#### Provable Security

#### Henrik Karlsson (henrik10@kth.se)

Supervisors: Mads Dam & Roberto Guanciale KTH Royal Institute of Technology

October 27, 2022





- Example Application & Proof-of-Concept
- Simply Secure Separation Kernel (S3K)
- S3K Process Scheduling
- Multicore HolBA & Kernel Verification
- Sesearch plan



#### Example Application & Proof-of-Concept









- Monitor Monitors system & handles commands
- Functions Interact with environment and output data
- TCP/IP Handle TCP/IP communication
- Crypto engine Encrypts & Decrypts Packages



- Monitor Manage apps & handles commands
- Dummy Functions  $f_0$ ,  $f_1$  Process and output data
- UART Handle UART communication
- Crypto engine Encrypts & Decrypts Packages



- Monitor Manage apps & handles commands
- Dummy Functions  $f_0$ ,  $f_1$  Process and output data
- UART Handle UART communication
- Crypto engine Encrypts & Decrypts Packages



- Monitor Manage apps & handles commands
- Dummy Functions  $f_0$ ,  $f_1$  Process and output data
- UART Handle UART communication
- Crypto engine Encrypts & Decrypts Packages



- Monitor Manage apps & handles commands
- Dummy Functions  $f_0$ ,  $f_1$  Process and output data
- UART Handle UART communication
- Crypto engine Encrypts & Decrypts Packages



- Monitor Manage apps & handles commands
- Dummy Functions  $f_0$ ,  $f_1$  Process and output data
- UART Handle UART communication
- Crypto engine Encrypts & Decrypts Packages

## Simply Secure Separation Kernel (S3K)

Memory Protection and Management

- Memory Protection and Management
- Secure Time Management for Real-Time Systems

- Memory Protection and Management
- Secure Time Management for Real-Time Systems
- Secure Inter-Process Communication (IPC)

- Memory Protection and Management
- Secure Time Management for Real-Time Systems
- Secure Inter-Process Communication (IPC)
- Process Monitoring

- Memory Protection and Management
- Secure Time Management for Real-Time Systems
- Secure Inter-Process Communication (IPC)
- Process Monitoring
- Targeting standard RISC-V 64-bit (RV64IMA) with MPU<sup>1</sup>

- Memory Protection and Management
- Secure Time Management for Real-Time Systems
- Secure Inter-Process Communication (IPC)
- Process Monitoring
- Targeting standard RISC-V 64-bit (RV64IMA) with MPU<sup>1</sup>

 $\sim$  2000 lines of C/Assembly

<sup>&</sup>lt;sup>1</sup>MPU - Memory Protection Unit, protects physical memory.

Previously mentioned features are implemented using capabilities

• Capability = object in kernel representing a resource

Process X

| Kernel                   |
|--------------------------|
| Process X's capabilities |
| Memory Slice             |
| Memory Slice             |
| Time Slice               |
| Supervise Y              |
|                          |
|                          |
|                          |
| IPC Endpoint             |

Previously mentioned features are implemented using capabilities

- Capability = object in kernel representing a resource
- Process owning a capability has access to corresponding resource



Previously mentioned features are implemented using capabilities

- Capability = object in kernel representing a resource
- Process owning a capability has access to corresponding resource
- Process can derive new capabilities from existing capabilities



■ Memory Slice – Manage access to a physical memory region.

▶ PMP – Configure RISC-V's MPU, grants memory access.

- Memory Slice Manage access to a physical memory region.
  - ▶ PMP Configure RISC-V's MPU, grants memory access.
- Time Slice Manage and grant execution time on a core.

- Memory Slice Manage access to a physical memory region.
  - ▶ PMP Configure RISC-V's MPU, grants memory access.
- Time Slice Manage and grant execution time on a core.
- Channels Manage IPC channels and endpoints.
  - ► Receiver/Sender Unidirectional IPC channel.
  - Server/Client Bidirectional IPC channel.

- Memory Slice Manage access to a physical memory region.
  - ▶ PMP Configure RISC-V's MPU, grants memory access.
- Time Slice Manage and grant execution time on a core.
- Channels Manage IPC channels and endpoints.
  - ► Receiver/Sender Unidirectional IPC channel.
  - Server/Client Bidirectional IPC channel.
- Supervisor Manage a set of processes.

#### S3K Process Scheduling





Cores can only run one process at the time.



- Cores can only run one process at the time.
- Multiplexing the Core main duty of the kernel.



Cores can only run one process at the time.

- Multiplexing the Core main duty of the kernel.
- Context switch  $\implies$  overhead.



- Cores can only run one process at the time.
- Multiplexing the Core main duty of the kernel.
- Context switch ⇒ overhead.
- Core multiplexing technique = Process Scheduling.



- Cores can only run one process at the time.
- Multiplexing the Core main duty of the kernel.
- Context switch  $\implies$  overhead.
- Core multiplexing technique = Process Scheduling.
- Best scheduler? Performance vs. Safety vs. Security.



- Cores can only run one process at the time.
- Multiplexing the Core main duty of the kernel.
- Context switch  $\implies$  overhead.
- Core multiplexing technique = Process Scheduling.
- Best scheduler? Performance vs. Safety vs. Security.
  - Processor utilization? Supercomputer, Desktop, ...



- Cores can only run one process at the time.
- Multiplexing the Core main duty of the kernel.
- Context switch  $\implies$  overhead.
- Core multiplexing technique = Process Scheduling.
- Best scheduler? Performance vs. Safety vs. Security.
  - Processor utilization? Supercomputer, Desktop, ...
  - ▶ Meet deadline? Airplane, Car, Routers, Industrial Machines, ...



- Cores can only run one process at the time.
- Multiplexing the Core main duty of the kernel.
- Context switch  $\implies$  overhead.
- Core multiplexing technique = Process Scheduling.
- Best scheduler? Performance vs. Safety vs. Security.
  - Processor utilization? Supercomputer, Desktop, ...
  - ▶ Meet deadline? Airplane, Car, Routers, Industrial Machines, ...
  - Prevent side-channels attacks? Secure servers, routers, ...

## S3K Scheduling



■ Modified RR – Minor frames defined by time slice capabilities.



- Modified RR Minor frames defined by time slice capabilities.
- Fair Process with execution time gets execution time.



- Modified RR Minor frames defined by time slice capabilities.
- Fair Process with execution time gets execution time.
- Predictable Process knows time slice capabilities, thus their execution time.

<sup>2</sup>Flush cache, branch predictors, etc., support is hardware dependant.





- Modified RR Minor frames defined by time slice capabilities.
- Fair Process with execution time gets execution time.
- Predictable Process knows time slice capabilities, thus their execution time.
- Temporal Isolation A process's execution time depends only on its capabilities.

<sup>2</sup>Flush cache, branch predictors, etc., support is hardware dependant.



- Modified RR Minor frames defined by time slice capabilities.
- Fair Process with execution time gets execution time.
- Predictable Process knows time slice capabilities, thus their execution time.
- Temporal Isolation A process's execution time depends only on its capabilities.
- Low-overhead Scheduling decided by a lookup table.

<sup>&</sup>lt;sup>2</sup>Flush cache, branch predictors, etc., support is hardware dependant.



- Modified RR Minor frames defined by time slice capabilities.
- Fair Process with execution time gets execution time.
- Predictable Process knows time slice capabilities, thus their execution time.
- Temporal Isolation A process's execution time depends only on its capabilities.
- Low-overhead Scheduling decided by a lookup table.
- Dynamic Process can alter their time slices.

<sup>2</sup>Flush cache, branch predictors, etc., support is hardware dependant.

Henrik Karlsson (KTH)

Provable Security

## Time Slice Capability



- hartid ID of a hardware thread.<sup>3</sup>
- begin start of a time slice
- free start of minor frame
- end end of a time slice and minor frame

<sup>3</sup>Hardware Thread – Logically separate processor.

#### Proof-of-Concept with Time Slices



#### Proof-of-Concept with Time Slice

Monitor has the initial time slice





### Proof-of-Concept with Time Slice



(only create slices from *free* to *end*)



#### Monitor derives capability C



#### Monitor derives capability D



#### Proof-of-Concept with Time Slice

#### Monitor sends capability D to F0

(using IPC or supervisor capability)



#### Proof-of-Concept with Time Slice

#### F0 deletes capability D

(Core idle from *free* to *end*)





#### Monitor derives capability D again



#### Multicore HolBA & Kernel Verification







Memory operations may be reordered in RISC-V.



Writes may be reordered.



Reads may be reordered.



#### Verification of multicore RISC-V need all reorderings. Multicore HoIBA provides this!





#### Research Plan

- Dec. 2022 Complete proof-of-concept
- Jan./Feb. 2023 Evaluation and publication of kernel with proof-of-concept

<sup>&</sup>lt;sup>4</sup>Worst-case execution time

#### Research Plan

- Dec. 2022 Complete proof-of-concept
- Jan./Feb. 2023 Evaluation and publication of kernel with proof-of-concept
- Spring 2023
  - Publication of multicore HolBA
  - ▶ Measurements of WCET<sup>4</sup> and jitter of non-preemptive kernel parts
  - Implement secure interrupts, optimized scheduler, and 32-bit kernel version



<sup>&</sup>lt;sup>4</sup>Worst-case execution time

- Dec. 2022 Complete proof-of-concept
- Jan./Feb. 2023 Evaluation and publication of kernel with proof-of-concept
- Spring 2023
  - Publication of multicore HolBA
  - ▶ Measurements of WCET<sup>4</sup> and jitter of non-preemptive kernel parts
  - Implement secure interrupts, optimized scheduler, and 32-bit kernel version
- Summer 2023
  - Model and proofs on some concurrent kernel code using multicore HolBA
  - Finish sequential high-level model of kernel

<sup>&</sup>lt;sup>4</sup>Worst-case execution time

- Dec. 2022 Complete proof-of-concept
- Jan./Feb. 2023 Evaluation and publication of kernel with proof-of-concept
- Spring 2023
  - Publication of multicore HolBA
  - ▶ Measurements of WCET<sup>4</sup> and jitter of non-preemptive kernel parts
  - Implement secure interrupts, optimized scheduler, and 32-bit kernel version
- Summer 2023
  - Model and proofs on some concurrent kernel code using multicore HolBA
  - Finish sequential high-level model of kernel
- Autumn 2023 Finish concurrent high-level model of kernel

<sup>&</sup>lt;sup>4</sup>Worst-case execution time

### Questions?



### Multicore Scheduling



Process runs on one core, for determinism,<sup>5</sup> we need priority rules.

- currently running core
- core with smallest ID.



<sup>&</sup>lt;sup>5</sup>non-determinism may leak information

## Multicore Scheduling



Process runs on one core, for determinism,<sup>5</sup> we need priority rules.

- currently running core
- core with smallest ID.



<sup>&</sup>lt;sup>5</sup>non-determinism may leak information

## Multicore Scheduling



Process runs on one core, for determinism,<sup>5</sup> we need priority rules.

- currently running core
- Iongest quantum (not implemented)
- core with smallest ID

<sup>&</sup>lt;sup>5</sup>non-determinism may leak information