Pip, un proto-noyau fait pour renforcer la sécurité dans les objets connectés

National audienceAvec le développement et l'évolution de plus en plus rapides des objets connectés (Internet of Things), la sécurité et la confidentialité sont devenues des propriétés désirées par chaque constructeur dans leurs appareils, moyennant un coût, en termes de performances, moindre. En tant que moyen d'assurer mathématiquement les propriétés désirées, la preuve formelle a fait son entrée dans le domaine du développement noyau. Cependant, la vérification formelle nécessite beaucoup de travail et impose plusieurs contraintes : la moindre modification du modèle ou du code provoque de nombreuses modifications sur la preuve. Comme réponse à ce problème, nous présentons Pip, un proto-noyau n'assurant que la propriété voulue, l'isolation mémoire, par le biais d'une base de confiance prouvée, tout en laissant le code utilisateur gérer les fonctionnalités restantes

Reverse Engineering of Binary Device Drivers with RevNIC

This paper presents a technique that helps automate the reverse engineering of device drivers. It takes a closed-source binary driver, automatically reverse engineers the driver’s logic, and synthesizes new device driver code that implements the exact same hardware protocol as the original driver. This code can be targeted at the same or a different OS. No vendor documentation or source code is required. Drivers are often proprietary and available for only one or two operating systems, thus restricting the range of device support on all other OSes. Restricted device support leads to low market viability of new OSes and hampers OS researchers in their efforts to make their ideas available to the “real world.” Reverse engineering can help automate the porting of drivers, as well as produce replacement drivers with fewer bugs and fewer security vulnerabilities. Our technique is embodied in RevNIC, a tool for reverse engineering network drivers. We use RevNIC to reverse engineer four proprietary Windows drivers and port them to four different OSes, both for PCs and embedded systems. The synthesized network drivers deliver performance nearly identical to that of the original drivers

Assured Android Execution Environments

Current cybersecurity best practices, techniques, tactics and procedures are insufficient to ensure the protection of Android systems. Software tools leveraging formal methods use mathematical means to assure both a design and implementation for a system and these methods can be used to provide security assurances. The goal of this research is to determine methods of assuring isolation when executing Android software in a contained environment. Specifically, this research demonstrates security properties relevant to Android software containers can be formally captured and validated, and that an implementation can be formally verified to satisfy a corresponding specification. A three-stage methodology called The Formal Verification Cycle is presented. This cycle focuses on the iteration over a set of security properties to validate each within a specification and their verification within a software implementation. A security property can be validated when its functional language prototype (e.g. a Haskell coded version of the property) is converted and processed by a formal method (e.g. a theorem proof assistant). This validation of the property enables the definition of the property in a software specification, which can be implemented separately in an imperative programming language (e.g. the Go programming language). Once the implementation is complete another formal method can be used (e.g. symbolic execution) to verify the imperative implementation satisfies the validated specification. Successful completion of this cycle shows a given implementation is equivalent to a functional language prototype, and this cycle assures a specification for the original desired security properties was properly implemented. This research shows an application of this cycle to develop Assured Android Execution Environments

Towards a formally designed and verified embedded operating system: case study using the B method

The dramatic growth in practical applications for iris biometrics has been accompanied by relevant developments in the underlying algorithms and techniques. Along with the research focused on near-infrared images captured with subject cooperation, e orts are being made to minimize the trade-o between the quality of the captured data and the recognition accuracy on less constrained environments, where images are obtained at the visible wavelength, at increased distances, over simpli ed acquisition protocols and adverse lightning conditions. At a rst stage, interpolation e ects on normalization process are addressed, pointing the outcomes in the overall recognition error rates. Secondly, a couple of post-processing steps to the Daugman's approach are performed, attempting to increase its performance in the particular unconstrained environments this thesis assumes. Analysis on both frequency and spatial domains and nally pattern recognition methods are applied in such e orts. This thesis embodies the study on how subject recognition can be achieved, without his cooperation, making use of iris data captured at-a-distance, on-the-move and at visible wavelength conditions. Widely used methods designed for constrained scenarios are analyzed

Elicitation of retinal neural circuitry with vision prosthetic devices

Vision prostheses currently under development by several research groups aim to restore functional sight to the profoundly blind suffering from retinal neural degenerative diseases. Human clinical trials in the last decade have demonstrated the ability of these devices to elicit simple percepts, such as bright spots of light. However, further improvements in implant perceptual efficacy will critically depend on improved understanding of the retinal neural mechanisms underlying the electrically evoked responses, and on how these mechanisms could be controlled artificially. In the first part of this thesis I quantitatively study, using a new statistical analysis technique, the temporal response properties of the retinal ganglion cells (RGCs) following electrical stimulation of the retina. I also demonstrate conclusively, for the first time, that small electrodes placed in the subretinal space could reliably elicit direct RGC spiking responses. In the second part of the thesis I investigate the mechanisms underlying the previously observed RGC response depression during repeated electrical stimulation of these cells. The experimental findings lead me to the development of a new stimulation method for preventing the response depression. The image processor is a crucial component of a vision prosthesis. It replaces some of the neural computations that occur in a healthy retina by converting visual stimuli into electrical stimuli. In the final part of the thesis I implement an image processor for a vision prosthesis. I show that such devices could be built with appropriate embedded hardware. Benchmark testing suggests that, depending on the complexity of the image processing strategies, care should be exercised in generalising the performance of algorithms developed on standard computers to these embedded devices

The correctness of a distributed real-time system

In this thesis we review and extend the pervasive correctness proof for an asynchronous distributed real-time system published in [KP07a]. We take a two-step approach: first, we argue about a single electronic control unit (ECU) consisting of a processor (running the OSEKtime-like operating system OLOS) and a FlexRay-like interface called automotive bus controller (ABC). We extend [KP07a] among others by a local OLOS model [Kna08] and go into details regarding the handling of interrupts and the treatment of devices. Second, we connect several ECUs via the ABCs and reason about the complete distributed system, see also [KP07b]. Note that the formalization of the scheduling correctness is reported in [ABK08b]. Through several abstraction layers we prove the correctness of the distributed system with respect to a new lock-step model COA that completely abstracts from the ABCs. By establishing the DISTR model [Kna08] it becomes possible to literally reuse the arguments from the first part of this thesis and therefore to simplify the analysis of the complete distributed system. To illustrate the applicability of DISTR, we have formally proven the top-level correctness theorem in the theorem prover Isabelle/HOL. Throughout the thesis we tie together theorems regarding: processor, ABC, compiler, micro kernel, operating system, and the worst case execution time analysis of applications and systems software.In dieser Arbeit betrachten und erweitern wir den durchgängigen Korrektheitsbeweis für ein asynchrones verteiltes Echtzeitsystem aus [KP07a]. Wir gehen in zwei Schritten vor: Zuerst betrachten wir eine einzelne elektronische Kontrolleinheit (ECU) bestehend aus einem Prozessor (welcher das OSEKtime ähnliche Betriebsystem OLOS ausführt) und einem FlexRay ähnlichem Interface, auch automobiler Bus Controller (ABC) genannt. Wir erweitern [KP07a] unter anderem um ein lokales OLOS Model [Kna08] und detaillieren die Behandlung von Interrupts sowie den Umgang mit Geräten. Im zweiten Schritt verbinden wir mehrere ECUs durch die ABCs und argumentieren über das gesamte System, siehe auch [KP07b]. Über die Formalisierung der Scheduler Korrektheit wird in [ABK08b] berichtet. Über mehrere Abstraktionsebenen beweisen wir die Korrektheit des verteilten Systems bezüglich eines neuen gleichgetakteten Modells COA in dem vollständig von den ABCs abstrahiert wird. Durch die Einführung des DISTR Models [Kna08] ist es möglich die Argumente aus dem ersten Teil dieser Arbeit in der Analyse des gesamten verteilten Systems wörtlich wieder zu verwenden. Um die Anwendbarkeit von DISTR zu verdeutlichen haben wir formal die oberste Korrektheits-Aussage im Theorembeweiser Isabelle/HOL bewiesen. Im Zuge dieser Arbeit verbinden wir Theoreme bezüglich: Prozessor, ABC, Compiler, Mikrokern, Betriebsystem und der Worst-Case Laufzeit-Analyse von Applikationen und System Software

Verification of programs in virtual memory using separation logic

Formal reasoning about programs executing in virtual memory is a difficult problem, as it is an environment in which writing to memory can change its layout. At the same time, correctly reasoning about virtual memory is essential to operating system verification, a field we are very much interested in. Current approaches rely on entering special modes or making high-level assertions about the nature of virtual memory which may or may not be correct. In this thesis, we examine the problems created by virtual memory and develop a unified view of memory, both physical and virtual, based on separation logic. We first develop this model for a simple programming language on a simplified architecture with a one-level page table, taking care to prove it constitutes a separation logic. We then extend the framework to deal with low-level C programs executing in a virtual memory environment of the ARMv6 architecture with a two-level page table. We perform two case studies involving mapping in of a new page into the current address space: first for the simple version of our logic, and finally for our full framework. The case studies demonstrate that separation logic style modular reasoning via the frame rule can be used in a unified model which encompasses virtual memory, even in the presence of page table writes. To our knowledge, we present the first model offering a unified view of virtual and physical memory, the first separation logic involving an address translation mechanism, as well as the first published model of a functional subset of ARM memory management unit. Our memory models, framework, proofs and all results are formalised in the Isabelle/HOL interactive theorem prover

Formal specification of a simple operating system

Within the Verisoft project, we aim at the pervasive modeling, implementation, and verification of a complete computer system, from gate-level hardware to applications running on top of an operating system. As an adequate representative for such a system we choose a system for writing, signing, and sending emails. The starting point of our work was a processor together with its assembly language, a compiler for a type safe C variant and a micro kernel. The goal of our work was to develop a (user-mode) operating system that bridges the gap between micro kernel and user applications. That is, formally specify and implement a system that, on the one hand, is built right on top of our micro kernel and, on the other hand, provides everything necessary for user applications such as an SMTP server, a signing server, and an email client. Furthermore, the design of this system should support its verification in a pervasive context. Within this thesis, we present the formal specification of such an operating system. Along with this specification, we (i) discuss the current state-of-the-art in formal methods applied to operating-systems design, (ii) justify our approach and distinguish it from other people\u27s work, (iii) detail our implementation and verification stack, (iv) describe the realization of our operating system, and (v) outline the verification of this system.Innerhalb des Verisoft-Projekts streben wir die durchgängige Modellierung, Implementierung und Verifikation eines kompletten Computersystems, von der Hardware auf Gatterebene bis hin zu Benutzeranwendungen, an. Ausgangspunkt unserer Arbeit war ein Prozessor inklusive Assembler Sprache, ein Compiler für eine typensichere C Variante und ein Mikrokern. Ziel unserer Arbeit war es, ein Betriebssystem (auf Benutzerebene) zu entwickeln, welches die Verbindung zwischen Mikrokern und Benutzeranwendungen herstellt. Das bedeutet, ein System formal zu spezifizieren und zu implementieren, welches auf der einen Seite direkt auf dem Mikrokern aufsetzt und auf der anderen Seite alle Voraussetzungen für Benutzeranwendungen wie einen SMTP Server, einen Signatur Server und ein E-Mail Programm erfüllt. Außerdem soll das Design dieses Systems seine durchgängige Verifikation unterstützen. In dieser Arbeit präsentieren wir die formale Spezifikation eines solchen Systems. Ferner (i) diskutieren wir den aktuellen Stand im Bereich der formalen Methoden im Betriebssystemdesign, (ii) rechtfertigen unseren Ansatz und differenzieren ihn von dem anderer, (iii) stellen die unterschiedlichen Implementierungs- und Verifikations-Schichten unseres Projektes vor, (iv) beschreiben unsere Umsetzung des Systems und (v) skizzieren seine Verifikation