Verification of TLB Virtualization Implemented in C

Alkassar, Eyad; Cohen, Ernie; Ковалев, Михаил Михайлович; Paul, Wolfgang J.

doi:10.1007/978-3-642-27705-4_17

Cited by 19 publications

(15 citation statements)

References 3 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The main precursor work on formally verified MMU virtualization uses the simulationbased approach of Paul et al [5,41,4]. In [5,41] shadow page tables are used to provide full virtualization, including virtual memory, for "baby VAMP", a simplified MIPS, using VCC.…”

Section: Discussionmentioning

confidence: 99%

“…Full virtualization is generally more complex than the paravirtualization approach studied in the present paper, but the machine model is simplified, information flow security is not supported by the simulation framework, and neither applications nor implementation on real hardware are reported. In [4] the same simulation-based approach is used to study TLB virtualization on an abstract version of the x64 virtual memory architecture. Other related work on verification of microkernels and hypervisors such as seL4 [33] or the Nova project [45] does not address MMU virtualization in detail.…”

Section: Discussionmentioning

confidence: 99%

“…Related work [5,41] uses shadow page tables to provide full virtualization, including virtual memory, for "baby VAMP", a simplified MIPS, using VCC. This work, along with later work [4] on TLB virtualization for an abstract mode of x64, has been verified using Wolfgang Paul's VCC-based simulation framework [13]. Also, the OKL4-microvisor uses shadow paging to virtualize the memory subsystem [26].…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Provably secure memory isolation for Linux on ARM

Guanciale

Nemati

Dam

et al. 2016

JCS

View full text Add to dashboard Cite

The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a memory virtualization platform for ARMv7-A processors. The design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen. It is shown that this mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the processor. We prove memory isolation along with information flow security for an abstract top-level model of the virtualization mechanism. The abstract model is refined down to a transition system closely resembling a C implementation. Additionally, it is demonstrated how the gap between the low-level abstraction and the binary level-can be filled, using tools that check Hoare contracts. The virtualization mechanism is demonstrated on real hardware via a hypervisor hosting Linux and supporting a tamper-proof run-time monitor that provably prevents code injection in the Linux guest.

QC 20161212

PROSPER, CERCE

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Provably secure memory isolation for Linux on ARM

Guanciale

Nemati

Dam

et al. 2016

JCS

View full text Add to dashboard Cite

QC 20161212

PROSPER, CERCE

show abstract

“…Related work [3,21] uses shadow page tables to provide full virtualization, including virtual memory, for "baby VAMP", a simplified MIPS, using VCC. This work, along with later work on TLB virtualization for an abstract mode of x64 [2], has been verified using Wolfgang Paul's VCC-based simulation framework. Also, the OKL4-microvisor uses shadow paging to virtualize the memory subsystem [12].…”

Section: Related Workmentioning

confidence: 95%

Trustworthy Memory Isolation of Linux on Embedded Devices

Nemati

Dam

Guanciale

et al. 2015

Trust and Trustworthy Computing

View full text Add to dashboard Cite

Abstract. The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself, for instance by run-time monitoring. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a virtualization platform for the ARMv7-A processor family. Our design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen for the x86 architecture, and used later with minor variants by the Secure Virtual Architecture, SVA. We show that the direct paging mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the ARMv7-A ISA, including the MMU. We prove memory isolation of the hosted components along with information flow security for an abstract top level model of the virtualization mechanism. The abstract model is refined down to a HOL4 transition system closely resembling a C implementation. The virtualization mechanism is demonstrated on real hardware via a hypervisor capable of hosting Linux as an untrusted guest. 1

show abstract

“…Unlike [11] and [12], this technique was based on automated methods. [14] reports on verification of the translation lookaside buffer (TLB) virtualization, a core component of modern hypervisors. As devices run in parallel with software, they require concurrent program reasoning even for single-threaded software.…”

Section: Related Work and Conclusionmentioning

confidence: 99%

A Case Study on Verification of a Cloud Hypervisor by Proof and Structural Testing

Kosmatov¹,

Lemerre²,

Alec

2014

Tests and Proofs

View full text Add to dashboard Cite

Abstract. Complete formal verification of software remains extremely expensive and often reserved in practice for the most critical products. Test generation techniques are much less costly and can be used in combination with theorem proving tools to provide high confidence in the software correctness at an acceptable cost when an automatic prover does not succeed alone. This short paper presents a case study on verification of a cloud hypervisor with the Frama-C toolset, in which deductive verification has been advantageously combined with structural all-path testing. We describe our combined verification approach, present the adopted methodology and emphasize its benefits and limitations.

show abstract

Verification of TLB Virtualization Implemented in C

Cited by 19 publications

References 3 publications

Provably secure memory isolation for Linux on ARM

Provably secure memory isolation for Linux on ARM

Trustworthy Memory Isolation of Linux on Embedded Devices

A Case Study on Verification of a Cloud Hypervisor by Proof and Structural Testing

Contact Info

Product

Resources

About