The document discusses the challenges of creating truly dependable systems that are also affordable. It summarizes research done at NICTA on developing the seL4 microkernel, which has undergone formal verification to prove functional correctness and isolation properties. This level of assurance was achieved at a relatively affordable cost of $400 per line of code. The research demonstrates that formal methods can be cost-effective for developing high-assurance systems if the trusted computing base is minimized and components are designed for verification. Ongoing work aims to further scale this approach to larger systems.

1. Can Truly Dependable
Systems Be Affordable?
@GernotHeiser
NICTA and UNSW Australia
1 APSys'13 Keynote

2. Copyright Notice
These slides are distributed under the Creative Commons
Attribution 3.0 License
• You are free:
– to share—to copy, distribute and transmit the work
– to remix—to adapt the work
• under the following conditions:
– Attribution: You must attribute the work (but not in any way that
suggests that the author endorses you or your use of the work) as
follows:
• “Courtesy of Gernot Heiser, [Institution]”, where [Institution] is one of
“UNSW” or “NICTA”
The complete license text can be found at
http://creativecommons.org/licenses/by/3.0/legalcode
©2013 Gernot Heiser, NICTA 2
COMP9242 S2/2014 W01

3. Present Systems are NOT Trustworthy!
©2013 Gernot Heiser, NICTA 3
APSys'13 Keynote
Yet they are expensive:
• $1,000 per line of code for
“high-assurance” software!
3

4. Fundamental issue: large stacks, need isolation
E.g. medical implant
• 1 kLOC critical code
• 20–100 kLOC trusted
computing base (TCB)
• 100s of bugs
• dozens of exploits!
1,000 LOC
4 APSys'13 Keynote
Control,
monitoring,
maintenance
Network
stacks
Device
drivers
Processor
>10,000
LOC
>10,000
LOC
©2013 Gernot Heiser, NICTA 4
Life-supporting
RTOS
1,000 LOC
1,000 LOC

5. High Assurance Bad Practice
Uncritical/
untrusted
Processor
©2013 Gernot Heiser, NICTA 5
Sensitive/
critical/
trusted
• TCB of millions of LOC
• Expect 1000s of bugs
• Expect 100s of vulnerabilities
Hacker’s
delight!
Isolation?
Xen/VMware/KVM
hypervisor
Huge TCB
5 APSys'13 Keynote

6. High Assurance Best Practice
Uncritical/
untrusted
Processor
©2013 Gernot Heiser, NICTA 6
Sensitive/
critical/
trusted
• Isolate
• Minimise the TCB
• Assure TCB by
• testing
• code inspection
• bug-finding tools
Separation kernel
Minimal
“trusted
computing
base” (TCB)
base”
Always
incomplete!
6 APSys'13 Keynote

7. State of the Art: NICTA’s seL4 Microkernel
Uncritical/
untrusted
Processor
©2013 Gernot Heiser, NICTA 7
Strong
Isolation
Sensitive/
critical/
trusted
seL4 microkernel
Truly
dependable
TCB
7 APSys'13 Keynote
• Provable isolation!
• Provable assurance!
No place for
bugs to hide!

8. NICTA’s seL4: Mathematical Proof of Isolation
Proof Proof Proof
©2013 Gernot Heiser, NICTA 8
APSys'13 Keynote
Integrity
Abstract
Model
C Imple-mentation
Confiden-tiality
Availability
Binary
code
Functional
correctness
[SOSP’09]
Isolation
properties
[ITP’11, S&P’13]
Translation
correctness
[PLDI’13]
Exclusions (at present):
• Initialisation
• Privileged state & caches
• Multicore
• Covert timing channels
Timeliness
[RTSS’11]
8

9. ©2013 Gernot Heiser, NICTA 99 Cyber Security August'13

10. NICTA’s seL4 Microkernel: Unique Assurance
©2013 Gernot Heiser, NICTA 10
APSys'13 Keynote
First and only operating-system with
functional-correctness proof: operation
is always according to specification
First and only operating-system with
proof of integrity and confidentiality
enforcement – at the level of binary code!
First and only protected-mode
operating-system with complete
and sound timing analysis
World’s fastest microkernel
on ARM architecture
Predecessor
deployed on
2 billion devices
10

11. seL4: Cost of Assurance
Proof Proof Proof
©2013 Gernot Heiser, NICTA 11
APSys'13 Keynote
Integrity
Abstract
Model
C Imple-mentation
Confiden-tiality
Availability
Binary
code
20.5 py
4.5 years
1 py
4 months
0 py
By construction
4.5 py
2 py, 1.5 years
Mostly for tools
11
2 py, 1 year
Mostly for tools
$400 per line
of code!
Estimate repeat
cost: $200/LOC

12. Cost of Assurance
Industry Best Practice:
• “High assurance”: $1,000/LOC, no guarantees, unoptimised
• Low assurance: $100–200/LOC, 1–5 faults/kLOC, optimised
State of the Art – seL4:
– $400/LOC, 0 faults/kLOC, optimised
• Estimate repeat would cost half
– that’s about the development cost of the predecessor Pistachio!
• Aggressive optimisation [APSys’12]
– much faster than traditional high-assurance kernels
– as fast as best-performing low-assurance kernels
12 APSys'13 Keynote
©2013 Gernot Heiser, NICTA 12

13. What Have We Learnt?
Formal verification probably didn’t produce a more secure kernel
• In reality, traditional separation kernels are probably secure
But:
• We now have certainty
• We did it probably at less cost
Real achievement:
• Cost-competitive at a scale where traditional approaches still work
• Foundation for scaling beyond: 2 ⨉ cheaper, 10 ⨉ bigger!
How?
• Combine theorem proving with
– synthesis
– domain–specific languages (DSLs)
13 APSys'13 Keynote
©2013 Gernot Heiser, NICTA 13

14. Boeing Unmanned
Little Bird (AH-6)
Deployment Vehicle
©2013 Gernot Heiser, NICTA 14
SMACCMcopter
Research Vehicle
Next Step: Full System Assurance
DARPA HACMS Program:
• Provable vehicle safety
• “Red Team” must not be able
to divert vehicle
14 APSys'13 Keynote

15. Control Board Mission Board
Verified RTOS
Radio
control
©2013 Gernot Heiser, NICTA 15
C&C
File
system
seL4 – verified microkernel
Hardware
Hardware
Sensors
• gyro,
• accel,
• …
C&C
Radio
Micro-controller
Control
Monitor
CAN bus
controller
Network
camera
Proces-sor
Untrusted
Linux
kernel,
image
processing
Device
drivers
CAN Bus Key:
Trusted
Trusted, NICTA
Untrusted
System Structure
15 APSys'13 Keynote

16. Architecting System-Level Security/Safety
Architecture Specification
Requirements
(specific set of
security/safety
properties)
Component Model
Untr
trusted Untr
Correctness Formal
©2013 Gernot Heiser, NICTA 16
Automatic
Analysis
(Requirements
fulfilled)
Component Implementations
Untr
trusted Untr
Verified Glue Code
seL4 Kernel
Glue Code Proof
seL4 Proof
proof Synthesis
Functional
correctness Security
Automatic Generation
of Glue code
Communication Init
16 Cyber Security August'13

17. Synthesis: Device Drivers [SOSP’09]
Formal
Formalise
specs!
Formal
©2013 Gernot Heiser, NICTA 17
driver.c
OS Interface
Spec
Device Spec
17 APSys'13 Keynote

18. Actually works! (On Linux & seL4)
IDE disk controller W5100 Eth shield Intel PRO/1000
Asix AX88772
USB-to-Eth adapter
©2013 Gernot Heiser, NICTA 18
Ethernet
SD host controller
UART controller
18 APSys'13 Keynote

19. Synthesis: Device Drivers
In progress:
• Extract device spec from
device design work-flow
• Manual optimisations
• Verified synthesis
©2013 Gernot Heiser, NICTA 19
driver.c
APSys'13 Keynote
Formal
OS Interface
Spec
Formal
Device Spec
19

20. Hardware Design Workflow
Informal specification
High-level model
Manual transformation
Register-transfer-level
description
netlist
©2013 Gernot Heiser, NICTA 20
Too
detailed
(for now)
• Low-level description:
registers, gates, wires.
• Cycle-accurate
• Precisely models internal
device architecture and
interfaces
• “Gold reference”
20 APSys'13 Keynote

21. Hardware Design Workflow
Informal specification
High-level model
Manual transformation
Register-transfer-level
description
netlist
Use for now
©2013 Gernot Heiser, NICTA 21
• Captures external
behaviour
• Abstracts away structure
and timing
• Abstracts away the low-level
interface
bus_write(u32 addr, u32 val)
{
...
}
21 APSys'13 Keynote

22. DSLs: File System
©2013 Gernot Heiser, NICTA 22
Abstract
Spec
(Isabelle)
Component
Component
Spec
Component
Component
Spec
(Isabelle)
Component
Spec
(DSL)
Spec
(DSL)
Spec
(DSL)
Component
Implementation
(C)
Component
Implementation
(C)Generated
Component
Implementation
(Generated C)
Manual
Proof
Generated
Proof
Component
Spec
(Isabelle)
Gene- (Isabelle)
rator
APSys'13 Keynote
File-system properties:
• Multiple, pre-defined
abstraction levels
• Naturally modular
• Lots of “boring” code
• (de-)serialisation
• error handling
22

23. File System Code and Proof Co-Generation
Proof
Proof
Manual, FS-specific
Manual, FS-independent
Generated
Proof
Proof
©2013 Gernot Heiser, NICTA 23
CSDL code
Declarations
of Types,
Functions
verified filesystem code
Verified C code
DDSL code
generation
Control
Code
Data layout
Control
Code
ADT
Code
(De-)seriali-sation
Code
Isabelle specs & proofs
Control
Code Spec
ADT
Code Spec
(De)-serial.
Code Spec Functional spec
Proof
Proof
generation
generation
APSys'13 Keynote
Case study: Flash file system
• Linux-compatible
• Fits between VFS and
flash abstraction (UBI)
23

24. Future: Full-Scale Trustworthy System
Untrusted
Apps
Verified Resource Management
©2013 Gernot Heiser, NICTA 24
Cyber Security August'13
Verified critical application
Verified microkernel
Verified
File systems
Verified
Device
Drivers
Processor Devices
Verified
Network
Stacks
Verified
High-level
runtime
Untrusted VM
Untrusted
Linux
Untrusted Apps
24

25. Lessons Learnt So Far
Formal methods are expensive?
• Cost-effective for high assurance on small to moderate scale
• $200-400/LOC for 10kLOC
We think we can scale bigger and cheaper:
• Componentisation
– verify components in isolation – enabled by seL4 guarantees
– cost – performance tradeoff
• Synthesis
• Abstraction: DSLs, HLLs increase productivity
Big challenge: Proof composition
25 APSys'13 Keynote
©2013 Gernot Heiser, NICTA 25

26. Where To Find More
• UNSW Advanced Operating Systems Course
http://www.cse.unsw.edu.au/~cs9242
• NICTA Trustworthy Systems research
http://trustworthy.systems
• seL4 open-source portal
http://sel4.systems
• L4 Microkernel Headquarters
http://l4hq.org
• Gernot’s blog:
http://microkerneldude.wordpress.com/
• Gernot’s research home page:
http://ssrg.nicta.com.au/people/?cn=Gernot+Heiser
©2013 Gernot Heiser, NICTA 26
COMP9242 S2/2014 W01