Abstract

This paper describes our experience with symbolic model checking in an industrial setting. We have proved that the initial boot code running in data centers at Amazon Web Services is memory safe, an essential step in establishing the security of any data center. Standard static analysis tools cannot be easily used on boot code without modification owing to issues not commonly found in higher-level code, including memory-mapped device interfaces, byte-level memory access, and linker scripts. This paper describes automated solutions to these issues and their implementation in the C Bounded Model Checker (CBMC). CBMC is now the first source-level static analysis tool to extract the memory layout described in a linker script for use in its analysis.

Highlights

  • Boot code is the first code to run in a data center; the security of a data center depends on the security of the boot code.

  • It is hard to demonstrate boot code security using standard techniques: boot code is difficult to test and debug, and it must run without the support of the common security mitigations available to the operating system and user applications.

  • This industrial experience report describes work to prove the memory safety of initial boot code running in data centers at Amazon Web Services (AWS).

  • The verification challenges addressed are: 1. memory-mapped input/output (MMIO) for accessing devices, 2. device behavior behind these MMIO regions, 3. byte-level memory access as the dominant form of memory access, and 4. linker scripts used during the build process.

Summary

Introduction

Boot code is the first code to run in a data center; the security of a data center depends on the security of the boot code. We describe the challenges we faced analyzing AWS boot code, some of which render existing approaches to software verification unsound or imprecise. Not handling MMIO or linker scripts results in imprecision (false positives), and not modeling device behavior is unsound (false negatives). Our solutions automate boot code verification and require no changes to the code being analyzed. This makes our work well-suited for deployment in a continuous validation environment, ensuring that memory safety issues do not reappear in the code as it evolves during development. We use CBMC, but any other bit-precise, sound, automated static analysis tool could be used.
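As an added illustration (not code from the paper, from AWS, or from CBMC), the sketch below shows the two boot-code patterns behind the challenges listed above: a byte-level copy of an initialised-data section between addresses that a linker script would normally supply, and a poll of a memory-mapped device status register. The arrays standing in for flash, RAM and the device register, the symbol names, and the `struct region` type are all constructed for this example; the checks in `copy_data_section` are the bounds a model checker such as CBMC has to be able to establish before it can prove the copy memory safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a memory-mapped status register. Real boot code
 * would use an absolute address such as (volatile uint32_t *)0x...; pointing
 * into a plain array lets the example run natively. */
static uint32_t fake_device[4];
#define DEV_STATUS    ((volatile uint32_t *)&fake_device[0])
#define DEV_READY_BIT 0x1u

/* Constructed stand-ins for linker-script symbols. A real linker script
 * defines them as addresses (load start, run start, run end of .data); the
 * paper's CBMC extension reads that layout from the script itself. */
static uint8_t flash_image[64];   /* load image (copy source) */
static uint8_t ram_data[64];      /* destination .data region in RAM */

struct region {
    const uint8_t *load_start;    /* where the section is stored (flash) */
    uint8_t *start;               /* where it must run (RAM) */
    uint8_t *end;                 /* one past the last byte in RAM */
};

/* Byte-level copy of a data section from its load address to its run
 * address. The two guards are exactly what a checker needs in order to
 * prove every r->start[i] and r->load_start[i] stays inside allocated
 * memory: the layout must not be inverted, and the span must fit the
 * destination. Returns 0 on success, non-zero for an inconsistent layout. */
int copy_data_section(const struct region *r, size_t dest_capacity)
{
    if (r->end < r->start)
        return 1;                                /* inverted layout */
    size_t len = (size_t)(r->end - r->start);
    if (len > dest_capacity)
        return 2;                                /* section larger than region */
    for (size_t i = 0; i < len; i++)
        r->start[i] = r->load_start[i];          /* byte access, no alignment assumed */
    return 0;
}

/* Polls the device until it reports ready. Device behaviour is outside the
 * program's control, so the loop is bounded: true if the ready bit was seen
 * within max_polls reads, false otherwise (the caller must handle false). */
bool wait_device_ready(unsigned max_polls)
{
    for (unsigned i = 0; i < max_polls; i++) {
        if (*DEV_STATUS & DEV_READY_BIT)
            return true;
    }
    return false;
}

/* Test hook: simulate the device raising its ready bit. */
void set_device_ready(void)
{
    *DEV_STATUS = DEV_READY_BIT;
}

/* Consistent layout over the constructed arrays: copies 16 bytes and
 * verifies the last one landed. Returns 0 when everything checks out. */
int boot_copy_demo(void)
{
    for (size_t i = 0; i < sizeof flash_image; i++)
        flash_image[i] = (uint8_t)i;
    struct region data = { flash_image, ram_data, ram_data + 16 };
    int rc = copy_data_section(&data, sizeof ram_data);
    if (rc != 0)
        return rc;
    return ram_data[15] == 15 ? 0 : -1;
}

/* Inverted layout (end before start): the copy must refuse, returning 1. */
int inverted_layout_demo(void)
{
    struct region bad = { flash_image, ram_data + 16, ram_data };
    return copy_data_section(&bad, sizeof ram_data);
}

/* Section that would overrun a 32-byte RAM region: must refuse, returning 2. */
int oversized_layout_demo(void)
{
    struct region bad = { flash_image, ram_data, ram_data + sizeof ram_data };
    return copy_data_section(&bad, 32);
}

int main(void)
{
    printf("copy: %d inverted: %d oversized: %d\n",
           boot_copy_demo(), inverted_layout_demo(), oversized_layout_demo());
    printf("device ready before signal: %d\n", wait_device_ready(4));
    set_device_ready();
    printf("device ready after signal: %d\n", wait_device_ready(1));
    return 0;
}
```

Under CBMC the harness would replace the arrays with the real linker symbols, declare the register's address range as valid memory (CBMC's `__CPROVER_allocated_memory` primitive, which is what keeps an absolute-address read from being reported as a false positive), and leave the register value nondeterministic so the bounded poll is checked against every value the hardware might return. The explicit bound in `wait_device_ready` is the difference between modeling the device and silently assuming it always becomes ready, which is the unsoundness the paper warns about.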

  • Related Work

  • Boot Code
    • Boot Code Implementation
    • Boot Code Security

  • Boot Code Verification Challenges
    • Memory-Mapped I/O
    • Device Behavior
    • Byte-Level Memory Access
    • Memory Copying
    • Linker Scripts

  • Industrial Boot Code Verification
    • Test Harness
    • Running CBMC

  • Conclusion