26,396 research outputs found
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators
Types for Location and Data Security in Cloud Environments
Cloud service providers are often trusted to be genuine, the damage caused by
being discovered to be attacking their own customers outweighs any benefits
such attacks could reap. On the other hand, it is expected that some cloud
service users may be actively malicious. In such an open system, each location
may run code which has been developed independently of other locations (and
which may be secret). In this paper, we present a typed language which ensures
that the access restrictions put on data on a particular device will be
observed by all other devices running typed code. Untyped, compromised devices
can still interact with typed devices without being able to violate the
policies, except in the case when a policy directly places trust in untyped
locations. Importantly, our type system does not need a middleware layer or all
users to register with a preexisting PKI, and it allows for devices to
dynamically create new identities. The confidentiality property guaranteed by
the language is defined for any kind of intruder: we consider labeled
bisimilarity i.e. an attacker cannot distinguish two scenarios that differ by
the change of a protected value. This shows our main result that, for a device
that runs well typed code and only places trust in other well typed devices,
programming errors cannot cause a data leakage.Comment: Short version to appear in Computer Security Foundations Symposium
(CSF'17), August 201
A formally verified compiler back-end
This article describes the development and formal verification (proof of
semantic preservation) of a compiler back-end from Cminor (a simple imperative
intermediate language) to PowerPC assembly code, using the Coq proof assistant
both for programming the compiler and for proving its correctness. Such a
verified compiler is useful in the context of formal methods applied to the
certification of critical software: the verification of the compiler guarantees
that the safety properties proved on the source code hold for the executable
compiled code as well
A Wait-free Multi-word Atomic (1,N) Register for Large-scale Data Sharing on Multi-core Machines
We present a multi-word atomic (1,N) register for multi-core machines
exploiting Read-Modify-Write (RMW) instructions to coordinate the writer and
the readers in a wait-free manner. Our proposal, called Anonymous Readers
Counting (ARC), enables large-scale data sharing by admitting up to
concurrent readers on off-the-shelf 64-bits machines, as opposed to the most
advanced RMW-based approach which is limited to 58 readers. Further, ARC avoids
multiple copies of the register content when accessing it---this affects
classical register's algorithms based on atomic read/write operations on single
words. Thus it allows for higher scalability with respect to the register size.
Moreover, ARC explicitly reduces improves performance via a proper limitation
of RMW instructions in case of read operations, and by supporting constant time
for read operations and amortized constant time for write operations. A proof
of correctness of our register algorithm is also provided, together with
experimental data for a comparison with literature proposals. Beyond assessing
ARC on physical platforms, we carry out as well an experimentation on
virtualized infrastructures, which shows the resilience of wait-free
synchronization as provided by ARC with respect to CPU-steal times, proper of
more modern paradigms such as cloud computing.Comment: non
- âŠ