CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward...
Transcript of CertiKOS: A Breakthrough toward Hacker-Resistant Operating ... · CertiKOS: A Breakthrough toward...
CertiKOS: A Breakthrough toward Hacker-Resistant
Operating Systems
Zhong ShaoYale University
January 25, 2018
Acknowledgement: Ronghui Gu, Newman Wu, Hao Chen, Jieung Kim, Jeremie Koenig, Vilhelm Sjoberg, Mengqi Liu, Lionel Rieg, Quentin Carbonneaux, Unsung Lee, Jiyong Shin, David Costanzo, Tahina Ramananandro, Hernan Vanzetto, Shu-Chun Weng, Zefeng Zeng, Zhencao Zhang, Liang Gu, Jan Hoffmann, Joshua Lockerman, and Bryan Ford. This research is supported in part by DARPA CRASH and HACMS programs and NSF SaTC and Expeditions in Computing programs.
Computer System
Motivation
Transportation
Health
Aviation
Environment
Desktop
Mobile
Financial
cloud
Hardware
OS
Applications
Computer System
Motivation
Accident
Life
Loss
Environment
Crash
Mobile
Financial
cloud
Hardware
OS
Applications
Motivation
System Software Runs Everywhere
Software errors
Untrusted No!?Test
$312B cost
Motivation
“”— Edsger Dijkstra
Program testing can be used to show the presence of bugs, but never to show their absence.
“ ”— seL4 [SOSP’09]
Complete formal verification is the only known way to guarantee that a system is free of programming errors.
Motivation
“”— NSF SFM Report[2016]
Formal methods are the only reliable way to achieve security and privacy in computer systems.
“ ”— seL4 [SOSP’09]
Complete formal verification is the only known way to guarantee that a system is free of programming errors.
Motivation
“”— NSF SFM Report[2016]
Formal methods are the only reliable way to achieve security and privacy in computer systems.
mathematically prove
under all inputsunder all execution
program meets specification
rule out entire classes of attacks
Formal Verification
Motivation
System Software Runs Everywhere
Software errors
Untrusted No!?Test
$312B cost
Challenges?
Formal Verification
seL4 [SOSP’09] C 7.5k LOC
Proof 11 py
Asm500 LOCunverified
C1.3k LOCunverified
Challenges: huge proof efforts
Challenges: Compositionality
Asm
Abstraction Gap
C
A Complex System
Asm
Challenges: Compositionality
C
A Complex System
Asm
Challenges: Compositionality
C
Verify
Verify
Verify
VerifyVerify
Verify
Verify
Verify Verify
10 11
8
A Complex System
Asm
Compiler
Challenges: Compositionality
C
Verify
Verify
Verify
VerifyVerify
Verify
Verify
5
42
7 6
9
1
3
Verify
Verify
10
8
5
114
2
7 6
9
1
3
A Complex System
Asm
Compiler
Challenges: Compositionality
C
Complete Verification
multiprocessor
I/O concurrencymulti-thread
fine-grained lock fine-grained lock
Challenges: Concurrency
10 11
8
5
42
7 6
9
1
3
Challenges: Concurrency
1 0 1 18
5
42
7 6
91
3
Challenges: Concurrency
1 0 1 18
5
42
7 6
91
3
CPU i CPU j
fine-grained lock
Complete Verification
Challenges: New Domain
System Verification
Huge gap
Challenges: New Domain
System Verification
Huge gap
Contribution
aim to solve all these challenges
Certified Abstraction LayersCertiKOS
Contribution
Certified Abstraction Layers
1 0 1 18
5
42
7 6
91
3
1 0 1 18
5
42
7 6
91
3
CPU i CPU j
fine-grained lock
untangle
Contribution
Certified Abstraction Layers
verify existing systems
build the next generation sssssssssystem software designed to be reliable
and secure
Contribution
Certified Abstraction Layers
verify existing systems
build the next generation sssssssssystem software certified
Contribution
Certified Abstraction Layers
verify existing systems
System Verification
Huge gapbuild the next generation sssssssssystem software certified
Contribution
Certified Abstraction Layers
System Verification
verify existing systems
build the next generation sssssssssystem software certified
Contribution
Certified Abstraction Layers
Certified System Software
verify existing systems
build the next generation sssssssssystem software certified
Contribution
Certified Abstraction Layers
M1
L
L1
R1
L
M2
L2
R1�
L0
M0
LR0
Contribution
Certified Abstraction Layers
R1
L0
M0
LR0
M1
L
L1
� M2
L2�
�
Contribution
Certified Abstraction Layers
R1
L0
M0
R0
M1
L1
� M2
L2�
�o
CompCertX
R1
L0
M0
R0
M1
L1
� M2
L2�
�o
C
Asm L0
M3
R0�
L3
Asm
R’1
L’0
M’0R’0
M’1
L’1
� M’2
L’2�
�o
CompCertX
R’1
L’0
M’0R’0
M’1
L’1
� M’2
L’2�
�o
C
Asm
Contribution
mC2 [OSDI’16]the first formally certified concurrent OS kernel with fine-grained locks6.5k C&Asm, 2 py
mCertiKOS [POPL’15]certified sequential OS kernels3k C&Asm, 1 py
Security [PLDI’16b] 0.5 py
Interrupt [PLDI’16a] 0.5 py Certified Abstraction
Layers[CCAL 2017]
Contribution
functional correctnessliveness
no stack/integer/buffer overflow
no race condition
Certified System
Software
ContributionmC2
CPU
Seria
l
VGA(Video)
Keyb
oard
IOAP
IC
Legend
Hardware
Driver
drive
Use
Data
Kern. Module
Core 0LAPIC 0
Core 1LAPIC 1
Core 8LAPIC 8...
Memory
Heap
BIO
S
DMA
Spin
Lo
cks
Ticket MCS Container
Alloc Tbl
PMM
IPC
SleepQPendQ
ELF Ldr
Trap & Syscall
Per Core
RdyQ
Scheduler
Thread
Cur TID PCPUPer T
hrea
d
k_stack
TCB
k_contextTSC
Hz
Timer
LAPIC
ProcessVM Monitor
Lib MemSync
. &
Mut
ual
Exclu
.
CVFIFOBBQ ...
Page Map VMM
Serial
VideoConsole Buffer
Kbd
Console
IOAP
IC
APIC
ContributionmC2
Coq
machine-checkable proof
C layers6.1k LOC
400 LOCCompCertX
Asm layers Asm layers�
ContributionmC2
Coq
machine-checkable proof
C layers6.1k LOC
400 LOCCompCertX
Asm layers Asm layers�
Proof AssistantACM Software System Award
Some of the significant results that were accomplished using Coq are proofs for the four color theorem, the development of CompCert (a fully verified compiler for C), the development at Harvard of a verified version of Google's software fault isolation, and most recent, the fully specified and verified hypervisor OS kernel CertiKOS.
“
”— ACM
Deployment
CertiKOS on Landshark, DARPA HACMS
Deployment
CertiKOS on Quadcopter
Build a Certified System
Spin-lock Module
Case Study
CPU 0
KeyboardDriver3
CPU 1
Thread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
11certified objects
specification ofmodules to trust
1
Certified Sequential Layer [POPL’15]
11certified objects
specification ofmodules to trust
1
abs-state
Certified Sequential Layer [POPL’15]
11certified objects
specification ofmodules to trust
1
abs-state
primitives
Certified Sequential Layer [POPL’15]
111
memory
module
Certified Sequential Layer
M
L1
implementation
111
AT
Certified Sequential Layer
L1
M
L2
111
AT
implementation
Certified Sequential Layer
specification
L1
M
L2
111
AT
33
3
implementation
specification
L1
Certified Sequential Layer
M
L2
implementation
Example: Thread Queue
typedef struct tcb { state s; tcb *prev, *next; } tcb;
tcb tcbp[1024];
typedef struct tdq { tcb *head, *tail; } tdq;
tdq* td_queue; C
tcbp[0] tcbp[1] tcbp[2]
3
M
implementation
Example: Thread Queue
typedef struct tcb { state s; tcb *prev, *next; } tcb;
tcb tcbp[1024];
typedef struct tdq { tcb *head, *tail; } tdq;
tdq* td_queue; C
tcbp[0] tcbp[1] tcbp[2]
3
M
implementation
Example: Thread Queue
s0 s1 s2
typedef struct tcb { state s; tcb *prev, *next; } tcb;
tcb tcbp[1024];
typedef struct tdq { tcb *head, *tail; } tdq;
tdq* td_queue; C
tcbp[0] tcbp[1] tcbp[2]
3
M
implementation
Example: Thread Queue
s0 s1 s2
head tail
tcbp[0] tcbp[1] tcbp[2]
typedef struct tcb { state s; tcb *prev, *next; } tcb;
tcb tcbp[1024];
typedef struct tdq { tcb *head, *tail; } tdq;
tdq* td_queue; C
3
M
3
implementation
Example: Thread Queue
tcb* dequeue(tdq* q) { tcb *head, *next; tcb *i = null; if (!q) return i; head = q -> head; if (!head) return i; i = head; next = i -> next;
if (!next) { q -> head = null; q -> tail = null; } else { next -> prev = null; q -> head = next; } return i; }
s0 s1 s2
head tail
C
tcbp[0] tcbp[1] tcbp[2]
M
3
implementation
Example: Thread Queue
tcb* dequeue(tdq* q) { tcb *head, *next; tcb *i = null; if (!q) return i; head = q -> head; if (!head) return i; i = head; next = i -> next;
if (!next) { q -> head = null; q -> tail = null; } else { next -> prev = null; q -> head = next; } return i; }
s0 s1 s2
head tail
C
tcbp[0] tcbp[1] tcbp[2]
M
3
implementation
Example: Thread Queue
tcb* dequeue(tdq* q) { tcb *head, *next; tcb *i = null; if (!q) return i; head = q -> head; if (!head) return i; i = head; next = i -> next;
if (!next) { q -> head = null; q -> tail = null; } else { next -> prev = null; q -> head = next; } return i; }
s0 s1 s2
head tail
C
tcbp[0] tcbp[1] tcbp[2]
M
Coq
Example: Thread Queue
Definition tcbp := ZMap.t state. Definition td_queue := List Z.
3
specification3
L2
Coq
Example: Thread Queue
Definition tcbp := ZMap.t state. Definition td_queue := List Z.
3
specificationtcbp(0) tcbp(1) tcbp(2)
s0 s1 s2
3
L2
Coq
Example: Thread Queue
Definition tcbp := ZMap.t state. Definition td_queue := List Z.
3
specification
s0 s1 s2
tcbp(0) tcbp(1) tcbp(2)
1
td_queue
:: 0 2:: :: nil
3
L2
Example: Thread Queue3
specificationtcbp(0) tcbp(1) tcbp(2)
1
td_queue
:: 0 2:: :: nil
3
implementation
s0 s1 s2
head tail
tcbp[0] tcbp[1] tcbp[2]
R
s0 s1 s2
3
L2
M
Example: Thread Queue
specificationtcbp(0) tcbp(1) tcbp(2)
1
td_queue
:: 0 2:: :: nil
3
Coq
Function dequeue (q) := match q with | head :: q’ => (q’, Some head) | nil => (nil, None) end.
s0 s1 s2
3
L2
Example: Thread Queue
specificationtcbp(0) tcbp(1) tcbp(2)
1
td_queue
0 2:: :: nil
3
Coq
Function dequeue (q) := match q with | head :: q’ => (q’, Some head) | nil => (nil, None) end.
s0 s1 s2
executable
3
L2
Program Context33
specification3
implementation
Simulation Proof
R RM
L1
L2
R
Deep SpecificationL2
M
Deep Specification [POPL’15]
Deep spec captures all we need to know about over
No need to look at again
L2
M L1
M
Any property about can be proved using alone
M
L2
M
L1
L2
R
kernel
MM
TM
PM
Trap
code
seq machine
mCertiKOS
TM
PM
Trap
MM
seq machine
kernelmCertiKOS
mem MM
TM
PM
Trap
memory management
seq machine
kernelmCertiKOS
�
Trap
PM
MM
TM
TM
PM
Trap
mem
thread
proc
trap
seq machine
kernelmCertiKOS
Trap
PM
TM
mem
thread
proc
trap
certified sequential kernelMM
mCertiKOS
seq machine
VM
Trap
VM
mCertiKOS
mem
thread
proc
trap
seq machine virt�
virt�
PM
TM
MM
TrapmCertiKOS
mem
thread
proc
seq machine virt�
virt�VM
VM
PM
TM
MM
trap
vm
TrapmCertiKOS
mem
thread
proc
trap
seq machine virt
virt
vm
VM
PM
TM
MM
certified hypervisor
mCertiKOS [POPL’15]
3k LOC1 person year
Can boot Linux as a guest
Concurrent Framework [OSDI’16]
mem
thread
proc
trap
virt
seq machine
multicore machine CPU3CPU2CPU1CPU0
certified sequential kernel
Concurrent Framework [OSDI’16]
mem
thread
proc
trap
virt
seq machine
multicore machine CPU3CPU2CPU1CPU0
machine liftingcontribution
certifiedconcurrent layer
CPU-local machine CPU0 CPU1 CPU2 CPU3
Concurrent Framework [OSDI’16]
mem
thread
seq machine
spin-lock
CPU-local machine CPU0 CPU1 CPU2 CPU3
multicore machine CPU3CPU2CPU1CPU0
proc
trap
virt
contributionmachine lifting
certifiedconcurrent layer
Concurrent Framework [OSDI’16]
mem
thread
proc
trap
virt
seq machine
spin-lock
CPU-local machine CPU0 CPU1 CPU2
thread-local machine
CPU3
multicore machine CPU3CPU2CPU1CPU0
Certified Concurrent Layers
local certified objects
L1
Certified Concurrent Layers
atomic objects
logical loga sequence of events
L1
x
Certified Concurrent Layers
L1
logical loga sequence of events
atomic objectsx
Certified Concurrent Layers
x
L1
logical loga sequence of events
atomic objects
Certified Concurrent Layers
x
L1
to share
Certified Concurrent Layers
L1
L2
x
fine-grained locking
Concurrent Framework
machine lifting
CPU-local machine CPU0 CPU1 CPU2 CPU3
multicore machine CPU3CPU2CPU1CPU0
x
step 0: raw x86 multicore model
CPU0
CPU1
atom
private
share
atom
0.a
1.a
multicore machine CPU3CPU2CPU1CPU0
atom
private
share
atom
0.a 1.a
CPU0
CPU1
logical log
non-determinism
step 0: raw x86 multicore model
multicore machine CPU3CPU2CPU1CPU0
atom
private
share
atom
0.a
1.a
0 1
1 0
CPU0
CPU1
step 0: raw x86 multicore model
multicore machine CPU3CPU2CPU1CPU0
non-determinism
atom
private
share
atom
0.a
1.a
0 1 1 0
CPU0
CPU1
step 0: raw x86 multicore model
oracle
multicore machine CPU3CPU2CPU1CPU0
non-determinism
atom
private
share
atom
0.a
1.a
0 1 1 0
CPU0
CPU1
step 1: logical hardware scheduler
Ehs
multicore machine CPU3CPU2CPU1CPU0
atom
private
share
atom
0.a 1.a0 1 1 0
CPU0
CPU1
step 1: logical hardware scheduler
Ehs
logical log
multicore machine CPU3CPU2CPU1CPU0
step 1: logical hardware scheduler
Ehs?
multicore machine CPU3CPU2CPU1CPU0
step 2: push/pull memory model
Ehs machine with hardware scheduler
share
shared mem
CPU0
multicore machine CPU3CPU2CPU1CPU0
step 2: push/pull memory model
Ehs machine with hardware scheduler
shareCPU0
shared mem
pull
logical copy
multicore machine CPU3CPU2CPU1CPU0
step 2: push/pull memory model
Ehs machine with hardware scheduler
shareCPU0
shared mem
pull
logical copy
multicore machine CPU3CPU2CPU1CPU0
step 2: push/pull memory model
Ehs machine with hardware scheduler
shareCPU0 pull
shared mem
logical copy
shared mem
CPU1 pull
multicore machine CPU3CPU2CPU1CPU0
race condition
step 2: push/pull memory model
Ehs machine with hardware scheduler
shareCPU0 pull
shared mem
logical copy
push
multicore machine CPU3CPU2CPU1CPU0
step 2: push/pull memory model
Ehs machine with hardware scheduler
shareCPU0 pull push
shared mem
logical copy
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
atom
private
private
atom
0.a
1.a
0 1 1 0
CPU0
CPU1
Ehs
step 3: environment context model
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
atom
private
private
atom
0.a
1.a
1 1 0
CPU0
CPU1
Ehs 0
step 3: environment context model
multicore machine CPU3CPU2CPU1CPU0
0
Ehs machine with hardware scheduler
machine with push/pull model
atom
private
private
atom
0.a
CPU0
CPU1
Ehs
1.a
1 1 0
step 3: environment context model
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
atom
private
private
atom
0.a
CPU0
CPU1
1.a1 1 00E
environment context
step 3: environment context model
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
step 4: remove unnecessary interleaving
CPU i machine CPU j machine
share privateatom pull push
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
step 4: remove unnecessary interleaving
CPU i machine CPU j machine
share privateatom pull push
shuffle
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
step 4: remove unnecessary interleaving
CPU i machine CPU j machine
share privateatom pull push
merge
multicore machine CPU3CPU2CPU1CPU0
Ehs machine with hardware scheduler
machine with push/pull model
CPU i machine CPU j machine
atom
CPU-local machine CPU-local machine
0.a 1.a0 1 1 0logical log
E
seq machine seq machine
Machine Lifting
multicore machine CPU3CPU2CPU1CPU0
Spin-lock Module
Case Study
KeyboardDriver3 Thread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
Build a Certified System
Case Study
KeyboardDriver3 Thread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1Spin-lock Module
Build a Certified System
Acquire Lock Specification
logical copy
safely pull
Acquire Lock Specification
logical copy
safely pull
pull will eventually return
Acquire Lock Specification
logical copy
mutual exclusion liveness
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
pull (i); }
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
get_now
pull
FAIticket
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
FAIticket
get_now getnow
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
FAIticket
get_now getnow
getnow
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
FAIticket
get_now
getnow
getnow
pull
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
FAIticket
get_now
getnow
getnow pull
C
Example: Ticket Lock
liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
FAIticketget_now
getnow
getnow pull
unique t
#CPUs < 264
mutual exclusion
C
Example: Ticket Lock
mutual exclusion liveness+
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
FAIticket
get_now
getnow
getnow pull}bounded
#CPUs is boundeda fair hardware schedulerlock holders will release lock
Example: Ticket Lock
FAIticket
getnow
getnow pull
acq_lock acqlock
acq_lock
C
Example: Ticket Lock
void acq_lock (uint i) {
uint64 t = FAI_ticket (i);
while ( get_now (i) != t) { }
u ll (i); }
FAI_ticket
pull
get_now < mutual exclusion will beviolated when there is an integer overflow for t
bug in the originalimplementation
3
Spin-lock Module
Case Study
KeyboardDriverThread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
Build a Certified System
3
Case Study
KeyboardDriverThread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
Build a Certified System
Spin-lock Module
Example: Shared Thread Queue
dequeue
local memory
Example: Shared Thread Queue
dequeue
local memory
Example: Shared Thread Queue
dequeue
shared memory
logicalcopy
acq lock
Example: Shared Thread Queue
dequeue
shared memory
logicalcopy
acq lock
Example: Shared Thread Queue
dequeue
shared memory
logicalcopy
acq lock
rel lock
Example: Shared Thread Queue
dequeue
shared memory
logicalcopy
acq lock
rel lock
Example: Shared Thread Queue
dequeue
shared memory
deq
Example: Shared Thread Queue
dequeue
shared memory
Spin-lock Module
Case Study
KeyboardDriverThread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
3
Build a Certified System
Spin-lock Module
Case Study
KeyboardDriverThread Queue Module
Inter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
3
Scheduling Module
Build a Certified System
void yield () {
uint t = tid(); … (t, rdq());
uint s = (rdq()); … (t, s)
}
enq
deq
context_switch
Thread-Local Machine
Thread-Local Machine
yieldsleep wakeup
Software Scheduler
CV
IPC
thread-local machine
[Operating SystemsPrinciples and Practice 2011]
Found hard bugs in the popularOS textbook
Spin-lock Module
Case Study
KeyboardDriverThread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
3
Build a Certified System
Spin-lock Module
Case Study
Thread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
CPU 0 CPU 1
3
KeyboardDriver
Security
Build a Certified System
Device Driver [PLDI16’a]
Device
0 0External events
State
Log 0 0 0
read/write
Raw Device ObjDriver Layers
Logical CPU
CPU i
Interrupt iret0
Device Driver [PLDI16’a]
Device
0 0External events
Driver Layers
Logical CPU
CPU i
Interrupt iret0
State
Log 0 0 0
read/write
Raw Device Obj
DriverCode
Prims
Abs-State
Abstract Device Obj
Spin-lock Module
Case Study
KeyboardDriverThread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
3
Build a Certified System
Spin-lock Module
Case Study
KeyboardDriverThread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
3
Build a Certified System
End-to-End Security [PLDI16’b]
TM
PM
Trap
mem
thread
proc
trap
seq machine
OObservation functionspecify and prove general security policies with declassification
MM
non-interferencefound security-bugs: spawn, palloc,…
security-preservation simulation
O
O0
O1
O2
O3
secure
secure
secure
secure
secure
Spin-lock Module
Case Study
Thread Queue Module
Scheduling ModuleInter-Process Communication
Keyboard
User Application
SendCompiler
Security
CPU 0 CPU 1
3
KeyboardDriver
Build a Certified System
Summary: Certified OS
CertiKOS is the first fully certified OS kernel that is done economically (< 3 person years), proves more properties, runs on concurrent HW, and is truly extensible
Still very high barriers of entry: (1) OS kernel development is very difficult(2) Formal specifications and proofs are hard to build(3) Need intimate programming language expertise to succeed• These are three completely different communities• Most people can only do one out of the above three. • The Yale team has been working on all three for >15 years
Summary: OS Landscape (Nov 2017)
Desktop: Linux, macOS, Windows, ChromeOS, freeBSD, …Hypervisor/Cloud: Linux KVM & Docker, VMWare, Xen, … Mobile: Android (Linux), iOS, …Embedded: Embedded Linux, VxWorks, QNX, LynxOS, …
• All of them are bloated, old, and contain many bugs• Urgently need new OSes for emerging platforms & apps
(IoTs, Drones, Self-Driving Cars, Cloud, NetworkOS, Blockchains, …)
OS evolution has reached an inflection point: Need a certified OS that provides security, extensibility, performance, and can work across multiple platforms.