Product Programs in the Wild: Retrofitting Program Verifiers to Check Information Flow Security

Eilers, Marco; Meier, Severin; Müller, Péter

doi:10.1007/978-3-030-81685-8_34

Cited by 4 publications

(4 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Internally, HyperViper encodes the validity constraints for all resource specifications as well as all other proof obligations imposed by our logic into the Viper intermediate language. To encode relational proof obligations, it uses a modular product program construction [Eilers et al 2018], and combines it with existing encodings for concurrent programs [Leino and Müller 2009] in a sound way [Eilers et al 2021]. Subsequently, it automatically verifies the generated program using one of Viper's backend verifiers and, ultimately, the Z3 SMT solver [de Moura and Bjørner 2008].…”

Section: Implementation and Evaluationmentioning

confidence: 99%

“…Researchers have developed a plethora of type systems [Smith 2007], static analyses [Giffhorn and Snelting 2015], program transformations [Eilers et al 2021], and program logics [Ernst and Murray 2019;Murray et al 2018] to verify information flow security of concurrent programs, as well as multiple definitions of information flow security in this setting. Bisimulation-based properties [Focardi and Gorrieri 1995] and observational determinism [Zdancewic and Myers 2003] are properties of (sets of) traces, which assume that attackers can observe either low program variables or low events during the execution of the program, unlike our setting, where we assume that the attacker can observe only the public output of the program.…”

Section: Related Workmentioning

confidence: 99%

“…Since possibilistic non-interference is too weak in practice, most existing techniques target either traditional or probabilistic noninterference. As discussed previously, they achieve this goal by entirely preventing secret-dependent execution time differences, under the idealized assumption that only high branches can lead to such differences [Eilers et al 2021;Ernst and Murray 2019;Murray et al 2018;Schoepe et al 2020;Smith 2006Smith , 2007. These techniques can be applied to more realistic settings by also preventing other sources of timing differences, but preventing them entirely on standard hardware is very complex and requires strong assumptions about the used compiler and hardware.…”

Section: Related Workmentioning

confidence: 99%

“…[Murray et al 2018;Smith 2007] or work for programs using locks to protect shared memory like our logic (e.g. [Eilers et al 2021;Ernst and Murray 2019]), but some recent logics target more complex settings, like fine-grained concurrency [Frumin et al 2021] or relaxed memory models [Yan and Murray 2021]. We believe that our approach also extends to fine-grained concurrency, since the general idea of making sure that concurrent changes commute also applies in this setting.…”

Section: Related Workmentioning

confidence: 99%

See 3 more Smart Citations

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

Eilers¹,

Dardinier²,

Müller³

2022

Preprint

View full text Add to dashboard Cite

Information flow security ensures that the secret data manipulated by a program does not influence its observable output. Proving information flow security is especially challenging for concurrent programs, where operations on secret data may influence the execution time of a thread and, thereby, the interleaving between threads. Such internal timing channels may affect the observable outcome of a program even if an attacker does not observe execution times. Existing verification techniques for information flow security in concurrent programs attempt to prove that secret data does not influence the relative timing of threads. However, these techniques are often restrictive (for instance because they disallow branching on secret data) and make strong assumptions about the execution platform (ignoring caching, processor instructions with data-dependent execution time, and other common features that affect execution time).In this paper, we present a novel verification technique for secure information flow in concurrent programs that lifts these restrictions and does not make any assumptions about timing behavior. The key idea is to prove that all mutating operations performed on shared data commute, such that different thread interleavings do not influence its final value. Crucially, commutativity is required only for an abstraction of the shared data that contains the information that will be leaked to a public output. Abstract commutativity is satisfied by many more operations than standard commutativity, which makes our technique widely applicable.We formalize our technique in CommCSL, a relational concurrent separation logic with support for commutativity-based reasoning, and prove its soundness in Isabelle/HOL. We have implemented Comm-CSL in HyperViper, an automated verifier based on the Viper verification infrastructure, and demonstrate its ability to verify challenging examples.

show abstract

Section: Implementation and Evaluationmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

Eilers¹,

Dardinier²,

Müller³

2022

Preprint

View full text Add to dashboard Cite

show abstract

Verification Algorithms for Automated Separation Logic Verifiers

Eilers,

Schwerhoff,

Müller

2024

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Most automated program verifiers for separation logic use either symbolic execution or verification condition generation to extract proof obligations, which are then handed over to an SMT solver. Existing verification algorithms are designed to be sound, but differ in performance and completeness. These characteristics may also depend on the programs and properties to be verified. Consequently, developers and users of program verifiers have to select a verification algorithm carefully for their application domain. Taking an informed decision requires a systematic comparison of the performance and completeness characteristics of the verification algorithms used by modern separation logic verifiers, but such a comparison does not exist.This paper describes five verification algorithms for separation logic, three that are used in existing tools and two novel algorithms that combine characteristics of existing symbolic execution and verification condition generation algorithms. A detailed evaluation of implementations of these five algorithms in the Viper infrastructure assesses their performance and completeness for different classes of input programs. Based on the experimental results, we identify candidate portfolios of algorithms that maximize completeness and performance.

show abstract

Proof Automation for Linearizability in Separation Logic

Mulder

Krebbers

2023

Proc. ACM Program. Lang.

View full text Add to dashboard Cite

Recent advances in concurrent separation logic enabled the formal verification of increasingly sophisticated fine-grained ( i.e. , lock-free) concurrent programs. For such programs, the golden standard of correctness is linearizability , which expresses that concurrent executions always behave as some valid sequence of sequential executions. Compositional approaches to linearizability (such as contextual refinement and logical atomicity) make it possible to prove linearizability of whole programs or compound data structures ( e.g. , a ticket lock) using proofs of linearizability of their individual components ( e.g. , a counter). While powerful, these approaches are also laborious—state-of-the-art tools such as Iris, FCSL, and Voila all require a form of interactive proof. This paper develops proof automation for contextual refinement and logical atomicity in Iris. The key ingredient of our proof automation is a collection of proof rules whose application is directed by both the program and the logical state. This gives rise to effective proof search strategies that can prove linearizability of simple examples fully automatically. For more complex examples, we ensure the proof automation cooperates well with interactive proof tactics by minimizing the use of backtracking. We implement our proof automation in Coq by extending and generalizing Diaframe, a proof automation extension for Iris. While the old version (Diaframe 1.0) was limited to ordinary Hoare triples, the new version (Diaframe 2.0) is extensible in its support for program verification styles: our proof search strategies for contextual refinement and logical atomicity are implemented as modules for Diaframe 2.0. We evaluate our proof automation on a set of existing benchmarks and novel proofs, showing that it provides significant reduction of proof work for both approaches to linearizability.

show abstract

Product Programs in the Wild: Retrofitting Program Verifiers to Check Information Flow Security

Cited by 4 publications

References 46 publications

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

CommCSL: Proving Information Flow Security for Concurrent Programs using Abstract Commutativity

Verification Algorithms for Automated Separation Logic Verifiers

Proof Automation for Linearizability in Separation Logic

Contact Info

Product

Resources

About