DOI: 10.1145/3342195.3387516
EuroSys conference proceedings, research article

Design of a symbolically executable embedded hypervisor

Published: 17 April 2020

ABSTRACT

Hypervisor implementations such as XMHF, Nova, PROSPER, prplHypervisor, the various L4 descendants, as well as KVM and Xen offer mechanisms for dynamic startup and reconfiguration, including the allocation, delegation and destruction of objects and resources at runtime. Some use cases such as cloud computing depend on this dynamicity, yet its inclusion also renders the state space intractable to simulation-based verification tools. On the other hand, system architectures for embedded devices are often fixed in the number and properties of isolated tasks, therefore a much simpler, less dynamic hypervisor design would suffice. We close this design gap by presenting Phidias, a new hypervisor consisting of a minimal runtime codebase that is almost devoid of dynamicity, and a comprehensive compile-time configuration framework. We then leverage this lack of dynamic components to non-interactively verify the validity of certain invariants. Specifically, we verify hypervisor integrity by subjecting the compiled hypervisor binary to our own symbolic execution engine. Finally, we discuss our results, point out possible improvements, and hint at unexplored characteristics of a static hypervisor design.


Published in

EuroSys '20: Proceedings of the Fifteenth European Conference on Computer Systems
April 2020
49 pages
ISBN: 9781450368827
DOI: 10.1145/3342195

Copyright © 2020 ACM

          Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Acceptance Rates

EuroSys '20 paper acceptance rate: 43 of 234 submissions (18%). Overall acceptance rate: 241 of 1,308 submissions (18%).
