SAFE: A clean-slate architecture for secure systems

Chiricescu, Silviu; DeHon, André; Demange, Delphine; Iyer, Suraj; Kliger, Aleksey; Morrisett, Greg; Pierce, Benjamin C.; Reubenstein, Howard; Smith, Jonathan M.; Sullivan, Greg; Thomas, Arthur N.; Tov, Jesse; White, Christopher M.; Wittenberg, David

doi:10.1109/ths.2013.6699066

Cited by 14 publications

(11 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It was first presented in Hriţcu et al [2016], where it was also proved in Coq to be noninterfering. The register machine contains a plethora of features, originally intended to model an experimental processor architecture [Chiricescu et al 2013], that make generating well-distributed inputs much harder and executing tests much slower. We briefly describe the delta between this machine and the stack machine; for the interested reader, the machine is defined formally in Hriţcu et al…”

Section: The Ifc Register Machinementioning

confidence: 99%

Coverage guided, property based testing

Lampropoulos

Hicks

Pierce

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

Property-based random testing, exemplified by frameworks such as Haskell's QuickCheck, works by testing an executable predicate (a property) on a stream of randomly generated inputs. Property testing works very well in many cases, but not always. Some properties are conditioned on the input satisfying demanding semantic invariants that are not consequences of its syntactic structureÐe.g., that an input list must be sorted or have no duplicates. Most randomly generated inputs fail to satisfy properties with such sparse preconditions, and so are simply discarded. As a result, much of the target system may go untested. We address this issue with a novel technique called coverage guided, property based testing (CGPT). Our approach is inspired by the related area of coverage guided fuzzing, exemplified by tools like AFL. Rather than just generating a fresh random input at each iteration, CGPT can also produce new inputs by mutating previous ones using type-aware, generic mutation operators. The target program is instrumented to track which control flow branches are executed during a run and inputs whose runs expand control-flow coverage are retained for future mutations. This means that, when sparse conditions in the target are satisfied and new coverage is observed, the input that triggered them will be retained and used as a springboard to go further. We have implemented CGPT as an extension to the QuickChick property testing tool for Coq programs; we call our implementation FuzzChick. We evaluate FuzzChick on two Coq developments for abstract machines that aim to enforce flavors of noninterference, which has a (very) sparse precondition. We systematically inject bugs in the machines' checking rules and use FuzzChick to look for counterexamples to the claim that they satisfy a standard noninterference property. We find that vanilla QuickChick almost always fails to find any bugs after a long period of time, as does an earlier proposal for combining property testing and fuzzing. In contrast, FuzzChick often finds them within seconds to minutes. Moreover, FuzzChick is almost fully automatic; although highly tuned, handwritten generators can find the bugs faster than FuzzChick, they require substantial amounts of insight and manual effort. CCS Concepts: • Software and its engineering → General programming languages.

show abstract

Section: The Ifc Register Machinementioning

confidence: 99%

Coverage guided, property based testing

Lampropoulos

Hicks

Pierce

2019

Proc. ACM Program. Lang.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Statistics on the number of lines of code affected by these changes are summarized in Table V: a negligible impact on the overall kernel of roughly 12.6M lines. Similar changes would likely allow FreeBSD to support other tagged-memory security models, such as those in the CRASH-SAFE design [14].…”

Section: Cheribsd Kernelmentioning

confidence: 99%

“…In hardware, Mondriaan investigated an access-control-centered approach based on a TLB/MMU page-table-like mechanism to represent in-addressspace security domains, including running an adaptation of Linux [56]. CRASH-SAFE has more recently explored flexible, software-defined, tagged security models, often grounded in information flow, based on clean-slate ISA approaches [14]. Hypervisors have been used to provide contained execution environments [37], and Dune utilizes hardware virtualization features to accelerate intra-process isolation [6].…”

Section: Related Workmentioning

confidence: 99%

CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

Watson

Woodruff

Neumann

et al. 2015

2015 IEEE Symposium on Security and Privacy

173

155

View full text Add to dashboard Cite

CHERI extends a conventional RISC Instruction-Set Architecture, compiler, and operating system to support fine-grained, capability-based memory protection to mitigate memory-related vulnerabilities in C-language TCBs. We describe how CHERI capabilities can also underpin a hardware-software object-capability model for application compartmentalization that can mitigate broader classes of attack. Prototyped as an extension to the open-source 64-bit BERI RISC FPGA softcore processor, FreeBSD operating system, and LLVM compiler, we demonstrate multiple orders-of-magnitude improvement in scalability, simplified programmability, and resulting tangible security benefits as compared to compartmentalization based on pure Memory-Management Unit (MMU) designs. We evaluate incrementally deployable CHERI-based compartmentalization using several real-world UNIX libraries and applications.

show abstract

“…Proving security of the high-level specifications is a similar process to proving soundness in other label-aware systems. We could then either treat the labels as purely logical state (like many statically-typed security systems), erasing them with a simulation relation, or we could verify a refinement to a machine like the one used in the SAFE system [2], where labels are actually implemented in the hardware and the physical machine performs dynamic label checks and tainting. Regardless of this choice of label representation, as long as we make sure our simulation relation preserves indistinguishability (as discussed in Section 2), the security of the high-level specifications will automatically give us the whole-execution noninterference property for the low-level machine.…”

Section: A3 Example 3: Security Labels and Dynamic Taintingmentioning

confidence: 99%

End-to-end verification of information-flow security for C and assembly programs

Costanzo

Shao

2016

SIGPLAN Not.

View full text Add to dashboard Cite

Protecting the confidentiality of information manipulated by a computing system is one of the most important challenges facing today's cybersecurity community. A promising step toward conquering this challenge is to formally verify that the end-to-end behavior of the computing system really satisfies various information-flow policies. Unfortunately, because today's system software still consists of both C and assembly programs, the end-to-end verification necessarily requires that we not only prove the security properties of individual components, but also carefully preserve these properties through compilation and cross-language linking. In this paper, we present a novel methodology for formally verifying end-to-end security of a software system that consists of both C and assembly programs. We introduce a general definition of observation function that unifies the concepts of policy specification, state indistinguishability, and whole-execution behaviors. We show how to use different observation functions for different levels of abstraction, and how to link different security proofs across abstraction levels using a special kind of simulation that is guaranteed to preserve state indistinguishability. To demonstrate the effectiveness of our new methodology, we have successfully constructed an end-to-end security proof, fully formalized in the Coq proof assistant, of a nontrivial operating system kernel (running on an extended CompCert x86 assembly machine model). Some parts of the kernel are written in C and some are written in assembly; we verify all of the code, regardless of language.

show abstract

SAFE: A clean-slate architecture for secure systems

Cited by 14 publications

References 21 publications

Coverage guided, property based testing

Coverage guided, property based testing

CHERI: A Hybrid Capability-System Architecture for Scalable Software Compartmentalization

End-to-end verification of information-flow security for C and assembly programs

Contact Info

Product

Resources

About