## **Provable Security and Safety**

#### The seL4 Microkernel and its Use in Critical Systems

Gernot Heiser | gernot.heiser@data61.csiro.au | @GernotHeiser http://microkerneldude.wordpress.com February 2016

https://trustworthy.systems/

DATA



2 | WSOS Graz Feb'16

#### Mesa, AZ, 24 July 2015







3 | WSOS Graz Feb'16



#### What is seL4?



#### seL4: The world's most (only?) secure

OS kernel – provably! GPLed GPLed

5 | WSOS Graz Feb'16

## **Philosophy Underlying seL4**



- 1. Security is paramount and drives design
- 2. Security is no excuse for bad performance
- 3. General-purpose platform for wide range of use cases





### **Fundamental Requirement: Isolation**





#### "High Assurance" **Bad** Practice









# A system must be considered *untrustworthy* unless *proved* otherwise!

Corollary [with apologies to Dijkstra]:

Testing, code inspection, etc. can only show *lack of trustworthiness*!

Claim:



## **Fundamental Design Decisions for seL4**

1. Memory management is user-level responsibility

DATA 61

Isolation

Verification,

Performance

- Kernel never allocates memory (post-boot)
- Kernel objects controlled by user-mode servers
- 2. Memory management is fully delegatable
  - Supports hierarchical system design
  - Enabled by *capability-based access control*
- 3. "Incremental consistency" design pattern
  - Fast transitions between consistent states
    - Restartable operations with progress guarantee
  - No concurrency in the kernel
  - Interrupts never enabled in kernel <sup>Q</sup>
  - Interruption points to bound latencies
  - Clustered multikernel design for multicores

**Perfor-**

mance

**Real-time** 





#### seL4 Isolation Goes Deep





## **WiP: Temporal Isolation Guarantees**



#### **Safety: Timeliness**

• Execution interference

#### **Security: Confidentiality**

• Leakage via timing channels



## Using seL4: DARPA HACMS Program



#### HACMS: High-Assurance Cyber-Military Systems

- Goal: create technology for the construction of high-assurance cyber-physical systems
  - functionally correct
  - satisfying appropriate safety and security properties
- Specific project aims:
  - Protect autonomous systems from cyber attacks
  - Demonstrate deployment in real-world systems
  - Open-source all non-vehicle-specific code

#### HACMS: 3 Teams





Air Team – "SMACCM"



Land Team



Image courtesy of chanpipat at <a href="https://www.science.com">FreeDigitalPhotos.net</a>

## **HACMS: 3** Phases

- Phase 1: August '12 to January '14
  - Simplified high-assurance system
- Phase 2: February '14 to July '15
  - Adding real-world complexity
  - Full-system demo
- Phase 3: August'15 to January'17
  - Transition to real-world military vehicle
    - Boeing Unmanned Little Bird helicopter
    - Autonomous US Army trucks
    - Possibly research drone as "minimal viable product"



#### Secure, Mathematically-Assured Composition of Control Models

#### **SMACCM Objectives:**

- Provable vehicle safety
- "Red Team" must not be able to divert vehicle
- No sacrificing performance



Unmanned Little Bird Deployment Vehicle SMACCMcopter Research Vehicle











## **Dealing with Multicore**

W2SSO\$ Graz Feb'16

## **Approaches for Multicore Kernels**





### **Multicore Kernel Trade-Offs**











#### **Cost of Locking: Round-Trip Intra-Core IPC**







## **Microkernel Multicore Design**



#### Assertion 1: Minimise locks, not locked code

- Amount of locked code is small anyway, 100–200 instructions
- Corresponds to fine- to medium-grained locks in Linux
- Cost of locks is within an OoM of kernel execution time
- Kernel times are short ⇒ contention is low



### **Cache Line Migration Latencies**





## **Microkernel Multicore Design**



Assertion 1: Minimise locks, not locked code

- Amount of locked code is small anyway, 100–200 instructions
- Corresponds to medium-grained locks in Linux
- Cost of locks is within an OoM of kernel execution time
- Kernel times are short  $\Rightarrow$  contention is low

#### Assertion 2: Don't share mikrokernel data without shared cache

• Migrating only a few cache lines takes longer than rest of syscall

#### seL4 Multicore Design: Clustered Multikernel





## **Microkernel Multicore Design**



Assertion 1: Minimise locks, not locked code

- Amount of locked code is small anyway, 100–200 instructions
- Corresponds to medium-grained locks in Linux
- Cost of locks is within an OoM of kernel execution time
- Kernel times are short  $\Rightarrow$  contention is low

Assertion 2: Don't share mikrokernel data without shared cache

• Migrating only a few cache lines takes longer than rest of syscall

#### **Assertion 3: Big lock will perform for closely-coupled cores**

- Shared caches presently have moderate core counts
- Big lock in a *well-designed* microkernel will scale there

# Thank you

DATA

6

**Gernot Heiser** | gernot.heiser@data61.csiro.au | @GernotHeiser http://microkerneldude.wordpress.com February 2016



https://trustworthy.systems/