1 / 37

Theory of Multicore Hypervisor Verification

Theory of Multicore Hypervisor Verification. W. Paul Saarland University joint work with E. Cohen, S. Schmaltz…. What is a kernel ?. The Classic : Turing machine kernel Simulating k one tape Turing machines by 1 one tape T uring machine Tracks: address translation

chynna
Download Presentation

Theory of Multicore Hypervisor Verification

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Theoryof Multicore HypervisorVerification W. Paul Saarland University jointworkwith E. Cohen, S. Schmaltz….

  2. Whatis a kernel ? • The Classic: Turing machinekernel • Simulating k onetape Turing machinesby 1 onetapeTuring machine • Tracks: addresstranslation • Head positionandstate: processcontrol block • Roundrobin: scheduling tape(1,left) s_1 tape(1,right) tape(2,left) s_2 tape(2,right) tape(3,left) s_3 tape(3,right)

  3. Whatis an M-kernel ? • processvirtualization: • simulating k machinesof type M by 1 onetapemachineof type M • + sytemcalls • forinterprocesscommunication… • M: • MIPS, ARM, Power, x64… tape(1,left) s_1 tape(1,right) tape(2,left) s_2 tape(2,right) tape(3,left) s_3 tape(3,right)

  4. Whatis a hypervisor ? • guestscanbeoperatingsystems, i.e. in systemmode • 2 levelsoftranslation • hypervisorpagetables • guestpagetables • ‚subdividetracks‘ • hardwaresupport • nestedpagetables • nohardwaresupport: • compositionoftranslationsistranslation • maintain ‚shadowpagetables‘ (SPT) forcombinedtranslatio • redirectmemorymanagementunit (mmu) to SPTs

  5. Background • 2007-2010: efforttoformallyverify MS HyperV • partof German Verisoft-XT project (Paul, Broy, Podelski, Rybalchenko…), 13 Mio € • MS Windows + Research (Cohen, Moskal, Leino,…) • Wefailed 2010 • tooldevelopment (VCC) successful • crucialportionsofcodeverified • tooldocumentationandsoundnessargumentlessthanperfect • paperandpenciltheoryincomplete in 2010 • Wedid not know(exactlyenough) whattoprove

  6. Hypervisor Correctness iseither • Onetheorem in 1 theory • thenweare in weaponsbusinessofcycber war • orbughunting • thenwe (formal verificationehineers) arecompetingwiththesoftwarecommunity • andmaygetbeatenup

  7. This talk (only) 2 years after end ofproject • outlines • model stackformulticorehypervisorverification • I thinkcomplete • simulationtheoremsbetweenlayers • soundnessof VCC anditsuse • sizeofremaininggaps: • <= PhDthesis • I supervised59 so far

  8. Threekindsofarguments • abstraction • classicalcommutativediagrams • order construction • in nondeterministic model ofconcurrentimplementation • fromdetailsofdeterministicimplementation • order reduction • excludew.l.o.g. interleavings in concurrent model

  9. 7 maintheories (1) • multicore ISA-sp • systemprogrammersmanual • hardwarecorrectness • serial ISA abstraction • to ISA-u (forusers) • seriallanguagestack • C + macroassembly + ISA-sp • compilers + macroassemblers • C+ ISA + devices • drivers • exceptionhandlers • boot • ownership in concurrentcomputation • push throughstack • serialcompilertranslates parallel C

  10. 7 maintheories (2) • Soundness of VCC anditsuse • C + ghost + assertions • VCC proofsimplyownershipdiscipline • useof C-verifierfor C+ISA + devices • Hypervisor correctness • virtualtreadsimulation (kernellayer) • nestedaddresstransation (shadowpagetables) • ISA-spvirtualization

  11. ISA-sp (1) • X64 • Intel: 3000 pages • AMD 1500 pages • Diss. Degenbaev 300 pagesmath • http://rg-master.cs.uni-sb.de/publikationen/UD11.pdf • MIPS-86 • MIPS-ISA+ X86 memory model • 15 pages • http://www-wjp.cs.uni-saarland.de/publikationen/SchmaltzMIPS.pdf

  12. ISA-sp(2): X64 disk APIC • X64 ISA model • E. Cohen: nondeterministiccommunicatingsequentialcomponents • sb: storebuffer • mmu: memorymanagementunit • APIC: device, interrupts • disk: forbooting • detailssubtle • betterreverseengineer MIPS-86 andprove mem + caches sb mmu core

  13. ISA-sp (3): MIPS-86 hardwarecorrectness (formal/paper) • Processorcorrectness • pipelined • onememorymode: WB • softwareconditions: alignment; noselfmodifyingcode • digital gatelevel + gatedelays • sequentiallyconsistentsharedmemory (MOESI) • April 4, 2012 • 283 pages • http://www-wjp.cs.uni-saarland.de/lehre/vorlesung/rechnerarchitektur2/ws1112/layouts/multicorebook.pdf • TODO • fetchandadd (easy) • fencesandsync (easy) • consistentmemorymodes (easy) • interrupts + devices (subtle) • MMU (subtle) • storebuffers (easy) • Tomasuloscheduler (hard)

  14. ISA-spto ISA-u (1) • Caches invisible • Usecacheablememorymodesonly • compatibilityofcoherencyprotocols (MOESI +….) • sideremark in Smith & Plezkum mem + caches sb mmu core sb: storebuffer

  15. ISA-spto ISA-u (2) • cachesinvisible • sb invisible in singlecore • easy folkloretheorem • proof: Degenbaev et al: Pervasivetheoryofmemory 2009 • In Susanne Albers and Helmut Alt and Stefan Näher, editors, EfficientAlgorithms -- Essays Dedicatedto Kurt Mehlhorn on the Occasion of His 60th Birthday,Saarbrückenvolume 5760 ofLecture Notes in Computer Science, pages 74-98, Springer, 2009. mem sb mmu core sb: storebuffer sb: storebuffer

  16. ISA-spto ISA-u (3) • cachesinvisible • sb invisible • mmu invisible • setuppagetabletree • linear/translatedmemory • easy folkloretheorem • proof: Degenbaev et al: Pervasivetheoryofmemory 2009 mem mmu core sb: storebuffer

  17. ISA-spto ISA-u (4) • cachesinvisible • sb invisible • mmu invisible • ISA-u mem core

  18. languagestack (1)C+macroassembly + assembly+ISA-sp • C smallstepssemantics (interleave in parallel C) • C+ macroassemblyrealisticandcloseto VCC • usesstackabstraction • process save andrestorehandlesstackpointers • invisible in C + macroassembly C compiler m-asm m-assembler ISA-u=asm before ISA-sp

  19. languagestack (2)combinedlanguagesemantics

  20. languagestack (3)compilation • Optimizing C compiler: • Xavier Leroy. Formal verificationof a realisticcompiler. C ACM, 52(7):107-115, 2009. • Optimizing C Compiler + macroassembler + assembler • C calls m-asmandviceversa • functionpointers • Paper theory: Diss Shadrin. http://www-wjp.cs.uni-saarland.de/publikationen/Sh12.pdf • Schmaltz and Shadrin: VSTTE 2012 • Paul et al: SEFM 2012

  21. MIPS ISA-u +devices (1)formal hardwarecorrectness • Hardware truely parallel, processorpipelined • ISA nondeterministicconcurrent, 1 stepat a time • construct order ofsteps • DissTverdychev, http://www-wjp.cs.uni-saarland.de/publikationen/Tv09.pdf • hardwarecomplexdue to a detail in ISA forexternalinterruptsthatweused • ‚continue‘ insteadof ‚repeat‘ as in X86 dev 1 proc dev k

  22. MIPS ISA-u + devices (2) formal (C+assembly)- drivercorrectness • disableanddon‘tpollinterruptsofdevices >1 • reordertheirdevicesteps out ofdriverrunofdev 1 • preand post conditionsfordrivers… • Diss. Alkassar • http://scidok.sulb.uni-saarland.de/volltexte/2009/2420/pdf/Dissertation_1410_Alka_Eyad_2009.pdf • Alkassar et al: TACAS 08 dev 1 proc dev k

  23. MIPS ISA-u + devices (3) startup • Hypervisor: • disk: bootloader • APIC: wakeupothercores • Diss Pentchev 2013? • secureboot: • digital signatures • Verisoft (2003-2007) dev 1 proc dev k

  24. Ownership (1)concept • Classifyaddresses • local (e.g. C stack) • sharedandreadonly (e.g. program) • sharedowned (temporarilylocal/locked) • sharedwriteable not owned (locks) • invariants: • atmost 1 owner …. • disjointness… • safeprograms: actlikenamesofaddressclassessuggest • accessestoclass 4 atomicatthelanguagelevel

  25. Ownership (2)Def: structured parallel C (folklore) • Classifyaddresses • local (e.g. C stack) • sharedandreadonly (e.g. program) • sharedowned (temporarilylocal/locked) • sharedwriteable not owned (locks) • multiple C threads • sequentiallyconsistentmemory • shared: heap + global variables • local: stacks • safew.r.t. ownership • class 4 access: volatile

  26. Ownership (3)structured parallel C to parallel assembly • IF • translatethreadswithsequentialcompiler • translate volatile C accesstointerlocked ISA-u access • THEN • ISA programsafe • multicore ISA-u simulates parallel C • A. Appel, X. Leroy et al: formalwork in progress • nostorebuffers • Dissertation C. Baumann 2012: pushingthisthroughentirelanguagehierarchy on paper

  27. Ownership (4)parallel storebufferreduction in ISA-sp dirty • maintainlocaldirtybits • class 4 writesince last localsb- flush • class 4 readonlyifdirty =0 • Cohen Schirmer ITP 2010: storebuffers invisible • formal • nommu • tobepushedthroughhierarchy • implementsb-flushascompilerintrinsic in C C compiler m-asm m-assembler ISA-u=asm before ISA-sp

  28. Ownership (5)semanticsfrom hell hyperV dirty • Def: VCC-C: • structured parallel C • with Cohen Schirmer dirtybits • VCC-C + m-asm + asm +ISA-sp C compiler m-asm m-assembler ISA-u=asm before ISA-sp guest

  29. Ownership (5)semanticsfrom hell hyperV dirty • VCC-C: • structured parallel C • with Cohen Schirmer dirtybits • VCC-C + m-asm + asm +ISA-sp • sharedshadowpagetables • MMU (ISA-sp) walks SPTs (volatile C datastructure) • order reduction: interleave MMU stepsat volatile C accessesto SPTs C compiler m-asm m-assembler ISA-u=asm before ISA-sp guest

  30. Model stack VCC-C +…+ISA.sp (2-5) compilation ISA-sp hardwarecorrectness (1) digital hardware timinganalysis (1) gates+ regs.+drivers + delay

  31. model andtheorystack hyperV correct soundness TODO • Soundness of VCC and ist use • VCC is parallel C verifier • Theorem: hyperVvirtualizes multiple ISA-sp (+ systemcalls) (7) (6) VCC-C +…+ISA.sp (2-5) compilation ISA-sp hardwarecorrectness (1) digital hardware timinganalysis (1) gates+ regs.+drivers + delay

  32. VCC (1) soundness: arguingaboutownership • C + ghost: Dissertation Schmaltz 2012 • semantics • simulationof C byC+ghost • ghostcode must terminate • VCC-C + ghost • TODO for VCC soundness • Semanticsofassertionlanguageof C + ghost (logics) • showthatassertionsgeneratedby VCC implyownership + Cohen Schirmer dirtybitdiscipline • soundnessofverificationconditiongeneratorusedforserialand parallel langueconstructs

  33. VCC (2) useforC + m-assembly +ISA-sp • Dissertation Maus (Podelski) • hybrid C variables, located in memory outside ofregular C variables • code non C portionsof ISA-sp in hybrid variables • writeobvious C simulator • translate m-assemblymacrosinto C functioncalls in the naive way • wildlyproductive • 14K LOC verified • Maus et al: AMAST 2008 • soundness: • Dissertation Shadrin • Paul et al: SEFM 12

  34. HyperVcorrectness (1)kernellayer: manythreads • Simulation of K C+masm + ISA-spthreadsby k physical ISA-spthreads • compile C part • threadcontrolblocks • savingandrestoringstackandheappointers • C + masm + asm • APICs hardtosimulate • similartokernelcorrectnessfrom Verisoft-1 Project (14 Mio €) • paper: Gargano et al: TPHOLs 2005 • formal: Alkassar et al, VSTTE 2010 • Dissertation Alekhin 2013?

  35. HyperVcorrectness (2)shadowpagetables • 2 translations • guest-OS touser • hosttoguest - OS • withhardwaresupport • nestedpagetables • no formal model andhardwareconstructionyet • withoutharwaresupport • compositionoftranslationsistranslation • SPT forcomposition • Redirect MMU to SPTs • SPT-algorithmwithoutsharingbeweenprocessors, formal • Dissertation Kovalev 2012 • Alkassar et al FMCAD 2010 • in MS product SPTs withsharing

  36. HyperVcorrectness(3)ISA-spvirtualizationandsystemcalls • Virtualization • withkernellayerand SPTs similartoVerisoft-1 • new: stateof ISA-spcomponentsofsleepingvirtualprocesors • sbempty • cachesfromhardware • tlbemptyortaggedas in hardware • Simple Hypervisor • formal in VCC • without save/restore: Alkassar et al: VSTTE 10 • with: Paul et al: SEFM 12 • systemcallsand C datastruturesofkernelas in formalwork • seL4 (only C portion but canextendwith Verisoft-1 technology) • orDissDörrenbächer 2010 http://www-wjp.cs.uni-saarland.de/publikationen/JD10.pdf • orDiss M. Schmidt 2011http://www-wjp.cs.uni-saarland.de/publikationen/MS11.pdf (partofVerisoftautomotivesubproject. Broy-Paul)

  37. Final remark • Paul VSTTE 2005 • a formal proofis an engineeringobject • a paperproofis a building plan • IFIP workinggroup on verifiedsoftware 2012 • lack of such buildingplansrecognizedasmajorobstclefordevelopmentofformallyverifiedsystems • verydifficulttopublish so far • ThankYou

More Related