Hardware Support for Safety Interlocks and Introspection

Dhawan, Udit; Kwon, Ae‐Ran; Kadrić, Edin; Hriţcu, Cătălin; Pierce, Benjamin C.; Smith, Jonathan M.; DeHon, André; Malecha, Gregory; Morrisett, Greg; Knight, Thomas F.; Sutherland, Andrew V.; Hawkins, Tom; Zyxnfryx, Amanda; Wittenberg, David; Trei, Peter; Ray, Siddharth S.; Sullivan, Greg

doi:10.1109/sasow.2012.11

Cited by 12 publications

(21 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…More detailed descriptions can be found elsewhere [29,33,34,35,45,46,56,62]. SAFE's system software performs process scheduling, stream-based interprocess communication, storage allocation and garbage collection, and management of the low-level tagging hardware (the focus of this paper).…”

Section: Overview Of Safementioning

confidence: 99%

“…Proof-carrying code [12,13,38] and typed assembly language [61,94,95] have been used for enforcing IFC on low-level code without low-level analysis or adding the compiler to the TCB. In SAFE [29,34] we follow a different approach, enforcing noninterference using purely dynamic checks, for arbitrary binaries in a custom-designed instruction set. The mechanisms we use for this are similar to those found in recent work on purely dynamic IFC for high-level languages [1,4,5,6,7,40,41,44,45,63,72,75,78,83,86]; however, as far as we know, we are the first to push these ideas to the lowest level.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

A verified information-flow architecture

Amorim

Collins

DeHon

et al. 2016

JCS

Self Cite

View full text Add to dashboard Cite

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to dynamically control information flow in SAFE and an end-to-end proof of noninterference for this model.We use a refinement proof methodology to propagate the noninterference property of the abstract machine down to the concrete machine level. We use an intermediate layer in the refinement chain that factors out the details of the information-flow control policy and devise a code generator for compiling such information-flow policies into low-level monitor code. Finally, we verify the correctness of this generator using a dedicated Hoare logic that abstracts from low-level machine instructions into a reusable set of verified structured code generators.

show abstract

Section: Overview Of Safementioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

A verified information-flow architecture

Amorim

Collins

DeHon

et al. 2016

JCS

Self Cite

View full text Add to dashboard Cite

show abstract

“…Micro-Policies The micro-policies framework and the PUMP architecture have their roots in SAFE, a clean-slate, securityoriented architecture [36], [40] and the earlier TIARA [75] and ARIES [20] designs. There, the PUMP was used only to implement dynamic IFC; other special-purpose hardware mechanisms enforced properties such as memory safety [55] and compartmentalization [40].…”

Section: Related Workmentioning

confidence: 99%

“…There, the PUMP was used only to implement dynamic IFC; other special-purpose hardware mechanisms enforced properties such as memory safety [55] and compartmentalization [40]. Still, the PUMP design in the SAFE system was made quite flexible, since dynamic IFC is an active area of research, with various mechanisms [14], [18], [19], [48], [50], [78] and "label models" [61], [77] being proposed regularly, making baked-into-hardware solutions unattractive.…”

Section: Related Workmentioning

confidence: 99%

Micro-Policies: Formally Verified, Tag-Based Security Monitors

Amorim¹,

Dénès

Giannarakis

et al. 2015

2015 IEEE Symposium on Security and Privacy

Self Cite

View full text Add to dashboard Cite

Abstract-Recent advances in hardware design have demonstrated mechanisms allowing a wide range of low-level security policies (or micro-policies) to be expressed using rules on metadata tags. We propose a methodology for defining and reasoning about such tag-based reference monitors in terms of a high-level "symbolic machine," and we use this methodology to define and formally verify micro-policies for dynamic sealing, compartmentalization, control-flow integrity, and memory safety; in addition, we show how to use the tagging mechanism to protect its own integrity. For each micro-policy, we prove by refinement that the symbolic machine instantiated with the policy's rules embodies a high-level specification characterizing a useful security property. Last, we show how the symbolic machine itself can be implemented in terms of a hardware rule cache and a software controller.

show abstract

“…A number of papers have appeared on several aspects of the SAFE project, such as the hardware interlocks [1], multi-level cache algorithms for tag management [2], and error handling in the presence of dynamic information flow control [3]. We presented a paper [4] at the 2011 Workshop on Programming Languages and Operating Systems (PLOS) describing our initial design goals.…”

Section: Introduction the Case For Clean-slate Co-designmentioning

confidence: 99%

SAFE: A clean-slate architecture for secure systems

Chiricescu

DeHon

Demange

et al. 2013

2013 IEEE International Conference on Technologies for Homeland Security (HST)

Self Cite

View full text Add to dashboard Cite

SAFE is a large-scale, clean-slate co-design project encompassing hardware architecture, programming languages, and operating systems. Funded by DARPA, the goal of SAFE is to create a secure computing system from the ground up. SAFE hardware provides memory safety, dynamic type checking, and native support for dynamic information flow control. The Breeze programming language leverages the security features of the underlying machine, and the "zero kernel" operating system avoids relying on any single privileged component for overall system security. The SAFE project is working towards formally verifying security properties of the runtime software. The SAFE system sets a new high-water mark for system security, allowing secure applications to be built on a solid foundation rather than on the inherently vulnerable conventional platforms available today.

show abstract

Hardware Support for Safety Interlocks and Introspection

Cited by 12 publications

References 25 publications

A verified information-flow architecture

A verified information-flow architecture

Micro-Policies: Formally Verified, Tag-Based Security Monitors

SAFE: A clean-slate architecture for secure systems

Contact Info

Product

Resources

About