The HACMS program: using formal methods to eliminate exploitable bugs

Fisher, Kathleen; Launchbury, John; Richards, R.J.

doi:10.1098/rsta.2015.0401

Cited by 33 publications

(25 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, model-based verification has a significant different goal than our work. For instance, the main difference between our work and [42] is that in our case there is no exploitable bug in the program. Instead, we consider legal program behavior that might be informative to attackers.…”

Section: Related Workmentioning

confidence: 82%

A secrecy-preserving language for distributed and object-oriented systems

Ramezanifarkhani¹,

Owe²,

Tokas³

2018

Journal of Logical and Algebraic Methods in Programming

View full text Add to dashboard Cite

In modern systems it is often necessary to distinguish between confidential (low-level) and non-confidential (high-level) information. Confidential information should be protected and not communicated or shared with low-level users. The non-interference policy is an information flow policy stipulating that low-level viewers should not be able to observe a difference between any two executions with the same low-level inputs. Only high-level viewers may observe confidential output. This is a non-trivial challenge when considering modern distributed systems involving concurrency and communication. The present paper addresses this challenge, by choosing language mechanisms that are both useful for programming of distributed systems and allow modular system analysis. We consider a general concurrency model for distributed systems, based on concurrent objects communicating by asynchronous methods. This model is suitable for modeling of modern service-oriented systems, and gives rise to efficient interaction avoiding active waiting and low-level synchronization primitives such as explicit signaling and lock operations. This concurrency model has a simple semantics and allows us to focus on information flow at a high level of abstraction, and allows realistic analysis by avoiding unnecessary restrictions on information flow between confidential and non-confidential data. Due to the non-deterministic nature of concurrent and distributed systems, we define a notion of interaction non-interference policy tailored to this setting. We provide two kinds of static analysis: a secrecy-type system and a trace analysis system, to capture inter-object and network level communication, respectively. We prove that interaction non-interference is satisfied by the combination of these analysis techniques. Thus any deviation from the policy caused by implicit information leakage visible through observation of network communication patterns, can be detected. The contribution of the paper lies in the definition of the notion of interaction non-interference, and in the formalization of a secrecy type system and a static trace analysis that together ensure interaction non-interference. We also provide several versions of a main example (a news subscription service) to demonstrate network leakage.

show abstract

Section: Related Workmentioning

confidence: 82%

A secrecy-preserving language for distributed and object-oriented systems

Ramezanifarkhani¹,

Owe²,

Tokas³

2018

Journal of Logical and Algebraic Methods in Programming

View full text Add to dashboard Cite

show abstract

“…Recent advances in formal verification, a mature area of computer science concerned with improving the security and reliability of systems, offer optimism for the future of electronic voting machines (Fisher et al 2017;Gu et al 2016;Leroy et al 2016). Formal verification uses formal methods, a family of rigorous mathematical techniques, to both specify and verify desirable program behavior.…”

Section: Option 3: Invest In the Development Of Formally Verifiementioning

confidence: 99%

Securing Election Infrastructure with Hand-Marked Paper Ballots

Gupta

Hypolite

Mell

et al. 2020

JSPG

View full text Add to dashboard Cite

American democracy is critically threatened by the use of insecure voting systems. Many existing electronic voting machines have malfunctioned during recent elections, and many are also vulnerable to hacking (Appel et al. 2019, Blaze et al. 2019, Blaze 2020). Most states have switched to secure, hand-marked paper ballots, but roughly 30% of Americans will continue to vote using vulnerable voting machines in 2020 (Cordova et al. 2019, Bajak 2020). While Congress allocated $380 million in 2018 and $425 million in 2020 to improve election security, these funds were neither targeted at nor sufficient for replacing all electronic voting machines. We propose that Congress (1) allocate $110 million exclusively for transitioning away from electronic voting machines and (2) prohibit the use of federal funds for purchasing voting systems that do not primarily use hand-marked paper ballots. This one-time transition cost is much smaller than even annual expenditures on other critical infrastructure (Copeland 2010; Halderman 2019). Replacing electronic voting machines with hand-marked paper ballots is the most affordable and secure option.

show abstract

“…In addition to these directions, previous research work proposed using formally verified microkernels to have a secure core [22], [33], [35]. This secure code can be used to host a security tool.…”

Section: Performance Enhancementmentioning

confidence: 99%

SKEE: A Lightweight Secure Kernel-level Execution Environment for ARM

Azab¹,

Swidowski²,

Bhutkar³

et al. 2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-Previous research on kernel monitoring and protection widely relies on higher privileged system components, such as hardware virtualization extensions, to isolate security tools from potential kernel attacks. These approaches increase both the maintenance effort and the code base size of privileged system components, which consequently increases the risk of having security vulnerabilities. SKEE, which stands for Secure Kernellevel Execution Environment, solves this fundamental problem. SKEE is a novel system that provides an isolated lightweight execution environment at the same privilege level of the kernel. SKEE is designed for commodity ARM platforms. Its main goal is to allow secure monitoring and protection of the kernel without active involvement of higher privileged software.SKEE provides a set of novel techniques to guarantee isolation. It creates a protected address space that is not accessible to the kernel, which is challenging to achieve when both the kernel and the isolated environment share the same privilege level. SKEE solves this challenge by preventing the kernel from managing its own memory translation tables. Hence, the kernel is forced to switch to SKEE to modify the system's memory layout. In turn, SKEE verifies that the requested modification does not compromise the isolation of the protected address space. Switching from the OS kernel to SKEE exclusively passes through a well-controlled switch gate. This switch gate is carefully designed so that its execution sequence is atomic and deterministic. These properties combined guarantee that a potentially compromised kernel cannot exploit the switching sequence to compromise the isolation. If the kernel attempts to violate these properties, it will only cause the system to fail without exposing the protected address space. SKEE exclusively controls access permissions of the entire OS memory. Hence, it prevents attacks that attempt to inject unverified code into the kernel. Moreover, it can be easily extended to intercept other system events in order to support various intrusion detection and integrity verification tools. This paper presents a SKEE prototype that runs on both 32-bit ARMv7 and 64-bit ARMv8 architectures. Performance evaluation results demonstrate that SKEE is a practical solution for real world systems.

show abstract

The HACMS program: using formal methods to eliminate exploitable bugs

Cited by 33 publications

References 30 publications

A secrecy-preserving language for distributed and object-oriented systems

A secrecy-preserving language for distributed and object-oriented systems

Securing Election Infrastructure with Hand-Marked Paper Ballots

SKEE: A Lightweight Secure Kernel-level Execution Environment for ARM

Contact Info

Product

Resources

About