ABSTRACT
Hypervisor implementations such as XMHF, Nova, PROSPER, prplHypervisor, the various L4 descendants, as well as KVM and Xen offer mechanisms for dynamic startup and reconfiguration, including the allocation, delegation and destruction of objects and resources at runtime. Some use cases such as cloud computing depend on this dynamicity, yet its inclusion also renders the state space intractable to simulation-based verification tools. On the other hand, system architectures for embedded devices are often fixed in the number and properties of isolated tasks, so a much simpler, less dynamic hypervisor design would suffice. We close this design gap by presenting Phidias, a new hypervisor consisting of a minimal runtime codebase that is almost devoid of dynamicity, and a comprehensive compile-time configuration framework. We then leverage this lack of dynamic components to non-interactively verify the validity of certain invariants. Specifically, we verify hypervisor integrity by subjecting the compiled hypervisor binary to our own symbolic execution engine. Finally, we discuss our results, point out possible improvements, and hint at unexplored characteristics of a static hypervisor design.
Title: Design of a symbolically executable embedded hypervisor