37 research outputs found
On Pitts' Relational Properties of Domains
Andrew Pitts' framework of relational properties of domains is a powerful
method for defining predicates or relations on domains, with applications
ranging from reasoning principles for program equivalence to proofs of adequacy
connecting denotational and operational semantics. Its main appeal is handling
recursive definitions that are not obviously well-founded: as long as the
corresponding domain is also defined recursively, and its recursion pattern
lines up appropriately with the definition of the relations, the framework can
guarantee their existence. Pitts' original development used the Knaster-Tarski
fixed-point theorem as a key ingredient. In these notes, I show how his
construction can be seen as an instance of other key fixed-point theorems: the
inverse limit construction, the Banach fixed-point theorem and the Kleene
fixed-point theorem. The connection underscores how Pitts' construction is
intimately tied to the methods for constructing the base recursive domains
themselves, and also to techniques based on guarded recursion, or
step-indexing, that have become popular in the last two decades
A Methodology For Micro-Policies
This thesis proposes a formal methodology for defining, specifying, and
reasoning about micro-policies — security policies based on fine-grained tagging
that include forms of access control, memory safety, compartmentalization, and
information-flow control. Our methodology is based on a symbolic machine that
extends a conventional RISC-like architecture with tags. Tags express security
properties of parts of the program state ( this is an instruction, this is
secret, etc.), and are checked and propagated on every instruction according to
flexible user-supplied rules. We apply this methodology to two widely studied
policies, information-flow control and heap memory safety, implementing them
with the symbolic machine and formally characterizing their security guarantees:
for information-flow control, we prove a classic notion of
termination-insensitive noninterference; for memory safety, a novel property
that protects memory regions that a program cannot validly reach through the
pointers it possesses — which, we believe, provides a useful criterion for
evaluating and comparing different flavors of memory safety. We show how the
symbolic machine can be realized with a more practical processor design, where a
software monitor takes advantage of a hardware cache to speed up its execution
while protecting itself from potentially malicious user-level code. Our
development has been formalized and verified in the Coq proof assistant,
attesting that our methodology can provide rigorous security guarantees
Really Natural Linear Indexed Type Checking
Recent works have shown the power of linear indexed type systems for
enforcing complex program properties. These systems combine linear types with a
language of type-level indices, allowing more fine-grained analyses. Such
systems have been fruitfully applied in diverse domains, including implicit
complexity and differential privacy. A natural way to enhance the
expressiveness of this approach is by allowing the indices to depend on runtime
information, in the spirit of dependent types. This approach is used in DFuzz,
a language for differential privacy. The DFuzz type system relies on an index
language supporting real and natural number arithmetic over constants and
variables. Moreover, DFuzz uses a subtyping mechanism to make types more
flexible. By themselves, linearity, dependency, and subtyping each require
delicate handling when performing type checking or type inference; their
combination increases this challenge substantially, as the features can
interact in non-trivial ways. In this paper, we study the type-checking problem
for DFuzz. We show how we can reduce type checking for (a simple extension of)
DFuzz to constraint solving over a first-order theory of naturals and real
numbers which, although undecidable, can often be handled in practice by
standard numeric solvers
Beyond Good and Evil: Formalizing the Security Guarantees of Compartmentalizing Compilation
Compartmentalization is good security-engineering practice. By breaking a
large software system into mutually distrustful components that run with
minimal privileges, restricting their interactions to conform to well-defined
interfaces, we can limit the damage caused by low-level attacks such as
control-flow hijacking. When used to defend against such attacks,
compartmentalization is often implemented cooperatively by a compiler and a
low-level compartmentalization mechanism. However, the formal guarantees
provided by such compartmentalizing compilation have seen surprisingly little
investigation.
We propose a new security property, secure compartmentalizing compilation
(SCC), that formally characterizes the guarantees provided by
compartmentalizing compilation and clarifies its attacker model. We reconstruct
our property by starting from the well-established notion of fully abstract
compilation, then identifying and lifting three important limitations that make
standard full abstraction unsuitable for compartmentalization. The connection
to full abstraction allows us to prove SCC by adapting established proof
techniques; we illustrate this with a compiler from a simple unsafe imperative
language with procedures to a compartmentalized abstract machine.Comment: Nit
A Verified Information-Flow Architecture
SAFE is a clean-slate design for a highly secure computer system, with
pervasive mechanisms for tracking and limiting information flows. At the lowest
level, the SAFE hardware supports fine-grained programmable tags, with
efficient and flexible propagation and combination of tags as instructions are
executed. The operating system virtualizes these generic facilities to present
an information-flow abstract machine that allows user programs to label
sensitive data with rich confidentiality policies. We present a formal,
machine-checked model of the key hardware and software mechanisms used to
dynamically control information flow in SAFE and an end-to-end proof of
noninterference for this model.
We use a refinement proof methodology to propagate the noninterference
property of the abstract machine down to the concrete machine level. We use an
intermediate layer in the refinement chain that factors out the details of the
information-flow control policy and devise a code generator for compiling such
information-flow policies into low-level monitor code. Finally, we verify the
correctness of this generator using a dedicated Hoare logic that abstracts from
low-level machine instructions into a reusable set of verified structured code
generators
Micro-Policies: Formally Verified, Tag-Based Security Monitors
Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level “symbolic machine,” and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy’s rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller
Testing noninterference, quickly
Information-flow control mechanisms are difficult to design and labor intensive to prove correct. To reduce the time wasted on proof attempts doomed to fail due to broken definitions, we advocate modern random testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of a simple information-flow abstract machine. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for all these bugs
Impact of COVID-19 on cardiovascular testing in the United States versus the rest of the world
Objectives: This study sought to quantify and compare the decline in volumes of cardiovascular procedures between the United States and non-US institutions during the early phase of the coronavirus disease-2019 (COVID-19) pandemic.
Background: The COVID-19 pandemic has disrupted the care of many non-COVID-19 illnesses. Reductions in diagnostic cardiovascular testing around the world have led to concerns over the implications of reduced testing for cardiovascular disease (CVD) morbidity and mortality.
Methods: Data were submitted to the INCAPS-COVID (International Atomic Energy Agency Non-Invasive Cardiology Protocols Study of COVID-19), a multinational registry comprising 909 institutions in 108 countries (including 155 facilities in 40 U.S. states), assessing the impact of the COVID-19 pandemic on volumes of diagnostic cardiovascular procedures. Data were obtained for April 2020 and compared with volumes of baseline procedures from March 2019. We compared laboratory characteristics, practices, and procedure volumes between U.S. and non-U.S. facilities and between U.S. geographic regions and identified factors associated with volume reduction in the United States.
Results: Reductions in the volumes of procedures in the United States were similar to those in non-U.S. facilities (68% vs. 63%, respectively; p = 0.237), although U.S. facilities reported greater reductions in invasive coronary angiography (69% vs. 53%, respectively; p < 0.001). Significantly more U.S. facilities reported increased use of telehealth and patient screening measures than non-U.S. facilities, such as temperature checks, symptom screenings, and COVID-19 testing. Reductions in volumes of procedures differed between U.S. regions, with larger declines observed in the Northeast (76%) and Midwest (74%) than in the South (62%) and West (44%). Prevalence of COVID-19, staff redeployments, outpatient centers, and urban centers were associated with greater reductions in volume in U.S. facilities in a multivariable analysis.
Conclusions: We observed marked reductions in U.S. cardiovascular testing in the early phase of the pandemic and significant variability between U.S. regions. The association between reductions of volumes and COVID-19 prevalence in the United States highlighted the need for proactive efforts to maintain access to cardiovascular testing in areas most affected by outbreaks of COVID-19 infection