Research article, Open Access

A verified information-flow architecture

Published: 08 January 2014

Abstract

SAFE is a clean-slate design for a highly secure computer system, with pervasive mechanisms for tracking and limiting information flows. At the lowest level, the SAFE hardware supports fine-grained programmable tags, with efficient and flexible propagation and combination of tags as instructions are executed. The operating system virtualizes these generic facilities to present an information-flow abstract machine that allows user programs to label sensitive data with rich confidentiality policies. We present a formal, machine-checked model of the key hardware and software mechanisms used to control information flow in SAFE and an end-to-end proof of noninterference for this model.
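As an added illustration (not the paper's Coq model or the SAFE machine itself), a minimal tagged register machine in Python: every value and the program counter carry a label from a constructed two-point lattice, labels are joined on each arithmetic operation and on each branch, and noninterference is checked by comparing the LOW-observable output of two runs that differ only in HIGH inputs. The instruction set, the `bz` branch and the rule that the pc label only rises are simplifying assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed two-point confidentiality lattice: LOW is below HIGH.
LOW, HIGH = 0, 1

def join(a: int, b: int) -> int:
    """Least upper bound of two labels: the tag-combination rule."""
    return max(a, b)

@dataclass(frozen=True)
class Val:
    v: int    # payload
    tag: int  # confidentiality label travelling with the value

Instr = Tuple  # ('add', dst, a, b) | ('out', src) | ('bz', a, target)

def run(prog: List[Instr], regs: Dict[str, Val]) -> List[Val]:
    """Execute the program; the pc carries its own label so that any
    value written or emitted after branching on HIGH data is HIGH."""
    out: List[Val] = []
    pc, pc_tag = 0, LOW
    while pc < len(prog):
        ins = prog[pc]
        if ins[0] == 'add':
            _, dst, a, b = ins
            x, y = regs[a], regs[b]
            regs[dst] = Val(x.v + y.v, join(join(x.tag, y.tag), pc_tag))
            pc += 1
        elif ins[0] == 'out':
            x = regs[ins[1]]
            out.append(Val(x.v, join(x.tag, pc_tag)))
            pc += 1
        elif ins[0] == 'bz':           # branch if zero: an implicit flow
            _, a, target = ins
            x = regs[a]
            pc_tag = join(pc_tag, x.tag)  # assumption: pc label never lowers
            pc = target if x.v == 0 else pc + 1
        else:
            raise ValueError(f"unknown instruction {ins!r}")
    return out

def raw_values(out: List[Val]) -> List[int]:
    """What an observer would see if tags were ignored."""
    return [x.v for x in out]

def low_view(out: List[Val]) -> List[int]:
    """What a LOW observer is allowed to see: only LOW-tagged outputs."""
    return [x.v for x in out if x.tag == LOW]

def noninterfering(prog: List[Instr], regs1: Dict[str, Val], regs2: Dict[str, Val]) -> bool:
    """Runs agreeing on LOW inputs must agree on LOW-observable outputs."""
    return low_view(run(prog, dict(regs1))) == low_view(run(prog, dict(regs2)))
```

A secret-dependent branch changes the raw output stream, but because the pc label taints everything emitted afterwards, the LOW views of both runs coincide.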


Supplemental Material

d1_right_t7.mp4

