% Quark # towards [a zero-vulnerability software stack](http://www.cis.upenn.edu/~bcpierce/papers/chalmers-deepspec-2015.pdf) # what have we discussed so far kernel routes messages between hw/processes -------------------------- -------------------------------- reorder messages: commutativity & scalability fast I/O path: exokernel & end-to-end log & replay messages: (non)determinism group messages: transactions enforce rules on messages: security (integrity & prvivacy) ---------------------------- -------------------------------- # browser/kernel security systems rules (specifications) TCB ------------- ------------------------- ---- capsicum ?? ?? SFI ?? ?? singularity ?? ?? [IBOS] ?? ?? quark ?? ?? . . . quark: non-interference, cookie privacy/integrity, address bar correctness [IBOS]: http://tangshuo.github.io/ibos.html#slide10 # quark overview only the kernel can perform privileged actions tabs/cookie processes cannot - must go through the kernel how to ensure that? # quark kernel single-threaded kernel abstractions: tabs, channels, cookies system state: current/active tab, list of tabs, list of cookies actions (messages): make tabs, read/write channels, ... trace: a list of actions Example: typing in "+" will create a tab ``` WroteMsg(t, Render), MkTab(t), Read(stdin, "+"), ... <------------------------------------------------------- ``` # specifications (security invariants) predicated on traces: valid trace ⇒ system correctness single-step state transition: `step_correct tr req rsp` construct kernel state from trace: `kernel_state tr` # example: state integrity kernel state changes only in resp. to user pressing control keys ``` Theorem kstate_dep_user: forall tr req rsp, step_correct tr req rsp -> proj_user_control tr = proj_user_control (rsp ++ req ++ tr) -> kernel_state tr = kernel_state (rsp ++ req ++ tr). ``` `proj_user_control`: project actions like `(Read c stdin)` no control key pressed (alt.): `proj_user_control (rsp ++ req) = []` # example: response integrity kernel response depends on request and kernel state only: (slightly different from the paper version) ``` Theorem kresponse_dep_kstate: forall tr1 tr2 req rsp1 rsp2, kernel_state tr1 = kernel_state tr2 -> step_correct tr1 req rsp1 -> step_correct tr2 req rsp2 -> rsp1 = rsp2. ``` # q functional correctness vs safety properties? tabs as principals? postMessages? same-origin policies? what kind of systems would be a good fit for trace-based verification? # specify & reason about systems predicated traces: Quark, Verdi (PLDI'14) reference impl w/ refinement: seL4 (SOSP'09), CertiKOS (POPL'15) high-level impl w/ layers of DSLs: Kit, CompCert (CACM'09), Jitk (OSDI'14) pre/postcondition (Hoare logic): ExpressOS (ASPLOS'13), Ironclad (OSDI'14) . . . which are good for reasoning about functional correctness? isolation (e.g., microkernel/hypervisor)? concurrency (e.g., RCU)? fail-stop crash? liveness? timing?