End-to-end verification of information-flow security for C and assembly programs

Published: 02 June 2016

Abstract

Protecting the confidentiality of information manipulated by a computing system is one of the most important challenges facing today's cybersecurity community. A promising step toward conquering this challenge is to formally verify that the end-to-end behavior of the computing system really satisfies various information-flow policies. Unfortunately, because today's system software still consists of both C and assembly programs, the end-to-end verification necessarily requires that we not only prove the security properties of individual components, but also carefully preserve these properties through compilation and cross-language linking. In this paper, we present a novel methodology for formally verifying end-to-end security of a software system that consists of both C and assembly programs. We introduce a general definition of observation function that unifies the concepts of policy specification, state indistinguishability, and whole-execution behaviors. We show how to use different observation functions for different levels of abstraction, and how to link different security proofs across abstraction levels using a special kind of simulation that is guaranteed to preserve state indistinguishability. To demonstrate the effectiveness of our new methodology, we have successfully constructed an end-to-end security proof, fully formalized in the Coq proof assistant, of a nontrivial operating system kernel (running on an extended CompCert x86 assembly machine model). Some parts of the kernel are written in C and some are written in assembly; we verify all of the code, regardless of language.
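To make the abstract's three notions concrete, here is a small executable model added as an illustration (it is not the paper's Coq development): an observation function per principal, state indistinguishability as equality of observations, an unwinding-style noninterference check, and the indistinguishability-preservation condition that a simulation between a concrete and an abstract machine must satisfy. The two-process machine, its counters, the scratch slot and the leaky observation function are all constructed for the example.

```python
from itertools import product
N = 3                  # counters range over 0..N-1 so the state space is finite (constructed)
PIDS = (0, 1)          # two principals/processes (constructed)

# Abstract machine state: (cur, c0, c1). One step bumps the running process's
# counter and hands the CPU to the other process.
def abs_step(s):
    cur, c0, c1 = s
    ctr = [c0, c1]
    ctr[cur] = (ctr[cur] + 1) % N
    return (1 - cur, ctr[0], ctr[1])

# Observation function: principal p sees whether it is running and its own counter.
def abs_obs(p, s):
    cur, c0, c1 = s
    return (cur == p, (c0, c1)[p])

ABS_STATES = list(product(PIDS, range(N), range(N)))

# Concrete machine state: (cur, c0, c1, scratch). Same behaviour, plus a scratch
# slot that retains the *other* process's counter after each step.
def con_step(c):
    cur, c0, c1, _ = c
    return abs_step((cur, c0, c1)) + ((c0, c1)[1 - cur],)

def con_obs(p, c):
    return abs_obs(p, c[:3])             # scratch is invisible to p

def leaky_con_obs(p, c):
    return (con_obs(p, c), c[3])         # a bad choice: p also sees scratch

CON_STATES = [a + (sc,) for a in ABS_STATES for sc in range(N)]

# State indistinguishability is just equality of observations.
def indist(obs, p, s1, s2):
    return obs(p, s1) == obs(p, s2)

def noninterference(states, step, obs):
    """Unwinding-style check: one step from any two p-indistinguishable states
    yields p-indistinguishable states, for every principal p."""
    return all(not indist(obs, p, s1, s2) or indist(obs, p, step(s1), step(s2))
               for p in PIDS for s1 in states for s2 in states)

def preserves_indist(obs_c):
    """What the paper's special simulation must guarantee: two concrete states
    are p-indistinguishable exactly when their abstract images are.
    Here the simulation relation maps concrete c to abstract c[:3]."""
    return all(indist(obs_c, p, c1, c2) == indist(abs_obs, p, c1[:3], c2[:3])
               for p in PIDS for c1 in CON_STATES for c2 in CON_STATES)
```

The leaky observation function shows why the simulation must preserve indistinguishability: the abstract machine is secure, yet a concrete observer who can see the scratch slot breaks both checks.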
