Applying Formal Methods to a Certifiably Secure Software System

Heitmeyer, Constance L.; Archer, Myla; Leonard, Elizabeth I.; McLean, John

doi:10.1109/tse.2007.70772

Cited by 66 publications

(64 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For security, the kernel and the processor must both be correct and agree on their mode of interaction. Most formal kernel analyses in the literature [7,12,13,15,18] address the kernel software itself, in source or binary form, and leave the properties of the instruction set architecture (ISA) to be handled by at. Our contribution is to suggest a possible approach, including tool support, for performing the ISA speci c security analysis, speci cally for user mode execution.…”

Section: Introductionmentioning

confidence: 99%

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Dam

2013

Certified Programs and Proofs

View full text Add to dashboard Cite

Abstract. In this paper, we formally verify security properties of the ARMv7 Instruction Set Architecture (ISA) for user mode executions. To obtain guarantees that arbitrary (and unknown) user processes are able to run isolated from privileged software and other user processes, instruction level noninterference and integrity properties are provided, along with proofs that transitions to privileged modes can only occur in a controlled manner. This work establishes a main requirement for operating system and hypervisor veri cation, as demonstrated for the PROSPER separation kernel. The proof is performed in the HOL4 theorem prover, taking the Cambridge model of ARM as basis. To this end, a proof tool has been developed, which assists the veri cation of relational state predicates semi-automatically.

show abstract

Section: Introductionmentioning

confidence: 99%

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Khakpour

Schwarz

Dam

2013

Certified Programs and Proofs

View full text Add to dashboard Cite

show abstract

“…the parts of the state the guest is not supposed to be able to write, such as non-guest memory, inaccessible processor registers and status flags, and the abstract state. We view this as an integrity property, similar to the nonexfiltration property of [13]. 3.…”

Section: Tls Consistency Propertiesmentioning

confidence: 99%

“…These properties, as in [13], are qualitatively different: The integrity property is first-order, and concerns the inability of the guest to directly write some other state variables. Since it is under guest control when and how to invoke the virtualization API, there are plenty of indirect communication channels connecting guests to the hypervisor.…”

Section: Tls Consistency Propertiesmentioning

confidence: 99%

“…We use the approach of [13] to analyze the hypervisor data separation properties. The observations of the guest in a state σ, h is represented by the structure O g ( σ, h ) = uregs, cpsr , mem g , coregs of user registers uregs, control register cpsr , guest memory mem g and coprocessor registers coregs.…”

Section: Tls Consistencymentioning

confidence: 99%

“…This is a key complication forced by the direct paging approach, and the solution to this problem is a key contribution of the paper. The upshot is that it is no longer self-evident that the desired memory isolation properties, non-exfiltration and non-infiltration in the terminology of [13], hold for the TLS, and an important part of the verification is therefore to formally validate this fact.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Trustworthy Memory Isolation of Linux on Embedded Devices

Nemati

Dam

Guanciale

et al. 2015

Trust and Trustworthy Computing

View full text Add to dashboard Cite

Abstract. The isolation of security critical components from an untrusted OS allows to both protect applications and to harden the OS itself, for instance by run-time monitoring. Virtualization of the memory subsystem is a key component to provide such isolation. We present the design, implementation and verification of a virtualization platform for the ARMv7-A processor family. Our design is based on direct paging, an MMU virtualization mechanism previously introduced by Xen for the x86 architecture, and used later with minor variants by the Secure Virtual Architecture, SVA. We show that the direct paging mechanism can be implemented using a compact design, suitable for formal verification down to a low level of abstraction, without penalizing system performance. The verification is performed using the HOL4 theorem prover and uses a detailed model of the ARMv7-A ISA, including the MMU. We prove memory isolation of the hosted components along with information flow security for an abstract top level model of the virtualization mechanism. The abstract model is refined down to a HOL4 transition system closely resembling a C implementation. The virtualization mechanism is demonstrated on real hardware via a hypervisor capable of hosting Linux as an untrusted guest. 1

show abstract

A formal approach to rigorous development of critical systems

Singh

Lawford

Maibaum

et al. 2021

J Software Evolu Process

View full text Add to dashboard Cite

Safety critical systems, such as medical, automotive, and avionics systems, play an important role in our daily lives. Increasing demand for new technologies in these safety critical systems requires rapid adoption of commercial hardware and software. However, the adoption of new hardware and software increases life‐threatening vulnerabilities. To aid in the reduction of these vulnerabilities and system failures, this paper proposes a framework based on formal methods for developing safety‐critical systems from requirements analysis to code generation. This framework includes a development process for documenting system requirements using tabular expressions, automatic formal model generation from the documented requirements, verification and validation of the generated formal models using proof techniques and animations, interactive simulation for validating the required behavior of the developed models by enabling domain experts to observe the system states according to, and finally, code generation from the formal model into a desired language. A prototype toolchain is developed to automate this framework. An assessment of the proposed framework is undertaken through a case study: insulin infusion pump (IIP).

show abstract

Applying Formal Methods to a Certifiably Secure Software System

Cited by 66 publications

References 30 publications

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Machine Assisted Proof of ARMv7 Instruction Level Isolation Properties

Trustworthy Memory Isolation of Linux on Embedded Devices

A formal approach to rigorous development of critical systems

Contact Info

Product

Resources

About