3 research outputs found
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators
A Methodology For Micro-Policies
This thesis proposes a formal methodology for defining, specifying, and
reasoning about micro-policies — security policies based on fine-grained tagging
that include forms of access control, memory safety, compartmentalization, and
information-flow control. Our methodology is based on a symbolic machine that
extends a conventional RISC-like architecture with tags. Tags express security
properties of parts of the program state ( this is an instruction, this is
secret, etc.), and are checked and propagated on every instruction according to
flexible user-supplied rules. We apply this methodology to two widely studied
policies, information-flow control and heap memory safety, implementing them
with the symbolic machine and formally characterizing their security guarantees:
for information-flow control, we prove a classic notion of
termination-insensitive noninterference; for memory safety, a novel property
that protects memory regions that a program cannot validly reach through the
pointers it possesses — which, we believe, provides a useful criterion for
evaluating and comparing different flavors of memory safety. We show how the
symbolic machine can be realized with a more practical processor design, where a
software monitor takes advantage of a hardware cache to speed up its execution
while protecting itself from potentially malicious user-level code. Our
development has been formalized and verified in the Coq proof assistant,
attesting that our methodology can provide rigorous security guarantees