Provably secure memory isolation for Linux on ARM: Submission to special issue on Verified Information Flow Security
2016 (English)In: Journal of Computer Security, ISSN 0926-227X, E-ISSN 1875-8924, Vol. 24, no 6, 793-837 p.Article in journal (Refereed) Published
The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a memory virtualization platform for ARMv7-A processors. The design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen. It is shown that this mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the processor. We prove memory isolation along with information flow security for an abstract top-level model of the virtualization mechanism. The abstract model is refined down to a transition system closely resembling a C implementation. Additionally, it is demonstrated how the gap between the low-level abstraction and the binary level-can be filled, using tools that check Hoare contracts. The virtualization mechanism is demonstrated on real hardware via a hypervisor hosting Linux and supporting a tamper-proof run-time monitor that provably prevents code injection in the Linux guest.
Place, publisher, year, edition, pages
IOS Press, 2016. Vol. 24, no 6, 793-837 p.
Formal verification, information flow security, separation kernel, hypervisor
Engineering and Technology
Research subject Computer Science
IdentifiersURN: urn:nbn:se:kth:diva-197900DOI: 10.3233/JCS-160558OAI: oai:DiVA.org:kth-197900DiVA: diva2:1054670
FunderSwedish Foundation for Strategic Research
QC 201612122016-12-082016-12-082016-12-12Bibliographically approved