[ANN] Muen development version 0.9 released

Reto Buerki

Jan 30, 2018, 5:10:29 AM
to muen-dev

We are proud to announce the availability of Muen version 0.9.

The following major features and improvements have been implemented
since the last announcement:

=== Crash Audit

Release builds of the Muen kernel do not produce any form of log output.
On one hand, such logging code would increase the size of the kernel and
therefore the TCB of any Muen system. On the other hand, I/O operations
would introduce unacceptable timing variances in kernel execution.

As unexpected errors may happen during operation, a mechanism to
determine the cause of failure must be present in production systems.
For example, faulty hardware may trigger a Machine-Check exception (#MC)
to inform the operating system of the error condition.

The new kernel crash audit facility provides multiple slots to store
per-CPU crash information which enables system integrators to determine
the cause of the failure.

When an error condition is detected, a new crash audit record is
allocated and filled with the exception information. To transition the
system into a pristine state, the kernel then triggers a controlled
system reboot.

The crash audit information is stored in an uncached memory region that
survives warm reboots. It is mapped read-only into the address space of
the debug server subject which outputs crash audit records to the
configured logging facility on startup.
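An added illustration of the store-then-read-back flow described above (example code, not Muen's kernel or debug server; the region layout, the marker value and the per-CPU slot assignment are assumptions). The kernel side fills one slot per faulting CPU, and the reader on the next boot accepts only records whose header and checksum are intact, so a corrupted or never-initialised region yields nothing rather than garbage:

```c
#include <stdint.h>
#include <stddef.h>

#define CA_MAGIC   0x5341524343454E55ULL /* constructed marker value */
#define CA_VERSION 1u
#define CA_SLOTS   4u                    /* one slot per CPU (assumed) */

typedef struct {
    uint32_t used, cpu_id, vector, pad;  /* vector 18 = #MC */
    uint64_t error_code, rip;
    uint64_t checksum;                   /* FNV-1a over the fields above */
} ca_record_t;

typedef struct {
    uint64_t    magic;
    uint32_t    version, pad;
    ca_record_t slots[CA_SLOTS];        /* lives in uncached RAM in a real system */
} ca_region_t;

/* FNV-1a over the record body, cheap enough for an exception handler. */
static uint64_t ca_sum(const ca_record_t *r)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < offsetof(ca_record_t, checksum); i++)
        h = (h ^ ((const uint8_t *)r)[i]) * 0x100000001b3ULL;
    return h;
}

/* Kernel side: reset a missing or stale header, fill the faulting CPU's
 * slot and return its index (-1 if none); the caller then reboots. */
int ca_store(ca_region_t *reg, uint32_t cpu, uint32_t vector,
             uint64_t error_code, uint64_t rip)
{
    if (cpu >= CA_SLOTS) return -1;
    if (reg->magic != CA_MAGIC || reg->version != CA_VERSION)
        *reg = (ca_region_t){ .magic = CA_MAGIC, .version = CA_VERSION };
    ca_record_t *s = &reg->slots[cpu];
    *s = (ca_record_t){ .used = 1, .cpu_id = cpu, .vector = vector,
                        .error_code = error_code, .rip = rip };
    s->checksum = ca_sum(s);
    return (int)cpu;
}

/* Debug server side after the warm reboot: copy out only intact records. */
unsigned ca_collect(const ca_region_t *reg, ca_record_t *out, unsigned max)
{
    unsigned n = 0;
    if (reg->magic != CA_MAGIC || reg->version != CA_VERSION) return 0;
    for (unsigned i = 0; i < CA_SLOTS && n < max; i++)
        if (reg->slots[i].used == 1 && reg->slots[i].checksum == ca_sum(&reg->slots[i]))
            out[n++] = reg->slots[i];
    return n;
}
```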

=== PCI config space emulation

PCI config space emulation is a building block to protect devices
attached to untrusted subjects from software attacks. The attack vector
is a malicious driver which programs the device in a way to trigger
unexpected behavior which could invalidate the security properties of
the whole system. For example, reprogramming PCI Base Address Registers
(BARs) to overlap with resources of other devices may result in
undefined system behavior.

The new Device Manager (DM) subject implemented in SPARK 2014 performs
PCI config space emulation. Access to PCI config space fields of a
device is controlled by entries in the rules database. Direct write
access is only allowed for specific fields and access to PCI BARs is
virtualized. This way, an untrusted device driver is unable to change
the BAR settings of a device.
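The mechanism described above, as an added example (not the Device Manager's SPARK code; rule names, the per-dword rules table and the 32-bit-memory-BAR-only simplification are assumptions). Reads and writes to the device's config space go through the emulator: fields marked read-only or denied never reach the hardware, and a BAR answers the standard sizing probe (write all-ones, read back the size mask) from the policy-assigned size while any other write leaves both the virtual and the hardware BAR unchanged:

```c
#include <stdint.h>
#include <stdbool.h>

#define CFG_DWORDS 64        /* 256-byte PCI config space, dword granular */
#define BAR0_OFF   0x10

/* Access rule per dword; rule names are assumptions for this example. */
enum rule { RULE_DENY, RULE_RO, RULE_RW, RULE_VBAR };

typedef struct {
    uint32_t size;   /* BAR size from policy, power of two */
    uint32_t addr;   /* fixed address from policy incl. type bits (3:0) */
    bool     sizing; /* last write was all-ones: answer with size mask */
} vbar_t;

typedef struct {
    uint32_t  hw[CFG_DWORDS];      /* stand-in for the real device */
    enum rule rules[CFG_DWORDS];   /* RULE_VBAR only on BAR dwords */
    vbar_t    bars[6];             /* 32-bit memory BARs only */
} emu_dev_t;

uint32_t dm_read(const emu_dev_t *d, uint8_t off)
{
    uint8_t i = off / 4;
    if (d->rules[i] == RULE_VBAR) {
        const vbar_t *b = &d->bars[(off - BAR0_OFF) / 4];
        uint32_t flags = b->addr & 0xFu;    /* type bits are never masked */
        return b->sizing ? ((~(b->size - 1) & ~0xFu) | flags) : b->addr;
    }
    return d->rules[i] == RULE_DENY ? 0xFFFFFFFFu : d->hw[i];
}

/* True if accepted (hardware or virtual BAR); RO/denied writes are dropped. */
bool dm_write(emu_dev_t *d, uint8_t off, uint32_t val)
{
    uint8_t i = off / 4;
    switch (d->rules[i]) {
    case RULE_RW:   d->hw[i] = val; return true;
    case RULE_VBAR: d->bars[(off - BAR0_OFF) / 4].sizing = (val == 0xFFFFFFFFu);
                    return true;                  /* hardware BAR untouched */
    default:        return false;
    }
}

/* Constructed device: IDs read-only, command register writable, BAR0
 * virtualized at a policy-assigned address, everything else denied. */
void dm_init_example(emu_dev_t *d)
{
    *d = (emu_dev_t){0};
    d->hw[0] = 0x12345678u;                 /* constructed vendor/device id */
    d->hw[BAR0_OFF / 4] = 0xF0000000u;      /* what the hardware currently has */
    d->rules[0] = RULE_RO; d->rules[1] = RULE_RW;
    d->rules[BAR0_OFF / 4] = RULE_VBAR;
    d->bars[0] = (vbar_t){ .size = 0x1000, .addr = 0xF0000000u };
}
```

A driver that tries to move BAR0 sees only the policy value on the next read, and the hardware register never changes.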

=== Support for MirageOS/Solo5 subjects

MirageOS is a library operating system written in OCaml [1]. Solo5 [2]
is a base layer to run MirageOS unikernels on top of various
hypervisors. By porting Solo5 to Muen it is now possible to run such
unikernels as subjects on Muen. The port includes networking support via
muennet [3] thus enabling interesting new applications.

One particularly noteworthy use case is our migration of the project
website to a self-hosted Muen system containing a MirageOS unikernel
which serves the static website over TLS. How to build MirageOS
unikernels for Muen and how the project website is built and deployed is
documented here [4].

=== Toolchain improvements

The build process and the toolchain have been reworked in order to make
component builds independent of the policy compilation step. Component
XML specifications are now provided by the component instead of being
part of the global system policy. The component specification can be
dynamically generated as part of the component build to adapt it to a
concrete scenario.

An example is the debug server component that extracts the configured
log facilities and the number of log clients from the system policy.
This information is written to the component specification which is then
used to parameterize the build.

The new Mucbinsplit binary splitting tool leverages the new build
sequence to generate the XML memory layout based on the compiled
component ELF binary. This avoids the cumbersome manual specification of
memory region sizes and allows the application of restrictive per-region
access rights.

Prior to the policy expansion and validation steps, the generated
component specifications are joined with the system policy by the new
Mucfgjoin tool.

=== Kernel improvements

The kernel memory layout has been changed to minimize sharing of data
between kernels running on different CPUs. Each kernel now has its own
CPU-local copy of the .data and .bss ELF sections which makes
library-level data local by default. Data shared between CPUs must be
explicitly placed in the .globaldata section via pragma Linker_Section.

This release also includes cautionary changes to address potential
attack vectors resulting from speculative execution CPU design issues.
Further information including our detailed analysis of Meltdown and
Spectre with regards to Muen can be found here [5][6].

Many other improvements and stabilizations, such as separate kernel
interrupt stacks and proper handling of NMIs and MCEs, have been
implemented as part of this release.

=== Further changes

* Add support for xHCI debug capability [7]
* Add support for Intel Apollo Lake microarchitecture
* Add Docker image for Muen development environment
* Extraction of PS/2 driver component
* Update Linux kernel to version 4.14.13 (incl. PTI)

=== Roundup

This release is another step forward in the continuous development of
the Muen platform. Enhancements like the Crash Audit facility, PCI
config space emulation or refactored component processing address
requirements for running Muen systems in production environments.

One aspect of this release that we are particularly proud of is that
through the support for MirageOS we were able to build a Muen system
which serves the project website via TLS using a very small TCB. Since
the TLS tunnel is terminated inside the unikernel, the Linux subject is
only required for network connectivity and can thus be completely
excluded from the web server's TCB.

Further information about Muen is available on the project website [8]
and the git repository can be found at [9].

Please feel free to give the latest development version of Muen a try.
As always, feedback is very much appreciated!

Kind regards,
The Muen Team

[1] - https://mirage.io/
[2] - https://github.com/Solo5/solo5
[3] - https://git.codelabs.ch/?p=muen/linux/muennet.git
[4] - https://muen.sk/articles/
[5] - https://groups.google.com/forum/#!topic/muen-dev/1ILwIz8h-kM
[6] - https://groups.google.com/forum/#!topic/muen-dev/4tC3MbPxTOQ
[7] - https://git.codelabs.ch/?p=libxhcidbg.git
[8] - https://muen.sk/
[9] - https://git.codelabs.ch/?p=muen.git