Formal Verification of a Multiprocessor Hypervisor on Arm Relaxed Memory Hardware

Q3 Computer Science

Operating Systems Review (ACM) Pub Date : 2021-10-26 DOI:10.1145/3477132.3483560

Runzhou Tao, Jianan Yao, Xupeng Li, Shih-wei Li, Jason Nieh, Ronghui Gu

{"title":"Formal Verification of a Multiprocessor Hypervisor on Arm Relaxed Memory Hardware","authors":"Runzhou Tao, Jianan Yao, Xupeng Li, Shih-wei Li, Jason Nieh, Ronghui Gu","doi":"10.1145/3477132.3483560","DOIUrl":null,"url":null,"abstract":"Concurrent systems software is widely-used, complex, and error-prone, posing a significant security risk. We introduce VRM, a new framework that makes it possible for the first time to verify concurrent systems software, such as operating systems and hypervisors, on Arm relaxed memory hardware. VRM defines a set of synchronization and memory access conditions such that a program that satisfies these conditions can be mostly verified on a sequentially consistent hardware model and the proofs will automatically hold on relaxed memory hardware. VRM can be used to verify concurrent kernel code that is not data race free, including code responsible for managing shared page tables in the presence of relaxed MMU hardware. Using VRM, we verify the security guarantees of a retrofitted implementation of the Linux KVM hypervisor on Arm. For multiple versions of KVM, we prove KVM's security properties on a sequentially consistent model, then prove that KVM satisfies VRM's required program conditions such that its security proofs hold on Arm relaxed memory hardware. Our experimental results show that the retrofit and VRM conditions do not adversely affect the scalability of verified KVM, as it performs similar to unmodified KVM when concurrently running many multiprocessor virtual machines with real application workloads on Arm multiprocessor server hardware. Our work is the first machine-checked proof for concurrent systems software on Arm relaxed memory hardware.","PeriodicalId":38935,"journal":{"name":"Operating Systems Review (ACM)","volume":"16 1","pages":""},"PeriodicalIF":0.0000,"publicationDate":"2021-10-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"19","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Operating Systems Review (ACM)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3477132.3483560","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"Computer Science","Score":null,"Total":0}

引用次数: 19

Abstract

Concurrent systems software is widely-used, complex, and error-prone, posing a significant security risk. We introduce VRM, a new framework that makes it possible for the first time to verify concurrent systems software, such as operating systems and hypervisors, on Arm relaxed memory hardware. VRM defines a set of synchronization and memory access conditions such that a program that satisfies these conditions can be mostly verified on a sequentially consistent hardware model and the proofs will automatically hold on relaxed memory hardware. VRM can be used to verify concurrent kernel code that is not data race free, including code responsible for managing shared page tables in the presence of relaxed MMU hardware. Using VRM, we verify the security guarantees of a retrofitted implementation of the Linux KVM hypervisor on Arm. For multiple versions of KVM, we prove KVM's security properties on a sequentially consistent model, then prove that KVM satisfies VRM's required program conditions such that its security proofs hold on Arm relaxed memory hardware. Our experimental results show that the retrofit and VRM conditions do not adversely affect the scalability of verified KVM, as it performs similar to unmodified KVM when concurrently running many multiprocessor virtual machines with real application workloads on Arm multiprocessor server hardware. Our work is the first machine-checked proof for concurrent systems software on Arm relaxed memory hardware.

查看原文本刊更多论文

Arm宽松内存硬件上多处理器Hypervisor的正式验证

并发系统软件应用广泛，复杂且容易出错，存在很大的安全风险。我们介绍了VRM，这是一个新的框架，首次可以在Arm宽松内存硬件上验证并发系统软件，如操作系统和管理程序。VRM定义了一组同步和内存访问条件，这样满足这些条件的程序可以在顺序一致的硬件模型上进行验证，并且证明将自动保留在宽松的内存硬件上。VRM可以用来验证不存在数据竞争的并发内核代码，包括在宽松的MMU硬件存在下负责管理共享页表的代码。使用VRM，我们验证了Linux KVM hypervisor在Arm上的改进实现的安全保证。对于多个版本的KVM，我们在顺序一致的模型上证明了KVM的安全特性，然后证明KVM满足VRM所需的程序条件，使得其安全证明在Arm宽松内存硬件上成立。我们的实验结果表明，改进和VRM条件不会对经过验证的KVM的可扩展性产生不利影响，因为当在Arm多处理器服务器硬件上并发运行具有实际应用工作负载的多个多处理器虚拟机时，它的性能与未修改的KVM相似。我们的工作是Arm放松内存硬件上并发系统软件的第一个机器检查证明。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Operating Systems Review (ACM) Computer Science-Computer Networks and Communications

CiteScore

2.80

自引率

0.00%

发文量

期刊介绍： Operating Systems Review (OSR) is a publication of the ACM Special Interest Group on Operating Systems (SIGOPS), whose scope of interest includes: computer operating systems and architecture for multiprogramming, multiprocessing, and time sharing; resource management; evaluation and simulation; reliability, integrity, and security of data; communications among computing processors; and computer system modeling and analysis.