Skip to main content

Combining Mechanized Proofs and Model-Based Testing in the Formal Analysis of a Hypervisor

Part of the Lecture Notes in Computer Science book series (LNPSE,volume 9995)

Abstract

Virtualization engines play a critical role in many modern software products. In an effort to gain definitive confidence on critical components, our company has invested on the formal verification of the NOVA micro hypervisor, following recent advances in similar academic and industrial operating-system verification projects. There are inherent difficulties in applying formal methods to low-level implementations, and even more under specific constraints arising in commercial software development. In order to deal with these, the chosen approach consists in the splitting of the verification effort by combining the definition of an abstract model of NOVA, the verification of fundamental security properties over this model, and testing the conformance of the model w.r.t. the NOVA implementation. This article reports on our experiences in applying formal methods to verify a hypervisor for commercial purposes. It describes the verification approach, and the security properties under consideration, and reports the results obtained.

Keywords

  • Kernel Objects
  • Hypervalent State
  • Untrusted Process
  • Conformance Testing
  • Unprivileged Mode

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Our company wants to remain anonymous.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-48989-6_5
  • Chapter length: 16 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   89.00
Price excludes VAT (USA)
  • ISBN: 978-3-319-48989-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   119.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.

Notes

  1. 1.

    In order to enforce resource revocation from untrusted components in our NOVA version, one needs a trusted component that performs all delegations and tracks them similarly to the mapping database that is part of many L4 implementations.

  2. 2.

    The NOVA documentation uses protection domain instead of process and execution context instead of thread but we stick to traditional terminology here.

References

  1. Barthe, G., Betarte, G., Campo, J.D., Luna, C.: Formally verifying isolation and availability in an idealized model of virtualization. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 231–245. Springer, Heidelberg (2011). doi:10.1007/978-3-642-21437-0_19

    CrossRef  Google Scholar 

  2. Bertrane, J., Cousot, P., Cousot, R., Feret, J., Mauborgne, L., Miné, A., Rival, X.: Static analysis and verification of aerospace software by abstract interpretation. Found. Trends Program. Lang. 2(2–3), 71–190 (2015)

    CrossRef  Google Scholar 

  3. Brat, G., Bushnell, D., Davies, M., Giannakopoulou, D., Howar, F., Kahsai, T.: Verifying the safety of a flight-critical system. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 308–324. Springer, Heidelberg (2015). doi:10.1007/978-3-319-19249-9_20

    CrossRef  Google Scholar 

  4. Brucker, A.D., Wolff, B.: On theorem prover-based testing. Formal Aspects Comput. 25(5), 683–721 (2013)

    MathSciNet  CrossRef  MATH  Google Scholar 

  5. Cai, H., Shao, Z., Vaynberg, A.: Certified self-modifying code. In: Proceedings of the ACM SIGPLAN 2007 Conference on Programming Language Design and Implementation, San Diego, California, USA, June 10–13, 2007, pp. 66–77 (2007)

    Google Scholar 

  6. Calcagno, C., et al.: Moving fast with software verification. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 3–11. Springer, Heidelberg (2015). doi:10.1007/978-3-319-17524-9_1

    Google Scholar 

  7. Elphinstone, K., Heiser, G.: From L3 to seL4 - what have we learnt in 20 years of L4 microkernels? In: Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles, SOSP 2013, pp. 133–150. ACM, New York (2013)

    Google Scholar 

  8. Feng, X., Shao, Z., Dong, Y., Guo, Y.: Certifying low-level programs with hardware interrupts and preemptive threads. In: Proceedings of the ACM SIGPLAN 2008 Conference on Programming Language Design and Implementation, Tucson, AZ, USA, June 7–13, 2008, pp. 170–182 (2008)

    Google Scholar 

  9. Gu, L., Vaynberg, A., Ford, B., Shao, Z., Costanzo, D.: Certikos: a certified kernel for secure cloud computing. In: APSys 2011 Asia Pacific Workshop on Systems, Shanghai, China, July 11-12, 2011, p. 3 (2011)

    Google Scholar 

  10. Klein, G., Elphinstone, K., Heiser, G., Andronick, J., Cock, D., Derrin, P., Elkaduwe, D., Engelhardt, K., Kolanski, R., Norrish, M., Sewell, T., Tuch, H., Winwood, S.: sel4: formal verification of an OS kernel. In: Proceedings of the 22nd ACM Symposium on Operating Systems Principles 2009, SOSP 2009, Big Sky, Montana, USA, October 11–14, 2009, pp. 207–220 (2009)

    Google Scholar 

  11. Kosmatov, N., Lemerre, M., Alec, C.: A case study on verification of a cloud hypervisor by proof and structural testing. In: Seidl, M., Tillmann, N. (eds.) TAP 2014. LNCS, vol. 8570, pp. 158–164. Springer, Heidelberg (2014). doi:10.1007/978-3-319-09099-3_12

    Google Scholar 

  12. Leroy, X.: A formally verified compiler back-end. J. Autom. Reasoning 43(4), 363–446 (2009)

    MathSciNet  CrossRef  MATH  Google Scholar 

  13. Liedtke, J.: Toward real \({\mu }\)-kernels. Commun. ACM 39(9), 70–77 (1996)

    CrossRef  Google Scholar 

  14. Lipton, R.J., Snyder, L.: A linear time algorithm for deciding subject security. J. ACM 24(3), 455–464 (1977)

    MathSciNet  CrossRef  MATH  Google Scholar 

  15. Liu, T., Huuck, R.: Case study: static security analysis of the android goldfish kernel. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 589–592. Springer, Heidelberg (2015). doi:10.1007/978-3-319-19249-9_39

    CrossRef  Google Scholar 

  16. Murray, T.C., Matichuk, D., Brassil, M., Gammie, P., Bourke, T., Seefried, S., Lewis, C., Gao, X., Klein, G.: sel4: from general purpose to a proof of information flow enforcement. In: 2013 IEEE Symposium on Security and Privacy, SP 2013, Berkeley, CA, USA, May 19–22, 2013, pp. 415–429 (2013)

    Google Scholar 

  17. Newcombe, C., Rath, T., Zhang, F., Munteanu, B., Brooker, M., Deardeuff, M.: How amazon web services uses formal methods. Commun. ACM 58(4), 66–73 (2015)

    CrossRef  Google Scholar 

  18. Ramananandro, T., Reis, G.D., Leroy, X.: Formal verification of object layout for c++ multiple inheritance. In: Proceedings of the 38th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2011, Austin, TX, USA, January 26–28, 2011, pp. 67–80 (2011)

    Google Scholar 

  19. Ramananandro, T., Reis, G.D., Leroy, X.: A mechanized semantics for C++ object construction and destruction, with applications to resource management. In: Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, January 22–28, 2012, pp. 521–532 (2012)

    Google Scholar 

  20. Sewell, T., Winwood, S., Gammie, P., Murray, T., Andronick, J., Klein, G.: seL4 enforces integrity. In: Eekelen, M., Geuvers, H., Schmaltz, J., Wiedijk, F. (eds.) ITP 2011. LNCS, vol. 6898, pp. 325–340. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22863-6_24

    CrossRef  Google Scholar 

  21. Shao, Z.: Clean-slate development of certified OS kernels. In: Proceedings of the 2015 Conference on Certified Programs and Proofs, Cp. 2015, Mumbai, India, January 15–17, 2015, pp. 95–96 (2015)

    Google Scholar 

  22. Shapiro, J.S., Weber, S.: Verifying the eros confinement mechanism. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, SP 2000, p. 166. IEEE Computer Society, Washington, DC (2000)

    Google Scholar 

  23. Steinberg, U., Kauer, B.: Nova: a microhypervisor-based secure virtualization architecture. In: Proceedings of the 5th European Conference on Computer Systems, EuroSys 2010, pp. 209–222. ACM, New York (2010)

    Google Scholar 

  24. FireEye Formal Methods Team. Efficiently executable sets used by FireEye. Presented at the 8th Coq Workshop (2016). https://github.com/fireeye/MSetsExtra

  25. Zhao, H., Yang, M., Zhan, N., Gu, B., Zou, L., Chen, Y.: Formal verification of a descent guidance control program of a lunar lander. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 733–748. Springer, Heidelberg (2014). doi:10.1007/978-3-319-06410-9_49

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Hendrik Tews .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2016 Springer International Publishing AG

About this paper

Cite this paper

Becker, H. et al. (2016). Combining Mechanized Proofs and Model-Based Testing in the Formal Analysis of a Hypervisor. In: Fitzgerald, J., Heitmeyer, C., Gnesi, S., Philippou, A. (eds) FM 2016: Formal Methods. FM 2016. Lecture Notes in Computer Science(), vol 9995. Springer, Cham. https://doi.org/10.1007/978-3-319-48989-6_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-48989-6_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-48988-9

  • Online ISBN: 978-3-319-48989-6

  • eBook Packages: Computer ScienceComputer Science (R0)