
Proving Partial-Correctness and Invariance Properties of Transition-System Models

We propose a deductive verification approach for proving partial-correctness and invariance properties on transition-system models. Regarding partial correctness, we generalise the recently introduced formalism of Reachability Logic, currently used as a language-parametric logic for programs, to transition systems. We propose a sound and relatively complete proof system for the resulting reachability logic. The soundness of the proof system is formally established in the Coq proof assistant, and the mechanised proof provides us with a Coq-certified Reachability-Logic prover for transition-system models. The relative completeness of the proof system, although theoretical in nature, also has a practical value, as it induces a proof strategy that is guaranteed to prove all valid formulas on a given transition system. The strategy reduces partial-correctness verification to invariance verification; for the latter we propose an incremental technique in order to deal with the case-explosion problem that affects it. All these techniques were instrumental in enabling us to prove, within reasonable time and effort limits, that the nontrivial algorithm implemented in the security hypervisor that we designed in earlier work meets its expected functional requirements.

Achieving virtualization trustworthiness using software mechanisms

This paper presents the challenges of implementing a bare-metal hypervisor without using hardware virtualization features. This choice is dictated by two reasons: (i) some processors do not include virtualization instructions; (ii) in the context of formal verification, the proof relies on the good behavior of the hardware, so eliminating hardware features lets us produce a more precise proof. Implementing virtualization features in software is complex work: the instruction set remains large, and despite the documentation, some behaviors are not obvious, if not undefined. Moreover, doing this in software forces us to freeze the guest to perform work, decreasing performance. We implemented a software hypervisor that has the particularity of running the guest systems in privileged mode. Before that, the hypervisor dynamically analyzes the guest code and runs it after setting breakpoints on sensitive instructions. To perform the analysis, we extracted the whole ARM and Thumb instruction set to identify the sensitive instructions, which have to be handled by the hypervisor. In order to preserve acceptable performance, we only track code running in privileged mode. Thus, the guest kernel runs at the same level of privilege as the hypervisor. We evaluated the performance of our approach using micro-benchmarks and macro-benchmarks to measure the impact of the process on a piece of code and on a whole system. The results show that, when running a guest that performs pre-emptive scheduling and runs its tasks in user mode, our hypervisor performs with a reasonable overhead: from 0.3% to 15% on several synthetic benchmarks. We finally provide several ideas for further optimization and a direction for future work.