Abstract
SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.
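To make the abstract's two ideas concrete (tags that propagate and combine as instructions execute, and noninterference as the property the monitor is meant to guarantee), here is an added toy example in Python. It is not code from the SAFE project or the paper: the instruction set, the no-sensitive-upgrade store rule, the two-point label lattice and the sample programs are all constructed for illustration and are far simpler than the rule tables the paper verifies. The `check_noninterference` helper runs one program on two memories that differ only in secret-labelled values and compares the public outputs, which is the test-based counterpart of the property proved in the paper (the paper's proof covers all inputs, this check covers one pair).

```python
from dataclasses import dataclass, field

# Two-point label lattice (assumed for the example): a label is a set of
# principals, join is set union, "a flows to b" is set inclusion.
LOW = frozenset()             # public, bottom of the lattice
HIGH = frozenset({"secret"})  # tainted by the principal "secret"


def join(a, b):
    return a | b


def flows_to(a, b):
    return a <= b


@dataclass(frozen=True)
class Tagged:
    """A machine word carrying its label, in the spirit of a hardware tag."""
    val: int
    lab: frozenset


class IfcViolation(Exception):
    """Raised when the tag rules forbid an instruction; the machine stops."""


@dataclass
class Machine:
    """Tiny stack machine: the tag rules below are constructed, not SAFE's."""
    prog: list
    mem: dict = field(default_factory=dict)
    stack: list = field(default_factory=list)
    pc: int = 0
    pc_lab: frozenset = LOW          # label of the program counter (implicit flows)
    low_out: list = field(default_factory=list)

    def step(self):
        ins = self.prog[self.pc]
        op = ins[0]
        if op == "push":                 # ("push", value, label)
            self.stack.append(Tagged(ins[1], ins[2]))
            self.pc += 1
        elif op == "add":                # result label is the join of the operand labels
            b, a = self.stack.pop(), self.stack.pop()
            self.stack.append(Tagged(a.val + b.val, join(a.lab, b.lab)))
            self.pc += 1
        elif op == "load":               # ("load", addr): the word keeps its stored label
            self.stack.append(self.mem[ins[1]])
            self.pc += 1
        elif op == "store":              # ("store", addr): stored label absorbs the pc label
            v = self.stack.pop()
            old = self.mem.get(ins[1], Tagged(0, LOW))
            if not flows_to(self.pc_lab, old.lab):   # no-sensitive-upgrade rule
                raise IfcViolation(f"store to {ins[1]!r} under a more secret pc")
            self.mem[ins[1]] = Tagged(v.val, join(v.lab, self.pc_lab))
            self.pc += 1
        elif op == "bnz":                # ("bnz", target): pc label absorbs the condition's label
            c = self.stack.pop()
            self.pc_lab = join(self.pc_lab, c.lab)
            self.pc = ins[1] if c.val != 0 else self.pc + 1
        elif op == "output":             # public channel: only LOW data under a LOW pc
            v = self.stack.pop()
            if not flows_to(join(v.lab, self.pc_lab), LOW):
                raise IfcViolation("labelled data would reach the public channel")
            self.low_out.append(v.val)
            self.pc += 1
        elif op == "halt":
            return False
        else:
            raise ValueError(f"unknown instruction {ins!r}")
        return True


def run(prog, mem, max_steps=10_000):
    """Return ("ok", outputs) or ("stopped", outputs so far) for one initial memory."""
    m = Machine(prog, mem=dict(mem))
    try:
        for _ in range(max_steps):
            if not m.step():
                return ("ok", m.low_out)
        raise RuntimeError("step budget exceeded")
    except IfcViolation:
        return ("stopped", m.low_out)


def low_equivalent(mem_a, mem_b):
    """Same addresses and labels; values may differ only where the label is not LOW."""
    if mem_a.keys() != mem_b.keys():
        return False
    return all(mem_a[k].lab == mem_b[k].lab
               and (not flows_to(mem_a[k].lab, LOW) or mem_a[k].val == mem_b[k].val)
               for k in mem_a)


def check_noninterference(prog, mem_a, mem_b):
    """Termination-insensitive check on one pair of low-equivalent memories:
    the public output sequences of the two runs must be identical."""
    if not low_equivalent(mem_a, mem_b):
        raise ValueError("memories are not low-equivalent")
    return run(prog, mem_a)[1] == run(prog, mem_b)[1]


# Constructed sample programs and memories (not taken from the paper).
P_EXPLICIT = [("load", "s"), ("load", "p"), ("add",), ("output",), ("halt",)]
P_IMPLICIT = [("push", 0, LOW), ("store", "x"), ("load", "s"), ("bnz", 6),
              ("push", 1, LOW), ("store", "x"), ("load", "x"), ("output",), ("halt",)]
P_OK = [("load", "s"), ("push", 1, LOW), ("add",), ("store", "s2"),
        ("load", "p"), ("push", 2, LOW), ("add",), ("output",), ("halt",)]
MEM_A = {"s": Tagged(0, HIGH), "p": Tagged(1, LOW)}
MEM_B = {"s": Tagged(42, HIGH), "p": Tagged(1, LOW)}

if __name__ == "__main__":
    for name, prog in [("explicit", P_EXPLICIT), ("implicit", P_IMPLICIT), ("ok", P_OK)]:
        print(name, run(prog, MEM_A), run(prog, MEM_B),
              "noninterference:", check_noninterference(prog, MEM_A, MEM_B))
```

`P_EXPLICIT` stops at the `output` because the sum inherits the secret's label; `P_IMPLICIT` (the classic `x := 0; if s then x := 1; output x`) stops in both branches, once at the store under a secret pc and once at the output under a secret pc, so the public trace is empty for every secret; `P_OK` computes with the secret into a high cell and outputs only public data. Raising the pc label permanently on a branch is deliberately conservative; a realistic machine restores it at the join point, which is one of the details the paper's model has to get right.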
A verified information-flow architecture
POPL '14: Proceedings of the 41st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages