
    Proving the Absence of Microarchitectural Timing Channels

    Microarchitectural timing channels are a major threat to computer security. A set of OS mechanisms called time protection was recently proposed as a principled way of preventing information leakage through such channels and prototyped in the seL4 microkernel. We formalise time protection and the underlying hardware mechanisms in a way that allows linking them to the information-flow proofs that showed the absence of storage channels in seL4.
    Comment: Scott Buckley and Robert Sison were joint lead authors.

    Characteristics, primary treatment, and survival of MDS/MPN with neutrophilia:a population-based study

    Myelodysplastic and myeloproliferative neoplasms (MDS/MPN) with neutrophilia, until recently called atypical chronic myeloid leukemia (aCML), is a very rare disease within the MDS/MPN group with a poor prognosis. Although emerging data reveal its cytogenetic and molecular profile, integrated survival and treatment data remain scarce. We analyzed a cohort of 347 adult patients diagnosed with MDS/MPN with neutrophilia, registered in the Netherlands Cancer Registry between 2001 and 2019. Our demographic baseline data align with other cohorts. We observed cytogenetic aberrations exclusively in patients aged >65 years, with trisomy 8 being the most common abnormality. We identified 16 distinct molecular mutations, with some patients (16/101) harboring up to 3 different mutations; ASXL1 was the most frequent one (22%). In a multivariable Cox regression analysis, only age, hemoglobin level and allogeneic hematopoietic stem cell transplant (alloHSCT) were associated with overall survival (aged >65 years: hazard ratio [HR] 1.85, P = .001; alloHSCT: HR 0.51, P = .039). Because no other treatment modality seemed to affect survival and might cause toxicity, we propose that all patients eligible for alloHSCT should, whenever possible, receive an allogeneic transplant. It is imperative that we strive to improve outcomes for patients who are not eligible for alloHSCT. Tackling this challenge requires international collaborative efforts to conduct prospective intervention studies.

    Cogent: uniqueness types and certifying compilation

    This paper presents a framework aimed at significantly reducing the cost of proving functional correctness for low-level operating systems components. The framework is designed around a new functional programming language, Cogent. A central aspect of the language is its uniqueness type system, which eliminates the need for a trusted runtime or garbage collector while still guaranteeing memory safety, a crucial property for safety and security. Moreover, it allows us to assign two semantics to the language: the first semantics is imperative, suitable for efficient C code generation, and the second is purely functional, providing a user-friendly interface for equational reasoning and verification of higher-level correctness properties. The refinement theorem connecting the two semantics allows the compiler to produce a proof via translation validation certifying the correctness of the generated C code with respect to the semantics of the Cogent source program. We have demonstrated the effectiveness of our framework for implementation and for verification through two file system implementations.

    Lassie: HOL4 Tactics by Example

    Proof engineering efforts using interactive theorem proving have yielded several impressive projects in software systems and mathematics. A key obstacle to such efforts is the requirement that the domain expert also be an expert in the low-level details of constructing the proof in a theorem prover. In particular, the user needs to select a sequence of tactics that leads to a successful proof, a task that in general requires knowledge of the exact names and use of a large set of tactics. We present Lassie, a tactic framework for the HOL4 theorem prover that allows individual users to define their own tactic language by example and give frequently used tactics or tactic combinations easier-to-remember names. The core of Lassie is an extensible semantic parser, which allows the user to interactively extend the tactic language through a process of definitional generalization. Defining tactics in Lassie thus does not require any knowledge of implementing custom tactics, while proofs written in Lassie retain the correctness guarantees provided by the HOL4 system. We show through case studies how Lassie can be used in small and larger proofs by novice and more experienced interactive theorem prover users, and how we envision it easing the learning curve in a HOL4 tutorial.