128 research outputs found
Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties
In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions.
To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner.
This work establishes a main requirement for operating system and hypervisor verification, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis.
To this end, a proof tool has been developed, which assists the verification of relational state predicates semi-automatically
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators
Event-based Compositional Reasoning of Information-Flow Security for Concurrent Systems
High assurance of information-flow security (IFS) for concurrent systems is
challenging. A promising way for formal verification of concurrent systems is
the rely-guarantee method. However, existing compositional reasoning approaches
for IFS concentrate on language-based IFS. It is often not applicable for
system-level security, such as multicore operating system kernels, in which
secrecy of actions should also be considered. On the other hand, existing
studies on the rely-guarantee method are basically built on concurrent
programming languages, by which semantics of concurrent systems cannot be
completely captured in a straightforward way. In order to formally verify
state-action based IFS for concurrent systems, we propose a
rely-guarantee-based compositional reasoning approach for IFS in this paper. We
first design a language by incorporating ``Event'' into concurrent languages
and give the IFS semantics of the language. As a primitive element, events
offer an extremely neat framework for modeling system and are not necessarily
atomic in our language. For compositional reasoning of IFS, we use
rely-guarantee specification to define new forms of unwinding conditions (UCs)
on events, i.e., event UCs. By a rely-guarantee proof system of the language
and the soundness of event UCs, we have that event UCs imply IFS of concurrent
systems. In such a way, we relax the atomicity constraint of actions in
traditional UCs and provide a compositional reasoning way for IFS in which
security proof of systems can be discharged by independent security proof on
individual events. Finally, we mechanize the approach in Isabelle/HOL and
develop a formal specification and its IFS proof for multicore separation
kernels as a study case according to an industrial standard -- ARINC 653
Modelling information routing with noninterference
To achieve the highest levels of assurance, MILS architectures need to be formally analysed. A key challenge is to reason about the interaction between the software applications running on top of MILS core components, such as the separation kernel. In this paper, we extend Rushby's model of noninterference with explicit information units and domain programs. These extensions enable the reasoning at an abstract level about systems built on top of noninterference. As an illustration of our approach, we formally model and analyse an example inspired by the GWV Firewall. <br/
A Formal Model of Partitioning for Integrated Modular Avionics
The aviation industry is gradually moving toward the use of integrated modular avionics (IMA) for civilian transport aircraft. An important concern for IMA is ensuring that applications are safely partitioned so they cannot interfere with one another. We have investigated the problem of ensuring safe partitioning and logical non-interference among separate applications running on a shared Avionics Computer Resource (ACR). This research was performed in the context of ongoing standardization efforts, in particular, the work of RTCA committee SC-182, and the recently completed ARINC 653 application executive (APEX) interface standard. We have developed a formal model of partitioning suitable for evaluating the design of an ACR. The model draws from the mathematical modeling techniques developed by the computer security community. This report presents a formulation of partitioning requirements expressed first using conventional mathematical notation, then formalized using the language of SRI'S Prototype Verification System (PVS). The approach is demonstrated on three candidate designs, each an abstraction of features found in real systems
- …