness
• serial ISA abstraction
  • to ISA-u (for users)
• serial language stack
  • C + macro assembly + ISA-sp
  • compilers + macro assemblers
• C + ISA + devices
  • drivers
  • exception handlers
  • boot
• ownership in concurrent computation
  • push through stack
  • serial compiler translates parallel C
7 main theories (2)
• Soundness of VCC and its use
  • C + ghost + assertions
  • VCC proofs imply ownership discipline
  • use of C verifier for C + ISA + devices
• Hypervisor correctness
  • virtual thread simulation (kernel layer)
  • nested address translation (shadow page tables)
  • ISA-sp virtualization
ISA-sp (1)
• X64
  • Intel: 3000 pages
  • AMD: 1500 pages
  • Diss. Degenbaev: 300 pages math
  • http://rg-master.cs.uni-sb.de/publikationen/UD11.pdf
• MIPS-86
  • MIPS-ISA + X86 memory model
  • 15 pages
  • http://www-wjp.cs.uni-saarland.de/publikationen/SchmaltzMIPS.pdf
ISA-sp (2): X64
• X64 ISA model
  • E. Cohen: nondeterministic communicating sequential components
  • sb: store buffer
  • mmu: memory management unit
  • APIC: device, interrupts
  • disk: for booting
• details subtle
  • better reverse engineer MIPS-86 and prove
(Figure: components mem + caches, sb, mmu, core, disk, APIC)
ISA-sp (3): MIPS-86 hardware correctness (formal/paper)
• Processor correctness
  • pipelined
  • one memory mode: WB
  • software conditions: alignment; no self-modifying code
  • digital gate level + gate delays
• sequentially consistent shared memory (MOESI)
• April 4, 2012
  • 283 pages
  • http://www-wjp.cs.uni-saarland.de/lehre/vorlesung/rechnerarchitektur2/ws1112/layouts/multicorebook.pdf
• TODO
  • fetch and add (easy)
  • fences and sync (easy)
  • consistent memory modes (easy)
  • interrupts + devices (subtle)
  • MMU (subtle)
  • store buffers (easy)
  • Tomasulo scheduler (hard)
ISA-sp to ISA-u (1)
• Caches invisible
  • Use cacheable memory modes only
  • compatibility of coherency protocols (MOESI + ...)
  • side remark in Smith & Pleszkun
(Figure: mem + caches, sb, mmu, core; sb: store buffer)
ISA-sp to ISA-u (2)
• caches invisible
• sb invisible in single core
  • easy folklore theorem
  • proof: Degenbaev et al: Pervasive theory of memory 2009
    In Susanne Albers, Helmut Alt and Stefan Näher, editors, Efficient Algorithms -- Essays Dedicated to Kurt Mehlhorn on the Occasion of His 60th Birthday, Saarbrücken, volume 5760 of Lecture Notes in Computer Science, pages 74-98, Springer, 2009.
(Figure: mem, sb, mmu, core; sb: store buffer)
ISA-sp to ISA-u (3)
• caches invisible
• sb invisible
• mmu invisible
  • set up page table tree
  • linear/translated memory
  • easy folklore theorem
  • proof: Degenbaev et al: Pervasive theory of memory 2009
(Figure: mem, mmu, core; sb: store buffer)
ISA-sp to ISA-u (4)
• caches invisible
• sb invisible
• mmu invisible
• ISA-u
(Figure: mem, core)
language stack (1): C + macro assembly + assembly + ISA-sp
• C small steps semantics (interleave in parallel C)
• C + macro assembly realistic and close to VCC
  • uses stack abstraction
  • process save and restore handles stack pointers
    • invisible in C + macro assembly
(Figure: language stack C -- compiler -- m-asm -- m-assembler -- ISA-u = asm before ISA-sp)
language stack (3): compilation
• Optimizing C compiler:
  • Xavier Leroy. Formal verification of a realistic compiler. C ACM, 52(7):107-115, 2009.
• Optimizing C compiler + macro assembler + assembler
  • C calls m-asm and vice versa
  • function pointers
  • Paper theory: Diss Shadrin. http://www-wjp.cs.uni-saarland.de/publikationen/Sh12.pdf
  • Schmaltz and Shadrin: VSTTE 2012
  • Paul et al: SEFM 2012
MIPS ISA-u + devices (1): formal hardware correctness
• Hardware truly parallel, processor pipelined
• ISA nondeterministic concurrent, 1 step at a time
  • construct order of steps
• Diss Tverdyshev, http://www-wjp.cs.uni-saarland.de/publikationen/Tv09.pdf
  • hardware complex due to a detail in ISA for external interrupts that we used
  • 'continue' instead of 'repeat' as in X86
(Figure: dev 1 ... proc ... dev k)
MIPS ISA-u + devices (2): formal (C + assembly) driver correctness
• disable and don't poll interrupts of devices > 1
• reorder their device steps out of driver run of dev 1
• pre and post conditions for drivers ...
• Diss. Alkassar
  • http://scidok.sulb.uni-saarland.de/volltexte/2009/2420/pdf/Dissertation_1410_Alka_Eyad_2009.pdf
• Alkassar et al: TACAS 08
(Figure: dev 1 ... proc ... dev k)
MIPS ISA-u + devices (3): startup
• Hypervisor:
  • disk: boot loader
  • APIC: wake up other cores
  • Diss Pentchev 2013?
• secure boot:
  • digital signatures
  • Verisoft (2003-2007)
(Figure: dev 1 ... proc ... dev k)
Ownership (1): concept
• Classify addresses
  1. local (e.g. C stack)
  2. shared and read only (e.g. program)
  3. shared owned (temporarily local/locked)
  4. shared writeable not owned (locks)
• invariants:
  • at most 1 owner ...
  • disjointness ...
• safe programs: act like the names of the address classes suggest
  • accesses to class 4 atomic at the language level
Ownership (2): Def: structured parallel C (folklore)
• Classify addresses
  1. local (e.g. C stack)
  2. shared and read only (e.g. program)
  3. shared owned (temporarily local/locked)
  4. shared writeable not owned (locks)
• multiple C threads
• sequentially consistent memory
• shared: heap + global variables
• local: stacks
• safe w.r.t. ownership
  • class 4 access: volatile
Ownership (3): structured parallel C to parallel assembly
• IF
  • translate threads with sequential compiler
  • translate volatile C access to interlocked ISA-u access
• THEN
  • ISA program safe
  • multicore ISA-u simulates parallel C
• A. Appel, X. Leroy et al: formal work in progress
  • no store buffers
• Dissertation C. Baumann 2012: pushing this through entire language hierarchy on paper
Ownership (4): parallel store buffer reduction in ISA-sp (dirty)
• maintain local dirty bits
  • class 4 write since last local sb-flush
  • class 4 read only if dirty = 0
• Cohen Schirmer ITP 2010: store buffers invisible
  • formal
  • no mmu
  • to be pushed through hierarchy
• implement sb-flush as compiler intrinsic in C
(Figure: language stack C -- compiler -- m-asm -- m-assembler -- ISA-u = asm before ISA-sp)
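The following C program is an added example and not code from the talk or from the Verisoft-XT project. It encodes the four address classes of the Ownership slides (local, shared read-only, shared owned, shared writeable not owned) together with the "at most one owner" invariant, and applies the dirty-bit rule of slide Ownership (4): a class 4 write sets the thread's dirty bit, a class 4 read is allowed only while the bit is clear, and a store buffer flush clears it. The operation names, violation codes, memory layout and the access trace are assumptions constructed for the example; class 4 accesses are required to be volatile, as the slides demand.

```c
#include <stdio.h>

/* Address classes from the Ownership slides; the numeric encoding is ours. */
enum addr_class { LOCAL = 1, SHARED_RO = 2, SHARED_OWNED = 3, SHARED_UNOWNED = 4 };
/* Operations a thread can perform (constructed for this example). */
enum op_kind { READ, WRITE, VOLATILE_READ, VOLATILE_WRITE, ACQUIRE, RELEASE, SB_FLUSH };

#define NTHREADS 2
#define NADDR 5
#define NO_OWNER (-1)

struct addr_info { enum addr_class cls; int owner; };
struct access { int thread; enum op_kind op; int addr; };

static struct addr_info mem[NADDR];
static int dirty[NTHREADS];   /* Cohen-Schirmer dirty bit, one per thread */

/* Constructed memory layout: two thread-local cells, program text,
   one lock-protected shared object, one lock word (class 4). */
static void reset_demo_memory(void) {
    struct addr_info layout[NADDR] = {
        { LOCAL, 0 }, { LOCAL, 1 }, { SHARED_RO, NO_OWNER },
        { SHARED_OWNED, NO_OWNER }, { SHARED_UNOWNED, NO_OWNER } };
    for (int i = 0; i < NADDR; i++) mem[i] = layout[i];
    for (int t = 0; t < NTHREADS; t++) dirty[t] = 0;
}

/* Returns 0 if the access respects the discipline, otherwise a violation code. */
static int check_access(const struct access *a) {
    if (a->op == SB_FLUSH) { dirty[a->thread] = 0; return 0; }
    struct addr_info *ai = &mem[a->addr];
    int is_write = (a->op == WRITE || a->op == VOLATILE_WRITE);
    int is_volatile = (a->op == VOLATILE_READ || a->op == VOLATILE_WRITE);
    if (a->op == ACQUIRE) {
        if (ai->cls != SHARED_OWNED) return 6;
        if (ai->owner != NO_OWNER) return 7;      /* invariant: at most one owner */
        ai->owner = a->thread; return 0;
    }
    if (a->op == RELEASE) {
        if (ai->cls != SHARED_OWNED || ai->owner != a->thread) return 8;
        ai->owner = NO_OWNER; return 0;
    }
    switch (ai->cls) {
    case LOCAL:
    case SHARED_OWNED:
        return ai->owner == a->thread ? 0 : 1;    /* only the owner may touch it */
    case SHARED_RO:
        return is_write ? 2 : 0;
    case SHARED_UNOWNED:
        if (!is_volatile) return 3;   /* class 4 only via volatile (interlocked) accesses */
        if (is_write) { dirty[a->thread] = 1; return 0; }  /* class 4 write since last flush */
        return dirty[a->thread] ? 4 : 0;                   /* class 4 read only if dirty == 0 */
    }
    return 5;
}

/* Constructed trace; the comments state the expected verdict of each step. */
static const struct access demo_trace[] = {
    {0, WRITE, 0},           /* ok: own local cell */
    {1, WRITE, 0},           /* violation 1: another thread's local cell */
    {0, WRITE, 2},           /* violation 2: write to read-only program */
    {0, ACQUIRE, 3},         /* ok */
    {1, ACQUIRE, 3},         /* violation 7: already owned by thread 0 */
    {0, WRITE, 3},           /* ok: owner writes the owned object */
    {0, RELEASE, 3},         /* ok */
    {0, READ, 4},            /* violation 3: non-volatile access to the lock word */
    {0, VOLATILE_WRITE, 4},  /* ok, sets dirty[0] */
    {0, VOLATILE_READ, 4},   /* violation 4: read while dirty, flush needed first */
    {0, SB_FLUSH, 0},        /* clears dirty[0] */
    {0, VOLATILE_READ, 4},   /* ok */
    {1, VOLATILE_READ, 4},   /* ok: thread 1 has no pending class 4 write */
};
#define TRACE_LEN (int)(sizeof demo_trace / sizeof demo_trace[0])

/* Runs the trace from a fresh memory state; returns the number of violations. */
static int run_demo_trace(void) {
    int violations = 0;
    reset_demo_memory();
    for (int i = 0; i < TRACE_LEN; i++) {
        int code = check_access(&demo_trace[i]);
        if (code) { violations++; printf("step %d: violation %d\n", i, code); }
    }
    return violations;
}

int main(void) {
    printf("violations in trace: %d\n", run_demo_trace());
    return 0;
}
```

The checker is per-thread for the dirty bit but global for ownership, which is exactly why the discipline makes store buffers invisible: a thread only ever reads a class 4 location after its own pending class 4 writes have left its store buffer, and all other locations are either owned by it or read-only.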
Ownership (5): semantics from hell (hyperV, dirty)
• Def: VCC-C:
  • structured parallel C
  • with Cohen Schirmer dirty bits
• VCC-C + m-asm + asm + ISA-sp
• shared shadow page tables
  • MMU (ISA-sp) walks SPTs (volatile C data structure)
  • order reduction: interleave MMU steps at volatile C accesses to SPTs
(Figure: language stack C -- compiler -- m-asm -- m-assembler -- ISA-u = asm before ISA-sp, with a guest on top)
Model stack
(Figure: layered stack, top to bottom: VCC-C + ... + ISA-sp (2-5); compilation; ISA-sp; hardware correctness (1); digital hardware; timing analysis (1); gates + regs. + drivers + delay)
model and theory stack
• Soundness of VCC and its use
  • VCC is parallel C verifier
• Theorem: hyperV virtualizes multiple ISA-sp (+ system calls)
(Figure: layered stack, top to bottom: hyperV correct (7); soundness TODO (6); VCC-C + ... + ISA-sp (2-5); compilation; ISA-sp; hardware correctness (1); digital hardware; timing analysis (1); gates + regs. + drivers + delay)
VCC (1) soundness: arguing about ownership
• C + ghost: Dissertation Schmaltz 2012
  • semantics
  • simulation of C by C + ghost
    • ghost code must terminate
  • VCC-C + ghost
• TODO for VCC soundness
  • Semantics of assertion language of C + ghost (logics)
  • show that assertions generated by VCC imply ownership + Cohen Schirmer dirty bit discipline
  • soundness of verification condition generator used for serial and parallel language constructs
VCC (2) use for C + m-assembly + ISA-sp
• Dissertation Maus (Podelski)
  • hybrid C variables, located in memory outside of regular C variables
  • code non-C portions of ISA-sp in hybrid variables
  • write obvious C simulator
  • translate m-assembly macros into C function calls in the naive way
  • wildly productive
    • 14K LOC verified
  • Maus et al: AMAST 2008
• soundness:
  • Dissertation Shadrin
  • Paul et al: SEFM 12
HyperV correctness (1): kernel layer: many threads
• Simulation of K C + masm + ISA-sp threads by k physical ISA-sp threads
  • compile C part
  • thread control blocks
  • saving and restoring stack and heap pointers
  • C + masm + asm
  • APICs hard to simulate
• similar to kernel correctness from Verisoft-1 Project (14 Mio €)
  • paper: Gargano et al: TPHOLs 2005
  • formal: Alkassar et al, VSTTE 2010
• Dissertation Alekhin 2013?
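Added example for the kernel-layer simulation theorem on this slide and for the "k machines simulated by 1 machine" idea of the opening kernel slides; it is not code from the talk or from Hyper-V. An invented toy processor state (pc, accumulator, a few memory cells) stands in for an ISA-sp thread. K guests are run round-robin on one physical core with save and restore through thread control blocks, and the result is compared with every guest running alone, which is the simulation statement. The program, the quantum and the initial states are constructed; the full_restore switch deliberately drops one register from the restore to show the theorem failing when the control block is incomplete.

```c
#include <stdio.h>
#include <string.h>

#define K 3          /* number of virtual processors to simulate */
#define MEMSZ 4
#define STEPS 12     /* ISA steps each virtual processor must make */
#define QUANTUM 5    /* steps a guest runs before the next one is scheduled */

/* Abstract processor state, constructed for this example (not a real ISA). */
struct cpu { unsigned pc; int acc; int mem[MEMSZ]; };

/* One ISA step of a tiny fixed program: accumulate, store, advance. */
static void isa_step(struct cpu *c) {
    c->acc += (int)c->pc + 1;
    c->mem[c->pc % MEMSZ] = c->acc;
    c->pc++;
}

static void init_guest(struct cpu *c, int id) {
    memset(c, 0, sizeof *c);
    c->acc = 100 * id;         /* distinct initial state per guest */
}

static int equal_state(const struct cpu *a, const struct cpu *b) {
    if (a->pc != b->pc || a->acc != b->acc) return 0;
    for (int i = 0; i < MEMSZ; i++) if (a->mem[i] != b->mem[i]) return 0;
    return 1;
}

/* Specification side: each virtual processor runs alone on its own machine. */
static void run_standalone(struct cpu *c, int n) { while (n-- > 0) isa_step(c); }

/* Implementation side: one physical core, K thread control blocks (TCBs),
   round-robin scheduling with save/restore of the processor state.
   full_restore == 0 "forgets" to restore acc, modelling an incomplete TCB. */
static void run_virtualized(struct cpu tcb[K], int full_restore) {
    struct cpu phys;
    int remaining[K];
    memset(&phys, 0, sizeof phys);
    for (int i = 0; i < K; i++) remaining[i] = STEPS;
    int work = 1;
    while (work) {
        work = 0;
        for (int i = 0; i < K; i++) {
            if (remaining[i] == 0) continue;
            /* restore: load guest i's saved state into the physical core */
            phys.pc = tcb[i].pc;
            if (full_restore) phys.acc = tcb[i].acc;
            memcpy(phys.mem, tcb[i].mem, sizeof phys.mem);
            int q = remaining[i] < QUANTUM ? remaining[i] : QUANTUM;
            for (int s = 0; s < q; s++) isa_step(&phys);
            remaining[i] -= q;
            /* save: write the physical core's state back into guest i's TCB */
            tcb[i] = phys;
            if (remaining[i] > 0) work = 1;
        }
    }
}

/* Returns 1 iff the virtualized run leaves every guest in the same state as
   its standalone run (the simulation theorem for this toy kernel layer). */
static int simulation_holds(int full_restore) {
    struct cpu spec[K], tcb[K];
    for (int i = 0; i < K; i++) {
        init_guest(&spec[i], i);
        tcb[i] = spec[i];
        run_standalone(&spec[i], STEPS);
    }
    run_virtualized(tcb, full_restore);
    for (int i = 0; i < K; i++) if (!equal_state(&spec[i], &tcb[i])) return 0;
    return 1;
}

int main(void) {
    printf("complete save/restore: simulation holds = %d\n", simulation_holds(1));
    printf("acc not restored:      simulation holds = %d\n", simulation_holds(0));
    return 0;
}
```

The physical core's state after a switch is the previous guest's state; whatever the restore does not overwrite leaks from one guest into the next, which is why the slide lists saving and restoring the stack and heap pointers as part of the kernel layer that must be verified.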
HyperV correctness (2): shadow page tables
• 2 translations
  • guest-OS to user
  • host to guest-OS
• with hardware support
  • nested page tables
  • no formal model and hardware construction yet
• without hardware support
  • composition of translations is translation
  • SPT for composition
  • Redirect MMU to SPTs
• SPT algorithm without sharing between processors, formal
  • Dissertation Kovalev 2012
  • Alkassar et al FMCAD 2010
• in MS product SPTs with sharing
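Added example, not code from the talk, from Hyper-V or from the Kovalev dissertation: the two translations of this slide as single-level page tables with present and writable bits, their composition precomputed into a shadow page table, an MMU walk redirected to the SPT, and a consistency check that catches an SPT left stale after the guest edits its own page table without the hypervisor resyncing. The page table entry format, table sizes and sample mappings are assumptions made for the example; write permission in the composed entry is the intersection of both levels' permissions.

```c
#include <stdint.h>
#include <stdio.h>

#define NPAGES 8
#define PTE_P 0x1u     /* present */
#define PTE_W 0x2u     /* writable */
#define PTE_NONE 0u    /* not present */

/* Constructed entry format: bits [31..4] target page number, bit 1 W, bit 0 P. */
typedef uint32_t pte_t;
static pte_t mk_pte(unsigned page, unsigned flags) { return ((pte_t)page << 4) | flags; }
static unsigned pte_page(pte_t e) { return e >> 4; }

static pte_t guest_pt[NPAGES]; /* guest-virtual -> guest-physical, maintained by the guest OS */
static pte_t host_pt[NPAGES];  /* guest-physical -> host-physical, maintained by the hypervisor */
static pte_t spt[NPAGES];      /* guest-virtual -> host-physical, maintained by the hypervisor */

/* One translation step: returns PTE_NONE if the entry is absent. */
static pte_t walk1(const pte_t *pt, unsigned vpn) {
    if (vpn >= NPAGES) return PTE_NONE;
    return (pt[vpn] & PTE_P) ? pt[vpn] : PTE_NONE;
}

/* Composition of both translations, as nested paging hardware would compute it. */
static pte_t walk_nested(unsigned gvpn) {
    pte_t g = walk1(guest_pt, gvpn);
    if (g == PTE_NONE) return PTE_NONE;
    pte_t h = walk1(host_pt, pte_page(g));
    if (h == PTE_NONE) return PTE_NONE;
    return mk_pte(pte_page(h), PTE_P | (g & h & PTE_W));  /* writable only if both are */
}

/* The SPT stores the composed translation; the MMU is redirected to walk it alone. */
static void spt_refresh(unsigned gvpn) { spt[gvpn] = walk_nested(gvpn); }
static pte_t walk_spt(unsigned gvpn) { return walk1(spt, gvpn); }

/* Intercepted page table edits keep the SPT in sync. */
static void guest_set_pte(unsigned gvpn, pte_t e) { guest_pt[gvpn] = e; spt_refresh(gvpn); }
static void host_set_pte(unsigned gppn, pte_t e) {
    host_pt[gppn] = e;
    for (unsigned v = 0; v < NPAGES; v++) spt_refresh(v);  /* any guest page may map to gppn */
}

/* Invariant: the SPT walk equals the composed walk for every guest-virtual page. */
static int spt_consistent(void) {
    for (unsigned v = 0; v < NPAGES; v++) if (walk_spt(v) != walk_nested(v)) return 0;
    return 1;
}

/* Constructed sample mappings: gv 0 -> gp 0 -> hp 5 (rw), gv 1 -> gp 1 -> hp 6
   (guest says rw, host says read-only), gv 2 -> gp 2 -> no host mapping. */
static void setup_demo(void) {
    for (unsigned i = 0; i < NPAGES; i++) guest_pt[i] = host_pt[i] = spt[i] = PTE_NONE;
    host_set_pte(0, mk_pte(5, PTE_P | PTE_W));
    host_set_pte(1, mk_pte(6, PTE_P));
    guest_set_pte(0, mk_pte(0, PTE_P | PTE_W));
    guest_set_pte(1, mk_pte(1, PTE_P | PTE_W));
    guest_set_pte(2, mk_pte(2, PTE_P | PTE_W));
}

/* Returns 1 if an un-intercepted guest edit is detected as an SPT inconsistency
   and a refresh restores the invariant with the new composed mapping. */
static int stale_spt_demo(void) {
    setup_demo();
    guest_pt[1] = mk_pte(0, PTE_P | PTE_W);   /* guest remaps gv 1 without a trap */
    int stale = !spt_consistent();            /* SPT still says gv 1 -> hp 6, read-only */
    spt_refresh(1);                           /* hypervisor resyncs the entry */
    return stale && spt_consistent() && walk_spt(1) == mk_pte(5, PTE_P | PTE_W);
}

int main(void) {
    setup_demo();
    for (unsigned v = 0; v < 4; v++) printf("gv %u -> spt entry 0x%x\n", v, walk_spt(v));
    printf("stale SPT detected and repaired: %d\n", stale_spt_demo());
    return 0;
}
```

The consistency invariant is the property the SPT algorithm has to maintain at every point where the MMU may step; the slide's remark about sharing between processors is what makes that hard in the product, since another core's MMU can walk an entry while this core is refreshing it.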
HyperV correctness (3): ISA-sp virtualization and system calls
• Virtualization
  • with kernel layer and SPTs similar to Verisoft-1
  • new: state of ISA-sp components of sleeping virtual processors
    • sb empty
    • caches from hardware
    • tlb empty or tagged as in hardware
• Simple Hypervisor
  • formal in VCC
  • without save/restore: Alkassar et al: VSTTE 10
  • with: Paul et al: SEFM 12
• system calls and C data structures of kernel as in formal work
  • seL4 (only C portion but can extend with Verisoft-1 technology)
  • or Diss Dörrenbächer 2010 http://www-wjp.cs.uni-saarland.de/publikationen/JD10.pdf
  • or Diss M. Schmidt 2011 http://www-wjp.cs.uni-saarland.de/publikationen/MS11.pdf (part of Verisoft automotive subproject, Broy-Paul)
Final remark
• Paul VSTTE 2005
  • a formal proof is an engineering object
  • a paper proof is a building plan
• IFIP working group on verified software 2012
  • lack of such building plans recognized as major obstacle for development of formally verified systems
  • very difficult to publish so far
• Thank You