Sur la conception d'un service de changement de contexte et de sa preuve dans le proto-noyau Pip

International audienceThe Pip protokernel is a kernel whose trusted computing base is reduced to its bare bones. The goal of such minimisation is twofold: reduce the attack surface and reduce the cost of the formal proof of security. In particular, multiplexing is not implemented in the kernel but in a partition whose code is executed in user mode. This of course assumes that the kernel provides minimal services dedicated to signal sending. In this paper, we describe a streamlined service designed to allow for inter-partition communication through userland structures that mimic the traditional Interrupt Descriptor Table

Proving Partial-Correctness and Invariance Properties of Transition-System Models

International audienceWe propose a deductive verification approach for proving partial-correctness and invariance properties on transition-system models. Regarding partial correctness, we gen-eralise the recently introduced formalism of Reachability Logic, currently used as a language-parametric logic for programs, to transition systems. We propose a sound and relatively complete proof system for the resulting reachability logic. The soundness of the proof system is formally established in the Coq proof assistant, and the mechanised proof provides us with a Coq-certified Reachability-Logic prover for transition-system models. The relative completeness of the proof system, although theoretical in nature, also has a practical value, as it induces a proof strategy that is guaranteed to prove all valid formulas on a given transition system. The strategy reduces partial-correctness verification to invariance verification; for the latter we propose an incremental technique in order to deal with the case-explosion problem that affects it. All these techniques were instrumental in enabling us to prove, within reasonable time and effort limits, that the nontrivial algorithm implemented in security hypervisor that we designed in earlier work meets its expected functional requirements

A Verified Information-Flow Architecture

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model. We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators

CoSMeDis: a distributed social media platform with formally verified confidentiality guarantees

We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate access control over the posts. The system’s kernel has been verified in the proof assistant Isabelle/HOL and automatically extracted as Scala code. We formalized a framework for composing a class of information flow security guarantees in a distributed system, applicable to input/output automata. We instantiated this framework to confidentiality properties for CoSMeDis’s sources of information: posts, friendship requests, and friendship status

CoSMeDis : a distributed social media platform with formally verified confidentiality guarantees

We present the design, implementation and information flow verification of CoSMeDis, a distributed social media platform. The system consists of an arbitrary number of communicating nodes, deployable at different locations over the Internet. Its registered users can post content and establish intra-node and inter-node friendships, used to regulate access control over the posts. The system's kernel has been verified in the proof assistant Isabelle/HOL and automatically extracted as Scala code. We formalized a framework for composing a class of information flow security guarantees in a distributed system, applicable to input/output automata. We instantiated this framework to confidentiality properties for CoSMeDis's sources of information: posts, friendship requests, and friendship status

Formal Verification of Information Flow Security for a Simple ARM-Based Separation Kernel

A separation kernel simulates a distributed environment using a single physical machine by executing partitions in isolation and appropriately controlling communication among them. We present a formal verification of information flow security for a simple separation kernel for ARMv7. Previous work on information flow kernel security leaves communication to be handled by model-external means, and cannot be used to draw conclusions when there is explicit interaction between partitions. We propose a different approach where communication between partitions is made explicit and the information flow is analyzed in the presence of such a channel. Limiting the kernel functionality as much as meaning-fully possible, we accomplish a detailed analysis and verification of the system, proving its correctness at the level of the ARMv7 assembly. As a sanity check we show how the security condition is reduced to noninterference in the special case where no communication takes place. The verification is done in HOL4 taking the Cambridge model of ARM as basis, transferring verification tasks on the actual assembly code to an adaptation of the BAP binary analysis tool developed at CMU.PROSPE

The Prosper run-time monitor: design and formal verification

Un runtime monitor è uno strumento che può essere usato per garantire una proprietà di sicurezza su una risorsa di sistema. Un comune approccio consiste in avere il runtime monitor come un modulo di sicurezza del kernel del sistema operativo. Questo approccio soffre di alcune problematiche che possono compromettere l'integrità del modulo di sicurezza. In un ambiente virtualizzato, un approccio alternativo è quello di sfruttare la proprietà di isolamento per garantire la protezione del modulo di sicurezza stesso. In questa tesi viene presentato un runtime monitor che si appoggia su Prosper hypervisor, un virtual machine monitor per embedded systems formalmente verificato. Il runtime monitor presentato è in grado di garantire delle proprietà di sicurezza tramite il monitoraggio delle hypercalls fornite dall'hypervisor al sistema operativo. Adottando un metodologia formale, viene discusso quale tipo di proprietà è possibile garantire con il runtime monitor di Prosper e viene identificata una proprietà di sicurezza che permette di proteggere il sistema operativo da attacchi di tipo code-injection. Questo è possibile grazie ad un meccanismo di validazione delle hypercalls che viene formalmente identificato. Il lavoro di tesi viene concluso presentando una verifica formale del meccanismo di validazione, dimostrando che la proprietà di sicurezza è valida su tutti gli stati raggiungibili dal sistema