Systems with small trusted computing bases (TCBs) open possibility for automated security verification of systems - PowerPoint PPT Presentation
Automated Verification of a Security Hypervisor with a Realistic Hardware Model
Jason Franklin, Sagar Chaki, Anupam Datta, Carnegie Mellon University
Motivation
Overview
  • Systems with small trusted computing bases (TCBs)
    open the possibility of automated security
    verification of systems
  • Example: SecVisor, a 3kLOC security hypervisor
    designed to guarantee that only user-approved code
    executes with kernel privilege [Seshadri et al.,
    SOSP '07]
  • Goals: Develop tools and techniques to
    automatically verify the security of systems that
    utilize memory protection mechanisms
  • Design Analysis: Model check SecVisor's design,
    find and repair two vulnerabilities, and verify
    the repaired design
  • Towards Realistic Hardware Models: Exploit system
    structure to prove security of an arbitrarily large
    model (measured in terms of page table entries
    (PTEs)) by verifying only a small model (with 1
    PTE)
  • Implementation Analysis: In-progress work
    includes verifying SecVisor's C source code.
    The approach includes development of a C model of x86
    hardware virtualization extensions, a bit-precise
    adversarial model checker, and new techniques for
    scalable verification

[Figure: Security hypervisor provides a layer of verifiable protection (<10kLOC, narrow interface)]
Tractability vs. Fidelity
  • To make verification tractable, the system model and
    adversary are restricted to an unrealistically small
    number of PTEs
  • Thus, these results do NOT demonstrate the absence of
    attacks for realistic systems
  • Exploit the structure of memory protection mechanisms
    and access control properties to extend
    verification to realistic memory models. We prove

Design Analysis
  • Model: Develop formal models of SecVisor, the
    hardware platform, and the adversary. Total
    Verification Model Size = SecVisor Model + HW
    Model + Adversary Model
  • Security Property: In every reachable state of
    the system, W ⊕ X permissions hold on the page table
    and Device Exclusion Vector (DEV), implying that only
    user-approved code executes with kernel privilege
  • Vulnerabilities: The model checker identified two
    vulnerabilities in the shadow page table (SPT) design
    that carry over to the implementation. Both
    vulnerabilities are caused by missing checks in the SPT
    synchronization code

Small World Theorem (SWT): If SecVisor's security
properties are violated in an arbitrarily large
but finite memory model, then they are violated in
a small memory model
  • The SWT implies that a small memory model is
    sufficient for verification of SecVisor's access
    control-based memory protection. It generalizes
    to other secure systems
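The following Python sketch is an added illustration of the Design Analysis, Tractability and Small World Theorem points above; it is not SecVisor's code, not the authors' model, and the "missing check" it finds is a constructed stand-in rather than either of the poster's real vulnerabilities. The PTE abstraction (each entry is a (writable, executable) pair), the adversary's move set (request any permission for any PTE), and the two hypothetical `spt_update_*` policies are all assumptions made for the example. It model checks the W ⊕ X property by exhaustive state exploration, shows the reachable state count growing as 3^n with the number of PTEs (why small models are needed for tractability), and shows that for this toy model a counterexample in the n-PTE model projects to one in the 1-PTE model.

```python
"""Toy explicit-state model checker for a W xor X page-permission invariant.

Added illustration, not SecVisor's code nor the authors' model. Everything
here is a constructed abstraction: each page-table entry (PTE) is a
(writable, executable) pair, the adversary may request any permission for
any PTE, and a hypothetical hypervisor decides whether to apply the request.
"""
from collections import deque
from itertools import product

# Every permission request the adversary can issue for one PTE: (W, X)
PERMS = [(w, x) for w, x in product((0, 1), repeat=2)]


def w_xor_x_holds(state):
    """Security property: no PTE is both writable and executable."""
    return all(not (w and x) for w, x in state)


def spt_update_checked(state, idx, new_perm):
    """Hypothetical shadow-page-table update that enforces W xor X: a request
    to make a page both writable and executable is refused (state unchanged)."""
    w, x = new_perm
    if w and x:
        return state
    return state[:idx] + (new_perm,) + state[idx + 1:]


def spt_update_missing_check(state, idx, new_perm):
    """The same update with the check omitted: a constructed stand-in for the
    kind of missing check in SPT synchronization code a model checker exposes."""
    return state[:idx] + (new_perm,) + state[idx + 1:]


def model_check(update, n_ptes):
    """Breadth-first exploration of every configuration reachable from an
    all-clear page table under the given update policy.
    Returns (violating_state_or_None, number_of_states_explored)."""
    init = tuple((0, 0) for _ in range(n_ptes))
    seen = {init}
    queue = deque([init])
    explored = 0
    while queue:
        s = queue.popleft()
        explored += 1
        if not w_xor_x_holds(s):
            return s, explored          # counterexample found
        for idx in range(n_ptes):       # adversary picks any PTE ...
            for perm in PERMS:          # ... and any permission request
                t = update(s, idx, perm)
                if t not in seen:
                    seen.add(t)
                    queue.append(t)
    return None, explored


def small_world_witness(large_violation):
    """Small-world step for this toy model: because PTEs evolve independently,
    any violating n-PTE state contains a violating single PTE, and that 1-PTE
    state is itself reachable in the 1-PTE model."""
    return next((pte,) for pte in large_violation if pte == (1, 1))


if __name__ == "__main__":
    for n in (1, 2, 3):
        ok, explored = model_check(spt_update_checked, n)
        bad, _ = model_check(spt_update_missing_check, n)
        print(f"{n} PTE(s): checked design -> {ok!r} after {explored} states; "
              f"missing check -> counterexample {bad!r}")
    # The 3-PTE counterexample projects to the 1-PTE counterexample.
    bad3, _ = model_check(spt_update_missing_check, 3)
    print("small-model witness:", small_world_witness(bad3))
```

With the checked policy the explorer visits 3, 9 and 27 states for 1, 2 and 3 PTEs and reports no violation; with the check removed it returns a state containing a (1, 1) entry at every size, and `small_world_witness` maps the 3-PTE counterexample onto exactly the state the 1-PTE run finds. The independence of PTEs that makes that projection valid is precisely the kind of structural property the poster's Small World Language is meant to capture; a real hardware model has cross-PTE dependencies (page-table pages mapping other pages) that this toy deliberately omits.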

Principle of Efficiently-Verifiable Memory
Protection: The Small World Language and Logic
(SWL) codifies the design principle behind
efficiently-verifiable memory protection. Any
system expressible in SWL satisfies the Small
World Theorem and hence has an efficiently-verifiable
memory protection subsystem.
Source Code Verification
  • In-progress work includes verifying SecVisor's C
    source code. The approach includes development of a
    C model of x86 hardware virtualization
    extensions, a bit-precise adversarial model
    checker, and new techniques for scalable
    verification
  • Secure Composition: Verifying separate stages of
    systems (e.g., bootstrap and runtime) and
    securely composing the resulting verified
    subsystems
  • Security Skeleton Extraction: Automatically
    extract just the security-relevant code, thereby
    greatly reducing verification costs