2022 IEEE 35th Computer Security Foundations Symposium (CSF)
DOI: 10.1109/csf54842.2022.9919645

Proving full-system security properties under multiple attacker models on capability machines

Abstract: Assembly-level protection mechanisms (virtual memory, trusted execution environments, virtualization) make it possible to guarantee security properties of a full system in the presence of arbitrary attacker-provided code. However, they typically only support a single trust boundary: code is either trusted or untrusted, and protection cannot be nested. Capability machines provide protection mechanisms that are more fine-grained and that do support arbitrary nesting of protection. We show in this paper how this e…

Cited by 3 publications (18 citation statements)
References 29 publications
“…As demonstrated before [25,26,52], such a UC is agnostic of software abstractions but supports reasoning about untrusted code. Essentially, one can register integrity properties of trusted code as invariants, and then use the UC for justifying jumps to untrusted code.…”
Section: Capability Safety for MinimalCaps
confidence: 88%
“…A word on the machine is either an integer or a capability and these can be stored in general-purpose registers (GPRs) and in memory. MinimalCaps supports memory and object capabilities, a superset of what is supported in Cerise [25,26,52].…”
Section: Capability Machines
confidence: 99%
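The citation above describes the basic word model of such machines: a word is either a plain integer or a capability, and both live in registers and memory. The following Rust model is an added illustration of that distinction and of why it supports nested protection; it is not code from MinimalCaps, Cerise or the paper. The permission lattice O < RO < RW, the half-open bounds [base, end), the cursor field and the single "sealed" bit standing in for object capabilities are all assumptions made for the example (real ISAs additionally bind a seal type and a sealing authority).

```rust
// Toy model of the word/capability distinction, added here as illustration.
// Not code from MinimalCaps, Cerise or the paper. Assumed for the example:
// a permission lattice O < RO < RW, half-open bounds [base, end), and a
// single "sealed" bit standing in for object capabilities.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Perm { O, RO, RW }

impl Perm {
    fn allows(self, write: bool) -> bool {
        match self { Perm::O => false, Perm::RO => !write, Perm::RW => true }
    }
    // `self` grants no more than `other` (O <= RO <= RW).
    fn at_most(self, other: Perm) -> bool {
        matches!((self, other),
            (Perm::O, _) | (Perm::RO, Perm::RO) | (Perm::RO, Perm::RW) | (Perm::RW, Perm::RW))
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Cap {
    pub perm: Perm,
    pub base: usize,  // inclusive lower bound
    pub end: usize,   // exclusive upper bound
    pub addr: usize,  // cursor used by load/store
    pub sealed: bool, // opaque until invoked
}

// A machine word: an integer carries no authority, a capability does.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Word { Int(u64), Cap(Cap) }

#[derive(Debug, PartialEq, Eq)]
pub enum Fault { NotACapability, Sealed, NotSealed, NoPermission, OutOfBounds, Monotonicity }

impl Cap {
    // Every access runs this check; an integer word never reaches it.
    fn check(&self, write: bool) -> Result<usize, Fault> {
        if self.sealed { return Err(Fault::Sealed); }
        if !self.perm.allows(write) { return Err(Fault::NoPermission); }
        if self.addr < self.base || self.addr >= self.end { return Err(Fault::OutOfBounds); }
        Ok(self.addr)
    }
    pub fn with_addr(self, addr: usize) -> Cap { Cap { addr, ..self } }
    // Derive a weaker capability. Refusing any growth of authority is what
    // lets protection nest arbitrarily: a holder may only hand out less.
    pub fn restrict(&self, perm: Perm, base: usize, end: usize) -> Result<Cap, Fault> {
        if self.sealed { return Err(Fault::Sealed); }
        if !perm.at_most(self.perm) || base < self.base || end > self.end || base > end {
            return Err(Fault::Monotonicity);
        }
        Ok(Cap { perm, base, end, addr: base, sealed: false })
    }
    // Memory capability -> object capability: contents become opaque.
    pub fn seal(self) -> Cap { Cap { sealed: true, ..self } }
}

pub struct Machine { mem: Vec<Word> }

impl Machine {
    // Zeroed memory plus the one root capability covering all of it.
    pub fn new(size: usize) -> (Machine, Cap) {
        let root = Cap { perm: Perm::RW, base: 0, end: size, addr: 0, sealed: false };
        (Machine { mem: vec![Word::Int(0); size] }, root)
    }
    pub fn load(&self, w: Word) -> Result<Word, Fault> {
        match w {
            Word::Int(_) => Err(Fault::NotACapability),
            Word::Cap(c) => Ok(self.mem[c.check(false)?]),
        }
    }
    pub fn store(&mut self, w: Word, v: Word) -> Result<(), Fault> {
        match w {
            Word::Int(_) => Err(Fault::NotACapability),
            Word::Cap(c) => { let a = c.check(true)?; self.mem[a] = v; Ok(()) }
        }
    }
    // Invoking a sealed capability is the only way to recover its authority,
    // modelling entry into an object's code together with its private data.
    pub fn invoke(&self, c: Cap) -> Result<Cap, Fault> {
        if !c.sealed { return Err(Fault::NotSealed); }
        Ok(Cap { sealed: false, ..c })
    }
}

fn main() {
    let (mut m, root) = Machine::new(8);
    m.store(Word::Cap(root.with_addr(3)), Word::Int(42)).unwrap();
    let ro = root.restrict(Perm::RO, 2, 4).unwrap();
    println!("{:?}", m.load(Word::Cap(ro.with_addr(3))));                // Ok(Int(42))
    println!("{:?}", m.store(Word::Cap(ro.with_addr(3)), Word::Int(1))); // Err(NoPermission)
}
```

The point the model makes concrete is that authority is carried by the word itself rather than by a page table or a privilege level: an integer can never be used as an address, every derived capability is checked against its parent, so a component can hand a sub-range of its own memory to untrusted code (and that code can hand out a smaller sub-range in turn) without any of them being able to widen what they received. Sealing is the memory-versus-object distinction mentioned in the citation, reduced to a single bit here.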
“…The work of Georges et al. [11], [12] and Skorstengaard et al. [28], [29] proves a variety of stack safety properties that can be enforced on capability machines. Similarly, Van Strydonck et al. [30] develop a library of verified wrappers around drivers leveraging capabilities for enforcing security properties. While these works also define and prove security properties about hardware, all their reasoning is done at the ISA level and must thus assume that the ISA is correctly implemented in hardware.…”
Section: F. Quantitative Summary of the Proof Effort
confidence: 99%