AdaCore Blog

Muen Separation Kernel Written in SPARK

by Yannick Moy

Two students of the University of Applied Sciences Rapperswil in Switzerland, Reto Buerki and Adrian-Ken Rueegsegger, have written a small separation kernel in SPARK (less than 3000 lines of SPARK, with an additional 300 lines of Assembly) exploiting the hardware virtualization technology available in modern INTEL chips. Quite a milestone!

To present the impact of this work, I need to talk about the multilevel workstation R&D project at Secunet. Secunet (short for secunet Security Networks AG) is a small German company developing secure IT solutions for the German government and military. They have a well-known multilevel workstation product called SINA based on a hardened linux kernel. The SINA products are used for example by all German embassies around the world to send classified information. The SINA workstation allows German government employees to access different networks (say, the Internet on one side, and a confidential intranet on the other side) on the same machine, switching from one to the other with a few key strokes.

Since 2010, Secunet is investigating the use of SPARK to build the next version of SINA, to ensure complete absence of run-time errors in the trusted computing base of the system (thus fully preventing security attacks based on buffer overflows and the like), and to prove high-level security properties of the system (using a bridge from SPARK to the Isabelle proof assistant that they developed). 

They have truly done an amazing job, not implementing only the core workstation in SPARK, including IPsec, but also the drivers for the keyboard and graphics card! All in a system that is 180 times smaller than a minimal equivalent linux solution (see slide 20 in the presentation I mention above), hence can be inspected by experts with a much higher degree of confidence. Stefan Berghofer presented at the SPARK User Group in 2012 how they verified formally a big number library and an ASN.1 parser (a well-known source of vulnerabilities in many high integrity systems) using SPARK and Isabelle.

Still, the larger part of the system is implemented in C, without formal guarantees regarding the absence of run-time errors, as the multilevel workstation is based on the LynxSecure separation kernel commercialized by LynuxWorks. It is this separation kernel that the much smaller Muen separation kernel in SPARK is meant to replace.

Now, why an open-source separation kernel? Their view is that a separation kernel should be a commodity that multiple parties can contribute to, so that each one can work on their core business. Which, for Secunet, is providing German government and military with ultra secure information systems, and that requires much more than a separation kernel. I encourage you to look at their webpage, which points in particular to the Git repository for the source of Muen, and the associated public mailing-list.

Posted in #Language    #Formal Verification    #SPARK   

About Yannick Moy

Yannick Moy is a Senior Software Engineer at AdaCore and co-director of the ProofInUse joint laboratory. At AdaCore, he works on software source code analyzers CodePeer and SPARK, aiming either at detecting bugs or at verifying safety/security properties. Yannick leads the developments of SPARK, a product he presents in articles, conferences, classes and blogs (in particular blog.adacore.com). Yannick previously worked on source code analyzers for PolySpace (now The MathWorks) and at Université Paris-Sud.