A verified information-flow architecture

Amorim, Arthur Azevedo de; Collins, Nathan; DeHon, André; Demange, Delphine; Hriţcu, Cătălin; Pichardie, David; Pierce, Benjamin C.; Pollack, Robert; Tolmach, Andrew

doi:10.3233/jcs-15784

Cited by 20 publications

(32 citation statements)

References 93 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This assumption ensures that, at the level of abstraction we consider here, allocations in high contexts cannot influence the values of pointers allocated in low contexts, and we can thus use syntactic equality to check indistinguishability of pointers. While this assumption on allocation might seem unrealistic, previous work has shown formally that because block identifiers are opaque, this machine can be realized by a lower-level machine with a single standard allocator (Azevedo de Amorim et al 2014). …”

Section: Per-level Allocation Stamps Reachability and Noninterferencementioning

confidence: 99%

“…We define what it means for this basic IFC machine to be "secure" using a standard notion of termination-insensitive noninterference (Austin and Flanagan 2009;Azevedo de Amorim et al 2014;Hriţcu et al 2013a;Sabelfeld and Myers 2003); we call it end-to-end noninterference (or EENI) to distinguish it from the stronger notions we will introduce in §6. The main idea of EENI is to directly encode the intuition that secret inputs should not influence public outputs.…”

Section: Noninterference (Eeni)mentioning

confidence: 99%

“…In a (fine-grained) dynamic IFC system (Austin and Flanagan 2009;Azevedo de Amorim et al 2014;Bichhawat et al 2014b;Hriţcu et al 2013a;Sabelfeld and Russo 2009;Stefan et al 2011) security levels (called labels) are attached to runtime values and propagated during execution, enforcing the constraint that information derived from secret data does not leak to untrusted processes or to the public network. Each value is protected by an individual IFC label representing a security level (e.g., secret or public).…”

Section: Stack Machine With Labeled Datamentioning

confidence: 99%

“…(Other choices would give the observer either somewhat more powere.g., we could make the stack observable-or somewhat less-e.g., we could restrict the observer to some designated region of "I/O memory," or extend the architecture with I/O instructions and only observe the traces of inputs and outputs (Azevedo de Amorim et al 2014). ) 2.2 Definition: Machine states S 1 = pc 1 s 1 m 1 i 1 and S 2 = pc 2 s 2 m 2 i 2 are indistinguishable with respect to memories, written S 1 ≈ mem S 2 , if m 1 ≈ m 2 and i 1 ≈ i 2 .…”

Section: Definitionmentioning

confidence: 99%

“…While even simpler notions of dynamic taint tracking are well studied for both high-and low-level languages, it has only recently been shown (Austin and Flanagan 2009;Sabelfeld and Russo 2009) that dynamic checks are capable of soundly enforcing strong security properties. Moreover, until recently (Azevedo de Amorim et al 2014;Bichhawat et al 2014a;Hriţcu et al 2013b), sound dynamic IFC has been studied only in the context of high-level languages (Austin and Flanagan 2009;Bichhawat et al 2014b;Hriţcu et al 2013a;Sabelfeld and Russo 2009;Stefan et al 2011); the unstructured control flow of a low-level machine poses additional challenges.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Testing noninterference, quickly

Hriţcu¹,

Lampropoulos

Spector-Zabusky

et al. 2016

J. Funct. Prog.

Self Cite

View full text Add to dashboard Cite

Information-flow control mechanisms are difficult both to design and to prove correct. To reduce the time wasted on doomed proof attempts due to broken definitions, we advocate modern random testing techniques for finding counterexamples during the design process. We show how to use QuickCheck, a property-based random-testing tool, to guide the design of increasingly complex information-flow abstract machines, leading up to a sophisticated register machine with a novel and highly permissive flow-sensitive dynamic enforcement mechanism that is sound in the presence of first-class public labels. We find that both sophisticated strategies for generating well-distributed random programs and readily falsifiable formulations of noninterference properties are critically important for efficient testing. We propose several approaches and evaluate their effectiveness on a collection of injected bugs of varying subtlety. We also present an effective technique for shrinking large counterexamples to minimal, easily comprehensible ones. Taken together, our best methods enable us to quickly and automatically generate simple counterexamples for more than 45 bugs. Moreover, we show how testing guides the discovery of the sophisticated invariants needed for the noninterference proof of our most complex machine.

show abstract

Section: Per-level Allocation Stamps Reachability and Noninterferencementioning

confidence: 99%

Section: Noninterference (Eeni)mentioning

confidence: 99%

Section: Stack Machine With Labeled Datamentioning

confidence: 99%

Section: Definitionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Testing noninterference, quickly

Hriţcu¹,

Lampropoulos

Spector-Zabusky

et al. 2016

J. Funct. Prog.

Self Cite

View full text Add to dashboard Cite

show abstract

Witnessing Secure Compilation

Namjoshi

Tabajara

2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Compiler optimizations are designed to improve run-time performance while preserving input-output behavior. Correctness in this sense does not necessarily preserve security: it is known that standard optimizations may break or weaken security properties that hold of the source program. This work develops a translation validation method for secure compilation. Security (hyper-)properties are expressed using automata operating over a bundle of program traces. A flexible, automatonbased refinement scheme, generalizing existing refinement methods, guarantees that the associated security property is preserved by a program transformation. In practice, the refinement relations ("security witnesses") can be generated during compilation and validated independently with a refinement checker. This process is illustrated for common optimizations. Crucially, it is not necessary to verify the compiler implementation itself, which is infeasible in practice for production compilers.

show abstract

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Bauereiss

Campbell

Sewell

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Memory safety bugs continue to be a major source of security vulnerabilities in our critical infrastructure. The CHERI project has proposed extending conventional architectures with hardware-supported capabilities to enable fine-grained memory protection and scalable compartmentalisation, allowing historically memory-unsafe C and C++ to be adapted to deterministically mitigate large classes of vulnerabilities, while requiring only minor changes to existing system software sources. Arm is currently designing and building Morello, a CHERI-enabled prototype architecture, processor, SoC, and board, extending the high-performance Neoverse N1, to enable industrial evaluation of CHERI and pave the way for potential mass-market adoption. However, for such a major new security-oriented architecture feature, it is important to establish high confidence that it does provide the intended protections, and that cannot be done with conventional engineering techniques.In this paper we put the Morello architecture on a solid mathematical footing from the outset. We define the fundamental security property that Morello aims to provide, reachable capability monotonicity, and prove that the architecture definition satisfies it. This proof is mechanised in Isabelle/HOL, and applies to a translation of the official Arm specification of the Morello instruction-set architecture (ISA) into Isabelle. The main challenge is handling the complexity and scale of a production architecture: 62,000 lines of specification, translated to 210,000 lines of Isabelle. We do so by factoring the proof via a narrow abstraction capturing essential properties of arbitrary CHERI ISAs, expressed above a monadic intra-instruction semantics. We also develop a model-based test generator, which generates instruction-sequence tests that give good specification coverage, used in early testing of the Morello implementation and in Morello QEMU development, and we use Arm’s internal test suite to validate our model.This gives us machine-checked mathematical proofs of whole-ISA security properties of a full-scale industry architecture, at design-time. To the best of our knowledge, this is the first demonstration that that is feasible, and it significantly increases confidence in Morello.

show abstract

A verified information-flow architecture

Cited by 20 publications

References 93 publications

Testing noninterference, quickly

Testing noninterference, quickly

Witnessing Secure Compilation

Verified Security for the Morello Capability-enhanced Prototype Arm Architecture

Contact Info

Product

Resources

About