research-article

Design of a symbolically executable embedded hypervisor

Author:

Jan NordholzAuthors Info & Claims

EuroSys '20: Proceedings of the Fifteenth European Conference on Computer Systems

Article No.: 6, Pages 1 - 16

https://doi.org/10.1145/3342195.3387516

Published: 17 April 2020 Publication History

Abstract

Hypervisor implementations such as XMHF, Nova, PROSPER, prplHypervisor, the various L4 descendants, as well as KVM and Xen offer mechanisms for dynamic startup and reconfiguration, including the allocation, delegation and destruction of objects and resources at runtime. Some use cases such as cloud computing depend on this dynamicity, yet its inclusion also renders the state space intractable to simulation-based verification tools. On the other hand, system architectures for embedded devices are often fixed in the number and properties of isolated tasks, therefore a much simpler, less dynamic hypervisor design would suffice. We close this design gap by presenting Phidias, a new hypervisor consisting of a minimal runtime codebase that is almost devoid of dynamicity, and a comprehensive compile-time configuration framework. We then leverage this lack of dynamic components to non-interactively verify the validity of certain invariants. Specifically, we verify hypervisor integrity by subjecting the compiled hypervisor binary to our own symbolic execution engine. Finally, we discuss our results, point out possible improvements, and hint at unexplored characteristics of a static hypervisor design.

References

[1]

Mike Accetta, Robert Baron, William Bolosky, David Golub, Richard Rashid, Avadis Tevanian, and Michael Young. 1986. Mach: A new kernel foundation for UNIX development. In Summer Conference Proceedings 1986, Vol. 4. USENIX Association, 64--75.

[2]

Eyad Alkassar, Mark A Hillebrand, Wolfgang Paul, and Elena Petrova. 2010. Automated verification of a small hypervisor. In International Conference on Verified Software: Theories, Tools, and Experiments. Springer, 40--54.

[3]

Eyad Alkassar, Wolfgang J Paul, Artem Starostin, and Alexandra Tsyban. 2010. Pervasive verification of an OS microkernel. In International Conference on Verified Software: Theories, Tools, and Experiments. Springer, 71--85.

[4]

ARM Holdings. 2014. ARM architecture reference manual ARMv7-A and ARMv7-R edition. http://infocenter.arm.com/help/topic/com.arm.doc.ddi0406c/.

[5]

ARM Holdings. 2016. ARMv8-A reference manual (Issue A.k). http://infocenter.arm.com/help/topic/com.arm.doc.ddi0487a.k_10775/index.html.

[6]

Alasdair Armstrong, Thomas Bauereiss, Brian Campbell, Alastair Reid, Kathryn E. Gray, Robert M. Norton, Prashanth Mundkur, Mark Wassell, Jon French, Christopher Pulte, Shaked Flur, Ian Stark, Neel Krishnaswami, and Peter Sewell. 2019. ISA Semantics for ARMv8-a, RISC-v, and CHERI-MIPS. Proc. ACM Program. Lang. 3, POPL, Article 71 (Jan. 2019), 31 pages.

Digital Library

[7]

AUTOSAR. 2019. AUTOSAR Standards. https://www.autosar.org/standards.

[8]

Paul Barham, Boris Dragovic, Keir Fraser, Steven Hand, Tim Harris, Alex Ho, Rolf Neugebauer, Ian Pratt, and Andrew Warfield. 2003. Xen and the art of virtualization. ACM SIGOPS Operating Systems Review 37, 5 (2003), 164--177.

Digital Library

[9]

Andrew Baumann, Paul Barham, Pierre-Evariste Dagand, Tim Harris, Rebecca Isaacs, Simon Peter, Timothy Roscoe, Adrian Schüpbach, and Akhilesh Singhania. 2009. The multikernel: a new OS architecture for scalable multicore systems. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles. ACM, 29--44.

Digital Library

[10]

Christoph Baumann, Mads Dam, Viktor Do, Christian Gehrmann, Roberto Guanciale, Narges Khakpour, Hamed Nemati, Oliver Schwarz, and Arash Vahidi. 2016. Verifying a security hypervisor. http://www.vinnova.se/PageFiles/751327324/A10%20SSF%20PROSPER%20poster.pdf

[11]

Christoph Baumann, Mats Näslund, Christian Gehrmann, Oliver Schwarz, and Hans Thorsen. 2016. A high assurance virtualization platform for ARMv8. In Networks and Communications (EuCNC), 2016 European Conference on. IEEE, 210--214.

[12]

Christoph Baumann, Oliver Schwarz, and Mads Dam. 2017. Compositional Verification of Security Properties for Embedded Execution Platforms. In PROOFS 2017. 6th International Workshop on Security Proofs for Embedded Systems, Vol. 49. 1--16.

[13]

Allan Blanchard, Nikolai Kosmatov, Matthieu Lemerre, and Frédéeric Loulergue. 2015. A case study on formal verification of the Anaxagoros hypervisor paging system with Frama-C. In International Workshop on Formal Methods for Industrial Critical Systems. Springer, 15--30.

[14]

Cristian Cadar and Koushik Sen. 2013. Symbolic execution for software testing: three decades later. Commun. ACM 56, 2 (2013), 82--90.

Digital Library

[15]

Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2012. The S2E Platform: Design, Implementation, and Applications. ACM Trans. Comput. Syst. 30, 1, Article 2 (Feb. 2012), 49 pages.

Digital Library

[16]

Ernie Cohen, Markus Dahlweid, Mark Hillebrand, Dirk Leinenbach, Michał Moskal, Thomas Santen, Wolfram Schulte, and Stephan Tobies. 2009. VCC: A practical system for verifying concurrent C. In International Conference on Theorem Proving in Higher Order Logics. Springer, 23--42.

Digital Library

[17]

Alfons Crespo, Ismael Ripoll, and Miguel Masmano. 2010. Partitioned embedded architecture based on hypervisor: The XtratuM approach. In Dependable Computing Conference (EDCC), 2010 European. IEEE, 67--72.

Digital Library

[18]

Christoffer Dall, Shih-Wei Li, and Jason Nieh. 2017. Optimizing the Design and Implementation of the Linux ARM Hypervisor. In 2017 USENIX Annual Technical Conference (USENIX ATC 17). USENIX Association, Santa Clara, CA, 221--233. https://www.usenix.org/conference/atc17/technical-sessions/presentation/dall

[19]

Christoffer Dall and Jason Nieh. 2014. KVM/ARM: the design and implementation of the Linux ARM hypervisor. ACM SIGARCH Computer Architecture News 42, 1 (2014), 333--348.

Digital Library

[20]

Leonardo De Moura and Nikolaj Bjørner. 2008. Z3: an efficient SMT solver. In International conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, 337--340.

Digital Library

[21]

devicetree.org Technical Steering Committee. 2020. Device Tree specification (v0.3). https://www.devicetree.org.

[22]

Adam Dunkels. 2001. Design and implementation of the lwIP TCP/IP stack. Swedish Institute of Computer Science 2 (2001), 77.

[23]

Embedded Microprocessor Benchmark Consortium (EEMBC). 2012. CoreMark CPU benchmark. https://www.eembc.org/coremark/

[24]

Kevin Elphinstone and Gernot Heiser. 2013. From L3 to seL4: what have we learnt in 20 years of L4 microkernels?. In Proceedings of the Twenty-Fourth ACM Symposium on Operating Systems Principles (Farminton, Pennsylvania) (SOSP '13). ACM, 133--150.

Digital Library

[25]

Shaked Flur, Kathryn E Gray, Christopher Pulte, Susmit Sarkar, Ali Sezgin, Luc Maranget, Will Deacon, and Peter Sewell. 2016. Modelling the ARMv8 architecture, operationally: concurrency and ISA. In ACM SIGPLAN Notices, Vol. 51. ACM, 608--621.

Digital Library

[26]

Keir Fraser and Martine J. Silbermann. 2006. Resizing memory with balloons and hotplug. In Proceedings of the Linux Symposium. 313--319.

[27]

Ronghui Gu, Zhong Shao, Hao Chen, Xiongnan (Newman) Wu, Jieung Kim, Vilhelm Sjöberg, and David Costanzo. 2016. CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels. In 12th USENIX Symposium on Operating Systems Design and Implementation (OSDI 16). USENIX Association, Savannah, GA, 653--669. https://www.usenix.org/conference/osdi16/technical-sessions/presentation/gu

Digital Library

[28]

Trevor Hansen, Peter Schachte, and Harald Søndergaard. 2009. State joining and splitting for the symbolic execution of binaries. In International Workshop on Runtime Verification. Springer, 76--92.

Digital Library

[29]

Gernot Heiser and Ben Leslie. 2010. The OKL4 microvisor: convergence point of microkernels and hypervisors. In Proceedings of the first ACM Asia-Pacific Workshop on Systems. ACM, 19--24.

Digital Library

[30]

Joo-Young Hwang, Sang-Bum Suh, Sung-Kwan Heo, Chan-Ju Park, Jae-Min Ryu, Seong-Yeol Park, and Chul-Ryun Kim. 2008. Xen on ARM: system virtualization using Xen hypervisor for ARM-based secure mobile phones. In 5th IEEE Consumer Communications and Networking Conference (CCNC). IEEE, 257--261.

[31]

Imagination Technologies. 2013. MIPS virtualization. https://www.imgtec.com/mips/architectures/virtualization/.

[32]

Eric Keller, Jakub Szefer, Jennifer Rexford, and Ruby B. Lee. 2010. NoHype: Virtualized Cloud Infrastructure Without the Virtualization. In Proceedings of the 37th Annual International Symposium on Computer Architecture (Saint-Malo, France) (ISCA '10). ACM, New York, NY, USA, 350--361.

Digital Library

[33]

James C. King. 1976. Symbolic Execution and Program Testing. Commun. ACM 19, 7 (1976), 385--394.

Digital Library

[34]

Avi Kivity, Yaniv Kamay, Dor Laor, Uri Lublin, and Anthony Liguori. 2007. KVM: the Linux virtual machine monitor. In Proceedings of the Linux symposium, Vol. 1. 225--230.

[35]

Gerwin Klein. 2009. Operating system verification---an overview. Sadhana 34, 1 (2009), 27--69.

[36]

Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, et al. 2009. seL4: formal verification of an OS kernel. In Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles. ACM, 207--220.

Digital Library

[37]

Adam Lackorzynski and Alexander Warg. 2009. Taming subsystems: capabilities as universal resource access control in L4. In Proceedings of the second Workshop on Isolation and Integration in Embedded Systems. ACM, 25--30.

Digital Library

[38]

Dirk Leinenbach and Thomas Santen. 2009. Verifying the Microsoft Hyper-V hypervisor with VCC. In International Symposium on Formal Methods. Springer, 806--809.

Digital Library

[39]

Xavier Leroy. 2009. Formal Verification of a Realistic Compiler. Commun. ACM 52, 7 (July 2009), 107--115.

Digital Library

[40]

Jochen Liedtke. 1994. Improving IPC by kernel design. In ACM SIGOPS Operating Systems Review, Vol. 27. ACM, 175--188.

[41]

Jochen Liedtke. 1995. On micro-kernel construction. Vol. 29. ACM.

[42]

Jochen Liedtke. 1996. Toward real microkernels. Commun. ACM 39, 9 (1996), 70--77.

Digital Library

[43]

Jochen Liedtke, Kevin Elphinstone, Sebastian Schonberg, Hermarill Härtig, Gernot Heiser, Nahina Islam, and Trent Jaeger. 1997. Achieved IPC performance (still the foundation for extensibility). In The 6th Workshop on Hot Topics in Operating Systems. IEEE, 28--31.

[44]

Miguel Masmano, Ismael Ripoll, Alfons Crespo, and J Metge. 2009. XtratuM: a hypervisor for safety critical embedded systems. In 11th Real-Time Linux Workshop. Citeseer, 263--272.

[45]

Dimiter Milushev, Wim Beck, and Dave Clarke. 2012. Noninterference via Symbolic Execution. In Formal Techniques for Distributed Systems, Holger Giese and Grigore Rosu (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 152--168.

[46]

Toby Murray, Daniel Matichuk, Matthew Brassil, Peter Gammie, and Gerwin Klein. 2012. Noninterference for Operating System Kernels. In Certified Programs and Proofs, Chris Hawblitzel and Dale Miller (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 126--142.

[47]

Luke Nelson, Helgi Sigurbjarnarson, Kaiyuan Zhang, Dylan Johnson, James Bornholt, Emina Torlak, and Xi Wang. 2017. Hyperkernel: Push-Button Verification of an OS Kernel. In Proceedings of the 26th Symposium on Operating Systems Principles (Shanghai, China) (SOSP '17). Association for Computing Machinery, New York, NY, USA, 252--269.

Digital Library

[48]

John K Ousterhout et al. 1982. Scheduling techniques for concurrent systems. In ICDCS, Vol. 82. 22--30.

[49]

David A Ramos and Dawson Engler. 2015. Under-constrained symbolic execution: correctness checking for real code. In 24th USENIX Security Symposium (USENIX Security 15). 49--64.

[50]

Edward J Schwartz, Thanassis Avgerinos, and David Brumley. 2010. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Security and privacy (SP), 2010 IEEE symposium on. IEEE, 317--331.

Digital Library

[51]

Arvind Seshadri, Mark Luk, Ning Qu, and Adrian Perrig. 2007. SecVisor: A tiny hypervisor to provide lifetime kernel code integrity for commodity OSes. In ACM SIGOPS Operating Systems Review, Vol. 41. ACM, 335--350.

Digital Library

[52]

Thomas Arthur Leck Sewell, Magnus O Myreen, and Gerwin Klein. 2013. Translation validation for a verified OS kernel. ACM SIGPLAN Notices 48, 6 (2013), 471--482.

Digital Library

[53]

Takahiro Shinagawa, Hideki Eiraku, Kouichi Tanimoto, Kazumasa Omote, Shoichi Hasegawa, Takashi Horie, Manabu Hirano, Kenichi Kourai, Yoshihiro Oyama, Eiji Kawai, et al. 2009. Bitvisor: a thin hypervisor for enforcing i/o device security. In Proceedings of the 2009 ACM International Conference on Virtual Execution Environments. ACM, 121--130.

Digital Library

[54]

Y. Shoshitaishvili, R. Wang, C. Salls, N. Stephens, M. Polino, A. Dutcher, J. Grosen, S. Feng, C. Hauser, C. Kruegel, and G. Vigna. 2016. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis. In 2016 IEEE Symposium on Security and Privacy (SP). 138--157.

[55]

Udo Steinberg and Bernhard Kauer. 2010. NOVA: a microhypervisor-based secure virtualization architecture. In Proceedings of the 5th European conference on Computer systems. ACM, 209--222.

Digital Library

[56]

Tachio Terauchi and Alex Aiken. 2005. Secure Information Flow as a Safety Problem. In Proceedings of the 12th International Conference on Static Analysis (London, UK) (SAS'05). Springer-Verlag, Berlin, Heidelberg, 352--367.

Digital Library

[57]

Amit Vasudevan, Sagar Chaki, Limin Jia, Jonathan McCune, James Newsome, and Anupam Datta. 2013. Design, implementation and verification of an extensible and modular hypervisor framework. In Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 430--444.

Digital Library

[58]

Alexander Vaynberg and Zhong Shao. 2012. Compositional verification of a baby virtual memory manager. In International Conference on Certified Programs and Proofs. Springer, 143--159.

Digital Library

[59]

David von Oheimb. 2004. Information Flow Control Revisited: Non-influence = Noninterference + Nonleakage. In Computer Security - ESORICS 2004, Pierangela Samarati, Peter Ryan, Dieter Gollmann, and Refik Molva (Eds.). Springer Berlin Heidelberg, Berlin, Heidelberg, 225--243.

[60]

W3C. 2004. XML Schema Part 0: Primer. http://www.w3.org/TR/xmlschema-0/.

[61]

Fengwei Xu, Ming Fu, Xinyu Feng, Xiaoran Zhang, Hui Zhang, and Zhaohui Li. 2016. A practical verification framework for preemptive OS kernels. In Proceedings of the 28th Conference on Computer Aided Verification.

[62]

Arseniy Zaostrovnykh, Solal Pirelli, Rishabh Iyer, Matteo Rizzo, Luis Pedrosa, Katerina Argyraki, and George Candea. 2019. Verifying Software Network Functions with No Verification Expertise. In Proceedings of the 27th ACM Symposium on Operating Systems Principles (Huntsville, Ontario, Canada) (SOSP '19). Association for Computing Machinery, New York, NY, USA, 275--290.

Digital Library

Cited By

Dai ZLiu SSjoberg VLi XChen YWang WJia YAnderson SElbeheiry LSondhi SZhang YNi ZYan SGu RHe ZTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Verifying Rust Implementation of Page Tables in a Software Enclave HypervisorProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 210.1145/3620665.3640398(1218-1232)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620665.3640398
Röckl JProtsenko MHuber MMüller TFreiling F(2021)Advanced System Resiliency Based on Virtualization Techniques for IoT DevicesProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3485836(455-467)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3485836
Nicole OLemerre MBardin SRival X(2021)No Crash, No Exploit: Automated Verification of Embedded Kernels2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS)10.1109/RTAS52030.2021.00011(27-39)Online publication date: May-2021
https://doi.org/10.1109/RTAS52030.2021.00011
Show More Cited By

Index Terms

Design of a symbolically executable embedded hypervisor

Recommendations

Fast and live hypervisor replacement
VEE 2019: Proceedings of the 15th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments

Hypervisors are increasingly complex and must be often updated for applying security patches, bug fixes, and feature upgrades. However, in a virtualized cloud infrastructure, updates to an operational hypervisor can be highly disruptive. Before being ...
Optimizing I/O performance in ViMo-S hypervisor with zero-copy method
ICSCA '17: Proceedings of the 6th International Conference on Software and Computer Applications

ARM CPU is expanding into server market with the introduction of virtualization extensions. Virtualization is one of the key technologies that is commonly employed in servers. Virtualization is provided by hypervisor and ViMo-S is a prototype hypervisor ...
Virtual Machine Migration Method between Different Hypervisor Implementations and Its Evaluation
WAINA '12: Proceedings of the 2012 26th International Conference on Advanced Information Networking and Applications Workshops

Virtualization technologies are an important building block for cloud services. Each service will run on virtual machines (VMs) deployed over different hyper visors in the future. Therefore, a VM migration method between different hyper visor ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

EuroSys '20: Proceedings of the Fifteenth European Conference on Computer Systems

April 2020

49 pages

ISBN:9781450368827

DOI:10.1145/3342195

General Chairs:
Angelos Bilas
University of Crete and FORTH-ICS
,
Kostas Magoutis
University of Crete and FORTH-ICS
,
Evangelos Markatos
University of Crete and FORTH-ICS
,
Program Chairs:
Dejan Kostic
KTH Royal Institute of Technology, Sweden
,
Margo Seltzer
The University of British Columbia, Canada

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGOPS: ACM Special Interest Group on Operating Systems

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 17 April 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

EuroSys '20

Sponsor:

SIGOPS

EuroSys '20: Fifteenth EuroSys Conference 2020

April 27 - 30, 2020

Heraklion, Greece

Acceptance Rates

EuroSys '20 Paper Acceptance Rate 43 of 234 submissions, 18%;

Overall Acceptance Rate 241 of 1,308 submissions, 18%

Upcoming Conference

EuroSys '25

Sponsor:
sigops

Twentieth European Conference on Computer Systems

March 30 - April 3, 2025

Rotterdam , Netherlands

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
682
Total Downloads

Downloads (Last 12 months)38
Downloads (Last 6 weeks)6

Reflects downloads up to 20 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Dai ZLiu SSjoberg VLi XChen YWang WJia YAnderson SElbeheiry LSondhi SZhang YNi ZYan SGu RHe ZTsafrir DMusuvathi MGupta RAbu-Ghazaleh N(2024)Verifying Rust Implementation of Page Tables in a Software Enclave HypervisorProceedings of the 29th ACM International Conference on Architectural Support for Programming Languages and Operating Systems, Volume 210.1145/3620665.3640398(1218-1232)Online publication date: 27-Apr-2024
https://dl.acm.org/doi/10.1145/3620665.3640398
Röckl JProtsenko MHuber MMüller TFreiling F(2021)Advanced System Resiliency Based on Virtualization Techniques for IoT DevicesProceedings of the 37th Annual Computer Security Applications Conference10.1145/3485832.3485836(455-467)Online publication date: 6-Dec-2021
https://dl.acm.org/doi/10.1145/3485832.3485836
Nicole OLemerre MBardin SRival X(2021)No Crash, No Exploit: Automated Verification of Embedded Kernels2021 IEEE 27th Real-Time and Embedded Technology and Applications Symposium (RTAS)10.1109/RTAS52030.2021.00011(27-39)Online publication date: May-2021
https://doi.org/10.1109/RTAS52030.2021.00011
Vasudevan AManiatis PMartins R(2020)überSparkACM SIGOPS Operating Systems Review10.1145/3421473.342147654:1(8-22)Online publication date: 31-Aug-2020
https://dl.acm.org/doi/10.1145/3421473.3421476

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents