1 / 17

Completing the Automated Verification of a Small Hypervisor

Completing the Automated Verification of a Small Hypervisor. W. Paul, S. Schmaltz, A. Shadrin Saarland University Thessaloniki, Oct 3, 2012. TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: A A A A A A. Background.

nika
Download Presentation

Completing the Automated Verification of a Small Hypervisor

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CompletingtheAutomatedVerificationof a Small Hypervisor W. Paul, S. Schmaltz, A. Shadrin Saarland University Thessaloniki, Oct 3, 2012 TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAAA

  2. Background • 2007-2010: efforttoformallyverify MS HyperV • partof German Verisoft-XT project (Paul, Broy, Podelski, Rybalchenko…), 13 Mio € • MS Windows + Research (Cohen, Moskal, Leino,…) • Wefailed 2010 • developmentoflightweightverificationtool (VCC) successful • wedid not knowsemanticsofmodels/whattoprove • outlineofexcitingpaperandpenciltheorycompleted in Cohen/Paul/Schmaltz SOFSEM 2013 • formal proofin VCC forsmallhypervisorcompleted: this talk

  3. Whatis a kernel ? • The Classic: Turing machinekernel • Simulating k onetape Turing machinesby 1 onetapeTuring machine • Tracks: addresstranslation • Head positionandstate: processcontrol block • Roundrobin: scheduling tape(1,left) s_1 tape(1,right) tape(2,left) s_2 tape(2,right) tape(3,left) s_3 tape(3,right)

  4. Whatis an M-kernel ? • processvirtualization: • simulating k guestmachinesof type M by 1 onehosttapemachineof type M • + sytemcalls • forinterprocesscommunication… • M: • MIPS, ARM, Power, x64… tape(1,left) s_1 tape(1,right) tape(2,left) s_2 tape(2,right) tape(3,left) s_3 tape(3,right)

  5. Whatis an M-hypervisor ? • simulatedmachinesarekernelsor OS • Turing machine: simulatedtapescanbesubdivided • 2 levelsofaddresstranslation • hardwareof simple processors (DLX) supportsonly 1 level • implementation • compositionof 2 translationsistranslation • createanduseshadowpagetablesforcompositionoftranslations tape(1,left) s_1 tape(1,right) tape(2,left) s_2 tape(2,right) tape(3,left) s_3 tape(3,right)

  6. babyhypervisor • simulate n MIPS machinesby 1 MIPS machine • guestsimulationrelation • memory: guest(u).m in translatedmemoryofhost • registers: guest(u).R = • host.R: u current • In PCB_u: otherwise

  7. Kernelcodehasnecessarilyassemblyportions • process save • copiesfrom CPU registerstoprocesscontrol block (PCB) • processrestore • copiesfrom PCB to CPU registers • CPU registers not visible in C PCB C variables CPU registers hardware

  8. correctnessofkernelwritten in C + assemblynecessarilyusescompilercorrectness • process save • copiesfrom CPU registerstoprocesscontrol block (PCB) • processrestore • copiesfrom PCB to CPU registers • CPU registers not visible in C • fullkernelverificationin Verisoft (2004-2007) • C0 + assembly • CPU registers in ‚external variables‘

  9. VSTTE 10:Verification of a smallhypervisor in VCCnot complete: compare ‚proofs‘ or ‚truehusbands‘ • shadowpagetablesimplemented • C portionsverified in VCC • macroassemblyportionsspecified • simulationtheoremformallyshown in VCC • CPU registersstored in hybrid variables • not ghostbecauseinformationflowstoandfromimplementation variables • C variable with 64 bitaddressof VCC, not reachablewith 48 bitarithmeticofhardware

  10. Howtoargue in VCC aboutmacroassembly • AMAST 2008, Maus et al • writesimulatorofassemblyportions in C with CPU registers in hybrid memory • simulatecallsfrom C tomacroassemblyandfrommacroassemblyto C by C functioncalls in a naive way • Here • verify save andrestore (almost) thiswayandjoin formal proofs • soundness… PCB C variables CPU registers hardware

  11. C-IL + macroassembly • C = C-IL + syntacticsugar • VSTTE 2012: Schmaltz & Shadrin: • semantics • C-IL • MASM withstackabstraction • C-IL + MASM • combinedcompiler + macroassemblercorrectness • argumentsaboutstackframelayouts

  12. Translating C-IL + MASM to VCC • simulate MASM stack in 3 arrays in hybrid memory • lifoportion • savedportion • pars portion • soundness/correctness • exercise on paper • translate MASM portionsofbabyhypervisorto VCC thisway (byhand) • verifyformally

  13. Completelyverifying a smallhypervisor • C portions: VSTTE 2010 • C-IL + MASM semantics + compiler + assembler: VSTTE 2012 • soundnessoftranslationto VCC: here • formallyverifymacroassemblyportions: here • done? replacebymacroassembly

  14. Completelyverifying a smallhypervisor • C portions: VSTTE 2010 • C-IL + MASM semantics + tcompiler + assembler: VSTTE 2012 • soundnessoftranslationto VCC: here • formallyverifymacroassemblyportions: here • save andrestorestackandbasepointer • invisible in macroassembly replacebymacroassembly

  15. 3 languagelevels ! • C-IL + MASM + assembly • semantics ? • proceedings: switch MASM/assemblywithemptystack • thenextendprevioussoundnessproofs • exercise asm

  16. combinedlanguagesemanticsgeneral

  17. Completelyverifying a smallhypervisor • C portions: VSTTE 2010 • C-IL + MASM + assemblysemantics + compiler + assembler: VSTTE 2012 • soundnessoftranslationto VCC: here • formallyverifymacroassembly + assemblyportions: here • done replacebymacroassembly + assembly

More Related