A brief tour about F9 microkernel and BitSec hypervisor
These slides do not cover every aspect of the two kernels; they focus on a few points in each.
F9 microkernel repo: https://github.com/f9micro/f9-kernel
Impress template from: http://technology.chtsai.org/impress/
1. A tour of F9 microkernel and BitSec hypervisor
Louie Lu (呂紹榕) <louie.lu@hopebaytech.com>
11/24 @ ARRC Tainan
5. 11/25/16 5
● From 2nd gen to 3rd gen microkernel
2nd Generation microkernel
L3
Qualitative improvement of IPC performance
22 times faster than Mach
1993 [Jochen Liedtke]
L4 family
started in 1995, V2 ABI close to L3
Fiasco, the first high-level-language (C++) and open-source L4 microkernel
L4Ka::Pistachio
OKL4, from OK Labs
8. 2nd Generation microkernel
Issues with the ad-hoc design
Global thread name space => covert channel
Threads as IPC target => insufficient encapsulation
Single kernel memory pool => DoS attack
Insufficient delegation of authority
9. 3rd Generation microkernel, focus on...
Capability Model
CNode, Caps in seL4
fine-grained permission control
Fewer system calls (seL4 only has 3 syscalls)
Clear semantics (Async EndPoint ...etc)
Formal Verification
seL4 [SOSP'09]
Verve [PLDI'10]
FSCQ [SOSP'15]
mCertiKOS [POPL'15]
CoGENT [ASPLOS'16]
12. Formal Verification
seL4 [SOSP'09]
mCertiKOS [POPL'15]
verified sequential kernels
13. Formal Verification
Ironclad [OSDI'14]
verified software stack
14. Formal Verification
FSCQ [SOSP'15]
CoGENT [ASPLOS'16]
verified sequential file systems
16. Formal Verification – Concurrent Memory kernel ?
from certikos-osdi16
18. Formal Verification – Concurrent Memory kernel ?
CertiKOS [OSDI'16]
Solves the problem
global changes
I/O concurrency
fine-grained locks
liveness
compiler
cost...
19. The still-unsolved problems (from L3 to seL4, 20 years)
Principled, policy-free control of CPU time.
Handling of multicore processors in the age of verification.
23. F9 microkernel - MPU
Protected Memory System Architecture (PMSAv7)
ARMv7-M supports PMSAv7
MPU
Supports 8 memory regions
Provides access permission control
Provides a per-region execute permission setting
24. F9 microkernel - MPU
MPU Registers
MPU_TYPE - Type Register
MPU_CTRL - Control Register
MPU_RNR - Region Number Register
MPU_RBAR - Region Base Address Register
MPU_RASR - Region Attribute and Size Register
25. F9 microkernel - MPU
MPU – Region Number Register
Selects the region to read or write
affects which region RBAR and RASR refer to
26. F9 microkernel - MPU
MPU – Region Base Address Register
Sets the base address of the region
Sets whether the region is valid
Can also select which region is written
So you may write this register without setting RNR first
41. F9 microkernel – Address Space
Address Space API
as_t *as_create(uint32_t as_spaceid);
(call sites and implementation were shown as code on slides 41-42)
43. F9 microkernel – Address Space
Address Space API
void as_map_user(as_t *as);
Maps user text, data and hardware device memory
void as_map_ktext(as_t *as);
Maps kernel text and data
44. F9 microkernel – Address Space
Address Space API
void as_setup_mpu(as_t *as, memptr_t sp, memptr_t pc, memptr_t stack_base, size_t stack_size);
45. F9 microkernel – Address Space
Address Space API
as_setup_mpu
protects the stack fpages first
then the fpage holding PC
then the always-mapped fpages
then the others
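The two MPU points above, writing RBAR with the region selected in the register itself (slide 26) and filling the 8 regions in the stack / PC / always-mapped / other order (slide 45), as an added example in C. This is not F9 code: struct fpage, the fpage_kind classes, mpu_encode and mpu_setup are hypothetical stand-ins; only the MPU_RBAR/MPU_RASR bit layout is the real PMSAv7 one. Sizes must be powers of two of at least 32 bytes and bases must be size-aligned, so the encoder rejects anything else instead of programming a region the hardware would mis-decode.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

#define MPU_MAX_REGIONS 8

/* MPU_RBAR fields (ARMv7-M PMSAv7): ADDR in bits [31:5], VALID bit 4,
 * REGION bits [3:0]. With VALID set, a write to RBAR also selects the
 * region, which is why RNR does not have to be written first. */
#define RBAR_ADDR_MASK  0xFFFFFFE0u
#define RBAR_VALID      (1u << 4)
#define RBAR_REGION(n)  ((uint32_t)(n) & 0xFu)

/* MPU_RASR fields: ENABLE bit 0, SIZE bits [5:1] (region = 2^(SIZE+1)
 * bytes), AP bits [26:24], XN bit 28. */
#define RASR_ENABLE     (1u << 0)
#define RASR_SIZE(s)    (((uint32_t)(s) & 0x1Fu) << 1)
#define RASR_AP_RW_RW   (3u << 24)   /* privileged RW, unprivileged RW */
#define RASR_AP_RW_RO   (2u << 24)   /* privileged RW, unprivileged RO */
#define RASR_XN         (1u << 28)   /* execute never */

/* Priority classes in the order as_setup_mpu installs them (from the slide). */
enum fpage_kind { FP_STACK = 0, FP_PC, FP_ALWAYS, FP_OTHER };

struct fpage {                /* hypothetical stand-in for F9's fpage */
    uint32_t base;
    uint32_t size;            /* power of two, at least 32 */
    bool writable;
    bool executable;
    enum fpage_kind kind;
};

struct mpu_region { uint32_t rbar, rasr; };

/* RASR SIZE field for a region, or -1 if the size is not a power of two
 * >= 32 or the base is not aligned to the size (both PMSAv7 requirements). */
static int mpu_size_field(uint32_t base, uint32_t size)
{
    if (size < 32 || (size & (size - 1)) != 0 || (base & (size - 1)) != 0)
        return -1;
    int log2 = 0;
    while ((1u << log2) != size)
        log2++;
    return log2 - 1;
}

/* Encode one fpage into the RBAR/RASR pair for MPU slot `slot`. */
static bool mpu_encode(const struct fpage *fp, unsigned slot, struct mpu_region *out)
{
    int sz = mpu_size_field(fp->base, fp->size);
    if (sz < 0 || slot >= MPU_MAX_REGIONS)
        return false;
    out->rbar = (fp->base & RBAR_ADDR_MASK) | RBAR_VALID | RBAR_REGION(slot);
    out->rasr = RASR_ENABLE | RASR_SIZE(sz)
              | (fp->writable ? RASR_AP_RW_RW : RASR_AP_RW_RO)
              | (fp->executable ? 0u : RASR_XN);
    return true;
}

/* Fill the 8 slots in priority order: stack fpages, then the fpage holding
 * PC, then always-mapped fpages, then the rest. Whatever does not fit stays
 * unmapped, so an access to it faults rather than being silently allowed. */
static unsigned mpu_setup(const struct fpage *fps, size_t n,
                          struct mpu_region regs[MPU_MAX_REGIONS])
{
    unsigned slot = 0;
    for (int kind = FP_STACK; kind <= FP_OTHER; kind++)
        for (size_t i = 0; i < n && slot < MPU_MAX_REGIONS; i++)
            if (fps[i].kind == kind && mpu_encode(&fps[i], slot, &regs[slot]))
                slot++;
    return slot;
}

/* Constructed sample layout (typical Cortex-M4 flash/SRAM addresses). */
static struct mpu_region demo_regs[MPU_MAX_REGIONS];

static unsigned demo_setup(void)
{
    static const struct fpage fps[] = {
        { 0x20000000u, 0x1000u,  true,  false, FP_OTHER }, /* task data  */
        { 0x08000000u, 0x20000u, false, true,  FP_PC    }, /* task text  */
        { 0x20004000u, 0x400u,   true,  false, FP_STACK }, /* task stack */
    };
    return mpu_setup(fps, sizeof fps / sizeof fps[0], demo_regs);
}

int main(void)
{
    unsigned n = demo_setup();
    for (unsigned i = 0; i < n; i++)
        printf("slot %u: RBAR=%08" PRIx32 " RASR=%08" PRIx32 "\n",
               i, demo_regs[i].rbar, demo_regs[i].rasr);
    return 0;
}
```

The stack lands in slot 0 and the text page in slot 1 regardless of the order in the input array; the data page gets XN because it is not marked executable, and the text page gets unprivileged read-only access. On a real Cortex-M the two computed words would be written to MPU_RBAR and MPU_RASR in that order, with MPU_CTRL enabling the unit afterwards.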
46. F9 microkernel – Memory management
System calls are provided to manage address spaces:
Grant: The memory page is granted to a new user and cannot be used anymore by its former user.
Map: This implements shared memory – the memory page is passed to another task but can be used by both tasks. (as_map_user/ktext)
Flush: The memory page that has been mapped to other users will be flushed out of their address space. (unmap_fpage)
50. F9 microkernel – Memory management
Recursive Address Space:
Initial address space controlled by the first process.
Controls all available memory
Other address spaces empty at boot
In F9 microkernel, the root thread is the holder of the initial address space
Other processes (threads) obtain memory pages from the first one, or from other processes that got the page from their parent
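Grant, Map and Flush (slides 46-49) together with the recursive address space (slides 50-53), as an added example in C that is not F9's own code. The mapping database, struct mapping, fpage_map, fpage_grant and fpage_flush are hypothetical: the point they show is that every page a task holds is a node in a tree rooted at the root thread's address space, that Map adds a child node while Grant just moves the node to the new owner, and that Flush walks the subtree so a page revoked at the top disappears from everyone who got it transitively, whichever task it passed through.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAPPINGS 32
#define NO_MAPPING   (-1)
#define ROOT_AS      0u          /* address space of the root thread */

/* One fpage held by one address space. A page received through Map or
 * Grant records the mapping it was derived from; that back-link is what
 * lets Flush find every transitive recipient. */
struct mapping {
    bool     used;
    uint32_t as;        /* owning address space id */
    uint32_t base;      /* fpage base address */
    uint32_t size;
    int      parent;    /* mapping this one came from, or NO_MAPPING */
};

static struct mapping maps[MAX_MAPPINGS];   /* hypothetical mapping database */

static int map_alloc(uint32_t as, uint32_t base, uint32_t size, int parent)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (!maps[i].used) {
            maps[i] = (struct mapping){ true, as, base, size, parent };
            return i;
        }
    return NO_MAPPING;
}

/* Index of the mapping through which `as` holds the fpage at `base`. */
static int map_find(uint32_t as, uint32_t base)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (maps[i].used && maps[i].as == as && maps[i].base == base)
            return i;
    return NO_MAPPING;
}

static bool as_has(uint32_t as, uint32_t base) { return map_find(as, base) != NO_MAPPING; }

static int as_page_count(uint32_t as)
{
    int n = 0;
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (maps[i].used && maps[i].as == as) n++;
    return n;
}

/* Boot: the root address space holds every fpage, all others are empty. */
static void as_boot(const uint32_t *bases, const uint32_t *sizes, size_t n)
{
    memset(maps, 0, sizeof maps);
    for (size_t i = 0; i < n; i++)
        map_alloc(ROOT_AS, bases[i], sizes[i], NO_MAPPING);
}

/* Map: share `base` from `src` into `dst`; both can use it afterwards.
 * `src` must hold the page itself, which is what makes delegation recursive. */
static bool fpage_map(uint32_t src, uint32_t dst, uint32_t base)
{
    int m = map_find(src, base);
    if (m == NO_MAPPING || as_has(dst, base))
        return false;
    return map_alloc(dst, base, maps[m].size, m) != NO_MAPPING;
}

/* Grant: hand `base` to `dst`; `src` loses it. Only the owner of the node
 * changes, so pages `src` had already passed on stay under the same node. */
static bool fpage_grant(uint32_t src, uint32_t dst, uint32_t base)
{
    int m = map_find(src, base);
    if (m == NO_MAPPING || as_has(dst, base))
        return false;
    maps[m].as = dst;
    return true;
}

/* Flush (unmap): revoke `base` from everyone who got it, directly or
 * transitively, from `as`; `as` itself keeps the page. */
static void flush_subtree(int root)
{
    for (int i = 0; i < MAX_MAPPINGS; i++)
        if (maps[i].used && maps[i].parent == root) {
            flush_subtree(i);
            maps[i].used = false;
        }
}

static bool fpage_flush(uint32_t as, uint32_t base)
{
    int m = map_find(as, base);
    if (m == NO_MAPPING)
        return false;
    flush_subtree(m);
    return true;
}

/* Constructed memory layout: two 4 KiB SRAM fpages, both owned by root. */
static void demo_boot(void)
{
    static const uint32_t bases[] = { 0x20000000u, 0x20001000u };
    static const uint32_t sizes[] = { 0x1000u, 0x1000u };
    as_boot(bases, sizes, 2);
}
```

A task that holds nothing cannot map anything to anyone, so authority over memory can only flow down from the root thread; and because Grant keeps the node's parent link, a page granted onward is still revoked when the original holder flushes it, which is the property the recursive address space is meant to guarantee.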
55. F9 microkernel – Debugging Tools
KDB
In-kernel debugger is built and run at boot by default
supports multiple useful commands
easy to add new commands
63. F9 microkernel – The Bug
The Bug
The one that really mattered
Adding a new feature to l4test (a test suite from Pistachio)
IPC testing via local destination Id
73. BitSec
BitSec is......
BitSec is a microkernel intended for high-reliability embedded applications on ARMv7-M architecture processors, such as the Cortex-M4.
BitSec is a third-generation microkernel. Its design is heavily inspired by EROS/KeyKOS, MINIX 3, and the L4 family, particularly seL4.
74. BitSec
BitSec, like other third-generation microkernels:
Focuses on minimality and security,
Expresses all authority through explicit capabilities,
Moves other mechanisms with security implications outside the kernel,
Blurs the line between a traditional microkernel and a hypervisor, and
Targets a very small kernel codebase (in BitSec’s case, less than 2500 sloccount lines of code).
77. BitSec
BitSec is not...
A complete operating system
By analogy: putting the Linux kernel on a computer doesn’t allow one to run Firefox. Linux is only a kernel; there’s a whole lot of operating system that must be added to make a complete system.
This is even more true of BitSec than of Linux, because BitSec’s design is so minimal. Like other third-generation microkernels, BitSec doesn’t even include hardware drivers in the kernel.
80. BitSec - Key
BitSec capability: Key
Conceptually, a Key combines
A reference to a kernel object
A set of operations on that object that the key enables
81. BitSec - Key
BitSec capability: Key
In the implementation, a key is a kernel data structure built from three parts:
A brand, which distinguishes kinds of keys to a particular object from one another
A generation, which distinguishes keys to successive objects, created in the same location, from one another.
A pointer to a kernel object.
83. BitSec - Key
BitSec capability: Key
(the key struct was shown as code on the slide)
keys can be freely copied but not directly created
mint the key from the object table
84. BitSec - Key
BitSec capability: Key
Brands
64-bit value chosen when the key was created (minted)
indelible, cannot be altered except by minting a new key
programs cannot discover the brand of keys they hold
when a key is copied, the copies bear the same brand
85. BitSec - Key
BitSec capability: Key
keys can be freely copied but not directly created
mint the key from the object table
programs can only perform three operations on a key:
Copy the key into a different key register
Send a message to the object designated by the key
Receive a message from the object designated by the key
86. BitSec - Key
BitSec capability: Key
keys can be freely copied but not directly created
mint the key from the object table
programs cannot do the following without holding additional authority:
Determine the kind of kernel object designated by a key
Determine if two keys designate the same kernel object
Determine if two keys give the same rights on their designated objects
88. BitSec - Key
BitSec capability: Key
Generations and Revocation
used to provide efficient revocation
When a program invokes a key, the kernel compares the key's generation to the object's generation
If the two match, it proceeds normally
If they do not match, the object has been invalidated
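The key mechanics of slides 81-89 (brand, generation, object pointer; copy but never create; mint from the object table; generation check on invoke; brand interpreted by the object, as the editor's note describes) as an added example in C. It is not BitSec code: BitSec is C++11 and its real struct, object table and message protocol are not on the page, so struct key, struct object, key_mint, key_copy, key_invoke, object_revoke and the BRAND_READ/BRAND_WRITE meaning of the brand bits are all constructed here to show the checks in order, with a trivial counter standing in for a kernel object.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* A kernel object: a trivial counter plus the generation that is bumped
 * whenever the object is destroyed or reused, which revokes every key. */
struct object {
    uint32_t generation;
    int32_t  value;
};

/* BitSec-style key: brand + generation + object pointer. Programs never
 * read these fields; only the kernel interprets them on invoke. */
struct key {
    uint64_t brand;
    uint32_t generation;
    struct object *obj;
};

/* Meaning of brand bits, decided by the counter object (constructed here). */
#define BRAND_READ  (1ull << 0)
#define BRAND_WRITE (1ull << 1)

enum op { OP_READ, OP_INCREMENT };
enum status { ST_OK, ST_REVOKED, ST_DENIED };

#define OBJ_TABLE_SIZE 4
#define KEY_REGS 8
static struct object obj_table[OBJ_TABLE_SIZE];   /* hypothetical object table */
static struct key key_regs[KEY_REGS];             /* one program's key registers */

/* Minting is the privileged path: only code that reaches the object table
 * can create a key, and it chooses the brand at that moment. */
static struct key key_mint(size_t slot, uint64_t brand)
{
    struct key k = { brand, obj_table[slot].generation, &obj_table[slot] };
    return k;
}

/* Copy: the only operation a program has on key state itself; the copy
 * bears the same brand and generation, so it carries the same rights. */
static void key_copy(unsigned dst, unsigned src) { key_regs[dst] = key_regs[src]; }

/* Revoke every outstanding key to the object by bumping its generation;
 * the slot can then be reused and fresh keys minted for the new object. */
static void object_revoke(size_t slot)
{
    obj_table[slot].generation++;
    obj_table[slot].value = 0;
}

/* Invoke: the generation check comes first (a stale key never reaches the
 * object), then the object decides what its brand permits. */
static enum status key_invoke(const struct key *k, enum op op, int32_t *out)
{
    if (k->obj == NULL || k->generation != k->obj->generation)
        return ST_REVOKED;
    switch (op) {
    case OP_READ:
        if (!(k->brand & BRAND_READ)) return ST_DENIED;
        *out = k->obj->value;
        return ST_OK;
    case OP_INCREMENT:
        if (!(k->brand & BRAND_WRITE)) return ST_DENIED;
        k->obj->value++;
        return ST_OK;
    }
    return ST_DENIED;
}

int main(void)
{
    int32_t v = 0;
    key_regs[0] = key_mint(1, BRAND_READ | BRAND_WRITE);
    key_regs[1] = key_mint(1, BRAND_READ);      /* same object, weaker brand */
    key_invoke(&key_regs[0], OP_INCREMENT, &v);
    printf("read-only key increment: %d\n", key_invoke(&key_regs[1], OP_INCREMENT, &v));
    object_revoke(1);
    printf("after revoke: %d\n", key_invoke(&key_regs[0], OP_READ, &v));
    return 0;
}
```

Two keys to the same object differ only in brand, so the read-only copy is refused the increment while the other succeeds; after object_revoke, both keys and any copies of them fail with ST_REVOKED even though they still point at the same slot, and a key minted afterwards works again because it carries the new generation.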
90. BitSec – Object Oriented
BitSec design: Object Oriented
Uses the C++11 standard
Every resource and service that the system can see in the kernel is represented as an object bundling together state and operations on that state.
For example: the Keys
And can be usable from C
95. BitSec – Object Oriented
BitSec design: Object Oriented
And can be usable from C
BitSec is implemented in C++11, but was designed to be usable from legacy languages such as C and assembler.
As FreeRTOS/BitSec is entirely C (and C90 at that), this seems to have worked.
96. BitSec – Future work
BitSec future work
Enhancement of the build system
Porting a guest OS to BitSec (FreeRTOS, Linux, or maybe from scratch)
Formal verification with CoGENT
Adding a network stack?
100. References
CertiKOS: An Extensible Architecture for Building Certified Concurrent OS Kernels
http://flint.cs.yale.edu/certikos/publications/certikos-osdi16.pdf
F9 microkernel & ARM hypervisor
https://hackmd.io/s/r16AUMbJe
F9: A secure microkernel for MMUless embedded systems
https://github.com/grapherd/f9-report
F9: A Secure and Efficient Microkernel Built for Deeply Embedded Systems
http://www.slideshare.net/jserv/f9-microkernel
Technical Report on the BitSec Kernel
OpenOCD general commands
http://openocd.org/doc/html/General-Commands.html
Editor's Notes
Brands allow two keys to the same object to behave differently. The meaning of a brand is entirely up to the object designated by the key. Kernel objects specify the meaning of brands so that the System can mint appropriate keys, but transparent objects (particularly Gates) pass the brand up to programs for interpretation. It may encode access permissions, unique client identifiers, etc.