

# The seL4<sup>®</sup> Report

An Update From seL4 Land

Gernot Heiser Chair, seL4 Foundation

gernot@sel4.systems

### The Highlights of the Year



#### seL4 is verified on RISC-V!

2020/06/09



Sounds great! But what does it mean?

seL4

seL4 (https://sel4.systems/) (pronounced *e* arguably the world's most secure operatin

The OS kernel is the lowest level of software running on a computer system. It is executes in privileged mode (S-mode in RISC-V; M-mode is reserved for microc kernel is ultimately responsible for the security of a computer system.

#### Data61, Linux Foundation launch seL4 open source foundation

itnews

By Matt Johnston on Apr 8, 2020 2:03PM

To accelerate seL4 microkernel developments.

The Linux Foundation is set to host a new global not-for-profit



foundation established by the CSIRO's Data61 to promote and fund the development of its security-focused microkernel, seL4.

FOSDEM, Feb'21

### The Highlights of the Year



- The seL4 Foundation (June's talk right after this):
  - Open governance for the seL4 ecosystem
  - Trademark registration in Australia and US, others in progress
- ✓ **Verification:** RISC-V (RV64) functional correctness proof done!
  - Binary verification (translation correctness) progressing
  - MCS verification progressing (see my FOSDEM'20 talk)
- seL4 System development
  - RFCs for seL4 Core, seL4 Core Platform
  - soon: RFC for seL4 driver framework
- Research:
  - > Verifying *time* protection
  - Secure multi-server OS





What is seL4?

Gernot Heiser: The seL4 Report

FOSDEM, Feb'21

4

## Background: What is **Sel** 4?



seL4 is an open source, high-assurance, high-performance operating system microkernel







#### seL4 is the most trustworthy foundation for safety- and security-critical systems



Already in use across many domains:

automotive, aviation, space, defence, critical infrastructure, cyber-physical systems, IoT, industry 4.0, certified security...



### Unique Verification by Mathematical Proof



### ... and Performance



Latency (in cycles) of a round-trip cross-address-space IPC on x64

| Still the world's fastest microkernel! | Source                                       | seL4 | Fiasco.OC | Zircon |
|----------------------------------------|----------------------------------------------|------|-----------|--------|
|                                        | Mi et al, 2019                               | 986  | 2717      | 8157   |
|                                        | Gu et al, 2020                               | 1450 | 3057      | 8151   |
|                                        | seL4.systems, Nov'20                         | 797  | N/A       | N/A    |
|                                        |                                              |      |           |        |
|                                        | Temporary performant<br>regression in Dec'19 |      |           |        |

Sources:

- Zeyu Mi, Dingji Li, Zihan Yang, Xinran Wang, Haibo Chen: "SkyBridge: Fast and Secure Inter-Process Communication for Microkernels", EuroSys, April 2020
- Jinyu Gu, Xinyue Wu, Wentai Li, Nian Liu, Zeyu Mi, Yubin Xia, Haibo Chen: "Harmonizing Performance and Isolation in Microkernels with Efficient Intra-kernel Isolation and Communication", Usenix ATC, June 2020
- seL4 Performance, <a href="https://sel4.systems/About/Performance/">https://sel4.systems/About/Performance/</a>, accessed 2020-11-08



## Making seL4 Easier to Use

#### The seL4 Core Platform

FOSDEM, Feb'21

Gernot Heiser: The seL4 Report

9

### Why seL4 Core Platform?



With seL4 we achieved unprecedented levels of security and user-unfriendliness [2015]

The seL4 API is (for good reason):

- very general
- very low-level
- architecture-dependent
- very spartan
- ... and requires a lot of expertise to use correctly

See https://microkerneldude.wordpress.com/2020/ 03/11/sel4-design-principles/

Almost all present deployments are:

- embedded/cyber-physical systems
- simple, static architectures



#### Aims of the seL4 Core Platform



#### Small OS for IoT, cyber-physical and other embedded use cases

- Ease development and deployment
- Provide reasonable degree of application portability, defined HW interfaces
- Support implementation diversity through well-defined interfaces
- Support code re-use between related deployments
- Simple programming model ensures "correct" use of seL4 mechanisms
- Retain near-minimal trusted computing base (TCB)
- Leverage seL4-enforced isolation for strong security/safety
- Retain seL4's superior performance
- Be amenable to formal verification of the TCB



## The seL4 Core Platform is POSIX-Compliant

## Of Course Not

Posix is past its use-by date, and too inefficient for seL4. See Curtis Millar's seL4 Summit talk

Core Platform properties:

- Simple execution model
- Simple communication model
- Real-time capable
- Efficient
- Deadlock-free
- Some integrity properties enforced by build tools
- Suitable for formal reasoning

For legacy software use virtual machines!

#### Target Hardware: Embedded SoCs



- Homogenous multicore
- Shared L2 cache
- Single system image
- Uniform memory access
- Accelerators (GPUs etc) are "devices"





### **Core Platform Abstractions**

### Abstractions: Protection Domain





#### **Represents physical memory** contiguous • integer multiple of page size • May be mapped into one or more PDs page-aligned at a virtual address • **Protected Procedure** with defined caching attributes Call (PPC) with specific permissions • May be attached to a CC shared buffer Communicatic • zero-copy communication **Notification** MR Memory Region (MR)

#### Abstractions: Memory Region



seL4 Summit, Nov'20

Ben Leslie & Gernot Heiser: The seL4 Core Platform

16



### Abstractions: Communication Channels



#### **Abstractions: Notifications**



- Notifications are binary semaphores
  - Multiple signals from same PD may not invoke *notification procedure* multiple times
- Processing of signals from multiple PDs should happen in priority order
  - Ideally enforced by Core Platform tooling
- For now limit of 64 CCs per PD (seL4 limitation)

Support triggering of events:

- can signal PD's Notification through CC
- this invokes target PD's notification procedure
- Platform provides source PD's identity
  - uses seL4's badged capabilities
- Signalling is asynchronous





#### **Abstractions: Protected Procedure Calls**





### Abstractions: Virtual Machine (VM)





#### **Core Platform Considerations**



• ≤ 1 thread per core

- For now targeting static architectures:
  - All PDs known at build time

Will (eventually) support late loading/re-loading of (known) PDs

#### Summary: seL4 Core Platform



- Designed to ease construction of welldesigned seL4-based embedded systems
- Design mostly complete: RFC-5
- Will integrate with the seL4 Driver Framework
- We'll provide best-practice training material



Protected Procedure Call (PPC)



Memory Region (MR)

seL4 Summit, Nov'20

Ben Leslie & Gernot Heiser: The seL4 Core Platform



## **Research Update**

Verifying time protection

Secure multi-server OS

FOSDEM, Feb'21

What's the Issue with Temporal Isolation?



#### **Safety: Timeliness**

Execution interference

#### **Security: Confidentiality**

• Leakage via timing channels



Gernot Heiser: seL4 State of the Union



### Cause: Competition for HW Resources



Affect execution speed

- Inter-process interference
- Competing access to micro-architectural features
- Hidden by the HW-SW contract!

Solution: *Time Protection* – Eliminate interference by preventing sharing

FOSDEM, Feb'21

#### Time Protection: Partition all Hardware State



SP

FOSDEM, Feb'21

#### Measuring Leakage: Channel Matrix





#### Measuring Leakage: Channel Matrix





FOSDEM, Feb'21

#### Challenge: Broken Hardware



BHB channel on x86 Sky Lake, time protection

#### BHB channel on x86 Sky Lake, no mitigation



#### **Challenge: Broken Hardware**



0.100000

0.010000

0.001000

0.000100

0.000010



#### BHB channel on Arm Cortex A53, time protection

FOSDEM, Feb'21

#### **RISC-V** To The Rescue!

New instruction fence.t: flush of *all* microarchitectural state in ETH Ariane processor and evaluated channels on FPGA implementation



FOSDEM, Feb'21

Gernot Heiser: The seL4 Report

**Best Paper** 

Similar result for all other channels

[Wistoff et all, DATE'21]



#### **On-Going Work**



#### Research: Secure Multi-Server OS



#### Aim: A truly secure, general-purpose OS

- ✓ Support wide class of use cases, fully dynamic
- Support wide class of security policies
- Support changes of security policy during execution
- Support least privilege (aka principle of least authority, POLA)
- Support formal verification of security policy enforcement
  - > Incl confidentiality, integrity, availability
- Performance comparable to monolithic systems

#### Secure Multi-Server OS Features



- Policy-mechanism separation:
  - Servers implement abstractions independent of security policy
  - Policy is encapsulated in a single security server
- Dynamic information-flow control:
  - Communication limited by security policy
- Resource-availability guarantee through resource donation
- Performance by minimising security overhead
  - Checks only on connection establishment
  - Connection removed on policy change
- Design for formal verification

Stay tuned for detailed white paper!

#### Take-Aways:



- seL4 Foundation takes seL4 to the next level
  - open development
  - > open governance
  - community funding
  - maturing ecosystem
  - increasing deployments

If you're a member of the seL4 Community, please let us know how you want the next seL4 Summit to look!

- RISC-V is now a first-class seL4 architecture
  - functional correctness done, other verification in progress
- Ambitious research agenda:
  - > provably eliminate timing channels
  - > secure, general-purpose multi-server OS

#### seL4: Defining the state of the art in secure OS since 2009



## Questions?



# Licensing: What Does the GPL Imply?





## What Does This Mean?

### Kinds of properties proved

- Behaviour of C code is fully captured by abstract model
- Behaviour of C code is fully captured by executable model
- Kernel never fails, behaviour is always well-defined
  - assertions never fail
  - will never de-reference null pointer
  - will never access array out of bounds
  - cannot be subverted by misformed input

• ...

- All syscalls terminate, reclaiming memory is safe, ...
- Well typed references, aligned objects, kernel always mapped...
- Access control is decidable



Can prove further properties on abstract level!

RISC-V Summit, Dec'20

Gernot Heiser: seL4 on RISC-V

### How Can I Use It?



- Open source (GPL v2): Download from https://github.com/sel4
- But keep in mind: seL4 is an OS microkernel and hypervisor, not an OS!
- Many OS components available on the seL4 GitHub



### How Can I Use It?

- Open source (GPL v2): Download from https://github.com/sel4
- ✓ But keep in mind: seL4 is an OS microkernel and hypervisor, not an OS!
- Many OS components available on the seL4 GitHub
- Alternative: HENSOLDT Cyber's TRENTOS



92



## So, Why Aren't We Done?



What's the Issue with Temporal Isolation?



### **Safety: Timeliness**

Execution interference

### **Security: Confidentiality**

• Leakage via timing channels



### MCS Kernel: Capabilities for Time



- Memory
- Threads
- Address spaces
- Communication endpoints
- Interrupts
- ...

MCS model: Capabilities also authorise CPU time

• Scheduling objects



## Scheduling Contexts

### **Classical thread attributes**

> Priority



### > Priority Scheduling context capability Scheduling context object T: period C: budget ( $\leq$ T) Scheduling-context object specifies CPU bandwidth limit **C** = 2 C = 250T = 3T = 1000 Ensure time available to lower-priority threads

New thread attributes

> Time slice

FOSDEM, Feb'21



# Client is charged for server's time $\begin{bmatrix} Running \\ Client_1 \\ P_1 \\ Our P_1 \\ P_2 \\ Our P_2 \\ Our$

Scheduling-context capabilities: a principled, light-weight OS mechanism for managing time [Lyons et al, EuroSys'18]

**Budget Donation** 

### **MCS Summary**



Generally much cleaner model, cleans up a number of other things ⇒ Use for all new work!

- Verification getting close (Arm v7 and RV64)
- Legacy model will be archived once verification is done



## **Partition Hardware: Page Colouring**



Small amount of static kernel memory needs special handling

- seL4: userland supplies kernel memory
  ⇒ colouring userland colours dynamic kernel memory
- Per-partition kernel image to colour kernel

[Ge et al. EuroSys'19]



FOSDEM, Feb'21



# Temporal Partitioning: Flush on Switch

Must remove any history dependence!



# **Evaluation: Prime & Probe Attack**





1. Fill cache with own data

2. Touch *n* cache lines

Input signal

- 2.
- 3. Traverse cache,

measure execution time

#### Output signal



### Can We Verify Time Protection?

Assume we have:

- hardware that implements a suitable contract,
- a formal specification of that hardware,

can we prove that our kernel eliminates all timing channels?



# **Proving Spatial Partitioning**



### Proving Temporal Partitioning



Prove: flush all non-partitioned HW

- Needs model of stateful HW
- Somewhat idealised on present HW ... but matches our Ariane
- Functional property
- 1.  $T_0 = current_time()$
- 2. Switch user context
- 3. Flush on-core state
- 4. Touch all shared data needed for return
- 5. while (T0+WCET < current\_time());
- 6. Reprogram timer
- 7. return

Prove: padding is correct – how?

Prove: access to shared data is deterministic

- Each access sees same cache state
- Needs cache model
- Functional property



## **Use Minimal Abstraction of Clocks**

**Abstract clock = monotonically increasing counter** Operations:

- Add constant to clock value
- Compare clock values

To prove: padding loop terminates as soon as **clock** ≥ **T0+WCET** 

• Functional property!

### Status

- Published analysis of hardware mechanisms (APSys'18) Best Paper
- ✓ Published time protection design and analysis (EuroSys'19) Best Paper
  - demonstrated effectiveness within limits set by hardware flaws (Arm, x86)
- Published planned approach to verification (HotOS'19)
- Published minimal hardware support for time protection (CARRV'20)
  - evaluation demonstrated efficacy and performance
- > Working on:
  - Integrating time-protection mechanisms with clean seL4 model
    - Done: Rebased experimental kernel off latest seL4 mainline (x86, Arm, RISC-V)
    - In progress: Real system model that integrates the mechanisms
  - Proving timing-channel absence (on conforming hardware)
    - **Done:** Confidentiality proofs for flushing and time padding on simplified HW model
    - In progress: Include pre-fetching of data
    - To do: Extend to realistic hardware model

