Abstract
Protecting the confidentiality of information manipulated by a computing system is one of the most important challenges facing today's cybersecurity community. A promising step toward conquering this challenge is to formally verify that the end-to-end behavior of the computing system really satisfies various information-flow policies. Unfortunately, because today's system software still consists of both C and assembly programs, the end-to-end verification necessarily requires that we not only prove the security properties of individual components, but also carefully preserve these properties through compilation and cross-language linking. In this paper, we present a novel methodology for formally verifying end-to-end security of a software system that consists of both C and assembly programs. We introduce a general definition of observation function that unifies the concepts of policy specification, state indistinguishability, and whole-execution behaviors. We show how to use different observation functions for different levels of abstraction, and how to link different security proofs across abstraction levels using a special kind of simulation that is guaranteed to preserve state indistinguishability. To demonstrate the effectiveness of our new methodology, we have successfully constructed an end-to-end security proof, fully formalized in the Coq proof assistant, of a nontrivial operating system kernel (running on an extended CompCert x86 assembly machine model). Some parts of the kernel are written in C and some are written in assembly; we verify all of the code, regardless of language.
End-to-end verification of information-flow security for C and assembly programs
PLDI '16: Proceedings of the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation