2,510 research outputs found
Event-based Compositional Reasoning of Information-Flow Security for Concurrent Systems
High assurance of information-flow security (IFS) for concurrent systems is
challenging. A promising way for formal verification of concurrent systems is
the rely-guarantee method. However, existing compositional reasoning approaches
for IFS concentrate on language-based IFS. It is often not applicable for
system-level security, such as multicore operating system kernels, in which
secrecy of actions should also be considered. On the other hand, existing
studies on the rely-guarantee method are basically built on concurrent
programming languages, by which semantics of concurrent systems cannot be
completely captured in a straightforward way. In order to formally verify
state-action based IFS for concurrent systems, we propose a
rely-guarantee-based compositional reasoning approach for IFS in this paper. We
first design a language by incorporating ``Event'' into concurrent languages
and give the IFS semantics of the language. As a primitive element, events
offer an extremely neat framework for modeling system and are not necessarily
atomic in our language. For compositional reasoning of IFS, we use
rely-guarantee specification to define new forms of unwinding conditions (UCs)
on events, i.e., event UCs. By a rely-guarantee proof system of the language
and the soundness of event UCs, we have that event UCs imply IFS of concurrent
systems. In such a way, we relax the atomicity constraint of actions in
traditional UCs and provide a compositional reasoning way for IFS in which
security proof of systems can be discharged by independent security proof on
individual events. Finally, we mechanize the approach in Isabelle/HOL and
develop a formal specification and its IFS proof for multicore separation
kernels as a study case according to an industrial standard -- ARINC 653
A Survey of Techniques for Improving Security of GPUs
Graphics processing unit (GPU), although a powerful performance-booster, also
has many security vulnerabilities. Due to these, the GPU can act as a
safe-haven for stealthy malware and the weakest `link' in the security `chain'.
In this paper, we present a survey of techniques for analyzing and improving
GPU security. We classify the works on key attributes to highlight their
similarities and differences. More than informing users and researchers about
GPU security techniques, this survey aims to increase their awareness about GPU
security vulnerabilities and potential countermeasures
Proving the Absence of Microarchitectural Timing Channels
Microarchitectural timing channels are a major threat to computer security. A
set of OS mechanisms called time protection was recently proposed as a
principled way of preventing information leakage through such channels and
prototyped in the seL4 microkernel. We formalise time protection and the
underlying hardware mechanisms in a way that allows linking them to the
information-flow proofs that showed the absence of storage channels in seL4.Comment: Scott Buckley and Robert Sison were joint lead author
Modelling information routing with noninterference
To achieve the highest levels of assurance, MILS architectures need to be formally analysed. A key challenge is to reason about the interaction between the software applications running on top of MILS core components, such as the separation kernel. In this paper, we extend Rushby's model of noninterference with explicit information units and domain programs. These extensions enable the reasoning at an abstract level about systems built on top of noninterference. As an illustration of our approach, we formally model and analyse an example inspired by the GWV Firewall. <br/
Towards a formally designed and verified embedded operating system: case study using the B method
The dramatic growth in practical applications for iris biometrics has been accompanied
by relevant developments in the underlying algorithms and techniques. Along
with the research focused on near-infrared images captured with subject cooperation,
e orts are being made to minimize the trade-o between the quality of the captured
data and the recognition accuracy on less constrained environments, where images are
obtained at the visible wavelength, at increased distances, over simpli ed acquisition
protocols and adverse lightning conditions. At a rst stage, interpolation e ects on
normalization process are addressed, pointing the outcomes in the overall recognition
error rates. Secondly, a couple of post-processing steps to the Daugman's approach
are performed, attempting to increase its performance in the particular unconstrained
environments this thesis assumes. Analysis on both frequency and spatial domains
and nally pattern recognition methods are applied in such e orts. This thesis embodies
the study on how subject recognition can be achieved, without his cooperation,
making use of iris data captured at-a-distance, on-the-move and at visible wavelength
conditions. Widely used methods designed for constrained scenarios are analyzed
Outsmarting Network Security with SDN Teleportation
Software-defined networking is considered a promising new paradigm, enabling
more reliable and formally verifiable communication networks. However, this
paper shows that the separation of the control plane from the data plane, which
lies at the heart of Software-Defined Networks (SDNs), introduces a new
vulnerability which we call \emph{teleportation}. An attacker (e.g., a
malicious switch in the data plane or a host connected to the network) can use
teleportation to transmit information via the control plane and bypass critical
network functions in the data plane (e.g., a firewall), and to violate security
policies as well as logical and even physical separations. This paper
characterizes the design space for teleportation attacks theoretically, and
then identifies four different teleportation techniques. We demonstrate and
discuss how these techniques can be exploited for different attacks (e.g.,
exfiltrating confidential data at high rates), and also initiate the discussion
of possible countermeasures. Generally, and given today's trend toward more
intent-based networking, we believe that our findings are relevant beyond the
use cases considered in this paper.Comment: Accepted in EuroSP'1
- …